# Default values for timetracker

# External PostgreSQL Configuration
# PREREQUISITE: An existing PostgreSQL database must be provisioned before installing this chart.
postgresql:
  host: "postgres"
  port: 5432
  database: "timetracker"

  # Provide credentials either inline or from an existing secret.
  # If auth.existingSecret is set, username and password are read from that
  # secret using the keys "username" and "password". The inline auth.username
  # and auth.password values are ignored in that case.
  auth:
    username: "timetracker"
    password: "timetracker_password"
    existingSecret: ""

# Backend Configuration
backend:
  replicaCount: 1

  image:
    repository: git.simon-franken.de/simonfranken/timetracker-backend
    tag: latest
    pullPolicy: IfNotPresent

  service:
    type: ClusterIP
    port: 3001

  resources:
    limits:
      cpu: 500m
      memory: 512Mi
    requests:
      cpu: 100m
      memory: 128Mi

  # OIDC Configuration (REQUIRED - must be set)
  oidc:
    issuerUrl: ""
    clientId: ""
    # Redirect URI registered in the IDP for the iOS native app.
    # Must match the custom URL scheme configured in the iOS app.
    iosRedirectUri: "timetracker://oauth/callback"

  # Session configuration
  session:
    secret: "change-this-secret-in-production"

  # JWT configuration (for iOS Bearer token auth)
  # jwt.secret is used to sign backend-issued JWTs for the iOS app.
  # If left empty it falls back to session.secret.
  # Set this to a dedicated secret in production.
  jwt:
    secret: ""

  env:
    nodeEnv: production
    port: 3001

# Frontend Configuration
frontend:
  replicaCount: 1

  image:
    repository: git.simon-franken.de/simonfranken/timetracker-frontend
    tag: latest
    pullPolicy: IfNotPresent

  service:
    type: ClusterIP
    port: 8080

  resources:
    limits:
      cpu: 200m
      memory: 256Mi
    requests:
      cpu: 50m
      memory: 64Mi

# Ingress Configuration
ingress:
  enabled: true
  className: nginx
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /$2

  hosts:
    - host: timetracker.local
      paths:
        - path: /
          pathType: ImplementationSpecific
          service: frontend
          port: 8080
        - path: /api(/|$)(.*)
          pathType: ImplementationSpecific
          service: backend
          port: 3001

  tls:
    enabled: false
    secretName: timetracker-tls

# Image pull secrets
imagePullSecrets: []

# Pod annotations
podAnnotations: {}

# Pod security context
podSecurityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault

# Service account
serviceAccount:
  create: true
  annotations: {}
  name: ""