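# cluster-platform-v3 — defaults.
#
# Most knobs you'd flip live here so customer-cluster overlays can
# tune sizing without forking the chart.
#
# Security notes for anyone editing this file:
#   * Nothing here is a secret and nothing here should become one —
#     credentials are applied out-of-band (see `secrets` below).
#   * The in-cluster registry is unauthenticated plain HTTP; its
#     NodePort reachability is the one knob below that can turn into
#     an image-supply-chain hole if the host is not firewalled.

namespace: odoosky-system

# tenant — per-tenant identity injected by Tower as helm.values on
# the per-cluster Argo Application. Empty defaults are safe to lint
# but a real deploy MUST set domain + wildcardHost (the Certificate
# template fails with `required` on an empty value).
tenant:
  # Domain the Cloudflare zone covers, e.g. "acme-erp.com".
  domain: ""
  # Wildcard hostname the cluster-wide tenants-wildcard cert covers,
  # e.g. "*.tenants.acme-erp.com". Every tenant instance Ingress
  # references the resulting Secret (`tenants-wildcard-tls` in the
  # `tenants` namespace) by name.
  wildcardHost: ""

# acme — Let's Encrypt registration. Operator email is per-platform,
# not per-tenant.
acme:
  # Let's Encrypt sends expiry / revocation notices to this address,
  # so it should be a monitored shared mailbox, not a personal one —
  # override it in the platform overlay rather than editing the
  # default here.
  email: m@havari.me
  # Production endpoint. For throw-away test clusters point this at
  # https://acme-staging-v02.api.letsencrypt.org/directory to avoid
  # burning the production rate limits (staging certs are NOT
  # browser-trusted).
  server: https://acme-v02.api.letsencrypt.org/directory

# certManager — the upstream jetstack chart, pinned at v1.16.1 by
# Chart.yaml's dependency. We turn on CRDs + force the namespace so
# the ClusterIssuer template below can reference solver Secrets in
# `cert-manager` ns.
certManager:
  enabled: true
  # Still honoured by v1.16.1, but upstream deprecated `installCRDs`
  # in favour of `crds.enabled` / `crds.keep` (v1.15+). Revisit when
  # bumping the dependency.
  installCRDs: true

# traefik — upstream chart. LoadBalancer Service so the customer's
# k3s servicelb maps :80/:443 to the host. Tower currently doesn't
# rely on Traefik's IngressRoute features here; instances are on
# their own per-tenant Traefik later. This Traefik gives the cluster
# a default ingress for the registry + future platform endpoints.
traefik:
  enabled: true
  service:
    type: LoadBalancer

# secrets — Tower applies these out-of-band via the registered
# kubeconfig at Connect time (B2). The chart references them by
# name only; values never enter Git. Rotation is therefore also
# out-of-band: re-applying the Secret is enough, no chart change.
secrets:
  # Consumed by the cert-manager Cloudflare DNS01 solver. Create the
  # token zone-scoped (Zone:Read + DNS:Edit on the tenant zone only)
  # — it does not need account-wide permissions.
  cloudflareTokenSecret:
    namespace: cert-manager
    name: cloudflare-api-token
    key: api-token
  # Key names inside this Secret are fixed by whatever template
  # mounts it; not parameterised here.
  s3CredentialsSecret:
    namespace: tenants
    name: s3-backup-creds

registry:
  enabled: true
  image:
    repository: registry
    # "2.8" is a mutable minor tag — every pull can silently pick up
    # a new patch build. Pin an exact patch release (or a digest) in
    # the overlay for a reproducible platform.
    tag: "2.8"
    pullPolicy: IfNotPresent
  # ClusterIP service hostname:
  #   registry.odoosky-system.svc.cluster.local:5000
  # Used internally by build Jobs (push) and the Odoo Deployment's
  # image volumes (pull). Plain HTTP — the registry never sees
  # off-cluster traffic; node-side k3s registries.yaml whitelists
  # the hostname for HTTP image pulls.
  service:
    port: 5000
    # NodePort the kubelet on each node uses to reach the registry
    # (via the host-side 127.0.0.1: mirror entry in
    # /etc/rancher/k3s/registries.yaml). Picked outside the default
    # 30000-32767 NodePort range's busy zone; change if the cluster
    # already uses 30500 for something else.
    #
    # SECURITY: a NodePort is bound on every node interface, not just
    # loopback, and nothing in this file enables registry auth or
    # TLS. Anyone who can reach a node on :30500 could push or
    # overwrite the images the Odoo Deployment later pulls. Keep the
    # port closed at the host firewall, or restrict NodePort binding
    # to loopback (e.g. the apiserver's
    # `service-node-port-addresses=127.0.0.1/32`) since only the
    # local mirror entry needs it.
    nodePort: 30500
  # Storage. The registry survives node restarts but is recreatable —
  # if the PVC is wiped, Tower's ensureAddonImage will rebuild any
  # missing images from Gitea source on demand. So we don't need a
  # large or replicated PV here.
  persistence:
    enabled: true
    size: 10Gi
    storageClass: ""  # "" = use the cluster's default; on k3s that's local-path
  resources:
    requests:
      cpu: 50m
      memory: 64Mi
    limits:
      cpu: 500m
      memory: 256Mi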