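# ============================================================
# unionflow-server-impl-quarkus — Values for cluster k1 (prod)
# ============================================================
# Override of the parent chart lions-app. Every value that is not
# overridden here inherits the defaults of helm-chart-lions-app/values.yaml.
lions-app:
  # --------------------------------------------------------
  # Image (updated by the lionsctl pipeline after each build)
  # --------------------------------------------------------
  image:
    registry: registry.lions.dev
    repository: lionsdev
    name: unionflow-server-impl-quarkus
    tag: "1.0.5-20260418-081420"  # AUTO-UPDATED by lionsctl pipeline
    pullPolicy: IfNotPresent
    pullSecrets:
      - lionsregistry-secret

  # --------------------------------------------------------
  # Replicas + HPA
  # --------------------------------------------------------
  replicaCount: 1

  # Enable once there is real load (current UnionFlow traffic is low)
  hpa:
    enabled: false
    minReplicas: 1
    maxReplicas: 3
    targetCPUUtilizationPercentage: 70

  # --------------------------------------------------------
  # Resources
  # --------------------------------------------------------
  resources:
    requests:
      cpu: 200m
      memory: 512Mi
    limits:
      cpu: "1"
      memory: 1Gi

  # --------------------------------------------------------
  # Non-sensitive env (ConfigMap)
  # --------------------------------------------------------
  configMap:
    enabled: true
    envFrom: true
    data:
      QUARKUS_PROFILE: prod
      APP_ENV: production
      APP_BASE_URL: https://lions.dev
      QUARKUS_HTTP_PORT: "8080"
      QUARKUS_DATASOURCE_DB_KIND: postgresql
      QUARKUS_DATASOURCE_JDBC_URL: jdbc:postgresql://postgresql-service.postgresql.svc.cluster.local:5432/unionflow-server-impl-quarkus
      # `validate` only checks the schema; no DDL is executed in prod.
      QUARKUS_HIBERNATE_ORM_DATABASE_GENERATION: validate
      KAFKA_BOOTSTRAP_SERVERS: kafka-service.kafka.svc.cluster.local:9092
      STORAGE_PATH: /app/storage
      # Quoted so the leading "-" can never be read as a sequence indicator.
      # -Xmx512m must stay below resources.limits.memory (1Gi).
      JAVA_OPTS: "-Xms256m -Xmx512m"

  # --------------------------------------------------------
  # Secrets — transition phase: reference the existing K8s Secrets
  #
  # TODO: once the Vault root token is available, migrate to externalSecret.
  # The existing Secrets (db-secret, oidc-secret) will then be regenerated
  # by ESO from Vault automatically.
  #
  # Credentials are injected into the container as environment variables;
  # nothing here puts secret values in the values file itself.
  # --------------------------------------------------------
  extraEnvFrom:
    - secretRef:
        name: unionflow-server-impl-quarkus-db-secret
    - secretRef:
        name: unionflow-server-oidc-secret

  externalSecret:
    enabled: false
    # Configuration ready for future activation (inert while enabled: false):
    secretStoreRef:
      kind: ClusterSecretStore
      name: vault-backend
    refreshInterval: 1h
    target:
      creationPolicy: Owner
      deletionPolicy: Retain
    data:
      - secretKey: QUARKUS_DATASOURCE_USERNAME
        remoteRef:
          key: lions/applications/unionflow-server/db
          property: username
      - secretKey: QUARKUS_DATASOURCE_PASSWORD
        remoteRef:
          key: lions/applications/unionflow-server/db
          property: password
      - secretKey: KEYCLOAK_CLIENT_SECRET
        remoteRef:
          key: lions/applications/unionflow-server/oidc
          property: client-secret
      - secretKey: KEYCLOAK_ADMIN_SERVICE_SECRET
        remoteRef:
          key: lions/applications/unionflow-server/oidc
          property: admin-service-secret

  # --------------------------------------------------------
  # Ingress
  # --------------------------------------------------------
  ingress:
    enabled: true
    className: nginx
    clusterIssuer: letsencrypt-prod
    host: api.lions.dev
    # UnionFlow is mounted under /unionflow on api.lions.dev
    # → prefix-strip mode: /unionflow(/|$)(.*) → backend receives /(.*)
    pathPrefix:
      enabled: true
      strip: /unionflow
    tls:
      enabled: true
      # secretName: auto = "unionflow-server-impl-quarkus-tls"
    rateLimit:
      enabled: true
      rpm: 3000
      connections: 200
    cors:
      enabled: true
      # Single explicit origin — do not widen to "*" with credentialed requests.
      origins: "https://unionflow.lions.dev"
      methods: "GET, POST, PUT, DELETE, OPTIONS, PATCH"
      headers: "DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization"
    annotations:
      nginx.ingress.kubernetes.io/proxy-body-size: "50m"
      nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
      nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
      nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
      nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
      nginx.ingress.kubernetes.io/proxy-buffering: "on"

  # --------------------------------------------------------
  # NetworkPolicy
  # TEMPORARILY DISABLED: re-enable after POC validation and tuning of
  # the egress rules (notably egress to the node IP for the public OIDC URL).
  # While disabled, the pod is reachable from any namespace and has
  # unrestricted egress; the allow-lists below are inert until enabled: true.
  # --------------------------------------------------------
  networkPolicy:
    enabled: false
    allowIngressFrom:
      - namespaceSelector:
          kubernetes.io/metadata.name: ingress-nginx
      - namespaceSelector:
          kubernetes.io/metadata.name: monitoring
    allowEgressDNS: true
    allowEgressKubeAPI: true
    allowEgressTo:
      # PostgreSQL
      - namespaceSelector:
          kubernetes.io/metadata.name: postgresql
        ports:
          - port: 5432
            protocol: TCP
      # Kafka
      - namespaceSelector:
          kubernetes.io/metadata.name: kafka
        ports:
          - port: 9092
            protocol: TCP
      # Keycloak
      - namespaceSelector:
          kubernetes.io/metadata.name: keycloak
        ports:
          - port: 8080
            protocol: TCP

  # --------------------------------------------------------
  # Quarkus SmallRye Health probes
  # Port must match QUARKUS_HTTP_PORT in configMap.data above.
  # --------------------------------------------------------
  probes:
    liveness:
      enabled: true
      httpGet:
        path: /q/health/live
        port: 8080
      initialDelaySeconds: 60
      periodSeconds: 30
      timeoutSeconds: 5
      failureThreshold: 3
    readiness:
      enabled: true
      httpGet:
        path: /q/health/ready
        port: 8080
      initialDelaySeconds: 30
      periodSeconds: 10
      timeoutSeconds: 5
      failureThreshold: 3
    startup:
      enabled: true
      httpGet:
        path: /q/health/started
        port: 8080
      initialDelaySeconds: 10
      periodSeconds: 10
      failureThreshold: 30  # 5 min grace (10 s period × 30 failures)

  # --------------------------------------------------------
  # Volumes (required with readOnlyRootFilesystem)
  # --------------------------------------------------------
  volumes:
    tmp:
      enabled: true
      sizeLimit: 200Mi
    logs:
      enabled: true
      sizeLimit: 1Gi
      mountPath: /app/logs
    extra:
      # Storage for /app/storage (KYC uploads, PDFs, etc.)
      # emptyDir: contents are lost when the pod is rescheduled — verify
      # this is acceptable for uploaded documents.
      - name: app-storage
        emptyDir:
          sizeLimit: 2Gi

  # NOTE(review): nesting level of volumeMounts was lost in the original
  # layout; placed as a sibling of `volumes` — confirm against the chart.
  volumeMounts:
    - name: app-storage
      mountPath: /app/storage

  # --------------------------------------------------------
  # ServiceMonitor (enable once quarkus-micrometer is added to the app)
  # --------------------------------------------------------
  serviceMonitor:
    enabled: false
    path: /q/metrics
    interval: 30s

  # --------------------------------------------------------
  # Scheduling (single-node cluster k1)
  # --------------------------------------------------------
  tolerations:
    - key: node-role.kubernetes.io/control-plane
      operator: Exists
      effect: NoSchedule

  # --------------------------------------------------------
  # Additional annotations
  # --------------------------------------------------------
  podAnnotations:
    lionsctl.lions.dev/cluster: k1
    lionsctl.lions.dev/environment: production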