erp/chart/values-sandbox.yaml

# Sandbox overlay — to be combined with values.yaml:
#   helm install erp-sandbox chart/ -f chart/values.yaml -f chart/values-sandbox.yaml \
#                                   --namespace erp-sandbox --create-namespace
#
# Activates Phase D of the multi-env evolution (cf. PR thread). Prerequisites:
#   - factory/postgres/iac/terraform.tfvars: erp has envs = ["prod", "sandbox"]
#   - tools/hashicorp-vault/iac/modules/app_roles: env parameter applied
#   - arcodange-org/erp/iac/main.tf: for_each over local.envs (Phase D commit)
#   - ArgoCD: Application "erp-sandbox" registered (Phase E)
#
# Derived names follow the elision rule: env=sandbox → suffix "-sandbox".

env:      sandbox
instance: erp-sandbox
host:     erp-sandbox.arcodange.lab

db:
  name: erp-sandbox
  ownerRole: erp_sandbox_role

vault:
  k8sRole:     erp-sandbox
  dynamicPath: creds/erp-sandbox
  staticPath:  erp-sandbox/config

# Ingress annotations + hosts — override to point at the sandbox FQDN
ingress:
  enabled: true
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt
    traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.lab
    traefik.ingress.kubernetes.io/router.tls.domains.0.sans: erp-sandbox.arcodange.lab
    traefik.ingress.kubernetes.io/router.middlewares: localIp@file
  hosts:
    - host: erp-sandbox.arcodange.lab
      paths:
        - path: /
          pathType: Prefix

# The sandbox is reproducible (iso-prod refresh), so it needs no offsite backup —
# and its env=sandbox Vault policy wasn't granted read on the GCS creds path
# (only prod was, tools#5). Keep the CronJob off here.
backup:
  enabled: false