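replicaCount: 1

image:
  repository: gitea.arcodange.lab/arcodange/telegram-gateway
  pullPolicy: Always
  # The registry only produces :latest and the branch ref (:main) via the
  # Gitea Actions workflow; appVersion (0.1.0) does not exist as a tag.
  # Image Updater then writes the resolved digest into the in-cluster manifest.
  # NOTE(review): `latest` is a mutable tag, so what this file deploys is not
  # reproducible from the file alone; the digest Image Updater records in the
  # cluster is the only record of what actually ran. Pin a digest here once the
  # workflow publishes one if reproducible rollouts are required.
  tag: "latest"

# Empty means the registry must allow anonymous pulls of this repository. If the
# repository is private, add a pull secret here rather than making it public.
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""

serviceAccount:
  create: true
  # Nothing in this chart's configuration requires in-cluster Kubernetes API
  # access (bot secrets arrive via envFrom, later written by VSO), so the SA
  # token is not mounted into the pod. Set to true only if the application
  # gains a real need to call the API server.
  automount: false
  annotations: {}
  name: ""

podAnnotations: {}
podLabels: {}

# Pod-level hardening: unprivileged fixed UID/GID and the runtime's default
# seccomp profile.
podSecurityContext:
  runAsNonRoot: true
  runAsUser: 65532
  runAsGroup: 65532
  fsGroup: 65532
  seccompProfile:
    type: RuntimeDefault

# Container-level hardening: immutable root filesystem, no privilege escalation,
# no Linux capabilities. If the application needs scratch space, mount an
# emptyDir instead of relaxing readOnlyRootFilesystem.
securityContext:
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL

service:
  type: ClusterIP
  port: 8080

# Public exposure via Traefik. Cloudflare already routes *.arcodange.fr to the
# home lab, so we only declare the hostname here. Cloudflare terminates TLS and
# Traefik receives plain HTTP on entrypoint `web`.
# NOTE(review): because TLS ends at Cloudflare and `tls` is empty below, the
# origin itself only speaks HTTP. Anyone who can reach the origin directly
# (not through Cloudflare) bypasses both Cloudflare and the CrowdSec middleware.
# Restrict the origin to Cloudflare's egress ranges (Traefik ipAllowList
# middleware or a firewall rule), or front it with a Cloudflare Tunnel, and
# treat the per-bot `secret_token` webhook check as the last line of defence.
# NOTE(review): the CrowdSec bouncer only sees the real client IP if the `web`
# entrypoint trusts forwarded headers from Cloudflare
# (`forwardedHeaders.trustedIPs`); otherwise its decisions apply to Cloudflare
# edge IPs. Confirm in the Traefik configuration.
ingress:
  enabled: true
  className: ""
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web
    traefik.ingress.kubernetes.io/router.middlewares: kube-system-crowdsec@kubernetescrd
  hosts:
    - host: tg.arcodange.fr
      paths:
        - path: /
          pathType: Prefix
  tls: []

resources:
  limits:
    cpu: 200m
    memory: 256Mi
  requests:
    cpu: 50m
    memory: 64Mi

livenessProbe:
  httpGet:
    path: /healthz
    port: http
readinessProbe:
  httpGet:
    path: /readyz
    port: http

autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 3
  targetCPUUtilizationPercentage: 80

# Bot routing config — non-secret, becomes the bots.yaml ConfigMap entry.
# Tokens and secret_token values live in a k8s Secret named `secret.name`;
# never place them here, this file is committed to VCS.
# In Phase 1 the Secret is created out-of-band (kubectl create secret); in a
# later phase Vault will produce it via VSO (toggle `vault.enabled`).
bots:
  factory:
    handler: echo

# k8s Secret consumed by `envFrom`. Phase 1: create it manually with kubectl:
#   kubectl -n telegram-gateway create secret generic telegram-gateway-bots \
#     --from-literal=BOT_FACTORY_TOKEN=… --from-literal=BOT_FACTORY_SECRET=…
# Prefer `--from-env-file=<file>` (or `--from-file`) over `--from-literal` so
# the bot token does not end up in shell history.
secret:
  name: telegram-gateway-bots

# Vault Secrets Operator integration (Phase 2+). When enabled, VSO writes the
# Secret named `secret.name` automatically from `kvv2/telegram-gateway/config`.
vault:
  enabled: false
  role: telegram-gateway
  mount: kvv2
  path: telegram-gateway/config
  refreshAfter: 30s

nodeSelector:
  kubernetes.io/hostname: pi1
tolerations: []
affinity: {}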