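# Helm values for the Gitea chart and its Bitnami Valkey / PostgreSQL
# subcharts.
#
# Every "???" below is a placeholder. Real values should be injected at
# deploy time and never committed to version control. Where a chart supports
# it, referencing a pre-created Secret keeps credentials out of this file
# (for example `gitea.admin.existingSecret`, `gitea.additionalConfigSources`,
# `global.postgresql.auth.existingSecret`).
#
# NOTE(review): the source of this file had lost its line breaks and
# indentation; the nesting below was reconstructed from the key names and
# should be compared against the deployed values.

image:
  registry: ""
  # IMPORTANT:
  # The default image used by the Gitea Helm chart is the *rootless* variant.
  # Rootless Gitea does NOT include an SSH server, so enabling SSH in the chart
  # will NOT work unless you explicitly switch to the rootful image.
  #
  # Default chart image (rootless, SSH disabled):
  #   registry: "docker.gitea.com"
  #   repository: gitea
  #
  # Correct rootful image (SSH enabled):
  #   repository: gitea/gitea
  #
  # This ensures the container includes OpenSSH and can expose the SSH port.
  #
  # NOTE(review): the chart also exposes `image.rootless`, which selects the
  # `-rootless` tag suffix; it is not set here. Confirm which variant is
  # actually pulled, since the rootful image runs with more privilege.
  repository: gitea/gitea
  pullPolicy: Always
  # Quoted so the tag is a string, not an integer. "1" is a moving tag, and
  # with pullPolicy Always a pod restart can pull a different image than the
  # one that was reviewed. Consider an exact version or `image.digest`.
  tag: "1"

# dependency:
# https://github.com/bitnami/charts/blob/main/bitnami/valkey-cluster/Chart.yaml
valkey-cluster:
  enabled: false

# dependency:
# https://github.com/bitnami/charts/blob/main/bitnami/valkey/Chart.yaml
valkey:
  enabled: true
  architecture: standalone
  global:
    valkey:
      # Placeholder; supply at deploy time.
      password: "???"

  # Disable NetworkPolicy creation in the Bitnami valkey subchart.
  # This deployment runs inside a controlled namespace where network
  # boundaries are enforced by the platform (Infra team), not by Helm.
  #
  # CI/CD pipelines use a restricted ServiceAccount that is intentionally
  # NOT allowed to create or modify NetworkPolicies. Leaving this enabled
  # would cause Helm upgrades to fail with RBAC errors.
  #
  # Infra-owned NetworkPolicies are applied separately and independently
  # of application charts to maintain a clean separation of responsibilities.
  #
  # With this off, nothing in this release restricts who can reach Valkey.
  # Verify that the Infra-owned policy limits its port to the Gitea pods.
  networkPolicy:
    enabled: false

  serviceAccount:
    # serviceAccount resources are owned and managed by the Infrastructure
    # layer. The CI/CD ServiceAccount used for application deployments does
    # not have permissions to create or modify serviceAccounts, by design.
    #
    # In this setup Valkey does not require its own ServiceAccount, so
    # enabling this would provide no benefit and would cause Helm upgrades
    # to fail due to RBAC restrictions.
    create: false
    # Valkey shares the namespace's "default" ServiceAccount. Keep that
    # account free of RoleBindings so the pod inherits no API permissions.
    name: "default"

  primary:
    pdb:
      # Disable the PodDisruptionBudget for Valkey.
      #
      # This deployment uses a single-instance (non-HA) valkey, so a PDB
      # provides no real benefit: with one replica it can only block
      # voluntary evictions such as node drains.
      #
      # More importantly, PodDisruptionBudgets are considered an Infra-owned
      # resource in this cluster. The CI/CD ServiceAccount intentionally
      # lacks permissions to create or modify PDBs, and enabling this would
      # cause Helm upgrades to fail with RBAC errors.
      #
      # The platform team applies disruption policies separately at the
      # infrastructure layer, keeping a clean separation of responsibilities.
      create: false

# dependency:
# https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml
postgresql-ha:
  enabled: false

# dependency:
# https://github.com/bitnami/charts/blob/main/bitnami/postgresql
postgresql:
  enabled: true
  image:
    repository: bitnami/postgresql
    # Quoted so the tag is a string. "16" is a moving major-version tag;
    # pin an exact version or digest for reproducible deployments.
    tag: "16"
    # NOTE(review): Bitnami charts name this key `image.pullPolicy`; confirm
    # that `imagePullPolicy` is actually read by the subchart.
    imagePullPolicy: IfNotPresent
  global:
    postgresql:
      auth:
        # postgresPassword belongs to the database superuser; Gitea itself
        # only needs the username/password pair below. All placeholders.
        postgresPassword: "???"
        password: "???"
        database: "???"
        username: "???"

  serviceAccount:
    # serviceAccount resources are owned and managed by the Infrastructure
    # layer. The CI/CD ServiceAccount used for application deployments does
    # not have permissions to create or modify serviceAccounts, by design.
    # In this setup postgresql does not require its own ServiceAccount, so
    # enabling this would provide no benefit and would cause Helm upgrades
    # to fail due to RBAC restrictions.
    create: false

  primary:
    networkPolicy:
      # Disable NetworkPolicy creation in the Bitnami PostgreSQL subchart.
      # This deployment runs inside a controlled namespace where network
      # boundaries are enforced by the platform (Infra team), not by Helm.
      #
      # CI/CD pipelines use a restricted ServiceAccount that is intentionally
      # NOT allowed to create or modify NetworkPolicies. Leaving this enabled
      # would cause Helm upgrades to fail with RBAC errors.
      #
      # Infra-owned NetworkPolicies are applied separately and independently
      # of application charts to maintain a clean separation of
      # responsibilities.
      #
      # With this off, nothing in this release restricts who can reach
      # PostgreSQL. Verify the Infra-owned policy limits it to Gitea pods.
      enabled: false
    pdb:
      # Disable the PodDisruptionBudget for PostgreSQL.
      #
      # This deployment uses a single-instance (non-HA) PostgreSQL, so a PDB
      # provides no real benefit: with one replica it can only block
      # voluntary evictions such as node drains.
      #
      # More importantly, PodDisruptionBudgets are considered an Infra-owned
      # resource in this cluster. The CI/CD ServiceAccount intentionally
      # lacks permissions to create or modify PDBs, and enabling this would
      # cause Helm upgrades to fail with RBAC errors.
      #
      # The platform team applies disruption policies separately at the
      # infrastructure layer, keeping a clean separation of responsibilities.
      create: false
    persistence:
      size: 10Gi
  metrics:
    enabled: false

persistence:
  enabled: true

service:
  ssh:
    # A LoadBalancer Service makes Git-over-SSH reachable from outside the
    # cluster. externalTrafficPolicy Local preserves the client source IP,
    # which is useful for SSH auth logs and source-based filtering.
    type: LoadBalancer
    enabled: true
    port: 2222
    externalTrafficPolicy: Local
  http:
    clusterIP: ""  # empty string → Kubernetes assigns a routable ClusterIP
    type: ClusterIP
    port: 3000

gitea:
  admin:
    # Placeholders; supply at deploy time.
    username: "???"
    password: "???"
    email: "???"

  config:
    # The source declared `oauth2` twice with the same placeholder value.
    # Duplicate mapping keys are invalid YAML and most parsers silently keep
    # the last one, so the block appears only once here.
    oauth2:
      JWT_SECRET: "???"
    actions:
      # Workflows run repository-supplied code on the registered runners;
      # keep runners isolated from cluster credentials.
      ENABLED: true
    database:
      DB_TYPE: postgres
    indexer:
      ISSUE_INDEXER_TYPE: bleve
      REPO_INDEXER_ENABLED: true
    picture:
      AVATAR_UPLOAD_PATH: /data/avatars
    server:
      DOMAIN: git.limbosolutions.com
      SSH_DOMAIN: git.limbosolutions.com
      ROOT_URL: https://git.limbosolutions.com
      DISABLE_SSH: false
      SSH_PORT: 2222
      SSH_LISTEN_PORT: 2222
      LFS_START_SERVER: true
      START_SSH_SERVER: true
      LFS_PATH: /data/git/lfs
      LFS_JWT_SECRET: "???"
      OFFLINE_MODE: false
      # MFF 03/08/2024
      # NOTE(review): the five keys below are [indexer] settings in Gitea's
      # app.ini. Under `server` they likely have no effect
      # (REPO_INDEXER_ENABLED is already set under `indexer` above). They are
      # left in place to avoid changing behaviour; confirm and move them.
      REPO_INDEXER_ENABLED: true
      REPO_INDEXER_PATH: indexers/repos.bleve
      MAX_FILE_SIZE: 1048576
      # Explicit empty string; a bare `KEY:` parses as null.
      REPO_INDEXER_INCLUDE: ""
      REPO_INDEXER_EXCLUDE: resources/bin/**
      ####
    service:
      DISABLE_REGISTRATION: true
      # Anonymous visitors can still browse public repositories and
      # profiles. Set to true if the instance should be private.
      REQUIRE_SIGNIN_VIEW: false
      REGISTER_EMAIL_CONFIRM: false
      ENABLE_NOTIFY_MAIL: false
      ALLOW_ONLY_EXTERNAL_REGISTRATION: false
      ENABLE_CAPTCHA: true
      DEFAULT_KEEP_EMAIL_PRIVATE: true
      DEFAULT_ALLOW_CREATE_ORGANIZATION: true
      DEFAULT_ENABLE_TIMETRACKING: true
      NO_REPLY_ADDRESS: noreply.localhost
    mailer:
      ENABLED: false
    openid:
      ENABLE_OPENID_SIGNIN: false
      ENABLE_OPENID_SIGNUP: false
    security:
      INSTALL_LOCK: true
      SECRET_KEY: "???"
      REVERSE_PROXY_LIMIT: 1
      # Restrict this to the addresses of the ingress proxy. A broad range
      # lets arbitrary clients have their forwarded headers trusted.
      REVERSE_PROXY_TRUSTED_PROXIES: "???"
      INTERNAL_TOKEN: "???"
      PASSWORD_HASH_ALGO: "???"

# Ingress resources are owned and managed by the Infrastructure layer.
# The CI/CD ServiceAccount used for application deployments does not have
# permissions to create or modify Ingress objects, by design.
# For ingress setup, check the infra folder.
ingress:
  enabled: false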