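---
# Production values for tekton-cicd Helm chart
# This file overrides values.yaml for production deployment
#
# Installation:
#   helm upgrade --install tekton-cicd infrastructure/cicd/tekton-helm \
#     -n tekton-pipelines \
#     -f infrastructure/cicd/tekton-helm/values.yaml \
#     -f infrastructure/cicd/tekton-helm/values-prod.yaml \
#     --set-string secrets.webhook.token="$TEKTON_WEBHOOK_TOKEN" \
#     --set-string secrets.registry.password="$GITEA_ADMIN_PASSWORD" \
#     --set-string secrets.git.password="$GITEA_ADMIN_PASSWORD"
#
# Required environment variables:
#   TEKTON_WEBHOOK_TOKEN - Secure webhook token (generate with: openssl rand -hex 32)
#   GITEA_ADMIN_PASSWORD - Gitea admin password (must match gitea-admin-secret)
#
# Handling of the secret values:
#   - The variables are double-quoted so the shell does not word-split or glob
#     them, and --set-string keeps Helm from re-typing a value that happens to
#     look like a number or boolean.
#   - Helm treats commas in --set/--set-string values as separators; a password
#     containing a comma or backslash must be escaped, or supplied through an
#     extra values file that is kept out of version control.
#   - Values given on the command line appear in the process list for the
#     duration of the command. Helm also records user-supplied values in the
#     release record stored in the release namespace, so anyone who can read
#     Secrets there (or run `helm get values`) can recover them. Restrict RBAC
#     on the tekton-pipelines namespace accordingly.
#
# NOTE(review): key nesting below must mirror the chart's values.yaml (not
# shown here) - confirm against the chart before deploying.

# Global settings for production
global:
  # Registry configuration - use external HTTPS URL for image references
  # containerd/Docker requires HTTPS for authenticated registries
  registry:
    url: "registry.bakewise.ai/bakery-admin"

  # Git configuration
  git:
    userEmail: "ci@bakewise.ai"

# Pipeline configuration for production
pipeline:
  # Build configuration
  build:
    verbosity: "warn"  # Less verbose in production
    # Use external registry URL for base images (HTTPS required)
    baseRegistry: "registry.bakewise.ai/bakery-admin"

  # Test configuration
  # Kept as quoted strings, as in the original; production runs both tests
  # and lint, so neither gate is bypassed before an image is built.
  test:
    skipTests: "false"
    skipLint: "false"

  # Workspace configuration - ensure storage class exists in production cluster
  workspace:
    size: "10Gi"
    storageClass: "standard"  # Adjust to your production storage class

# Tekton controller settings - increased resources for production
controller:
  replicas: 2
  resources:
    limits:
      cpu: 2000m
      memory: 2Gi
    requests:
      cpu: 200m
      memory: 256Mi

# Tekton webhook settings - increased resources for production
webhook:
  replicas: 2
  resources:
    limits:
      cpu: 1000m
      memory: 1Gi
    requests:
      cpu: 100m
      memory: 128Mi

# Secrets configuration
# IMPORTANT: These MUST be overridden via --set-string flags during deployment
# DO NOT commit actual secrets to this file
#
# NOTE(review): every secret below defaults to the empty string. Whether the
# chart refuses to render when one is left empty cannot be seen from this
# file - confirm the templates enforce it (e.g. with Helm's `required`
# function); otherwise a forgotten flag deploys an empty webhook token or
# password without any error.
secrets:
  # Webhook secret for validating incoming webhooks
  # Override with: --set-string secrets.webhook.token="$TEKTON_WEBHOOK_TOKEN"
  webhook:
    token: ""  # MUST be set via --set-string flag

  # Registry credentials for pushing images
  # Override with: --set-string secrets.registry.password="$GITEA_ADMIN_PASSWORD"
  # NOTE(review): this reuses the Gitea admin password for image pushes. A
  # dedicated CI account or a scoped access token would limit what a leaked
  # pipeline credential can do - confirm whether admin rights are required.
  registry:
    username: "bakery-admin"
    password: ""  # MUST be set via --set-string flag
    # Use external HTTPS URL for image references (containerd requires HTTPS for auth)
    # Kaniko can still push via HTTP internally, but image refs must use HTTPS
    # NOTE(review): a push over plain HTTP sends the registry credentials
    # unencrypted on the cluster network - verify that path is acceptable or
    # move the internal push to HTTPS as well.
    registryUrl: "registry.bakewise.ai"

  # Git credentials for GitOps updates
  # Override with: --set-string secrets.git.password="$GITEA_ADMIN_PASSWORD"
  # NOTE(review): same admin password as the registry credential above, so one
  # leak exposes both image push and Git write access.
  git:
    username: "bakery-admin"
    password: ""  # MUST be set via --set-string flag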