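# Helm values for a standalone MinIO deployment. The {{ .Env.* }} placeholders
# are filled in by a template step before Helm reads this file, so every
# templated scalar is quoted: an empty or odd-looking environment value then
# stays a string instead of turning into null, a number or a boolean.
mode: standalone
# NOTE(review): in the upstream MinIO chart clusterDomain normally names the
# Kubernetes cluster DNS domain (default cluster.local); here it receives the
# external host name. Confirm this is intended.
clusterDomain: "{{ .Env.MINIO_HOST }}"
# Root credentials are read from an existing Secret, not stored in this file.
existingSecret: "minio"

oidc:
  enabled: true
  # Discovery document is fetched over HTTPS from the Keycloak realm.
  configUrl: "https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}/.well-known/openid-configuration"
  # Client id and secret are read from the "minio-oidc" Secret by key name.
  existingClientSecretName: "minio-oidc"
  existingClientIdKey: "clientId"
  existingClientSecretKey: "clientSecret"
  # MinIO derives the user's policies from this token claim, so whoever can
  # set the claim in Keycloak decides MinIO authorization. Keep the backing
  # attribute admin-managed (not user-editable) and verify the mapper emits it.
  claimName: "minioPolicy"
  scopes: "openid,profile,email"
  # Must match a redirect URI registered on the Keycloak client.
  redirectUri: "https://{{ .Env.MINIO_CONSOLE_HOST }}/oauth_callback"
  displayName: "Login with Keycloak"

persistence:
  size: "{{ .Env.MINIO_STORAGE_SIZE }}"

# S3 API ingress, bound to Traefik's "websecure" entrypoint only.
ingress:
  enabled: true
  ingressClassName: traefik
  annotations:
    # Legacy class annotation, redundant with ingressClassName above.
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
  hosts:
    - "{{ .Env.MINIO_HOST }}"
  # No secretName is given, so certificate selection is left to Traefik;
  # confirm a valid certificate is actually served for this host.
  tls:
    - hosts:
        - "{{ .Env.MINIO_HOST }}"

# Console (web UI) ingress; same entrypoint and TLS arrangement as the API.
consoleIngress:
  enabled: true
  ingressClassName: traefik
  annotations:
    # Legacy class annotation, redundant with ingressClassName above.
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
  hosts:
    - "{{ .Env.MINIO_CONSOLE_HOST }}"
  tls:
    - hosts:
        - "{{ .Env.MINIO_CONSOLE_HOST }}"

# Resource configuration based on Goldilocks/VPA recommendations (rounded to clean values)
resources:
  requests:
    cpu: 50m
    memory: 512Mi
  limits:
    cpu: 100m
    memory: 1Gi

# Security context for Pod Security Standards (restricted)
# NOTE(review): whether every field below reaches the rendered pod spec depends
# on the chart version; check the output of `helm template` before relying on it.
securityContext:
  enabled: true
  runAsUser: 1000
  runAsGroup: 1000
  fsGroup: 1000
  fsGroupChangePolicy: "OnRootMismatch"
  seccompProfile:
    type: RuntimeDefault

containerSecurityContext:
  # The root filesystem stays writable. The restricted profile does not require
  # a read-only root, but this is the one hardening control left off here.
  readOnlyRootFilesystem: false
  allowPrivilegeEscalation: false
  runAsNonRoot: true
  runAsUser: 1000
  runAsGroup: 1000
  seccompProfile:
    type: RuntimeDefault
  capabilities:
    drop:
      - ALL

# Security context for init jobs
makeUserJob:
  securityContext:
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
    fsGroupChangePolicy: "OnRootMismatch"
    seccompProfile:
      type: RuntimeDefault
  containerSecurityContext:
    readOnlyRootFilesystem: false
    allowPrivilegeEscalation: false
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
    capabilities:
      drop:
        - ALL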
# Policy-creation job: runs as the unprivileged 1000:1000 identity with the
# runtime's default seccomp profile and every Linux capability dropped.
# NOTE(review): confirm with `helm template` that the chart version in use
# applies these job-level settings to the rendered Job.
makePolicyJob:
  securityContext:
    enabled: true
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
    fsGroupChangePolicy: "OnRootMismatch"
    seccompProfile:
      type: RuntimeDefault
  containerSecurityContext:
    # Root filesystem is left writable for this job.
    readOnlyRootFilesystem: false
    allowPrivilegeEscalation: false
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
    capabilities:
      drop:
        - ALL