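# Helm values for a LibreChat deployment with bundled MongoDB and Meilisearch.
# The {{ .Env.* }} expressions are substituted by a template step before Helm
# reads this file, so review the rendered output as well as this template.
# NOTE(review): the source arrived with its line breaks collapsed; nesting was
# reconstructed from key order. Confirm it against the chart's values schema.

replicaCount: 1

global:
  librechat:
    # Application credentials are read from this existing Secret rather than
    # being written into the values file.
    existingSecretName: "librechat-credentials-env"
    existingSecretApiKey: OPENAI_API_KEY

# NOTE(review): `env` is reconstructed as a top-level key; the collapsed
# source does not show its nesting. Confirm before applying.
{{- if eq .Env.TAVILY_MCP_ENABLED "true" }}
env:
  - name: TAVILY_API_KEY
    valueFrom:
      secretKeyRef:
        name: tavily-api-key
        key: TAVILY_API_KEY
{{- end }}

librechat:
  configEnv:
    # Domain configuration (required for OIDC redirects)
    DOMAIN_CLIENT: "https://{{ .Env.LIBRECHAT_HOST }}"
    DOMAIN_SERVER: "https://{{ .Env.LIBRECHAT_HOST }}"

    # Ollama endpoint (internal k8s service); note this is plain HTTP.
    OLLAMA_BASE_URL: "http://{{ .Env.OLLAMA_HOST }}:11434"

    # OpenID Connect / Keycloak
    ALLOW_SOCIAL_LOGIN: "true"
    OPENID_BUTTON_LABEL: "Login with Keycloak"
    OPENID_ISSUER: "https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}"
    OPENID_CALLBACK_URL: "/oauth/openid/callback"
    OPENID_SCOPE: "openid profile email"

    # Optional: Role-based access control
    # NOTE(review): with these left commented out and
    # ALLOW_SOCIAL_REGISTRATION set to "true", no role requirement is
    # configured here, so presumably any account that can sign in to the
    # realm can obtain a LibreChat account. Enable a required role if the
    # realm is shared with users who should not have access.
    # OPENID_REQUIRED_ROLE_PARAMETER_PATH: "realm_access.roles"
    # OPENID_REQUIRED_ROLE_TOKEN_KIND: "access"

    # Optional: Group sync from Keycloak roles
    # OPENID_SYNC_GROUPS_FROM_TOKEN: "true"
    # OPENID_GROUPS_CLAIM_PATH: "realm_access.roles"
    # OPENID_GROUPS_TOKEN_KIND: "access"

    # Disable email registration (use Keycloak only)
    ALLOW_EMAIL_LOGIN: "false"
    ALLOW_REGISTRATION: "false"
    ALLOW_SOCIAL_REGISTRATION: "true"

    # Debug (set to true for troubleshooting)
    # NOTE(review): debug output of OpenID requests may put token-exchange
    # details into pod logs; switch back to "false" after troubleshooting.
    DEBUG_OPENID_REQUESTS: "false"
    DEBUG_PLUGINS: "false"

  existingSecretName: "librechat-credentials-env"

  # Use external configmap for librechat.yaml
  existingConfigYaml: "librechat-config"

  imageVolume:
    enabled: true
    size: 10Gi
    accessModes: ReadWriteOnce

image:
  # No tag is set here, so the chart's default image tag applies.
  repository: danny-avila/librechat
  registry: ghcr.io
  pullPolicy: IfNotPresent

podSecurityContext:
  fsGroup: 2000

# Container hardening: non-root UID, no added capabilities, no privilege
# escalation, runtime default seccomp profile.
securityContext:
  capabilities:
    drop:
      - ALL
  runAsNonRoot: true
  runAsUser: 1000
  allowPrivilegeEscalation: false
  seccompProfile:
    type: RuntimeDefault

service:
  type: ClusterIP
  port: 3080

ingress:
  enabled: true
  className: "traefik"
  annotations:
    # TLS is requested through the Traefik router annotations; the
    # Ingress-level `tls` list below is left empty.
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
  hosts:
    # Quoted so an empty or special-character expansion stays a string.
    - host: "{{ .Env.LIBRECHAT_HOST }}"
      paths:
        - path: /
          pathType: Prefix
  tls: []

resources:
  requests:
    cpu: 25m
    memory: 512Mi
  limits:
    cpu: 100m
    memory: 1Gi

mongodb:
  enabled: true
  # NOTE(review): authentication is disabled, so the database holding chat
  # data is protected only by who can reach its Service. Either enable auth
  # with credentials taken from a Secret, or restrict access to the LibreChat
  # pods with a NetworkPolicy. Left unchanged here because enabling auth also
  # requires a matching connection string that this file does not show.
  auth:
    enabled: false
  databases:
    - LibreChat
  image:
    # NOTE(review): "latest" is a mutable tag; the image that runs can change
    # between pod restarts without any change to this file. Pin a specific
    # version (or digest) so upgrades are deliberate and reviewable.
    tag: "latest"
  persistence:
    size: 8Gi
  resources:
    requests:
      cpu: 75m
      memory: 512Mi
    limits:
      cpu: 500m
      memory: 2Gi
  podSecurityContext:
    fsGroup: 1001
    seccompProfile:
      type: RuntimeDefault
  containerSecurityContext:
    runAsUser: 1001
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    seccompProfile:
      type: RuntimeDefault
    capabilities:
      drop:
        - ALL

meilisearch:
  enabled: true
  persistence:
    enabled: true
  image:
    tag: "v1.7.3"
  auth:
    # The master key comes from the same Secret as the application
    # credentials.
    existingMasterKeySecret: "librechat-credentials-env"
  resources:
    requests:
      cpu: 25m
      memory: 256Mi
    limits:
      cpu: 100m
      memory: 1Gi
  podSecurityContext:
    fsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
  containerSecurityContext:
    runAsUser: 1000
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    seccompProfile:
      type: RuntimeDefault
    capabilities:
      drop:
        - ALL

librechat-rag-api:
  enabled: false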