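# Default values for temporal-worker.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

# Enable/disable the temporal worker deployment
enabled: true

# Image configuration
image:
  repository: ""  # Set to your container registry and image name
  # `latest` is a mutable tag: combined with pullPolicy Always, pods started
  # at different times can run different image content under the same name.
  # For production, override with an immutable version tag or an image digest
  # so rollouts are reproducible and auditable.
  tag: latest
  pullPolicy: Always
  is_private: true
  credentials: ""  # Set to your registry credentials secret name

# Number of replicas
replicaCount: 2

# Rolling update configuration
rollingUpdate:
  maxSurge: 1
  maxUnavailable: 0

# Service configuration
service:
  type: ClusterIP
  port: 8080

# Temporal configuration
temporal:
  # Address of the Temporal frontend service (quoted so the host:port value is
  # always read as a string).
  # NOTE(review): no TLS/mTLS settings for this connection appear in these
  # values; confirm how worker-to-frontend traffic is protected.
  address: "temporal-frontend.temporal.svc.cluster.local:7233"
  # Temporal namespace to use
  namespace: default
  # Task queue name (comma-separated for multiple queues)
  taskQueue: tenant-workflows,portal-domain-workflows,email-domain-workflows
  # Maximum concurrent activity executions
  maxConcurrentActivityExecutions: 10
  # Maximum concurrent workflow task executions
  maxConcurrentWorkflowTaskExecutions: 10

# NM Store configuration
nm_store:
  baseUrl: ""  # Set to your NM Store service URL

# Logging configuration
logLevel: info

# Encryption configuration (should match main application)
# NOTE(review): these look like key-derivation / password-hash parameters
# (presumably PBKDF2-style; confirm in the application code). If so, 10000
# iterations is well below current OWASP guidance for PBKDF2-HMAC-SHA512
# (210,000). Raising it requires a coordinated change in the main application,
# because both sides must use the same parameters.
encryption:
  saltBytes: "12"
  iterations: "10000"
  keyLength: "64"
  algorithm: sha512

# Vault configuration for secret management
# While this is disabled, the worker uses the `secrets` block below.
vault:
  enabled: false  # Enable in production
  role: temporal-worker
  secretPath: secret/data/app/temporal-worker
  sharedSecretPath: secret/data/app/shared

# Local secrets (used when Vault is disabled)
# IMPORTANT: Change these in production!
# The placeholder strings below are publicly known, so a release that keeps
# them has guessable secrets. Supply real values at install time from a secret
# store and keep them out of version control.
# NOTE(review): templates are not visible here; consider failing the render
# (Helm `required` / `fail`) when Vault is disabled and a value still equals
# the placeholder.
secrets:
  internalApiSharedSecret: "change-me-in-production"
  algaAuthKey: "change-me-in-production"
  nextauthSecret: "change-me-in-production"

# Service Account configuration
serviceAccount:
  # Annotations to add to the service account
  annotations: {}
  # Automatically mount service account token
  # NOTE(review): assumed to nest under serviceAccount; confirm against the
  # templates. The token gives every worker pod Kubernetes API credentials;
  # presumably it is needed for Vault Kubernetes auth and/or the TLS secret
  # sync under portalDomain. Set to false if neither is in use.
  automountServiceAccountToken: true

# Resource limits and requests
resources:
  limits:
    cpu: 1000m
    memory: 1Gi
  requests:
    cpu: 200m
    memory: 512Mi

# Horizontal Pod Autoscaler configuration
autoscaling:
  enabled: true
  minReplicas: 2
  maxReplicas: 10
  targetCPUUtilizationPercentage: 70
  targetMemoryUtilizationPercentage: 80
  behavior:
    scaleDown:
      stabilizationWindowSeconds: 300
      policies:
        - type: Percent
          value: 10
          periodSeconds: 60
        - type: Pods
          value: 1
          periodSeconds: 60
    scaleUp:
      stabilizationWindowSeconds: 60
      policies:
        - type: Percent
          value: 100
          periodSeconds: 60
        - type: Pods
          value: 2
          periodSeconds: 60

# Pod Disruption Budget configuration
podDisruptionBudget:
  enabled: true
  minAvailable: 1

# Health check probe configuration
livenessProbe:
  initialDelaySeconds: 60
  periodSeconds: 30
  timeoutSeconds: 10
  failureThreshold: 3
  successThreshold: 1

readinessProbe:
  initialDelaySeconds: 30
  periodSeconds: 10
  timeoutSeconds: 5
  failureThreshold: 3
  successThreshold: 1

# Pod annotations
podAnnotations: {}

# Pod security context
podSecurityContext: {}
  # fsGroup: 2000

# Security context
# Empty by default, so the container runs with whatever user, capabilities and
# filesystem access the image and runtime provide. The commented settings are
# a hardening baseline; enable them once the image is confirmed to run as a
# non-root user with a read-only root filesystem.
securityContext: {}
  # allowPrivilegeEscalation: false
  # capabilities:
  #   drop:
  #     - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000

# Node selector for pod assignment
nodeSelector: {}

# Tolerations for pod assignment
tolerations: []

# Affinity rules for pod assignment
affinity: {}

# Additional environment variables
# Prefer secret references over literal values for anything sensitive added
# here, since literal values end up in the rendered manifest.
extraEnv: []
  # - name: EXTRA_VAR
  #   value: "extra-value"

# Auth configuration
auth:
  nextauthSecretSecret:
    name: ""
    key: NEXTAUTH_SECRET

# Portal domain management configuration
portalDomain:
  # Namespace where TLS certificates are issued (source secrets)
  certificateNamespace: ""  # Set to your certificate namespace
  # Namespace where gateway resources (and replicated TLS secrets) live when
  # secret replication is enabled
  gatewayNamespace: ""
  # Whether to create RBAC bindings that allow the worker to sync TLS secrets
  # NOTE(review): the bindings are not visible here; confirm they are Roles
  # limited to secrets in the two namespaces above rather than cluster-wide
  # secret access.
  secretReplicationEnabled: false
  # Optional base VirtualService reference for portal-domain workflows.
  # NOTE(review): the format placeholder was lost in this copy; it appears to
  # be <namespace>/<name>. Confirm against the templates.
  # Leave empty when portal-domain routing is not managed in this environment.
  baseVirtualService: ""

# Additional volumes
extraVolumes: []
  # - name: extra-volume
  #   configMap:
  #     name: extra-configmap

# Additional volume mounts
extraVolumeMounts: []
  # - name: extra-volume
  #   mountPath: /extra
  #   readOnly: true

# Database configuration
# These values should be provided by the parent chart or overridden in production
db:
  host: "postgresql.default.svc.cluster.local"
  port: "5432"
  serverDatabase: "app_server"
  user: "app_user_pgbouncer"
  # Secret references for passwords
  serverPasswordSecret:
    name: "db-secrets"
    key: "pgbouncer-password"
  # NOTE(review): this references an admin database credential in addition to
  # the pgbouncer user. Confirm the worker needs it, and keep the role behind
  # it as narrowly scoped as the workflows allow.
  adminPasswordSecret:
    name: "db-secrets"
    key: "admin-password"

# Email configuration
email:
  resendApiKeySecret:
    name: "app-secrets"
    key: "RESEND_API_KEY"

# Stripe configuration (for billing integration during tenant creation)
stripe:
  # Stripe API secret key - should be provided via Kubernetes secret
  secretKeySecret:
    name: "stripe-credentials"
    key: "STRIPE_SECRET_KEY"
  # Master billing tenant ID (organization tenant ID for billing operations)
  # NOTE(review): assumed to nest under stripe; confirm against the templates.
  masterBillingTenantId: ""  # Should be set via override or secret

# Application configuration
applicationUrl: ""  # Set to your application URL (e.g., https://example.com)

# Namespace override (optional)
namespace: ""

# Name overrides
nameOverride: ""
fullnameOverride: ""

# Pod labels
podLabels: {}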