orchard/helm/orchard/values-dev.yaml

# Values for feature branch deployments (ephemeral dev environments)
# Hostnames are overridden by CI pipeline via --set flags
replicaCount: 1

image:
  repository: registry.global.bsf.tools/esv/bsf/bsf-integration/orchard/orchard-mvp
  pullPolicy: Always
  tag: "latest"  # Overridden by CI

imagePullSecrets:
  - name: orchard-pull-secret

initContainer:
  image:
    repository: containers.global.bsf.tools/busybox
    tag: "1.36"
    pullPolicy: IfNotPresent

serviceAccount:
  create: true
  automount: true
  annotations: {}
  name: ""  # Auto-generated based on release name

podAnnotations: {}
podLabels: {}

podSecurityContext: {}

securityContext:
  readOnlyRootFilesystem: false
  runAsNonRoot: true
  runAsUser: 1000

service:
  type: ClusterIP
  port: 8080

# Ingress - hostnames overridden by CI pipeline
ingress:
  enabled: true
  className: "nginx"
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt"
    nginx.ingress.kubernetes.io/proxy-body-size: "0"  # Disable body size limit for uploads
  hosts:
    - host: orchard-dev.common.global.bsf.tools  # Overridden by CI
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: orchard-tls  # Overridden by CI
      hosts:
        - orchard-dev.common.global.bsf.tools  # Overridden by CI

# Resources for dev/feature environments
# Bumped to handle concurrent integration tests
# Note: memory requests must equal limits per cluster policy
resources:
  limits:
    cpu: 500m
    memory: 1Gi
  requests:
    cpu: 200m
    memory: 1Gi

livenessProbe:
  httpGet:
    path: /health
    port: http
  initialDelaySeconds: 10
  periodSeconds: 10

readinessProbe:
  httpGet:
    path: /health
    port: http
  initialDelaySeconds: 5
  periodSeconds: 5

autoscaling:
  enabled: false

nodeSelector: {}
tolerations: []
affinity: {}

orchard:
  env: "development"  # Allows seed data for testing
  server:
    host: "0.0.0.0"
    port: 8080

  # Authentication settings
  # Admin password is set via CI variable (DEV_ADMIN_PASSWORD) passed as --set flag
  # This keeps the password out of version control

  database:
    host: ""
    port: 5432
    user: orchard
    password: ""
    dbname: orchard
    sslmode: disable
    existingSecret: ""
    existingSecretPasswordKey: "password"
    # Increased pool settings for concurrent integration tests
    poolSize: 10
    maxOverflow: 20
    poolTimeout: 60

  s3:
    endpoint: ""
    region: us-east-1
    bucket: orchard-artifacts
    accessKeyId: ""
    secretAccessKey: ""
    usePathStyle: true
    existingSecret: ""
    existingSecretAccessKeyKey: "access-key-id"
    existingSecretSecretKeyKey: "secret-access-key"

  download:
    mode: "presigned"
    presignedUrlExpiry: 3600

  # PyPI Cache Worker settings (reduced workers to limit memory usage)
  pypiCache:
    workers: 1
    maxDepth: 10
    maxAttempts: 3

  # Relaxed rate limits for dev/feature environments (allows integration tests to run)
  rateLimit:
    login: "1000/minute"  # Default is 5/minute, relaxed for CI integration tests

# PostgreSQL - ephemeral, no persistence
postgresql:
  enabled: true
  image:
    registry: containers.global.bsf.tools
    repository: bitnami/postgresql
    tag: "15"
    pullPolicy: IfNotPresent
  auth:
    username: orchard
    password: orchard-password
    database: orchard
  primary:
    persistence:
      enabled: false
    # Bumped resources for concurrent integration tests
    # Note: memory requests must equal limits per cluster policy
    resourcesPreset: "none"
    resources:
      limits:
        cpu: 500m
        memory: 512Mi
      requests:
        cpu: 200m
        memory: 512Mi
  # Volume permissions init container
  volumePermissions:
    resourcesPreset: "none"
    resources:
      limits:
        cpu: 50m
        memory: 64Mi
      requests:
        cpu: 10m
        memory: 64Mi

# MinIO - ephemeral, no persistence
minio:
  enabled: true
  image:
    registry: containers.global.bsf.tools
    repository: bitnami/minio
    tag: "latest"
    pullPolicy: IfNotPresent
  auth:
    rootUser: minioadmin
    rootPassword: minioadmin
  defaultBuckets: "orchard-artifacts"
  persistence:
    enabled: false
  # Bumped resources for concurrent integration tests
  # Note: memory requests must equal limits per cluster policy
  resourcesPreset: "none"  # Disable preset to use explicit resources
  resources:
    limits:
      cpu: 500m
      memory: 512Mi
    requests:
      cpu: 200m
      memory: 512Mi
  # Init container resources
  defaultInitContainers:
    volumePermissions:
      resourcesPreset: "none"
      resources:
        limits:
          cpu: 50m
          memory: 64Mi
        requests:
          cpu: 10m
          memory: 64Mi
  # Provisioning job resources
  provisioning:
    resources:
      limits:
        cpu: 100m
        memory: 128Mi
      requests:
        cpu: 50m
        memory: 128Mi

# MinIO ingress - hostname overridden by CI
minioIngress:
  enabled: true
  className: "nginx"
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt"
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
  host: "minio-dev.common.global.bsf.tools"  # Overridden by CI
  tls:
    enabled: true
    secretName: minio-tls  # Overridden by CI

redis:
  enabled: true

waitForDatabase: true

global:
  security:
    allowInsecureImages: true