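# Gravitee APIM OSS - prod-like single-node k3s deployment
# - Domain: gravitee.sttlab.pc
# - Ingress: nginx
# - TLS on every ingress host, and HTTPS on the gateway and management API
#   listeners. NOTE(review): the console (ui) and developer portal (portal)
#   ingresses below still proxy to their pods over plain HTTP — the
#   "TLS everywhere" claim holds only for the Java components unless those
#   two are also given a TLS listener and backend-protocol HTTPS.
# - Credentials resolved at runtime via Gravitee Secret Manager (kubernetes
#   provider); no secret material is stored in this file.

adminAccountEnable: true
adminPasswordBcrypt: "secret://kubernetes/gravitee-admin:admin-password-bcrypt"
jwtSecret: "secret://kubernetes/gravitee-jwt:GRAVITEE_JWT_SECRET"

# ============================================================
# MongoDB (management + ratelimit, same URI)
# ============================================================
mongo:
  uri: "secret://kubernetes/gravitee-mongodb-uri:GRAVITEE_MANAGEMENT_MONGODB_URI"

# ============================================================
# Elasticsearch
# ============================================================
# The endpoint is HTTPS; the CA that signed the ES certificate must be present
# in the JVM truststore mounted below (truststore.p12), otherwise reporting and
# analytics fail at TLS handshake time. Credentials come from the secret manager.
es:
  endpoints:
    - "https://gravitee-es-master.gravitee-apim.svc.cluster.local:9200"
  security:
    enabled: true
    username: "secret://kubernetes/gravitee-es-master-credentials:username"
    password: "secret://kubernetes/gravitee-es-master-credentials:password"

# ============================================================
# Kubernetes Secret Provider
# ============================================================
# Resolves every "secret://kubernetes/<secret>:<key>" reference in this file.
# The component ServiceAccounts need RBAC read access to the referenced
# Secrets in this namespace — keep that Role scoped to the named Secrets only,
# not a namespace-wide "get/list secrets".
secrets:
  kubernetes:
    enabled: true
    namespace: gravitee-apim
    timeoutMs: 3000

# ============================================================
# API Gateway (data plane) - 2 replicas
# ============================================================
gateway:
  enabled: true
  replicaCount: 2
  api:
    properties:
      encryption:
        secret: "secret://kubernetes/gravitee-encryption:api-properties-encryption-secret"
  # Internal TLS material (server keystore + CA truststore), mounted read-only.
  extraVolumes: |
    - name: gateway-internal-tls
      secret:
        secretName: gateway-internal-tls
        items:
          - key: keystore.p12
            path: keystore.p12
          - key: truststore.p12
            path: truststore.p12
  extraVolumeMounts: |
    - name: gateway-internal-tls
      mountPath: /run/secrets/tls
      readOnly: true
  env:
    # JKS_PASSWORD must precede JAVA_OPTS: Kubernetes only expands $(VAR)
    # for variables defined earlier in the same env list.
    - name: JKS_PASSWORD
      valueFrom:
        secretKeyRef:
          name: gravitee-jks-password
          key: password
    # NOTE(review): the truststore password ends up on the JVM command line,
    # readable via /proc/<pid>/cmdline by anyone who can exec into the pod or
    # list processes on the node. A truststore holds only public CA certs, so
    # consider an unprotected PKCS12 truststore and dropping the password
    # property — TODO confirm the bundled JVM accepts it without one.
    - name: JAVA_OPTS
      value: "-Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStore=/run/secrets/tls/truststore.p12 -Djavax.net.ssl.trustStorePassword=$(JKS_PASSWORD)"
  # Enable HTTPS on the gateway listener (port 8082)
  ssl:
    enabled: true
    keystore:
      type: pkcs12
      path: /run/secrets/tls/keystore.p12
      password: "secret://kubernetes/gravitee-jks-password:password"
  resources:
    requests:
      cpu: 200m
      memory: 512Mi
    limits:
      cpu: 1000m
      memory: 1Gi
  service:
    type: ClusterIP
    externalPort: 443
    internalPort: 8082
  ingress:
    enabled: true
    ingressClassName: nginx
    annotations:
      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
      # Verify the gateway's certificate against our internal CA. The
      # referenced Secret is expected to carry the CA bundle under "ca.crt".
      nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
      nginx.ingress.kubernetes.io/proxy-ssl-secret: "gravitee-apim/gravitee-ca-trust"
      # Hostname the backend certificate is verified against. Set through the
      # dedicated annotation instead of a configuration-snippet: snippet
      # annotations are disabled by default in ingress-nginx
      # (allow-snippet-annotations) and enabling them cluster-wide lets any
      # Ingress author inject raw nginx config.
      nginx.ingress.kubernetes.io/proxy-ssl-name: "gateway.gravitee.sttlab.pc"
    hosts:
      - gateway.gravitee.sttlab.pc
    path: /
    pathType: Prefix
    tls:
      - hosts:
          - gateway.gravitee.sttlab.pc
        secretName: gateway-tls
  autoscaling:
    enabled: false

# ============================================================
# Management API (control plane) - 1 replica
# ============================================================
api:
  enabled: true
  replicaCount: 1
  api:
    properties:
      encryption:
        secret: "secret://kubernetes/gravitee-encryption:api-properties-encryption-secret"
  # Internal TLS material (server keystore + CA truststore), mounted read-only.
  extraVolumes: |
    - name: api-internal-tls
      secret:
        secretName: api-internal-tls
        items:
          - key: keystore.p12
            path: keystore.p12
          - key: truststore.p12
            path: truststore.p12
  extraVolumeMounts: |
    - name: api-internal-tls
      mountPath: /run/secrets/tls
      readOnly: true
  env:
    # JKS_PASSWORD must precede JAVA_OPTS: Kubernetes only expands $(VAR)
    # for variables defined earlier in the same env list.
    - name: JKS_PASSWORD
      valueFrom:
        secretKeyRef:
          name: gravitee-jks-password
          key: password
    # NOTE(review): same caveat as the gateway — the truststore password is
    # visible on the JVM command line inside the pod.
    - name: JAVA_OPTS
      value: "-Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStore=/run/secrets/tls/truststore.p12 -Djavax.net.ssl.trustStorePassword=$(JKS_PASSWORD)"
  # Internal (core) API on 18083. NOTE(review): binding to 0.0.0.0 makes it
  # reachable from any pod in the cluster, not just localhost; no
  # authentication settings for it are configured in this file, so whatever
  # the chart defaults to applies — TODO confirm, and set its password from a
  # secret:// reference and/or fence the port with a NetworkPolicy.
  http:
    services:
      core:
        http:
          enabled: true
          port: 18083
          host: 0.0.0.0
  # Enable HTTPS on Management API + Portal API listeners.
  # NOTE(review): the flattened source did not preserve nesting; this follows
  # the gateway stanza (<component>.ssl) — confirm against the chart schema.
  ssl:
    enabled: true
    keystore:
      type: pkcs12
      path: /run/secrets/tls/keystore.p12
      password: "secret://kubernetes/gravitee-jks-password:password"
  resources:
    requests:
      cpu: 200m
      memory: 2Gi
    limits:
      cpu: 1000m
      memory: 2Gi
  ingress:
    management:
      enabled: true
      ingressClassName: nginx
      annotations:
        nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
        nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
        nginx.ingress.kubernetes.io/proxy-ssl-secret: "gravitee-apim/gravitee-ca-trust"
        # Dedicated annotation rather than a configuration-snippet (see gateway).
        nginx.ingress.kubernetes.io/proxy-ssl-name: "api.gravitee.sttlab.pc"
      path: /management
      pathType: Prefix
      hosts:
        - api.gravitee.sttlab.pc
      tls:
        - hosts:
            - api.gravitee.sttlab.pc
          secretName: api-tls
    portal:
      enabled: true
      ingressClassName: nginx
      annotations:
        nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
        nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
        nginx.ingress.kubernetes.io/proxy-ssl-secret: "gravitee-apim/gravitee-ca-trust"
        # Dedicated annotation rather than a configuration-snippet (see gateway).
        nginx.ingress.kubernetes.io/proxy-ssl-name: "api.gravitee.sttlab.pc"
      path: /portal
      pathType: Prefix
      hosts:
        - api.gravitee.sttlab.pc
      tls:
        - hosts:
            - api.gravitee.sttlab.pc
          secretName: api-tls

# ============================================================
# Management UI (Console) - 1 replica
# ============================================================
# Static frontend; ingress -> pod is plain HTTP (no backend-protocol
# annotation), so only the client-facing hop is encrypted here.
ui:
  enabled: true
  replicaCount: 1
  resources:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: 500m
      memory: 256Mi
  ingress:
    enabled: true
    ingressClassName: nginx
    annotations:
      # Regex path with no rewrite-target: the full request path is passed
      # through unchanged (unlike the portal ingress below).
      nginx.ingress.kubernetes.io/use-regex: "true"
    hosts:
      - console.gravitee.sttlab.pc
    path: /(.*)
    pathType: ImplementationSpecific
    tls:
      - hosts:
          - console.gravitee.sttlab.pc
        secretName: console-tls

# ============================================================
# Developer Portal UI - 1 replica
# ============================================================
# Static frontend; ingress -> pod is plain HTTP, as for the console.
portal:
  enabled: true
  replicaCount: 1
  resources:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: 500m
      memory: 256Mi
  ingress:
    enabled: true
    ingressClassName: nginx
    annotations:
      nginx.ingress.kubernetes.io/use-regex: "true"
      # Strip nothing in practice ("/(.*)" -> "/$1"), but keeps the path
      # rewritten explicitly; must stay in sync with the regex in "path".
      nginx.ingress.kubernetes.io/rewrite-target: /$1
    hosts:
      - portal.gravitee.sttlab.pc
    path: /(.*)
    pathType: ImplementationSpecific
    tls:
      - hosts:
          - portal.gravitee.sttlab.pc
        secretName: portal-tls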