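# Default values for radar.
#
# The line structure of this file is significant: with the keys collapsed onto
# a comment line, everything after the first "#" is parsed as comment text and
# none of the defaults below take effect.

replicaCount: 1

image:
  repository: ghcr.io/skyhook-io/radar
  pullPolicy: IfNotPresent
  # Overrides the image tag whose default is the chart appVersion.
  # NOTE(review): a tag is a mutable reference; whether this chart accepts an
  # image digest is not visible in this file - confirm against the templates.
  tag: ""

imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""

serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""

# RBAC configuration
rbac:
  # Create ClusterRole and ClusterRoleBinding.
  # These are cluster-scoped objects, so every permission enabled below applies
  # in all namespaces, not only the release namespace.
  create: true
  # Additional rules to add to the ClusterRole.
  # Rules listed here are granted cluster-wide like the built-in ones; keep
  # verbs and resources as narrow as the feature requires.
  additionalRules: []

  # Privileged permissions (disabled by default for security)
  # Enable these based on features you need:
  # NOTE(review): presumably these permissions are exercised by the Radar
  # service account for whoever can reach the UI - confirm how access to the
  # service is restricted before turning any of them on.

  # Allow Helm write operations (install, upgrade, rollback, uninstall, apply values)
  # Requires broad permissions - grants create/update/patch/delete on all resource types,
  # since Helm charts can create any kind of Kubernetes resource.
  # Automatically enables secrets read access (needed for Helm release storage).
  helm: false

  # Allow reading secrets (shows secrets in resource list)
  secrets: false

  # Allow pod exec (enables terminal feature)
  # Exec into a pod gives access to everything mounted in it, including its
  # service account token and any mounted secrets.
  podExec: false

  # Allow pod logs (enables log viewer)
  # This is relatively safe - only reads logs, no write access
  # Logs can still contain credentials, tokens or personal data written by
  # applications; set to false where log content is sensitive.
  podLogs: true

  # Allow port forwarding (enables port forward feature)
  # Port forwarding reaches pod ports that are not exposed through a Service
  # or Ingress.
  portForward: false

  # Traffic visibility (Hubble/Cilium integration)
  # Grants read access ONLY to hubble-relay-client-certs secret for TLS auth
  # This is a Secret read that is on by default; set to false when the
  # Hubble/Cilium integration is not used.
  traffic: true

  # CRD access - all common groups enabled by default
  # Granting RBAC for CRDs that don't exist has no effect.
  # A grant for an absent CRD becomes effective as soon as that CRD is
  # installed later; disable the groups Radar should not be able to read.
  crdGroups:
    # Set to true to grant read access to ALL CRDs (overrides individual settings below)
    # Simpler but broader permissions - some orgs may not allow this
    all: false

    argo: true  # argoproj.io
    awx: true  # awx.ansible.com
    certManager: true  # cert-manager.io
    cloudnativePg: true  # cloudnative-pg.io
    crossplane: true  # crossplane.io, pkg.crossplane.io
    descheduler: true  # descheduler.alpha.kubernetes.io
    envoyGateway: true  # gateway.envoyproxy.io
    externalDns: true  # externaldns.k8s.io
    externalSecrets: true  # external-secrets.io
    flux: true  # *.toolkit.fluxcd.io
    gatewayApi: true  # gateway.networking.k8s.io
    gcpMonitoring: true  # monitoring.googleapis.com
    grafana: true  # monitoring.grafana.com, tempo/loki/grafana.integreatly.org
    istio: true  # networking.istio.io, security.istio.io
    karpenter: true  # karpenter.sh, karpenter.k8s.aws
    keda: true  # keda.sh
    knative: true  # serving.knative.dev, eventing.knative.dev
    kubeshark: true  # kubeshark.io
    kured: true  # kured.io
    kyverno: true  # kyverno.io, wgpolicyk8s.io, reports.kyverno.io
    mariadb: true  # mariadb.mmontes.io
    nginx: true  # nginx.org
    openshift: true  # observability.openshift.io
    opentelemetry: true  # opentelemetry.io
    prometheus: true  # monitoring.coreos.com
    reflector: true  # reflector.v1.k8s.emberstack.com
    reloader: true  # reloader.stakater.com
    sealedSecrets: true  # sealed-secrets.bitnami.com
    strimzi: true  # strimzi.io, kafka.strimzi.io
    tekton: true  # tekton.dev
    traefik: true  # traefik.io, traefik.containo.us
    velero: true  # velero.io

  # Additional CRD API groups for custom/unlisted CRDs
  # Example: ["mycompany.io", "custom.example.com"]
  additionalCrdGroups: []

podAnnotations: {}

# Pod-level identity: fixed non-root UID/GID, volumes group-owned by fsGroup.
podSecurityContext:
  runAsNonRoot: true
  runAsUser: 65532
  runAsGroup: 65532
  fsGroup: 65532

# Container-level hardening: no privilege escalation, read-only root
# filesystem, all Linux capabilities dropped.
# NOTE(review): no seccompProfile is set in these defaults - confirm whether
# the template or the cluster default supplies one.
securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 65532
  capabilities:
    drop:
      - ALL

service:
  type: ClusterIP
  port: 9280

# Ingress is off by default, so the UI is reachable only inside the cluster.
# NOTE(review): no authentication setting is visible in these values. When
# enabling the ingress, configure tls below and place access control in front
# of the UI - TODO confirm how Radar authenticates users.
ingress:
  enabled: false
  className: ""
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  hosts:
    - host: radar.example.com
      paths:
        - path: /
          pathType: Prefix
  # Empty list means no TLS section is configured for the hosts above.
  tls: []
  #  - secretName: radar-tls
  #    hosts:
  #      - radar.example.com

resources:
  limits:
    cpu: 500m
    memory: 512Mi
  requests:
    cpu: 100m
    memory: 128Mi

# Timeline storage configuration
timeline:
  # Storage backend: "memory" or "sqlite"
  storage: memory
  # Path to SQLite database (only used when storage is "sqlite")
  # Note: Requires a PVC when using sqlite
  dbPath: /data/timeline.db
  # Maximum number of events to retain
  historyLimit: 10000

# Traffic source configuration
traffic:
  # Manual Prometheus/VictoriaMetrics URL (bypasses auto-discovery)
  # Use this when auto-discovery doesn't find your metrics service.
  # Examples:
  #   http://prometheus-server.monitoring:80
  #   http://vmsingle.victoria-metrics:8428
  #   http://vmselect.victoria-metrics:8481/select/0/prometheus
  prometheusUrl: ""

# Persistence for SQLite timeline storage
# Required when timeline.storage is "sqlite" (readOnlyRootFilesystem prevents local writes)
persistence:
  enabled: false
  # storageClassName: ""
  accessMode: ReadWriteOnce
  size: 1Gi

nodeSelector: {}

tolerations: []

affinity: {}

# Additional environment variables
# NOTE(review): presumably passed through as container env entries; reference
# sensitive values from a Secret rather than writing them here as literals.
env: []
  # - name: DEBUG
  #   value: "true"

# Liveness and readiness probes
probes:
  liveness:
    enabled: true
    initialDelaySeconds: 10
    periodSeconds: 30
    timeoutSeconds: 5
    failureThreshold: 3
  readiness:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 3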