values.yaml

# =============================================================================
# BunkerWeb Helm Chart Values
# =============================================================================
# This file contains all configurable values for the BunkerWeb Helm chart.
# For more information about BunkerWeb configuration, visit:
# https://docs.bunkerweb.io/

# =============================================================================
# GLOBAL CONFIGURATION
# =============================================================================
# These settings apply to all components unless overridden

# Global image pull secrets for private registries
# Example: imagePullSecrets: [{"name": "myregistry-secret"}]
imagePullSecrets: []

# Override the chart name (default: chart name)
nameOverride: ""

# Override the namespace (default: release namespace)
namespaceOverride: ""

# Override the full resource name (default: release-chart)
fullnameOverride: ""

# Node selector for all pods (can be overridden per component)
# Example: nodeSelector: {"kubernetes.io/arch": "amd64"}
nodeSelector: {}

# Tolerations for all pods (can be overridden per component)
# Example: tolerations: [{"key": "node-role", "operator": "Equal", "value": "master", "effect": "NoSchedule"}]
tolerations: []

# Topology spread constraints for better pod distribution
# Example: topologySpreadConstraints: [{"maxSkew": 1, "topologyKey": "kubernetes.io/hostname", "whenUnsatisfiable": "DoNotSchedule"}]
topologySpreadConstraints: []

# =============================================================================
# BUNKERWEB CORE SETTINGS
# =============================================================================
# Configuration for BunkerWeb behavior in Kubernetes environment

settings:
  # ----- SECRET MANAGEMENT -----
  # Specify the name of an existing secret containing sensitive parameters.
  # When using this, the following keys should be present:
  #   - database-uri      : Database connection string
  #   - redis-username    : Redis username (if authentication enabled)
  #   - redis-password    : Redis password
  #   - admin-username    : UI admin username
  #   - admin-password    : UI admin password
  #   - flask-secret      : Flask session secret
  #   - totp-secrets      : TOTP secrets for 2FA
  #   - mariadb-user      : MariaDB username
  #   - mariadb-password  : MariaDB password
  #   - pro-license-key   : BunkerWeb Pro license key
  #   - api-token         : API Bearer token
  #   - api-username      : API username, also require api-password
  #   - api-password      : API password, also require api-username
  existingSecret: ""

  # ----- KUBERNETES INTEGRATION -----
  kubernetes:
    # Comma-separated list of namespaces to monitor for Ingress resources
    # Empty string means all namespaces (requires cluster-wide permissions)
    # Example: "default,production,staging"
    namespaces: ""

    # Ingress class name that BunkerWeb will handle
    # Must match the IngressClass resource name
    ingressClass: ""

    # Kubernetes cluster domain name for service discovery
    domainName: "cluster.local"

    # Annotations to be ignored by bunkerweb-controller when multiple ingress controllers (comma-separated)
    ignoreAnnotations: ""

  # ----- GENERAL CONFIGURATION -----
  misc:
    # Database connection URI (auto-generated if using internal MariaDB)
    # Format: mysql+pymysql://user:password@host:port/database
    databaseUri: ""

    # DNS resolvers for BunkerWeb (space-separated)
    # Default uses CoreDNS service in kube-system namespace
    dnsResolvers: "coredns.kube-system.svc.cluster.local"

    # IP ranges allowed to access BunkerWeb API (space-separated CIDR blocks)
    # Includes common Kubernetes and private network ranges
    apiWhitelistIp: "127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

  # ----- REDIS CONFIGURATION -----
  redis:
    # Enable Redis for caching and persistence
    # Recommended for production environments
    useRedis: "yes"

    # Redis hostname (auto-configured if using internal Redis)
    redisHost: ""

    # Redis authentication (leave empty if not using auth)
    redisUsername: ""
    redisPassword: ""

  # ----- WEB UI CONFIGURATION -----
  ui:
    # Enable the setup wizard on first launch
    wizard: true

    # if using new Gateway API integration instead of ingress resources
    # HTTP routes configuration for UI access
    httpRoutes:
      # Enable HTTP routes for UI access
      enabled: false
      # GatewayClass name to use
      gatewayClassName: ""
      # Domain name for UI access
      # Example: "bunkerweb-ui.example.com"
      serverName: ""
      # Path for UI access
      serverPath: "/"
      # Additional annotations for the httpRoute resource
      # Example: {"cert-manager.io/cluster-issuer": "letsencrypt-prod"}
      extraAnnotations: {}
      # Secret name containing TLS certificate
      # Leave empty to disable HTTPS
      tlsSecretName: ""

    # Ingress configuration for UI access
    ingress:
      # Set to true to create an Ingress resource for the UI
      enabled: false
      # IngressClass name to use
      ingressClassName: ""
      # Domain name for UI access
      # Example: "bunkerweb-ui.example.com"
      serverName: ""
      # Path for UI access (usually "/")
      serverPath: "/"
      # Additional annotations for the Ingress resource
      # Example: {"cert-manager.io/cluster-issuer": "letsencrypt-prod"}
      extraAnnotations: {}
      # Secret name containing TLS certificate
      # Leave empty to disable HTTPS
      tlsSecretName: ""

    # UI authentication settings
    adminUsername: ""
    adminPassword: ""

    # Override admin credentials on startup
    # Set to "yes" to reset admin credentials to the values above
    overrideAdminCreds: "no"

    # Flask session secret (auto-generated if empty)
    flaskSecret: ""

    # TOTP secrets for two-factor authentication
    totpSecrets: ""

    # Maximum upload size in bytes (default: 50MB)
    maxContentLength: ""
    # Max requests before Gunicorn worker restart
    maxRequests: ""

  api:
    # Authentication settings
    # https://docs.bunkerweb.io/latest/api/#authentication
    # Choose at least one method of authentication
    # API Bearer Token
    useBearerToken:
      # If enable, it will use settings.existingSecret
      fromExistingSecret: false
      # If not using existingSecret, set the token here
      token: ""
    # Username and Password
    useUserPass:
      # If enable, it will use settings.existingSecret
      fromExistingSecret: false
      # If not using existingSecret, set the credentials here
      apiUsername: ""
      apiPassword: ""
    # OR/AND ConfigMap name that includes ACL based JSON File
    # https://docs.bunkerweb.io/latest/api/#permissions-acl
    apiAclBootstrapFile: ""

    # API Configuration
    # https://docs.bunkerweb.io/latest/api/#configuration
    # Root path for the API
    rootPath: ""
    # URL for API documentation, set to an empty value to disable
    docsUrl: "/docs"
    # URL for ReDoc API documentation, set to an empty value to disable
    redocUrl: "/redoc"
    # URL for OpenAPI specification, set to an empty value to disable
    openApiUrl: "/openapi.json"
    # Max requests before Gunicorn worker restart
    maxRequests: ""
    # Forwarded allow IPs for correct client IP detection
    forwardedAllowIps: "*"
    # Whitelist configuration for API access
    whitelist:
      # Enable API whitelist functionality
      enabled: true
      # space-separated list of IPs/CIDR allowed to access the API
      whitelistIps: "10.0.0.0/8 127.0.0.1/32 127.0.0.0/8"

    # Rate limiting configuration for API access
    # https://docs.bunkerweb.io/latest/api/#rate-limiting
    rateLimit:
      # Enable request rate limiting
      enabled: false
      # Strategy: "fixed-window" or "moving-window" or "sliding-window"
      # https://limits.readthedocs.io/en/stable/strategies.html
      strategy: "fixed-window"
      # Rate limit per period,
      # Supported formats: "[10/seconde]", "[100/minute]", "[1000/day]"
      # https://limits.readthedocs.io/en/stable/quickstart.html#rate-limit-string-notation
      defaults: ["100/minute"]

    # if using new Gateway API integration instead of ingress resources
    # HTTP routes configuration for API access
    httpRoutes:
      # Enable HTTP routes for API access
      enabled: false
      # GatewayClass name to use
      gatewayClassName: ""
      # Domain name for API access
      # Example: "bunkerweb-api.example.com"
      serverName: ""
      # Path for API access
      serverPath: "/admin"
      # Additional annotations for the Ingress resource
      # Example: {"cert-manager.io/cluster-issuer": "letsencrypt-prod"}
      extraAnnotations: {}
      # Secret name containing TLS certificate
      # Leave empty to disable HTTPS
      tlsSecretName: ""

    # Ingress configuration for API access
    ingress:
      # Set to true to create an Ingress resource for the API
      enabled: false
      # IngressClass name to use
      ingressClassName: ""
      # Domain name for API access
      # Example: "bunkerweb-api.example.com"
      serverName: ""
      # Path for API access (usually "/")
      serverPath: "/"
      # Additional annotations for the Ingress resource
      # Example: {"cert-manager.io/cluster-issuer": "letsencrypt-prod"}
      extraAnnotations: {}
      # Secret name containing TLS certificate
      # Leave empty to disable HTTPS
      tlsSecretName: ""

# =============================================================================
# SERVICE CONFIGURATION
# =============================================================================
# External service for BunkerWeb (LoadBalancer/NodePort)

service:
  # Enable external service creation
  enabled: true

  # Service type: LoadBalancer, NodePort, or ClusterIP
  # LoadBalancer: Exposes service externally using cloud provider's load balancer
  # NodePort: Exposes service on each node's IP at a static port
  # ClusterIP: Only accessible within the cluster
  type: LoadBalancer

  # Set defined NodePorts if using Service type NodePort, if not set, random ports will be assigned
  # nodePortHttp: 30080
  # nodePortHttps: 30443

  # External traffic policy: Local or Cluster
  # Local: Preserves client IP but may cause uneven distribution
  # Cluster: Better distribution but loses client IP
  externalTrafficPolicy: Local

  # Additional service annotations
  # Example: {"service.beta.kubernetes.io/aws-load-balancer-type": "nlb"}
  annotations: {}

# =============================================================================
# BUNKERWEB COMPONENT
# =============================================================================
# Main reverse proxy and WAF component

bunkerweb:
  # Enable BunkerWeb component, should always be true except for sidecar use cases
  enabled: true
  # Deployment type: "DaemonSet" or "Deployment" or "StatefulSet"
  # DaemonSet: Runs one pod per node (recommended for ingress)
  # Deployment: Runs specified number of replicas
  # StatefulSet: For stable network IDs and storage (not typical for ingress)
  kind: Deployment

  # Pod annotations for Kubernetes integration (required)
  # This enables BunkerWeb to be managed by the controller
  enableInstance: true

  # Use host ports for direct traffic (only for DaemonSet)
  # Allows binding to ports 80/443 on each node
  hostPorts: true

  # Number of replicas (for Deployment & StatefulSet kind)
  # Minimum 2 for high availability and PodDisruptionBudget
  replicas: 1

  # Container image configuration
  # Also available at ghcr.io/bunkerity/bunkerweb
  repository: docker.io/bunkerity/bunkerweb
  tag: 1.6.9
  pullPolicy: IfNotPresent

  # Resource requests and limits
  # RECOMMENDED: Uncomment and adjust for production
  # resources:
  #   requests:
  #     cpu: "2000m"
  #     memory: "4096Mi"
  #   limits:
  #     cpu: "4000m"
  #     memory: "8192Mi"

  # Horizontal Pod Autoscaler (HPA) configuration
  # Make sure to set resources.requests for CPU and/or memory
  hpa:
    # Enable HPA for bunkerweb component
    enabled: false
    # Target kind for scaling (Deployment or StatefulSet)
    targetKind: "Deployment"
    # Optional name override for the target resource
    # If empty, uses the default release fullname
    nameOverride: ""
    # Minimum number of replicas (ignored for DaemonSet)
    minReplicas: 2
    # Maximum number of replicas
    maxReplicas: 10
    # CPU-based scaling configuration
    cpu:
      enabled: true
      targetAverageUtilization: 90
    # Memory-based scaling configuration
    memory:
      enabled: false
      targetAverageUtilization: 90
    # HPA behavior configuration
    # Controls the scaling speed and stabilization
    behavior:
      scaleUp:
        # Stabilization before scale up: waits for constant threshold crossing
        stabilizationWindowSeconds: 60
        policies:
          # Policy 1: Max +100% of current replicas per minute
          - type: Percent
            value: 100
            periodSeconds: 60
          # Policy 2: Max +2 pods per minute
          - type: Pods
            value: 2
            periodSeconds: 60
        # Takes the MOST CONSERVATIVE of the 2 policies
        selectPolicy: Min
      scaleDown:
        # Stabilization before scale down: waits for under-utilization
        stabilizationWindowSeconds: 300
        policies:
          # Policy 1: Max -50% of current replicas per minute
          - type: Percent
            value: 50
            periodSeconds: 60
          # Policy 2: Max -1 pod per minute
          - type: Pods
            value: 1
            periodSeconds: 60
        # Takes the MOST CONSERVATIVE of the 2 policies
        selectPolicy: Min

  # Internal service configuration (for inter-pod communication)
  service:
    # Use headless service (clusterIP: None) for service discovery
    # If false, creates a ClusterIP service with BWAPI port 5000
    headless: true

  # Image pull secrets (overrides global setting)
  imagePullSecrets: []

  # Node selector (overrides global setting)
  nodeSelector: {}

  # Tolerations (overrides global setting)
  tolerations: []

  # Pod affinity rules
  affinity: {}

  # Anti-affinity preset: "soft" or "hard"
  # soft: Prefers not to schedule pods on same node
  # hard: Never schedules pods on same node
  podAntiAffinityPreset: "soft"

  # Additional pod annotations
  podAnnotations: {}

  # Additional pod labels
  podLabels: {}

  # Security context for BunkerWeb container
  securityContext:
    runAsUser: 101
    runAsGroup: 101
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL

  # Additional environment variables
  # Example: extraEnvs: [{"name": "DEBUG", "value": "true"}]
  extraEnvs: []

  # Liveness probe configuration
  livenessProbe:
    exec:
      command:
        - /usr/share/bunkerweb/helpers/healthcheck.sh
    initialDelaySeconds: 30
    periodSeconds: 5
    timeoutSeconds: 1
    failureThreshold: 3

  # Readiness probe configuration
  readinessProbe:
    exec:
      command:
        - /usr/share/bunkerweb/helpers/healthcheck.sh
        - ok
    initialDelaySeconds: 30
    periodSeconds: 1
    timeoutSeconds: 1
    failureThreshold: 3

  # Custom volumes configuration
  # Allows mounting additional volumes to the BunkerWeb container
  volumes: []
  # Example:
  # volumes:
  #   - name: shared-data
  #     persistentVolumeClaim:
  #       claimName: shared-pvc

  # Custom volume mounts configuration
  # Defines where to mount the custom volumes in the container
  volumeMounts: []
  # Example:
  # volumeMounts:
  #   - name: shared-data
  #     mountPath: /var/lib/bunkerweb/shared

  ## PodDisruptionBudget for default backend
  ## bunkerweb Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
  ##
  pdb:
    # Enable creation of Pod Disruption Budget
    # Make sure you have at least 2 replicas if enabled
    create: true

    # Minimum number/percentage of pods that must remain available
    # Example: minAvailable: 1 or minAvailable: "50%"
    minAvailable: ""

    # Maximum number/percentage of pods that can be unavailable
    # Example: maxUnavailable: 1 or maxUnavailable: "25%"
    maxUnavailable: ""

# =============================================================================
# SCHEDULER COMPONENT
# =============================================================================
# Manages BunkerWeb configuration and coordination

scheduler:
  # Container image configuration
  # Also available at ghcr.io/bunkerity/bunkerweb-scheduler
  repository: docker.io/bunkerity/bunkerweb-scheduler
  tag: 1.6.9
  pullPolicy: IfNotPresent

  # Image pull secrets (overrides global setting)
  imagePullSecrets: []

  # Node selector (overrides global setting)
  nodeSelector: {}

  # Tolerations (overrides global setting)
  tolerations: []

  # Resource requests and limits
  # RECOMMENDED: Uncomment and adjust for production
  # resources:
  #   requests:
  #     cpu: "250m"
  #     memory: "256Mi"
  #   limits:
  #     cpu: "500m"
  #     memory: "512Mi"

  # Additional pod annotations
  podAnnotations: {}

  # Additional pod labels
  podLabels: {}

  # Security context for scheduler container
  securityContext:
    runAsUser: 101
    runAsGroup: 101
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL

  # PRO Features configuration
  # BunkerWeb PRO license key for advanced features
  proLicenseKey: ""
  # Enable Prometheus metrics exporter and creates a service for it
  # Requires BunkerWeb PRO license
  usePrometheusExporter: false
  # ==================================================== #

  # BunkerWeb feature configuration
  # These settings control the behavior of BunkerWeb security features
  # These features will be applied by default on any new services, but could be overwritten on a per service basis
  # For more details, visit: https://docs.bunkerweb.io/latest/features/
  features:
    # =============================================================================
    # GLOBAL SETTINGS
    # =============================================================================
    global:
      # Security mode: "detect" for monitoring only, "block" for active protection
      securityMode: ""
      # Default server protection
      disableDefaultServer: ""
      disableDefaultServerStrictSni: ""

    # =============================================================================
    # NGINX TIMEOUTS
    # =============================================================================
    timeouts:
      # Timeout for reading client request body
      clientBodyTimeout: ""
      # Timeout for reading client request header
      clientHeaderTimeout: ""
      # Timeout for keep-alive client connections
      keepaliveTimeout: ""
      # Timeout for transmitting response to client
      sendTimeout: ""

    # =============================================================================
    # DATABASE CONNECTION POOL
    # =============================================================================
    databasePool:
      # Number of connections in the pool
      databasePoolSize: ""
      # Max connections above pool size
      databasePoolMaxOverflow: ""
      # Seconds to wait for a connection from pool
      databasePoolTimeout: ""
      # Seconds after which connection is recycled (-1 to disable)
      databasePoolRecycle: ""
      # Test connections for liveness on checkout
      databasePoolPrePing: ""
      # How to reset connection on return (auto/none/rollback)
      databasePoolResetOnReturn: ""
      # Max seconds to wait for database on startup
      databaseRetryTimeout: ""
      # Retry attempts for transient errors
      databaseRequestRetryAttempts: ""
      # Delay between retry attempts (seconds)
      databaseRequestRetryDelay: ""

    # =============================================================================
    # MODSECURITY WAF
    # =============================================================================
    modsecurity:
      # Enable ModSecurity Web Application Firewall
      useModsecurity: ""
      # Enable OWASP Core Rule Set
      useModsecurityCrs: ""
      # CRS version: "3", "4", or "nightly"
      modsecurityCrsVersion: ""
      # Rule engine: "On", "DetectionOnly", or "Off"
      modsecuritySecRuleEngine: ""
      # Enable CRS plugins for enhanced protection
      useModsecurityCrsPlugins: ""
      # List of CRS plugins to install (space-separated)
      modsecurityCrsPlugins: ""

    # =============================================================================
    # ANTIBOT PROTECTION
    # =============================================================================
    antibot:
      # Antibot challenge type: "no", "cookie", "javascript", "captcha", "recaptcha", "hcaptcha", "turnstile", "mcaptcha"
      useAntibot: ""
      # Challenge URI (must be unique and not used by your application)
      antibotUri: ""
      # Time limit to complete challenge (seconds)
      antibotTimeResolve: ""
      # Challenge validity duration (seconds)
      antibotTimeValid: ""
      # IPs to bypass antibot challenges (space-separated)
      antibotIgnoreIp: ""
      # URIs to bypass antibot challenges (regex patterns, space-separated)
      antibotIgnoreUri: ""
      # Use classic reCAPTCHA instead of newer version
      antibotRecaptchaClassic: ""

    # =============================================================================
    # RATE LIMITING
    # =============================================================================
    rateLimit:
      # Enable request rate limiting
      useLimitReq: ""
      # Rate limit (e.g., "2r/s", "60r/m")
      limitReqRate: ""
      # URL pattern to apply rate limiting
      limitReqUrl: ""
      # Enable connection limiting
      useLimitConn: ""
      # Max HTTP/1.1 connections per IP
      limitConnMaxHttp1: ""
      # Max HTTP/2 connections per IP
      limitConnMaxHttp2: ""
      # Max HTTP/3 connections per IP
      limitConnMaxHttp3: ""

    # =============================================================================
    # BLACKLIST/WHITELIST
    # =============================================================================
    blacklist:
      # Enable blacklist functionality
      useBlacklist: ""
      # Community blacklists to use
      blacklistCommunityLists: ""
      # Manual IP blacklist (space-separated)
      blacklistIp: ""
      # Blacklist URLs for automatic updates
      blacklistIpUrls: ""

    whitelist:
      # Enable whitelist functionality
      useWhitelist: ""
      # Manual IP whitelist (space-separated CIDR)
      whitelistIp: ""
      # Whitelist URLs for automatic updates
      whitelistIpUrls: ""

    # =============================================================================
    # COUNTRY BLOCKING
    # =============================================================================
    geoBlocking:
      # Allowed countries (ISO 3166-1 alpha-2 codes or group tokens like @EU, @G7, @FIVE_EYES, space-separated)
      whitelistCountry: ""
      # Blocked countries (ISO 3166-1 alpha-2 codes or group tokens like @EU, @G7, @FIVE_EYES, space-separated)
      blacklistCountry: ""

    # =============================================================================
    # BAD BEHAVIOR DETECTION
    # =============================================================================
    badBehavior:
      # Enable bad behavior detection
      useBadBehavior: ""
      # HTTP status codes considered "bad" (space-separated)
      badBehaviorStatusCodes: ""
      # Threshold before banning IP
      badBehaviorThreshold: ""
      # Time window for counting bad requests (seconds)
      badBehaviorCountTime: ""
      # Ban duration (seconds, 0 = permanent)
      badBehaviorBanTime: ""

    # =============================================================================
    # SSL/TLS CONFIGURATION
    # =============================================================================
    ssl:
      # Enable HTTPS listening
      listenHttps: ""
      # SSL protocols to support
      sslProtocols: ""
      # Cipher security level: "old", "intermediate", "modern"
      sslCiphersLevel: ""
      # Auto-redirect HTTP to HTTPS
      autoRedirectHttpToHttps: ""

    # Let's Encrypt configuration
    letsEncrypt:
      # Enable automatic Let's Encrypt certificates
      autoLetsEncrypt: ""
      # Email for Let's Encrypt notifications
      emailLetsEncrypt: ""
      # Challenge type: "http" or "dns"
      letsEncryptChallenge: ""
      # DNS provider for DNS challenges
      letsEncryptDnsProvider: ""
      # Enable wildcard certificates (DNS challenges only)
      useLetsEncryptWildcard: ""
      # Certificate authority server: "letsencrypt" or "zerossl"
      letsEncryptServer: ""
      # Certificate profile: "classic" or other profiles
      letsEncryptProfile: ""
      # Custom certificate profile (overrides letsEncryptProfile)
      letsEncryptCustomProfile: ""
      # ZeroSSL API key (optional, falls back to email)
      letsEncryptZerosslApiKey: ""
      # ZeroSSL API connection timeout (seconds)
      letsEncryptZerosslApiConnectTimeout: ""
      # ZeroSSL API max time (seconds)
      letsEncryptZerosslApiMaxTime: ""
      # ZeroSSL API retry count
      letsEncryptZerosslApiRetry: ""
      # ZeroSSL API retry delay (seconds)
      letsEncryptZerosslApiRetryDelay: ""

    # Custom SSL certificate
    customSsl:
      # Use custom SSL certificates
      useCustomSsl: ""
      # Certificate priority: "file" or "data"
      customSslCertPriority: ""
      # Certificate file path
      customSslCert: ""
      # Private key file path
      customSslKey: ""

    # =============================================================================
    # COMPRESSION
    # =============================================================================
    compression:
      # Enable GZIP compression
      useGzip: ""
      # GZIP compression level (1-9)
      gzipCompLevel: ""
      # Minimum response size for compression (bytes)
      gzipMinLength: ""
      # Enable Brotli compression
      useBrotli: ""
      # Brotli compression level (0-11)
      brotliCompLevel: ""

    # =============================================================================
    # CLIENT CACHING
    # =============================================================================
    clientCache:
      # Enable client-side caching
      useClientCache: ""
      # File extensions to cache (pipe-separated)
      clientCacheExtensions: ""
      # Cache-Control header value
      clientCacheControl: ""
      # Enable ETags
      clientCacheEtag: ""

    # =============================================================================
    # REVERSE PROXY
    # =============================================================================
    reverseProxy:
      # Enable reverse proxy functionality
      useReverseProxy: ""
      # Backend server URLs (multiple values supported with suffix _1, _2, etc.)
      reverseProxyHost: ""
      # URL paths to proxy (multiple values supported with suffix _1, _2, etc.)
      reverseProxyUrl: ""
      # Connection timeout
      reverseProxyConnectTimeout: ""
      # Send timeout
      reverseProxySendTimeout: ""
      # Read timeout
      reverseProxyReadTimeout: ""

    # =============================================================================
    # GRPC REVERSE PROXY
    # =============================================================================
    grpc:
      # Enable gRPC reverse proxy mode
      useGrpc: ""
      # Location URL to proxy to gRPC upstream
      grpcUrl: ""
      # Upstream value (e.g., grpc://app:50051 or grpcs://app:443)
      grpcHost: ""
      # Timeout when connecting to gRPC upstream
      grpcConnectTimeout: ""
      # Timeout when reading from gRPC upstream
      grpcReadTimeout: ""
      # Timeout when sending to gRPC upstream
      grpcSendTimeout: ""
      # Override Host header sent to gRPC upstream
      grpcCustomHost: ""
      # Headers to send to gRPC upstream (semicolon-separated)
      grpcHeaders: ""
      # Headers to hide from clients
      grpcHideHeaders: ""
      # Intercept and rewrite gRPC upstream errors
      grpcInterceptErrors: ""
      # Enable keepalive for gRPC upstream sockets
      grpcSocketKeepalive: ""
      # Enable SNI for gRPC upstream
      grpcSslSni: ""
      # SNI host name for gRPC upstream
      grpcSslSniName: ""
      # Conditions for selecting next gRPC upstream server
      grpcNextUpstream: ""
      # Time limit for passing request to next server
      grpcNextUpstreamTimeout: ""
      # Max attempts to pass request to next server
      grpcNextUpstreamTries: ""
      # Additional config for gRPC location block
      grpcIncludes: ""

    # =============================================================================
    # REAL IP DETECTION
    # =============================================================================
    realIp:
      # Enable real IP detection (behind proxy/load balancer)
      useRealIp: ""
      # Trusted proxy IPs (space-separated CIDR)
      realIpFrom: ""
      # Header containing real IP
      realIpHeader: ""
      # Enable recursive IP detection
      realIpRecursive: ""
      # Enable PROXY protocol support
      useProxyProtocol: ""

    # =============================================================================
    # SECURITY HEADERS
    # =============================================================================
    headers:
      # HSTS header
      strictTransportSecurity: ""
      # Content Security Policy
      contentSecurityPolicy: ""
      # CSP report-only mode
      contentSecurityPolicyReportOnly: ""
      # X-Frame-Options header
      xFrameOptions: ""
      # X-Content-Type-Options header
      xContentTypeOptions: ""
      # Referrer Policy
      referrerPolicy: ""
      # Headers to remove (space-separated)
      removeHeaders: ""
      # Custom headers (multiple values supported with suffix _1, _2, etc.)
      customHeader: ""

    # =============================================================================
    # CORS CONFIGURATION
    # =============================================================================
    cors:
      # Enable CORS
      useCors: ""
      # Allowed origins (regex pattern or "self" or "*")
      corsAllowOrigin: ""
      # Allowed HTTP methods
      corsAllowMethods: ""
      # Allowed headers
      corsAllowHeaders: ""
      # Allow credentials
      corsAllowCredentials: ""

    # =============================================================================
    # DNSBL CHECKING
    # =============================================================================
    dnsbl:
      # Enable DNSBL checking
      useDnsbl: ""
      # DNSBL servers to query (space-separated)
      dnsblList: ""

    # =============================================================================
    # BUNKERNET THREAT INTELLIGENCE
    # =============================================================================
    bunkerNet:
      # Enable BunkerNet threat intelligence
      useBunkernet: ""
      # BunkerNet API server
      bunkernetServer: ""

    # =============================================================================
    # SESSION MANAGEMENT
    # =============================================================================
    sessions:
      # Session secret key (leave empty to auto-generate)
      sessionsSecret: ""
      # Session cookie name
      sessionsName: ""
      # Idle timeout (seconds)
      sessionsIdlingTimeout: ""
      # Rolling timeout (seconds)
      sessionsRollingTimeout: ""
      # Absolute timeout (seconds)
      sessionsAbsoluteTimeout: ""
      # Check IP address consistency
      sessionsCheckIp: ""
      # Check User-Agent consistency
      sessionsCheckUserAgent: ""

    # =============================================================================
    # METRICS AND MONITORING
    # =============================================================================
    metrics:
      # Enable metrics collection
      useMetrics: ""
      # Memory size for metrics storage
      metricsMemorySize: ""
      # Max blocked requests per worker
      metricsMaxBlockedRequests: ""
      # Save metrics to Redis
      metricsSaveToRedis: ""

    # =============================================================================
    # AUTH BASIC
    # =============================================================================
    authBasic:
      # Enable HTTP Basic Authentication
      useAuthBasic: ""
      # Protection scope: "sitewide" or specific path
      authBasicLocation: ""
      # Username (multiple values supported with suffix _1, _2, etc.)
      authBasicUser: ""
      # Password (multiple values supported with suffix _1, _2, etc.)
      authBasicPassword: ""
      # Authentication prompt text
      authBasicText: ""

    # =============================================================================
    # REDIRECTS
    # =============================================================================
    redirect:
      # Path to redirect from
      redirectFrom: ""
      # Destination URL
      redirectTo: ""
      # Preserve request URI
      redirectToRequestUri: ""
      # HTTP status code for redirect
      redirectToStatusCode: ""

    # =============================================================================
    # ERROR PAGES
    # =============================================================================
    errors:
      # Custom error page mappings (ERROR_CODE=/path/to/file.html)
      errors: ""
      # HTTP error codes to intercept
      interceptedErrorCodes: ""

    # =============================================================================
    # HTML INJECTION
    # =============================================================================
    htmlInjection:
      # HTML to inject in <head> section
      injectHead: ""
      # HTML to inject before </body>
      injectBody: ""

    # =============================================================================
    # ROBOTS.TXT
    # =============================================================================
    robotsTxt:
      # Enable robots.txt generation
      useRobotsTxt: ""
      # DarkVisitors API token
      robotsTxtDarkvisitorsToken: ""
      # Community lists to include
      robotsTxtCommunityLists: ""
      # Manual robots.txt rules (multiple values supported)
      robotsTxtRule: ""
      # Sitemap URLs (multiple values supported)
      robotsTxtSitemap: ""

    # =============================================================================
    # SECURITY.TXT
    # =============================================================================
    securityTxt:
      # Enable security.txt file
      useSecurityTxt: ""
      # Contact information (multiple values supported)
      securityTxtContact: ""
      # Expiration date (ISO 8601 format)
      securityTxtExpires: ""
      # Security policy URL
      securityTxtPolicy: ""

    # =============================================================================
    # CROWDSEC INTEGRATION
    # =============================================================================
    crowdSec:
      # Enable CrowdSec integration
      useCrowdSec: ""
      # CrowdSec Local API URL
      crowdSecApi: ""
      # CrowdSec API key
      crowdSecApiKey: ""
      # Operation mode: "live" or "stream"
      crowdSecMode: ""
      # AppSec component URL (optional)
      crowdSecAppsecUrl: ""

    # =============================================================================
    # PHP INTEGRATION
    # =============================================================================
    php:
      # Remote PHP-FPM host
      remotePhp: ""
      # Remote PHP-FPM port
      remotePhpPort: ""
      # Remote PHP-FPM path
      remotephpPath: ""
      # Local PHP-FPM socket
      localPhp: ""
      # Local PHP-FPM path
      localPhpPath: ""

    # =============================================================================
    # GREYLIST (CONDITIONAL ACCESS)
    # =============================================================================
    greylist:
      # Enable greylist functionality
      useGreylist: ""
      # IP addresses to greylist (space-separated CIDR)
      greylistIp: ""
      # Greylist URLs for automatic updates
      greylistIpUrls: ""

    # =============================================================================
    # REVERSE SCAN
    # =============================================================================
    reverseScan:
      # Enable client port scanning
      useReverseScan: ""
      # Ports to scan on client (space-separated)
      reverseScanPorts: ""
      # Scan timeout (milliseconds)
      reverseScanTimeout: ""

    # =============================================================================
    # BACKUP CONFIGURATION
    # =============================================================================
    backup:
      # Enable backup functionality
      useBackup: ""
      # Backup frequency: "daily", "weekly", "monthly"
      backupSchedule: ""
      # Number of backups to retain
      backupRotation: ""
      # Backup directory
      backupDirectory: ""

    # =============================================================================
    # STREAM/PASSTHROUGH
    # =============================================================================
    stream:
      # Enable non-ssl passthrough listening
      listenStream: ""
      # Port for non-ssl passthrough (empty to disable)
      listenStreamPort: ""
      # Port for ssl passthrough (empty to disable)
      listenStreamPortSsl: ""

  # Additional environment variables for advanced configuration
  # These will be merged with the feature configuration above
  extraEnvs: []

  # Liveness probe configuration
  livenessProbe:
    exec:
      command:
        - /usr/share/bunkerweb/helpers/healthcheck-scheduler.sh
    initialDelaySeconds: 180
    periodSeconds: 10
    timeoutSeconds: 1
    failureThreshold: 3

# =============================================================================
# CONTROLLER COMPONENT
# =============================================================================
# Kubernetes controller for automatic Ingress management

controller:
  # Enable the controller (required for Ingress integration)
  enabled: true

  # Container image configuration
  # Also available at ghcr.io/bunkerity/bunkerweb-autoconf
  repository: docker.io/bunkerity/bunkerweb-autoconf
  tag: 1.6.9
  pullPolicy: IfNotPresent

  # Image pull secrets (overrides global setting)
  imagePullSecrets: []

  # Node selector (overrides global setting)
  nodeSelector: {}

  # Tolerations (overrides global setting)
  tolerations: []

  # Resource requests and limits
  # RECOMMENDED: Uncomment and adjust for production
  # resources:
  #   requests:
  #     cpu: "100m"
  #     memory: "128Mi"
  #   limits:
  #     cpu: "250m"
  #     memory: "256Mi"

  # Additional pod annotations
  podAnnotations: {}

  # Additional pod labels
  podLabels: {}

  # Security context for controller container
  securityContext:
    runAsUser: 101
    runAsGroup: 101
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL

  # Additional environment variables
  extraEnvs: []

  # Liveness probe configuration
  livenessProbe:
    exec:
      command:
        - /usr/share/bunkerweb/helpers/healthcheck-autoconf.sh
    initialDelaySeconds: 30
    periodSeconds: 5
    timeoutSeconds: 1
    failureThreshold: 3

  # Readiness probe configuration
  readinessProbe:
    exec:
      command:
        - /usr/share/bunkerweb/helpers/healthcheck-autoconf.sh
    initialDelaySeconds: 120
    periodSeconds: 1
    timeoutSeconds: 1
    failureThreshold: 3

# =============================================================================
# WEB UI COMPONENT
# =============================================================================
# Web interface for BunkerWeb management and monitoring

ui:
  # Enable the web UI
  enabled: true

  # Container image configuration
  # Also available at ghcr.io/bunkerity/bunkerweb-ui
  repository: docker.io/bunkerity/bunkerweb-ui
  tag: 1.6.9
  pullPolicy: IfNotPresent

  # Image pull secrets (overrides global setting)
  imagePullSecrets: []

  # Node selector (overrides global setting)
  nodeSelector: {}

  # Tolerations (overrides global setting)
  tolerations: []

  # Resource requests and limits
  # RECOMMENDED: Uncomment and adjust for production
  # resources:
  #   requests:
  #     cpu: "100m"
  #     memory: "256Mi"
  #   limits:
  #     cpu: "250m"
  #     memory: "512Mi"

  # Additional pod annotations
  podAnnotations: {}

  # Additional pod labels
  podLabels: {}

  # Security context for UI container
  securityContext:
    runAsUser: 101
    runAsGroup: 101
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL

  # Additional environment variables
  extraEnvs: []

  # Log collection configuration
  logs:
    # Enable log collection sidecar
    # ONLY WORKING FROM BunkerWeb version 1.6.7 and later
    enabled: false

    # Syslog address for log forwarding
    # Automatically set to Sidecar service if empty
    # Format: HOST:PORT "syslog-server:514" do not append Protocol, it's set to UDP by default and port 514.
    syslogAddress: ""

    # Syslog-ng container for log collection
    repository: docker.io/balabit/syslog-ng
    pullPolicy: IfNotPresent
    tag: 4.8.0

    # Timezone for the syslog-ng container
    # If empty, uses the container default (UTC)
    # Example: "Europe/Paris", "America/New_York"
    timezone: ""

    # Persistent storage for logs
    persistence:
      size: 5Gi
      # Storage class for log persistence
      # Leave empty for default storage class
      storageClass: ""

    # Log rotation and cleanup configuration
    # Periodically rotates UI logs and removes old log files
    logrotate:
      # Enable periodic log rotation for UI logs
      enabled: true

      # Cron schedule for the log rotation job
      # Default: daily at 00:00
      schedule: 0 0 * * *

      # Number of days to keep UI log files
      # Log files older than this value will be automatically removed
      rotate: 2

      # Log file patterns to rotate (required when logrotate.enabled=true).
      #
      # This list is matched against log file names under /var/log/bunkerweb/.
      # You can use glob patterns:
      #   - *.com.log
      #
      # If this list is empty, no logrotate rules are generated and nothing will be rotated.
      files:
        - bw-autoconf.log
        - bw-scheduler.log
        - bw-ui-access.log
        - bw-ui.log
      # - '*.com.log'

  # Liveness probe configuration
  livenessProbe:
    exec:
      command:
        - /usr/share/bunkerweb/helpers/healthcheck-ui.sh
    initialDelaySeconds: 30
    periodSeconds: 5
    timeoutSeconds: 1
    failureThreshold: 3

  # Readiness probe configuration
  readinessProbe:
    exec:
      command:
        - /usr/share/bunkerweb/helpers/healthcheck-ui.sh
    initialDelaySeconds: 30
    periodSeconds: 1
    timeoutSeconds: 1
    failureThreshold: 3

# =============================================================================
# EXTERNAL API COMPONENT
# =============================================================================
# External API for BunkerWeb that exposes REST interface for automation tools

api:
  # Enable the external API
  enabled: true

  # Container image configuration
  # Also available at ghcr.io/bunkerity/bunkerweb-api
  repository: docker.io/bunkerity/bunkerweb-api
  tag: 1.6.9
  pullPolicy: IfNotPresent

  # Image pull secrets (overrides global setting)
  imagePullSecrets: []

  # Node selector (overrides global setting)
  nodeSelector: {}

  # Tolerations (overrides global setting)
  tolerations: []

  # Resource requests and limits
  # RECOMMENDED: Uncomment and adjust for production
  # resources:
  #   requests:
  #     cpu: "100m"
  #     memory: "256Mi"
  #   limits:
  #     cpu: "250m"
  #     memory: "512Mi"

  # Additional pod annotations
  podAnnotations: {}

  # Additional pod labels
  podLabels: {}

  # Security context for API container
  securityContext:
    runAsUser: 101
    runAsGroup: 101
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL

  # Additional environment variables
  extraEnvs: []

  # Liveness probe configuration
  livenessProbe:
    exec:
      command:
        - /usr/share/bunkerweb/helpers/healthcheck-api.sh
    initialDelaySeconds: 30
    periodSeconds: 5
    timeoutSeconds: 1
    failureThreshold: 3

# =============================================================================
# BunkerWeb MCP COMPONENT
# =============================================================================
# Model Context Protocol (MCP) server for BunkerWeb
# Requires BunkerWeb API component to be enabled

mcp:
  # Enable the BunkerWeb MCP server
  enabled: false

  # Container image configuration
  repository: docker.io/bunkerity/bunkerweb-mcp
  tag: 0.1.0
  pullPolicy: IfNotPresent

  # Number of replicas
  replicas: 1

  # Image pull secrets (overrides global setting)
  imagePullSecrets: []

  # Node selector (overrides global setting)
  nodeSelector: {}

  # Tolerations (overrides global setting)
  tolerations: []

  # Resource requests and limits
  # RECOMMENDED: Uncomment and adjust for production
  # resources:
  #   requests:
  #     cpu: "250m"
  #     memory: "256Mi"
  #   limits:
  #     cpu: "1000m"
  #     memory: "512Mi"

  # Additional pod annotations
  podAnnotations: {}

  # Additional pod labels
  podLabels: {}

  # Security context for MCP container
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL

  # Additional environment variables
  extraEnvs: []

  # ----- MCP SERVER CONFIGURATION -----
  config:
    # Number of workers for the MCP server
    workers: "4"

    # BunkerWeb API Configuration
    # Base URL will be auto-configured to use internal API service if empty
    bunkerwebBaseUrl: ""
    bunkerwebRequestTimeoutSeconds: "30"
    bunkerwebMaxRetries: "3"
    bunkerwebRetryBackoffInitial: "0.5"
    bunkerwebRetryBackoffMax: "5"

    # Logging
    logLevel: "INFO"

    # MCP Transport Security (DNS Rebinding Protection)
    enableDnsRebindingProtection: "false"
    # Allowed hosts (auto-configured based on service names if empty)
    allowedHosts: ""
    # Allowed origins for CORS
    allowedOrigins: ""

    # Performance Configuration
    rateLimitEnabled: "false"
    rateLimitTools: "30/minute"
    rateLimitRpc: "100/minute"
    rateLimitWs: "500/minute"
    cacheEnabled: "true"

    # Semantic Search Configuration
    # Released in the future, currently non-functional
    searchMode: "disabled"
    searchApiUrl: ""
    searchTimeout: "10.0"

  # ----- SECRETS CONFIGURATION -----
  secrets:
    # Use existing secret for sensitive data
    # If set, the following keys should be present:
    #   - BUNKERWEB_API_TOKEN: Bearer token for BunkerWeb API
    # OR:
    #   - BUNKERWEB_BASIC_USERNAME: Basic auth username
    #   - BUNKERWEB_BASIC_PASSWORD: Basic auth password
    existingSecret: ""

    # BunkerWeb API Bearer Token (if not using existingSecret)
    # Leave empty to use basic auth instead
    bunkerwebApiToken: ""

    # BunkerWeb API Basic Auth (if not using existingSecret or token)
    bunkerwebBasicUsername: ""
    bunkerwebBasicPassword: ""

    # WebSocket authentication token (optional)
    websocketToken: ""

  # ----- SERVICE CONFIGURATION -----
  service:
    # Service type: ClusterIP, NodePort, or LoadBalancer
    type: ClusterIP
    # Service port
    port: 8080
    # Additional service annotations
    annotations: {}

  # ----- INGRESS CONFIGURATION -----
  ingress:
    # Enable ingress for external access
    # WARNING: The MCP server has no built-in authentication for the /mcp endpoint (used by Claude Code).
    # You MUST secure access using BunkerWeb annotations (whitelist, auth) or network policies.
    enabled: false
    # IngressClass name to use
    ingressClassName: "bunkerweb"
    # Domain name for MCP access
    serverName: ""
    # Path for MCP access
    serverPath: "/"
    # Additional annotations for the Ingress resource
    # SECURITY: Configure whitelist to restrict access to trusted IPs only
    annotations:
      bunkerweb.io/AUTO_LETS_ENCRYPT: "yes"
      bunkerweb.io/USE_REVERSE_PROXY: "yes"
      bunkerweb.io/REVERSE_PROXY_URL: "/"
      bunkerweb.io/REVERSE_PROXY_HOST: "http://mcp-bunkerweb.bunkerweb.svc.cluster.local:8080"
      # Whitelist configuration (RECOMMENDED for MCP security)
      # Uncomment and configure to restrict access to trusted IPs/networks
      # bunkerweb.io/USE_WHITELIST: "yes"
      # bunkerweb.io/WHITELIST_IP: "10.0.0.0/8 192.168.0.0/16 YOUR_PUBLIC_IP/32"
    # TLS configuration
    tls:
      enabled: false
      # Secret name containing TLS certificate
      secretName: ""

  # ----- GATEWAY API (HTTPRoute) -----
  # Alternative to Ingress for Kubernetes Gateway API
  httpRoutes:
    # Enable HTTPRoute for external access
    # WARNING: The MCP server has no built-in authentication for the /mcp endpoint (used by Claude Code).
    # You MUST secure access using BunkerWeb annotations (whitelist, auth) or network policies.
    enabled: false
    # GatewayClass name to use
    gatewayClassName: ""
    # Domain name for MCP access
    # Example: "mcp.example.com"
    serverName: ""
    # Path for MCP access
    serverPath: "/"
    # Additional annotations for the HTTPRoute resource
    # SECURITY: Configure whitelist to restrict access to trusted IPs only
    extraAnnotations:
      # Whitelist configuration (RECOMMENDED for MCP security)
      # bunkerweb.io/USE_WHITELIST: "yes"
      # bunkerweb.io/WHITELIST_IP: "10.0.0.0/8 192.168.0.0/16 YOUR_PUBLIC_IP/32"
    # Secret name containing TLS certificate
    # Leave empty to disable HTTPS
    tlsSecretName: ""

  # ----- SERVICE MONITOR (PROMETHEUS) -----
  serviceMonitor:
    # Enable ServiceMonitor for Prometheus Operator
    enabled: false
    # Scrape interval
    interval: 30s
    # Scrape timeout
    scrapeTimeout: 10s
    # Additional labels for ServiceMonitor
    labels: {}

  # ----- PROBES CONFIGURATION -----
  # readinessProbe:
  #   httpGet:
  #     path: /ready
  #     port: http
  #   initialDelaySeconds: 5
  #   periodSeconds: 10
  #   timeoutSeconds: 5
  #   failureThreshold: 2

  # livenessProbe:
  #   httpGet:
  #     path: /health
  #     port: http
  #   initialDelaySeconds: 10
  #   periodSeconds: 30
  #   timeoutSeconds: 5
  #   failureThreshold: 3

  # Termination grace period
  terminationGracePeriodSeconds: 30

# =============================================================================
# DATABASE (MARIADB) COMPONENT
# =============================================================================
# Database backend for BunkerWeb configuration and logs

mariadb:
  # Enable internal MariaDB instance
  # Set to false to use external database
  enabled: true

  # Container image configuration
  repository: docker.io/mariadb
  tag: "11"
  pullPolicy: IfNotPresent

  # Image pull secrets (overrides global setting)
  imagePullSecrets: []

  # Deployment update strategy for MariaDB
  # Default: RollingUpdate
  # Uncomment and set to "Recreate" when using single-node block storage
  # (e.g. EBS with ReadWriteOnce) to avoid volume attach conflicts
  # strategy: Recreate

  # Node selector (overrides global setting)
  nodeSelector: {}

  # Tolerations (overrides global setting)
  tolerations: []

  # Persistent storage configuration
  persistence:
    # Storage size for database
    size: 5Gi

    # Storage class for database persistence
    # Leave empty for default storage class
    # Example: "fast-ssd", "standard", "gp2"
    storageClass: ""

  # Database configuration
  config:
    # Generate random root password
    randomRootPassword: "1"

    # BunkerWeb database name
    database: "db"

    # BunkerWeb database user
    user: "bunkerweb"

    # BunkerWeb database password
    # SECURITY: Change this in production or use existingSecret
    password: "changeme"

  # Additional arguments for MariaDB
  # Example: args: ["--character-set-server=utf8mb4"]
  args:
    - "--max-allowed-packet=67108864"

  # Additional environment variables for MariaDB container
  # Example: extraEnvs: [{"name": "MARIADB_AUTO_UPGRADE", "value": "1"}]
  extraEnvs: []

  # Resource requests and limits
  # RECOMMENDED: Uncomment and adjust for production
  # resources:
  #   requests:
  #     cpu: "250m"
  #     memory: "512Mi"
  #   limits:
  #     cpu: "500m"
  #     memory: "1024Mi"

# =============================================================================
# REDIS COMPONENT
# =============================================================================
# Cache and session storage for BunkerWeb

redis:
  # Enable internal Redis instance
  # Set to false to use external Redis
  enabled: true

  # Container image configuration
  repository: docker.io/redis
  tag: 7-alpine
  pullPolicy: IfNotPresent
  # Persistent storage configuration
  persistence:
    # Storage size for Redis data
    size: 1Gi

    # Storage class for Redis persistence
    # Leave empty for default storage class
    storageClass: ""

  # Image pull secrets (overrides global setting)
  imagePullSecrets: []

  # Deployment update strategy for Redis
  # Default: RollingUpdate
  # Uncomment and set to "Recreate" when using single-node block storage
  # (e.g. EBS with ReadWriteOnce) to avoid volume attach conflicts
  # strategy: Recreate

  # Node selector (overrides global setting)
  nodeSelector: {}

  # Tolerations (overrides global setting)
  tolerations: []

  # Use custom Redis configuration file
  useConfigFile: true

  # Redis configuration
  config:
    # Redis authentication password
    # SECURITY: Change this in production or use existingSecret
    password: "changeme"

    # Custom Redis configuration
    # Applied when useConfigFile is true
    file: |
      appendonly yes
      save ""
      loglevel verbose
      maxmemory 512mb
      maxmemory-policy allkeys-lru

  # Additional environment variables for Redis container
  # Example: extraEnvs: [{"name": "REDIS_ARGS", "value": "--maxmemory 256mb"}]
  extraEnvs: []

  # Resource requests and limits
  # RECOMMENDED: Uncomment and adjust for production
  # resources:
  #   requests:
  #     cpu: "250m"
  #     memory: "512Mi"
  #   limits:
  #     cpu: "500m"
  #     memory: "1024Mi"

# =============================================================================
# GATEWAY CLASS
# =============================================================================
# Kubernetes GatewayClass resource for BunkerWeb

gatewayClass:
  # Create GatewayClass resource
  # Requires Kubernetes Gateway API CRDs to be installed in the cluster: https://gateway-api.sigs.k8s.io/guides/getting-started/#installing-gateway-api
  enabled: false

  # GatewayClass name (used in gateway resources)
  name: "bunkerweb"

  # Controller identifier for this GatewayClass
  controller: "bunkerweb.io/gateway-controller"

# =============================================================================
# INGRESS CLASS
# =============================================================================
# Kubernetes IngressClass resource for BunkerWeb

ingressClass:
  # Create IngressClass resource
  enabled: true

  # IngressClass name (used in Ingress resources)
  name: "bunkerweb"

  # Controller identifier for this IngressClass
  controller: "bunkerweb.io/ingress-controller"

# =============================================================================
# MONITORING - PROMETHEUS
# =============================================================================
# Metrics collection and storage

prometheus:
  # Enable Prometheus for metrics collection
  # Requires BunkerWeb PRO for advanced metrics
  enabled: false

  # Container image configuration
  repository: docker.io/prom/prometheus
  pullPolicy: IfNotPresent
  tag: v3.3.1

  # Number of Prometheus replicas
  replicas: 1

  # Additional pod annotations
  podAnnotations: {}

  # Additional pod labels
  podLabels: {}

  # Security context for Prometheus
  securityContext:
    fsGroup: 65534

  # Persistent storage configuration
  persistence:
    # Enable persistent storage
    enabled: true

    # Storage size for metrics data
    size: 8Gi

    # Storage class for metrics persistence
    storageClass: ""

    # Access modes for the persistent volume
    accessModes:
      - ReadWriteOnce

# =============================================================================
# MONITORING - GRAFANA
# =============================================================================
# Dashboards and visualization

grafana:
  # Enable Grafana for dashboards
  enabled: false

  # Container image configuration
  repository: docker.io/grafana/grafana
  tag: latest
  pullPolicy: IfNotPresent

  # Number of Grafana replicas
  replicas: 1

  # Admin user configuration
  adminUser: admin

  # Admin password (leave empty to generate random)
  # SECURITY: Set a strong password or use existingSecret
  adminPassword: ""

  # Use existing secret for admin password
  # Secret should contain 'admin-password' key
  # existingSecret: "grafana-admin-secret"
  existingSecret: ""

  # Additional environment variables (missing from values.yaml)
  extraEnvs: []

  # Service configuration
  service:
    type: ClusterIP
    port: 3000

  # Ingress configuration for external access
  ingress:
    enabled: false
    # ingressClassName: "bunkerweb"
    # serverName: "grafana.example.com"
    # serverPath: "/"
    # tlsSecretName: "grafana-tls"
    # annotations:
    #   bunkerweb.io/AUTO_LETS_ENCRYPT: "yes"

  # Persistent storage configuration
  persistence:
    enabled: false
    size: 10Gi

    # Storage class for dashboard persistence
    storageClass: ""

    # Access modes for the persistent volume
    accessModes:
      - ReadWriteOnce

    # Additional annotations for the PVC
    # annotations: {}

  # Prometheus data source configuration
  # Automatically configured when Prometheus is enabled
  prometheusDatasource:
    name: Prometheus
    type: prometheus
    url: 'http://prometheus-{{ include "bunkerweb.fullname" . }}.{{ include "bunkerweb.namespace" . }}.svc:9090'
    access: proxy
    isDefault: true

  # Additional pod annotations
  podAnnotations: {}

  # Additional pod labels
  podLabels: {}

  # Security context for Grafana
  securityContext: {}
    # fsGroup: 472
    # runAsUser: 472
    # runAsGroup: 472

  # Additional environment variables
  # extraEnvs: []

  # Sidecar configuration for dashboard provisioning
  # sidecar:
  #   dashboards:
  #     enabled: false
  #     label: grafana_dashboard
  #     labelValue: "1"
  #     folder: /tmp/dashboards

# =============================================================================
# NETWORK SECURITY
# =============================================================================
# Network policies for micro-segmentation

networkPolicy:
  # Enable network policies for enhanced security
  # Requires a CNI that supports NetworkPolicies (e.g., Calico, Cilium)
  enabled: false

  # Egress traffic configuration
  egress:
    # Allow traffic to pods in the same namespace
    allowSameNamespace: true

    # Allow internet access for updates and external APIs
    allowInternet: true

    # Ports allowed for internet access
    internetPorts: [80, 443]

    # Allow access to database virtual network
    allowDatabaseVNet: true

    # CIDR range for database network
    databaseVNetCIDR: "10.0.0.0/16"

    # Database port for access
    databasePort: 3306