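# Helm values for the Firezone Gateway (targeting OpenShift, per the inline comments).
# NOTE(review): nesting was reconstructed from a collapsed listing; confirm it
# against the chart's own values.yaml before use.
affinity: {}
autoscaling:
  enabled: false
  maxReplicas: 100
  minReplicas: 1
  targetCPUUtilizationPercentage: 80
config:
  apiUrl: 'wss://api.gate.calegix.net'  # Matches Docker example; adjust as needed
  telemetry:
    enabled: true  # Matches Docker default (telemetry on unless disabled)
  token:
    # Prefer existingSecret: a token placed in `value` lives in this values file
    # (and in anything that stores the rendered values), so it is easy to leak
    # through version control or release history.
    existingSecret: null  # Set to a secret name if using an existing one
    key: FIREZONE_TOKEN  # Matches Helm chart expectation
    value: null  # Set this to your token if not using a secret, e.g., ".SFMyNTY..."
dnsConfig: {}
dnsPolicy: ClusterFirst  # Default OpenShift policy; explicit for clarity
envFrom: []
extraEnv:
  - name: FIREZONE_NAME  # Override chart's default to use hostname
    valueFrom:
      fieldRef:
        fieldPath: spec.nodeName  # Closest to `hostname` in OpenShift
fullnameOverride: ''
image:
  pullPolicy: Always  # Matches Docker --pull=always
  repository: ghcr.io/firezone/gateway
  # '1' is a mutable tag: combined with pullPolicy Always, each restart can run
  # a different build. Pin an exact version where reproducible rollouts matter.
  tag: '1'  # Matches Docker version; adjust as needed
imagePullSecrets: []
logLevel: info  # Matches Docker RUST_LOG=info; adjust to trace if desired
nameOverride: ''
nodeSelector: {}
pdb:
  annotations: {}
  enabled: false
  labels: {}
  maxUnavailable: ''
  minAvailable: 1  # Reasonable default for availability
podAnnotations: {}
podLabels: {}
podSecurityContext:
  # null leaves the IDs unset here; presumably the OpenShift SCC then assigns
  # them from the namespace range. Verify against the SCC bound to the pod.
  fsGroup: null  # Arbitrary non-root group ID for volume access
  runAsNonRoot: true  # OpenShift best practice
  runAsUser: null  # Arbitrary non-root user ID
replicas: 1
resources:
  requests:  # Suggested defaults; adjust based on workload
    cpu: 100m
    memory: 256Mi
  limits:
    cpu: 500m
    memory: 512Mi
revisionHistoryLimit: 10
securityContext:
  privileged: false  # Avoid privileged; use capabilities instead
  # NOTE(review): /var/lib/firezone is backed by the firezone-data volume below,
  # so a read-only root filesystem may be viable. Test before changing.
  readOnlyRootFilesystem: false  # Required for /var/lib/firezone writes
  capabilities:
    # NOTE(review): NET_ADMIN is not permitted by OpenShift's default restricted
    # SCC; grant the service account a narrowly scoped SCC rather than
    # `privileged`. For a non-root UID an added capability is only effective if
    # the gateway binary carries matching file capabilities. Confirm that TUN
    # setup works with runAsNonRoot. Consider `drop: [ALL]` once verified.
    add:
      - NET_ADMIN  # Required for TUN device and networking
  runAsNonRoot: true  # OpenShift best practice
  runAsUser: null  # Match podSecurityContext
serviceAccount:
  annotations: {}
  automount: false  # No API token is mounted into the pod
  create: true
  name: ''  # Auto-generated if empty
tolerations: []

# Custom additions for Firezone Gateway
# NOTE(review): Helm silently ignores values a chart's templates do not read.
# Confirm the chart actually consumes top-level `volumes` and `containers`.
volumes:
  - name: firezone-data  # Storage for /var/lib/firezone
    emptyDir: {}  # Not persistent across pod rescheduling; use PVC if persistence is needed
  - name: tun-device  # Mount for TUN device
    # hostPath volumes also require an SCC that allows them; keep the allowed
    # path limited to this single device node.
    hostPath:
      path: /dev/net/tun
      type: CharDevice  # Refuse to mount if the path is not a character device
containers:
  - name: firezone-gateway  # Matches chart's expected name
    volumeMounts:
      - mountPath: /var/lib/firezone
        name: firezone-data
      - mountPath: /dev/net/tun
        name: tun-device
    # Exec probes run the argv directly, without a shell, so a pipeline must be
    # wrapped in `sh -c`. Listing `grep` as a plain argument would pass it to
    # `ip` as an unknown subcommand and the probe would always fail.
    livenessProbe:
      exec:
        command:
          - sh
          - -c
          - ip link | grep tun-firezone  # Matches Docker health check
      initialDelaySeconds: 10
      periodSeconds: 10
      failureThreshold: 3
    readinessProbe:
      exec:
        command:
          - sh
          - -c
          - ip link | grep tun-firezone  # Matches Docker health check
      initialDelaySeconds: 5
      periodSeconds: 10
      failureThreshold: 3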