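---
# Helmfile for a single ZITADEL release.
#
# helmfile renders this file as a Go template before parsing it as YAML, so the
# `{{ ... }}` expressions below are resolved first. `fetchSecretValue` resolves
# the `ref+azurekeyvault://` references declared under `environments` at render
# time, so those secrets never sit in this file; the only literal credential in
# this file is flagged below.
repositories:
  - name: zitadel
    url: https://charts.zitadel.com

environments:
  default:
    values:
      # Secret *references* only. The values are looked up in Key Vault when the
      # release is rendered.
      - zitadel:
          mainKey: ref+azurekeyvault://a-vault/main-key
          database:
            host: ref+azurekeyvault://a-vault/host
            port: ref+azurekeyvault://a-vault/port
            name: ref+azurekeyvault://a-vault/database
            username: ref+azurekeyvault://a-vault/username
            password: ref+azurekeyvault://a-vault/password

releases:
  - name: zitadel
    chart: zitadel/zitadel
    namespace: zitadel
    version: 5.0.0
    createNamespace: true
    wait: false
    values:
      - replicaCount: 2
        ingress:
          enabled: true
          className: nginx-internal
          annotations:
            external-dns.alpha.kubernetes.io/hostname: id.yourdomain.tld
            # Annotation values must be strings: keep these quoted so the YAML
            # parser does not turn them into booleans.
            nginx.ingress.kubernetes.io/ssl-redirect: "true"
            nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
            cert-manager.io/cluster-issuer: letsencrypt
          hosts:
            - host: id.yourdomain.tld
              paths:
                - path: /
                  pathType: ImplementationSpecific
          tls:
            - secretName: zitadel-tls
              hosts:
                - id.yourdomain.tld
        zitadel:
          # This cert is public - DigiCert Global Root CA
          # https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/how-to-connect-tls-ssl#applications-that-require-certificate-verification-for-tlsssl-connectivity
          # The PEM body is shortened in this excerpt; the deployed file must
          # carry the complete certificate or `verify-full` below cannot succeed.
          dbSslRootCrt: |
            -----BEGIN CERTIFICATE-----
            MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
            MQswCQYDVQ[SHORTENED FOR BREVITY]uXclVzDAGySj4dzp30d8tbQk
            CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
            -----END CERTIFICATE-----
          # These must be nullified or the chart mounts crdb secrets that do not
          # exist and the pod crashes.
          dbSslRootCrtSecret: null
          dbSslClientCrtSecret: null
          masterkey: {{ .Values.zitadel.mainKey | fetchSecretValue | quote }}
          configmapConfig:
            ExternalDomain: id.yourdomain.tld  # ! Changing this breaks the system
            ExternalPort: 443  # ! Changing this breaks the system
            ExternalSecure: true  # ! Changing this breaks the system
            Log:
              Level: 'info'
            LogStore:
              Access:
                Stdout:
                  Enabled: true
            TLS:
              # Ingress does this. NOTE(review): the hop from the ingress to the
              # pod is therefore plaintext and relies on in-cluster network
              # trust — confirm that is acceptable for this environment.
              Enabled: false
            Database:
              postgres:
                Host: {{ .Values.zitadel.database.host | fetchSecretValue | quote }}
                Port: {{ .Values.zitadel.database.port | fetchSecretValue | quote }}
                Database: {{ .Values.zitadel.database.name | fetchSecretValue | quote }}
                MaxOpenConns: 50
                MaxConnLifetime: 1h
                MaxConnIdleTime: 5m
                # Explicit null (same as the bare `Options:` it replaces).
                Options: null
                User:
                  Username: zitadel
                  # NOTE(review): this is a literal credential committed with
                  # the file, while Admin.Password is pulled from Key Vault.
                  # Consider sourcing it the same way, e.g.
                  # `ref+azurekeyvault://a-vault/<APP_DB_PASSWORD_SECRET>`
                  # (placeholder — pick the real secret name).
                  Password: zitadel
                  SSL:
                    Mode: verify-full
                    RootCert: /.secrets/ca.crt
                    # Client cert/key are not used; explicit null instead of
                    # bare empty values.
                    Cert: null
                    Key: null
                Admin:
                  Username: {{ .Values.zitadel.database.username | fetchSecretValue | quote }}
                  Password: {{ .Values.zitadel.database.password | fetchSecretValue | quote }}
                  SSL:
                    Mode: verify-full
                    RootCert: /.secrets/ca.crt
                    Cert: null
                    Key: null
            # The remaining sections are elided in this excerpt.
            DefaultInstance: ...
            FirstInstance: ...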