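# values.yaml.example — zddc-server-prod
#
# Copy to values.yaml (or pass via --values) and customize for your
# environment. Contains NO secrets — secrets like the .zddc admin email
# list, TLS certs (if used), and image-pull credentials must be
# materialised from your secret-management system (sealed-secrets,
# external-secrets, kubectl create secret, etc.) and referenced by name
# below.

# Source-build configuration. The init container clones the repo at
# `gitRef` and compiles cmd/zddc-server. Pin gitRef to a stable tag
# (zddc-server-vX.Y.Z) for production; tracking main HEAD risks pulling
# unreleased changes.
#
# The binary that runs is whatever this ref resolves to at pod start, and
# a tag is a mutable ref.
# NOTE(review): if the clone step accepts a full commit hash in gitRef,
# that fixes the exact source being compiled — confirm against the
# init-container script.
# NOTE(review): the `env` map is placed under `zddc` here; confirm the
# nesting against the chart's templates.
zddc:
  gitRepo: https://codeberg.org/VARASYS/ZDDC.git
  gitRef: zddc-server-v0.0.7  # pin to a stable tag

  # ZDDC environment-variable contract — see zddc/README.md
  env:
    # Path inside the container where ZDDC_ROOT data is mounted.
    # The chart wires the data PVC to this path automatically.
    rootPath: /srv

    # Listening address (plain HTTP — ingress terminates TLS).
    addr: ":8080"

    # Email-header convention from your authenticating reverse proxy.
    # The header is only as trustworthy as the path it arrives on: the
    # proxy has to overwrite any copy of it sent by the client, and the
    # listening port should be reachable from the proxy only.
    emailHeader: X-Auth-Request-Email

    # Comma-separated CORS allowlist. Set to your tools host, or empty
    # to disable CORS entirely (when tools are same-origin).
    # Replace the example origin below — every origin in this list is
    # allowed to make cross-origin requests to the server.
    corsOrigin: "https://zddc.varasys.io"

    # info / warn / error / debug. Production stays on info; debug logs
    # every request's full header map (includes cookies/auth tokens), so
    # anything that can read the pod's logs can read those credentials.
    logLevel: info

    # Index URL segment for the virtual archive index. Default fits
    # most deployments; only change if you have a tracking-number
    # collision with a real directory named ".archive".
    indexPath: ".archive"

# Persistent storage for ZDDC_ROOT. Operators provide their own PVC,
# typically backed by a shared filesystem (NFS, CephFS, SMB) so multiple
# replicas of zddc-server (and your sync tooling) see the same tree.
# This chart does NOT create the PVC — it only references it by name.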
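data:
  pvcName: zddc-root  # name of an existing PersistentVolumeClaim
  subPath: ""  # optional subPath within the PVC

# Service exposure. zddc-server listens on a plain HTTP port; ingress
# (or whatever reverse proxy you put in front) terminates TLS and
# enforces authentication, then forwards to this service.
# Authentication lives in that proxy, so a client that reaches this
# ClusterIP directly is not authenticated by it; limit traffic to the pod
# to the proxy (e.g. with a NetworkPolicy).
service:
  type: ClusterIP
  port: 8080

# Ingress is optional — disabled by default since most deployments wire
# zddc-server into an existing ingress / auth-proxy stack. Enable here
# only if this chart is the only thing in front of the pod.
# NOTE(review): none of the values below configure authentication on this
# ingress — confirm what sets the identity header (emailHeader) when it
# is enabled.
ingress:
  enabled: false
  className: ""
  host: zddc.example.com
  tls:
    # Leaving this false on an enabled ingress means no TLS is configured
    # for `host` by this chart.
    enabled: false
    secretName: zddc-tls  # secret you create separately

# Pod resource limits. Sized for a small/medium archive (~10k files).
resources:
  requests:
    cpu: 100m
    memory: 128Mi
  limits:
    cpu: 500m
    memory: 512Mi

# Replicas. zddc-server is read-only stateless given a shared filesystem
# behind it, so multiple replicas are safe.
replicaCount: 1

# Build-stage Go image (init container). Pinned digest is recommended
# in production for reproducibility; using a tag means upstream changes
# break your deploy. A tag can also be re-pointed at different content,
# whereas a digest fixes the exact image the build runs in.
buildImage:
  repository: docker.io/golang
  # Quoted so that a later edit to a bare version such as 1.20 is not
  # read as a float.
  tag: "1.24-alpine"
  # digest: sha256:...

# Runtime image (main container). Must contain a basic shell + libc;
# the static binary is copied in by the init container. Alpine is fine.
# NOTE(review): check that the tagged release still receives security
# fixes before deploying, and prefer a digest here as well.
runtimeImage:
  repository: docker.io/alpine
  tag: "3.19"
  # digest: sha256:...

# Image pull credentials, if your registry requires them. Reference a
# secret you've created separately; do not put credentials in values.
imagePullSecrets: []
  # - name: regcred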