# Helm values for the Sema4.ai Deployment on Azure AKS
#
# Only chart-default overrides and the name-derived/shared-infra fields are
# listed below. The image (registry/repository/tag) comes from the chart — tag
# is supplied via --set on helm install. The Replicated SDK injects the proxy
# pull secret from its license, so no imagePullSecrets entry is needed.

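# The chart creates the service account. Its name and namespace must match the
# subject of the federated identity credential on the user-assigned managed
# identity, and the annotation carries that identity's client ID (not its
# object/principal ID). Helm does not validate any of this against Azure: a
# mismatch only shows up at runtime, when the token exchange for Blob Storage
# and Key Vault fails.
serviceAccount:
  create: true
  # Quoted for consistency with the other placeholders in this file.
  name: "REPLACE_ME"
  annotations:
    azure.workload.identity/client-id: "REPLACE_ME"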

# Opts the pods into Azure Workload Identity so the application can reach Blob
# Storage and Key Vault with the federated managed identity. Label values are
# strings, so the quotes are required — an unquoted true would be parsed as a
# boolean and rejected by the API server.
podLabels:
  azure.workload.identity/use: "true"

# Ingress is YOUR responsibility: the application serves plain HTTP on port
# 8001 with a /health/live health probe — expose it with your ingress
# controller or load balancer, terminate TLS there, and decide whether it is
# internet-facing or internal. Below is a generic example for an ingress
# controller routing to a ClusterIP service (the chart default is NodePort);
# adapt className, annotations, and the service type to your environment.
#
# ClusterIP keeps the plain-HTTP port reachable only from inside the cluster;
# nothing is exposed until the ingress below (or your load balancer) is in
# place.
service:
  type: ClusterIP

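ingress:
  enabled: true
  # Quoted for consistency with the other placeholders in this file.
  className: "REPLACE_ME"
  annotations: {}
  hosts:
    # Expected to be the host of config.externalUrl below, since the OIDC
    # redirect URI and the MCP public-API base URL are derived from that
    # value — confirm when filling both in.
    - host: "REPLACE_ME"
      paths:
        - path: /
          pathType: Prefix
          port: http
  # Empty list = this ingress terminates no TLS and forwards the plain HTTP
  # from port 8001 as-is. Either fill it in (see the application routing
  # add-on example below) or make sure TLS is terminated in front of it; in
  # either case config.externalUrl should use https.
  tls: []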

# Starting point for the AKS application routing add-on (managed NGINX) —
# replace the generic className/annotations/tls above with these. The
# tls-cert-keyvault-uri annotation syncs the TLS certificate from Key Vault;
# it requires the vault to be attached to the add-on
# (az aks approuting update --attach-kv). The add-on's default NGINX is
# public — for an internal (private) deployment, create an internal
# controller via its NginxIngressController resource and use that class.
#
#  className: webapprouting.kubernetes.azure.com
#  annotations:
#    kubernetes.azure.com/tls-cert-keyvault-uri: "https://<vault>.vault.azure.net/certificates/<name>"
#  tls:
#    - hosts:
#        - "<hostname>"
#      # The add-on syncs the Key Vault certificate into this secret, named
#      # keyvault-<ingress-name>; with the release named 'spar' this is:
#      secretName: keyvault-spar

config:
  infrastructurePlatform: "azure"

  azure:
    storageAccountName: "REPLACE_ME"
    storageContainerName: "REPLACE_ME"
    blobKeyPrefix: "REPLACE_ME"
    # Versioned Key Vault key identifier of the RSA KEK, in the form
    # https://<vault>.vault.azure.net/keys/<name>/<version>
    # The key is reached through the workload identity configured above, so
    # that identity presumably needs wrap/unwrap rights on it (Key Vault RBAC
    # or access policy) — confirm against the application's documentation.
    keyVaultKeyUrl: "REPLACE_ME"

  postgres:
    host: "REPLACE_ME"
    port: "5432"
    user: "REPLACE_ME"
    # Secret — do not commit a real value in this file. Supply it at install
    # time instead (for example via --set, as the image tag is, or from a
    # separate values file kept out of version control).
    password: "REPLACE_ME"
    database: "REPLACE_ME"

  # Public base URL (drives OAuth callback + MCP public-API base URLs).
  # Use the scheme and host clients actually reach — https once TLS is
  # terminated at your ingress — since the IdP matches the redirect URI
  # exactly, scheme included.
  externalUrl: "REPLACE_ME"

  # authMode defaults to 'oidc' in the chart.
  workroom:
    # Register redirect URI <externalUrl>/oidc/login/callback with your IdP.
    oidcClientId: "REPLACE_ME"
    # Secret — handle like postgres.password above: supply it at install time,
    # never commit it here.
    oidcClientSecret: "REPLACE_ME"
    oidcServer: "REPLACE_ME"

# Installs the Sema4.ai MCP Gallery container; set to false to leave it out of
# the release.
mcpGallery:
  enabled: true
