# SPDX-FileCopyrightText: 2023 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---

extraIngresses:
  redirects:
    # Using "stack-gateway" currently.
    enabled: false
    # The TLS configuration is on the "master" Ingress, see below.
    tls:
      enabled: false
  master:
    # Using "stack-gateway" currently.
    enabled: false
    tls:
      enabled: {{ .Values.ingress.tls.enabled }}
      secretName: {{ .Values.ingress.tls.secretName | quote }}

  # See "extraVolumeMounts" below
  custom-favicon:
    # Using "stack-gateway" at the moment
    enabled: false
    annotations:
      nginx.org/mergeable-ingress-type: "minion"
    paths:
      - pathType: "Exact"
        path: "/favicon.ico"
    tls: {}

extraVolumes:
  - name: "opendesk-branding"
    configMap:
      name: "ums-stack-data-swp-branding"

extraVolumeMounts:
  - name: "opendesk-branding"
    mountPath: "/var/www/html/favicon.ico"
    subPath: "favicon.ico"
  - name: "opendesk-branding"
    mountPath: "/var/www/html/css/custom.css"
    subPath: "custom.css"
  - name: "opendesk-branding"
    mountPath: "/var/www/html/icons/logo.svg"
    subPath: "logo.svg"
  - name: "opendesk-branding"
    mountPath: "/var/www/html/icons/logo_small_border.svg"
    subPath: "logo_small_border.svg"
  - name: "opendesk-branding"
    mountPath: "/var/www/html/custom/portal_background_image.png"
    subPath: "portal_background_image.png"
  - name: "opendesk-branding"
    mountPath: "/var/www/html/custom/portal_background_image.svg"
    subPath: "portal_background_image.svg"

image:
  registry: {{ .Values.global.imageRegistry | default .Values.images.umsPortalFrontend.registry | quote }}
  repository: {{ .Values.images.umsPortalFrontend.repository | quote }}
  pullPolicy: {{ .Values.global.imagePullPolicy | quote }}
  tag: {{ .Values.images.umsPortalFrontend.tag | quote }}
  pullSecrets:
    {{- range .Values.global.imagePullSecrets }}
    - name: {{ . | quote }}
    {{- end }}

  # See "extraVolumeMounts" below
  custom-branding:
    # Using "stack-gateway" at the moment
    enabled: false
    annotations:
      nginx.ingress.kubernetes.io/configuration-snippet: |
        rewrite ^/univention/portal(/.*)$ $1 break;
      nginx.org/location-snippets: |
        rewrite ^/univention/portal(/.*)$ $1 break;
      nginx.org/mergeable-ingress-type: "minion"
    paths:
      # This relies on the correct implementation of the matching for paths of
      # type "Prefix" since "/univention/portal/icons/entries/" is owned by
      # store-dav.
      # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches
      - pathType: "Prefix"
        path: "/univention/portal/icons/"
      - pathType: "Prefix"
        path: "/univention/portal/custom/"
    tls: {}

resources:
  {{ .Values.resources.umsPortalFrontend | toYaml | nindent 2 }}

securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - "ALL"
    add:
      - "CHOWN"
      - "DAC_OVERRIDE"
      - "FOWNER"
      - "FSETID"
      - "KILL"
      - "SETGID"
      - "SETUID"
      - "SETPCAP"
      - "NET_BIND_SERVICE"
      - "NET_RAW"
      - "SYS_CHROOT"
  privileged: false
  seccompProfile:
    type: "RuntimeDefault"
  readOnlyRootFilesystem: false
  runAsUser: 0
  runAsGroup: 0
  runAsNonRoot: false
  seLinuxOptions: {{ .Values.seLinuxOptions.umsPortalFrontend }}
...