# -- number of replicas to deploy
replicaCount: 1

image:
  # -- registry where the HAPI FHIR server image is hosted
  registry: docker.io
  # -- the path inside the repository
  repository: hapiproject/hapi
  # -- defaults to `Chart.appVersion`
  tag: ""
  # -- the flavor or variant of the image to use.
  # appended to the image tag by `-`.
  flavor: "distroless"
  # -- image pullPolicy to use
  pullPolicy: IfNotPresent

# -- image pull secrets to use when pulling the image
imagePullSecrets: []

# -- override the chart name
nameOverride: ""

# -- override the chart fullname
fullnameOverride: ""

# -- annotations applied to the server deployment
deploymentAnnotations: {}

# -- annotations applied to the server pod
podAnnotations: {}

# -- pod security context
podSecurityContext:
  {}
  # fsGroup: 2000

securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 65532

# service to expose the server
service:
  # -- service type
  type: ClusterIP
  # -- port where the server will be exposed at
  port: 8080

ingress:
  # -- whether to create an Ingress to expose the FHIR server HTTP endpoint
  enabled: false
  # -- provide any additional annotations which may be required. Evaluated as a template.
  annotations:
    {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  hosts:
    - host: fhir-server.127.0.0.1.nip.io
      pathType: ImplementationSpecific
      paths: ["/"]
  # -- ingress TLS config
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local

# -- configure the FHIR server's resource requests and limits
resources:
  {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

# -- node selector for the pod
nodeSelector: {}

# -- pod tolerations
tolerations: []

# -- pod affinity
affinity: {}

postgresql:
  # -- enable an included PostgreSQL DB.
  # see <https://github.com/bitnami/charts/tree/master/bitnami/postgresql> for details
  # if set to `false`, the values under `externalDatabase` are used
  enabled: true
  # -- name of the database to create
  # see: <https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-on-first-run>
  postgresqlDatabase: "fhir"
  # -- Name of existing secret to use for PostgreSQL passwords.
  # The secret has to contain the keys `postgresql-password`
  # which is the password for `postgresqlUsername` when it is
  # different of `postgres`, `postgresql-postgres-password` which
  # will override `postgresqlPassword`, `postgresql-replication-password`
  # which will override `replication.password` and `postgresql-ldap-password`
  # which will be sed to authenticate on LDAP. The value is evaluated as a template.
  existingSecret: ""
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL

readinessProbe:
  failureThreshold: 5
  initialDelaySeconds: 30
  periodSeconds: 20
  successThreshold: 1
  timeoutSeconds: 20

startupProbe:
  failureThreshold: 10
  initialDelaySeconds: 60
  periodSeconds: 30
  successThreshold: 1
  timeoutSeconds: 30

externalDatabase:
  # -- external database host used with `postgresql.enabled=false`
  host: localhost
  # -- database port number
  port: 5432
  # -- username for the external database
  user: fhir
  # -- database password
  password: ""
  # -- name of an existing secret resource containing the DB password in the `existingSecretKey` key
  existingSecret: ""
  # -- name of the key inside the `existingSecret`
  existingSecretKey: "postgresql-password"
  # -- database name
  database: fhir

networkPolicy:
  # -- enable NetworkPolicy
  enabled: false
  # -- a Kubernetes LabelSelector to explicitly select namespaces from which ingress traffic could be allowed
  explicitNamespacesSelector:
    {}
    # matchLabels:
    #   team: one
    #   test: foo

  # -- Additional allowed NetworkPolicyPeer specs
  # Evaluated as a template so you could do:
  #
  # Example:
  # allowedFrom:
  #   - podSelector:
  #       matchLabels:
  #         app.kubernetes.io/name: {{ $.Release.Name }}
  allowedFrom: []

# -- extra environment variables to set on the server container
extraEnv:
  []
  # - name: SPRING_FLYWAY_BASELINE_ON_MIGRATE
  #   value: "true"