# Shared ConfigMaps for La Suite Numérique application pods.
# App Helm values reference these via configMapKeyRef so no value is duplicated.
# DOMAIN_SUFFIX is substituted by sed at deploy time.
#
# ConfigMaps are stored and served unencrypted to anything that can read them,
# so this file holds only non-secret values. Passwords, access keys, and client
# secrets belong in Secret objects.
---
# ── PostgreSQL connection (non-secret values) ────────────────────────────────
# Host, port, and Django engine only. No user name or password is set here;
# presumably they are supplied from a Secret (not visible in this file).
apiVersion: v1
kind: ConfigMap
metadata:
  name: lasuite-postgres
  namespace: lasuite
data:
  DB_HOST: 'postgres-rw.data.svc.cluster.local'
  # Quoted: ConfigMap data values must be strings, not integers.
  DB_PORT: '5432'
  DB_ENGINE: 'django.db.backends.postgresql_psycopg2'
---
# ── Valkey (Redis-compatible) ────────────────────────────────────────────────
# The two URLs select different logical databases (1 and 0) on one instance.
# NOTE(review): both use the plain redis:// scheme and carry no credentials, so
# as written the connection is neither encrypted nor authenticated. Confirm that
# network access to the Valkey service is restricted to the pods that need it.
# If a password is ever added to these URLs, move them into a Secret.
apiVersion: v1
kind: ConfigMap
metadata:
  name: lasuite-valkey
  namespace: lasuite
data:
  REDIS_URL: 'redis://valkey.data.svc.cluster.local:6379/1'
  CELERY_BROKER_URL: 'redis://valkey.data.svc.cluster.local:6379/0'
---
# ── SeaweedFS S3 API (non-secret values) ─────────────────────────────────────
# Endpoint, region, and default ACL only; access keys are not defined here.
# NOTE(review): the endpoint is http://, so S3 requests and object data cross
# the cluster network unencrypted. Confirm this is acceptable for the data
# stored, or front the filer with TLS.
apiVersion: v1
kind: ConfigMap
metadata:
  name: lasuite-s3
  namespace: lasuite
data:
  AWS_S3_ENDPOINT_URL: 'http://seaweedfs-filer.storage.svc.cluster.local:8333'
  AWS_S3_REGION_NAME: 'us-east-1'
  # Uploaded objects default to the private ACL.
  AWS_DEFAULT_ACL: 'private'
---
# ── Hydra OIDC provider endpoints ────────────────────────────────────────────
# All La Suite apps use mozilla-django-oidc. These vars point to Hydra public
# endpoints via the proxy, so external DOMAIN_SUFFIX URLs work from inside the
# cluster without split-DNS.
# DOMAIN_SUFFIX is substituted by sed at deploy time. A manifest applied without
# that substitution would point every app at the literal host auth.DOMAIN_SUFFIX,
# so check the rendered output for leftover placeholders before applying.
apiVersion: v1
kind: ConfigMap
metadata:
  name: lasuite-oidc-provider
  namespace: lasuite
data:
  OIDC_OP_JWKS_ENDPOINT: 'https://auth.DOMAIN_SUFFIX/.well-known/jwks.json'
  OIDC_OP_AUTHORIZATION_ENDPOINT: 'https://auth.DOMAIN_SUFFIX/oauth2/auth'
  OIDC_OP_TOKEN_ENDPOINT: 'https://auth.DOMAIN_SUFFIX/oauth2/token'
  OIDC_OP_USER_ENDPOINT: 'https://auth.DOMAIN_SUFFIX/userinfo'
  OIDC_OP_LOGOUT_ENDPOINT: 'https://auth.DOMAIN_SUFFIX/oauth2/sessions/logout'
  # Asymmetric signing: ID tokens are checked against the provider's published
  # keys (the JWKS endpoint above) rather than a shared client secret.
  OIDC_RP_SIGN_ALGO: 'RS256'
  OIDC_RP_SCOPES: 'openid email profile'
  # Keep certificate verification on for calls to the provider. Quoted so the
  # value stays the string "true" rather than a YAML boolean.
  OIDC_VERIFY_SSL: 'true'