All the deploy

deploy/helm/pieced-operator/values.yaml

@@ -0,0 +1,55 @@
+image:
+  repository: registry.c5ai.ch/pieced/pieced-operator
+  tag: latest
+  pullPolicy: IfNotPresent
+
+replicaCount: 1
+
+# Operator configuration
+config:
+  vault:
+    # Internal service URL for OpenBao
+    address: "http://openbao.openbao.svc:8200"
+    # K8s auth role for the operator (must be pre-created in OpenBao)
+    role: "pieced-operator"
+    authPath: "kubernetes"
+  litellm:
+    # Internal service URL for LiteLLM
+    url: "http://litellm.inference.svc:4000"
+
+# Security context — non-root, read-only rootfs, no privileges
+securityContext:
+  runAsNonRoot: true
+  runAsUser: 65532
+  runAsGroup: 65532
+  fsGroup: 65532
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: true
+  capabilities:
+    drop:
+      - ALL
+  seccompProfile:
+    type: RuntimeDefault
+
+resources:
+  requests:
+    cpu: 50m
+    memory: 128Mi
+  limits:
+    cpu: 200m
+    memory: 256Mi
+
+# Leader election ensures only one instance reconciles
+leaderElection:
+  enabled: true
+
+# Service account — the operator's identity for RBAC and Vault K8s auth
+serviceAccount:
+  name: pieced-operator
+  annotations: {}
+
+# Network policy — restrict operator egress to only what it needs
+networkPolicy:
+  enabled: true