# Helm values for the pieced-operator chart.

# Container image for the operator.
# NOTE(review): the tag is a mutable reference, and with IfNotPresent a node
# that already has "0.1.13" cached will not re-pull it. Pinning by digest
# would make the deployed artifact immutable; confirm the chart templates
# accept a digest before relying on that.
image:
  repository: registry.c5ai.ch/pieced/pieced-operator
  tag: "0.1.13"
  pullPolicy: IfNotPresent

# Pull secret for the private registry; it is referenced by name only, so it
# has to exist in the namespace the release is installed into.
imagePullSecrets:
  - name: registry-creds

replicaCount: 1

# Operator configuration: the in-cluster endpoints it connects to.
config:
  vault:
    # In-cluster service URL of OpenBao.
    # NOTE(review): the scheme is plain http. Presumably the Kubernetes auth
    # login (service account token) and any secrets read back travel over
    # this connection; unless a service mesh or CNI encrypts pod traffic,
    # they cross the cluster network in cleartext. Confirm, and prefer an
    # https listener on OpenBao.
    address: "http://openbao.openbao.svc:8200"
    # Kubernetes auth role the operator logs in with; it must already exist
    # in OpenBao before the operator starts.
    role: "pieced-operator"
    # Name of the auth path used for the Kubernetes login.
    authPath: "kubernetes"
  litellm:
    # In-cluster service URL of LiteLLM.
    # NOTE(review): also plain http; the cleartext caveat above applies to
    # any credentials sent to this endpoint.
    url: "http://litellm.inference.svc:4000"

# Pod-level security context: run as a fixed non-root UID/GID.
# NOTE(review): 65532 is the conventional "nonroot" user of distroless
# images; confirm it matches the user the image expects.
securityContext:
  runAsNonRoot: true
  runAsUser: 65532
  runAsGroup: 65532
  fsGroup: 65532

# Container-level hardening: no privilege escalation, read-only root
# filesystem, every Linux capability dropped, runtime default seccomp.
containerSecurityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop:
      - ALL
  seccompProfile:
    type: RuntimeDefault

# CPU and memory requests and limits for the operator container.
resources:
  requests:
    cpu: 50m
    memory: 128Mi
  limits:
    cpu: 200m
    memory: 256Mi

# Leader election keeps reconciliation on a single instance; it only comes
# into play when replicaCount is raised above 1.
leaderElection:
  enabled: true

# Service account: the operator's identity for RBAC and for OpenBao
# Kubernetes auth.
# NOTE(review): the OpenBao role presumably binds to this name and the
# release namespace (bound_service_account_names /
# bound_service_account_namespaces); keep both bindings exact, with no
# wildcards.
serviceAccount:
  name: pieced-operator
  annotations: {}

# Network policy limiting operator egress to the destinations it needs.
# NOTE(review): the rules themselves are defined in the chart templates, not
# in this file, and they take effect only when the cluster's CNI enforces
# NetworkPolicy. Verify both.
networkPolicy:
  enabled: true