apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: cnpg
  namespace: cnpg-system
spec:
  interval: 10m
  releaseName: cnpg
  chart:
    spec:
      chart: cloudnative-pg
      sourceRef:
        kind: HelmRepository
        name: cloudnative-pg
        namespace: flux-system
  install:
    createNamespace: true
  values:
    # CloudNative-PG Operator resource limits
    operator:
      resources:
        limits:
          cpu: 100m
          memory: 128Mi
        requests:
          cpu: 50m
          memory: 64Mi
      # Security context
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 65534
        capabilities:
          drop:
            - ALL
      # Pod security context
      podSecurityContext:
        runAsNonRoot: true
        runAsUser: 65534
        fsGroup: 65534
        seccompProfile:
          type: RuntimeDefault
    
    # Webhook configuration
    webhook:
      resources:
        limits:
          cpu: 50m
          memory: 64Mi
        requests:
          cpu: 25m
          memory: 32Mi
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 65534
        capabilities:
          drop:
            - ALL
    
    # Monitoring configuration
    monitoring:
      enabled: true
      # Set to true if you have Prometheus
      serviceMonitor:
        enabled: false
    
    # Additional configuration
    config:
      # Default storage class for PostgreSQL clusters
      # storageClass: ""
      
      # Default monitoring configuration
      monitoring:
        enabled: true