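# openshift-values.yaml
#
# Example overrides for deploying SeaweedFS on OpenShift (or any cluster
# enforcing the Kubernetes "restricted" Pod Security Standard).
#
# OpenShift's default "restricted" SCC blocks containers that:
#   - Run as UID 0 (root)
#   - Request privilege escalation
#   - Use hostPath volumes
#   - Omit a seccompProfile
#
# These overrides satisfy all four requirements by:
#   1. Replacing hostPath volumes with PersistentVolumeClaims (or emptyDir
#      for logs)
#   2. Enabling runAsNonRoot: true. By omitting runAsUser, OpenShift will
#      automatically assign a valid UID from the namespace's allocated range.
#   3. Dropping all Linux capabilities and setting
#      allowPrivilegeEscalation: false
#   4. Enabling RuntimeDefault seccompProfile
#
# Scope and caveats:
#   - Only master, volume, filer and s3 are overridden here. Any other
#     component you enable keeps the chart defaults, so check the rendered
#     manifests (helm template ... -f openshift-values.yaml) before
#     relying on this file for admission.
#   - Outside OpenShift nothing assigns a UID for you. runAsNonRoot is only
#     a check: if the image's default user is root or non-numeric, the
#     kubelet refuses to start the container. On such clusters set
#     runAsUser/runAsGroup/fsGroup explicitly in podSecurityContext.
#   - NOTE(review): clusters that only offer the legacy "restricted" SCC
#     (before "restricted-v2" existed) may reject an explicit
#     seccompProfile - verify on your OpenShift version.
#   - emptyDir log volumes are deleted with the pod. Forward logs elsewhere
#     if they are needed for audit or incident investigation.
#
# Usage:
#   helm install seaweedfs seaweedfs/seaweedfs \
#     -n seaweedfs --create-namespace \
#     -f openshift-values.yaml
#
# Adjust storageClass and sizes to match your cluster's available
# StorageClasses. On OpenShift you can discover them with:
#   oc get storageclass
---
master:
  data:
    type: "persistentVolumeClaim"
    size: "10Gi"
    # Leave empty to use the cluster default StorageClass.
    storageClass: ""
  logs:
    # Avoids hostPath; use persistentVolumeClaim if you need log persistence.
    type: "emptyDir"
  podSecurityContext:
    enabled: true
    # On OpenShift, we omit runAsUser/runAsGroup/fsGroup to let the admission
    # controller assign them automatically based on the namespace's SCC.
    runAsNonRoot: true
  containerSecurityContext:
    enabled: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault

volume:
  dataDirs:
    - name: data1
      type: "persistentVolumeClaim"
      size: "100Gi"
      # Leave empty to use the cluster default StorageClass.
      storageClass: ""
      maxVolumes: 0
  logs:
    type: "emptyDir"
  podSecurityContext:
    enabled: true
    # On OpenShift, we omit runAsUser/runAsGroup/fsGroup to let the admission
    # controller assign them automatically based on the namespace's SCC.
    runAsNonRoot: true
  containerSecurityContext:
    enabled: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault

filer:
  data:
    type: "persistentVolumeClaim"
    size: "25Gi"
    # Leave empty to use the cluster default StorageClass.
    storageClass: ""
  logs:
    type: "emptyDir"
  podSecurityContext:
    enabled: true
    # On OpenShift, we omit runAsUser/runAsGroup/fsGroup to let the admission
    # controller assign them automatically based on the namespace's SCC.
    runAsNonRoot: true
  containerSecurityContext:
    enabled: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault

# S3 gateway (if enabled)
s3:
  podSecurityContext:
    enabled: true
    # On OpenShift, we omit runAsUser/runAsGroup/fsGroup to let the admission
    # controller assign them automatically based on the namespace's SCC.
    runAsNonRoot: true
  containerSecurityContext:
    enabled: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault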