helm-charts/charts/gohoarder/templates/configmap.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "gohoarder.fullname" . }}-config
  labels:
    {{- include "gohoarder.labels" . | nindent 4 }}
data:
  config.yaml: |
    server:
      host: {{ .Values.server.host | quote }}
      port: {{ .Values.server.port }}
      read_timeout: {{ .Values.server.readTimeout | quote }}
      write_timeout: {{ .Values.server.writeTimeout | quote }}
      idle_timeout: {{ .Values.server.idleTimeout | quote }}
      tls:
        enabled: false

    storage:
      backend: {{ .Values.storage.backend | quote }}
      {{- if eq .Values.storage.backend "filesystem" }}
      path: "/var/cache/gohoarder"
      filesystem:
        base_path: "/var/cache/gohoarder"
      {{- else if eq .Values.storage.backend "s3" }}
      s3:
        endpoint: {{ .Values.storage.s3.endpoint | quote }}
        region: {{ .Values.storage.s3.region | quote }}
        bucket: {{ .Values.storage.s3.bucket | quote }}
        {{- if .Values.storage.s3.existingSecret }}
        access_key_id: "${S3_ACCESS_KEY_ID}"
        secret_access_key: "${S3_SECRET_ACCESS_KEY}"
        {{- else }}
        access_key_id: {{ .Values.storage.s3.accessKeyId | quote }}
        secret_access_key: {{ .Values.storage.s3.secretAccessKey | quote }}
        {{- end }}
        use_ssl: {{ .Values.storage.s3.useSSL }}
      {{- else if eq .Values.storage.backend "smb" }}
      smb:
        host: {{ .Values.storage.smb.host | quote }}
        share: {{ .Values.storage.smb.share | quote }}
        {{- if .Values.storage.smb.existingSecret }}
        username: "${SMB_USERNAME}"
        password: "${SMB_PASSWORD}"
        {{- else }}
        username: {{ .Values.storage.smb.username | quote }}
        password: {{ .Values.storage.smb.password | quote }}
        {{- end }}
        domain: {{ .Values.storage.smb.domain | quote }}
      {{- end }}

    metadata:
      backend: {{ .Values.metadata.backend | quote }}
      {{- if eq .Values.metadata.backend "sqlite" }}
      connection: "file:/var/lib/gohoarder/metadata/gohoarder.db?cache=shared&mode=rwc"
      sqlite:
        path: "/var/lib/gohoarder/metadata/gohoarder.db"
        wal_mode: {{ .Values.metadata.sqlite.walMode }}
      {{- else if eq .Values.metadata.backend "postgresql" }}
      postgresql:
        host: {{ .Values.metadata.postgresql.host | quote }}
        port: {{ .Values.metadata.postgresql.port }}
        database: {{ .Values.metadata.postgresql.database | quote }}
        {{- if .Values.metadata.postgresql.existingSecret }}
        user: "${POSTGRES_USER}"
        password: "${POSTGRES_PASSWORD}"
        {{- else }}
        user: {{ .Values.metadata.postgresql.username | quote }}
        password: {{ .Values.metadata.postgresql.password | quote }}
        {{- end }}
        ssl_mode: {{ .Values.metadata.postgresql.sslMode | quote }}
      {{- end }}

    cache:
      default_ttl: {{ .Values.cache.defaultTTL | quote }}
      cleanup_interval: {{ .Values.cache.cleanupInterval | quote }}
      max_size_bytes: {{ .Values.cache.maxSizeBytes }}
      per_project_quota: {{ .Values.cache.perProjectQuota }}
      ttl_overrides:
        {{- range $key, $value := .Values.cache.ttlOverrides }}
        {{ $key }}: {{ $value | quote }}
        {{- end }}

    security:
      enabled: {{ .Values.security.enabled }}
      block_on_severity: {{ .Values.security.blockOnSeverity | quote }}
      scan_on_download: {{ .Values.security.scanOnDownload }}
      rescan_interval: {{ .Values.security.rescanInterval | quote }}
      update_db_on_startup: {{ .Values.security.updateDbOnStartup }}
      block_thresholds:
        critical: {{ .Values.security.blockThresholds.critical }}
        high: {{ .Values.security.blockThresholds.high }}
        medium: {{ .Values.security.blockThresholds.medium }}
        low: {{ .Values.security.blockThresholds.low }}
      scanners:
        trivy:
          # Disabled in server config (no trivy binary), enabled via env var in scanner pod
          enabled: false
          timeout: {{ .Values.security.scanners.trivy.timeout | quote }}
          cache_db: {{ .Values.security.scanners.trivy.cacheDb | quote }}
        osv:
          # API-based scanner - works in both server and scanner pods
          enabled: {{ .Values.security.scanners.osv.enabled }}
          api_url: {{ .Values.security.scanners.osv.apiUrl | quote }}
          timeout: {{ .Values.security.scanners.osv.timeout | quote }}
        grype:
          # Disabled in server config (no grype binary), enabled via env var in scanner pod
          enabled: false
          timeout: {{ .Values.security.scanners.grype.timeout | quote }}
        govulncheck:
          # Disabled in server config (no go/govulncheck binary), enabled via env var in scanner pod
          enabled: false
          timeout: {{ .Values.security.scanners.govulncheck.timeout | quote }}
        npm_audit:
          # Disabled in server config (no npm binary), enabled via env var in scanner pod
          enabled: false
          timeout: {{ .Values.security.scanners.npmAudit.timeout | quote }}
        pip_audit:
          # Disabled in server config (no pip binary), enabled via env var in scanner pod
          enabled: false
          timeout: {{ .Values.security.scanners.pipAudit.timeout | quote }}
        ghsa:
          enabled: {{ .Values.security.scanners.ghsa.enabled }}
          timeout: {{ .Values.security.scanners.ghsa.timeout | quote }}
          {{- if or .Values.security.scanners.ghsa.token .Values.security.scanners.ghsa.existingSecret }}
          token: "${GHSA_TOKEN}"
          {{- end }}
        static:
          enabled: {{ .Values.security.scanners.static.enabled }}
          max_package_size: {{ .Values.security.scanners.static.maxPackageSize }}
          check_checksums: {{ .Values.security.scanners.static.checkChecksums }}
          block_suspicious: {{ .Values.security.scanners.static.blockSuspicious }}

    auth:
      enabled: {{ .Values.auth.enabled }}
      key_expiration: {{ .Values.auth.keyExpiration | quote }}
      bcrypt_cost: {{ .Values.auth.bcryptCost }}
      audit_log: {{ .Values.auth.auditLog }}

    network:
      connect_timeout: {{ .Values.network.connectTimeout | quote }}
      read_timeout: {{ .Values.network.readTimeout | quote }}
      write_timeout: {{ .Values.network.writeTimeout | quote }}
      max_idle_conns: {{ .Values.network.maxIdleConns }}
      max_conns_per_host: {{ .Values.network.maxConnsPerHost }}
      rate_limit:
        per_api_key: {{ .Values.network.rateLimit.perApiKey }}
        per_ip: {{ .Values.network.rateLimit.perIp }}
        burst_size: {{ .Values.network.rateLimit.burstSize }}
      circuit_breaker:
        threshold: {{ .Values.network.circuitBreaker.threshold }}
        timeout: {{ .Values.network.circuitBreaker.timeout | quote }}
        reset_interval: {{ .Values.network.circuitBreaker.resetInterval | quote }}
      retry:
        max_attempts: {{ .Values.network.retry.maxAttempts }}
        initial_backoff: {{ .Values.network.retry.initialBackoff | quote }}
        max_backoff: {{ .Values.network.retry.maxBackoff | quote }}

    logging:
      level: {{ .Values.logging.level | quote }}
      format: {{ .Values.logging.format | quote }}

    handlers:
      go:
        enabled: {{ .Values.handlers.go.enabled }}
        upstream_proxy: {{ .Values.handlers.go.upstreamProxy | quote }}
        checksum_db: {{ .Values.handlers.go.checksumDb | quote }}
        verify_checksums: {{ .Values.handlers.go.verifyChecksums }}
      npm:
        enabled: {{ .Values.handlers.npm.enabled }}
        upstream_registry: {{ .Values.handlers.npm.upstreamRegistry | quote }}
      pypi:
        enabled: {{ .Values.handlers.pypi.enabled }}
        upstream_url: {{ .Values.handlers.pypi.upstreamUrl | quote }}
        simple_api_url: {{ .Values.handlers.pypi.simpleApiUrl | quote }}