{{- include "sie-cluster.validateNats" . -}}
{{- include "sie-cluster.validateTls" . -}}
{{- $tls := include "sie-cluster.ingressTlsConfig" . | fromYaml -}}
{{- $kubePrometheusStack := index .Values "kube-prometheus-stack" -}}
SIE Cluster {{ .Chart.Version }} deployed to namespace {{ include "sie-cluster.namespace" . }}.

Gateway: http://{{ include "sie-cluster.gateway.serviceName" . }}.{{ include "sie-cluster.namespace" . }}.svc:{{ .Values.gateway.service.port }}

{{- if $kubePrometheusStack.install }}
Prometheus: enabled - kubectl port-forward -n {{ include "sie-cluster.namespace" . }} svc/{{ include "sie-cluster.kubePrometheusStack.prometheusServiceName" . }} 9090
{{- end }}
{{- if and $kubePrometheusStack.install $kubePrometheusStack.grafana.enabled }}
Grafana:    enabled - kubectl port-forward -n {{ include "sie-cluster.namespace" . }} svc/{{ .Release.Name }}-grafana 3000:80
Grafana password: kubectl get secret -n {{ include "sie-cluster.namespace" . }} {{ .Release.Name }}-grafana -o jsonpath="{.data.admin-password}" | base64 -d
{{- end }}
{{- if .Values.keda.install }}
KEDA:       enabled
{{- end }}
{{- if and $tls.enabled (eq (default "byo" $tls.mode) "cert-manager") }}

TLS via cert-manager: certificate is being issued via ACME HTTP-01 challenge.
This typically takes 30–120s on first install. Track progress with:
  kubectl -n {{ include "sie-cluster.namespace" . }} get certificate -w
The gateway will return TLS errors briefly until the certificate is Ready.
{{- end }}
{{- if and $tls.enabled (eq (default "byo" $tls.mode) "self-signed") }}

TLS via self-signed CA: a root CA, CA ClusterIssuer, and leaf cert are being issued by cert-manager.
This typically takes 10-30s on first install. Track progress with:
  kubectl -n {{ include "sie-cluster.namespace" . }} get certificate -w
Export the root CA (e.g. to trust on a client machine):
  kubectl -n {{ include "sie-cluster.namespace" . }} get secret {{ $tls.selfSigned.rootCA.secretName }} \
    -o jsonpath='{.data.ca\.crt}' | base64 -d > sie-root-ca.crt
{{- if .Values.certManagerBundle.trustBundle.enabled }}
The root CA is also replicated to selected namespaces as ConfigMap {{ .Values.certManagerBundle.trustBundle.name | quote }}
(key: {{ .Values.certManagerBundle.trustBundle.target.configMapKey | quote }}) via trust-manager.
{{- end }}
{{- end }}
