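---
# Non-secret runtime settings for the workclub application.
# Only the keys are defined here; how workloads consume them is not shown.
apiVersion: v1
kind: ConfigMap
metadata:
  name: workclub-config
  labels:
    app: workclub
data:
  log-level: "Information"
  # NOTE(review): the origin list includes a localhost development origin;
  # confirm it is intended for the environment this manifest is applied to.
  cors-origins: "http://localhost:3000,http://192.168.240.200:30080"
  # NOTE(review): every endpoint below is plain http. With an http
  # keycloak-authority, OIDC discovery and token traffic are unencrypted and
  # the issuer is not authenticated by TLS. Acceptable only on an isolated
  # lab network; use https endpoints anywhere else.
  api-base-url: "http://192.168.240.200:30081"
  keycloak-url: "http://192.168.240.200:30082"
  keycloak-authority: "http://192.168.240.200:30082/realms/workclub"
  keycloak-audience: "workclub-api"
  keycloak-realm: "workclub"
  # Database configuration
  database-host: "workclub-postgres"
  # Kept as a quoted string: ConfigMap data values must be strings.
  database-port: "5432"
  database-name: "workclub"
---
# SQL bootstrap script for the workclub-postgres instance.
# It creates the keycloak database and user, hands ownership of the public
# schema to the owning role in each database, and sets up the app_admin role.
# The script connects to the workclub database and grants to the app role
# without creating either, so both presumably exist before it runs (verify
# against the postgres workload definition).
apiVersion: v1
kind: ConfigMap
metadata:
  name: postgres-init
  labels:
    app: workclub-postgres
data:
  # SECURITY(review): the keycloak role's password is a static literal inside
  # a ConfigMap. ConfigMaps are not meant for confidential data and are
  # readable by anyone with get access to ConfigMaps in the namespace or to
  # this manifest in version control. Source the password from a Kubernetes
  # Secret and rotate the value committed here. The literal is left unchanged
  # because whatever consumes it (presumably the Keycloak deployment) is not
  # visible in this file.
  #
  # app_admin is granted to app WITH INHERIT FALSE, SET TRUE: app does not
  # hold app_admin's privileges implicitly and must switch to the role with
  # SET ROLE. Keep it that way so the RLS-bypass path stays an explicit
  # step. This GRANT option syntax requires PostgreSQL 16 or later.
  #
  # GRANT ... ON ALL TABLES/SEQUENCES covers only objects that exist when the
  # script runs; the ALTER DEFAULT PRIVILEGES statements cover objects the
  # app role creates afterwards.
  init.sql: |
    -- Create keycloak database and user
    CREATE DATABASE keycloak;
    CREATE USER keycloak WITH PASSWORD 'keycloakpass';
    GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak;

    -- Keycloak database permissions
    \c keycloak
    GRANT ALL PRIVILEGES ON SCHEMA public TO keycloak;
    ALTER SCHEMA public OWNER TO keycloak;

    -- Application database permissions
    \c workclub
    GRANT ALL PRIVILEGES ON SCHEMA public TO app;
    ALTER SCHEMA public OWNER TO app;

    -- App admin role for RLS bypass policies used by API startup seed
    DO $$
    BEGIN
        IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'app_admin') THEN
            CREATE ROLE app_admin;
        END IF;
    END
    $$;
    GRANT app_admin TO app WITH INHERIT FALSE, SET TRUE;
    GRANT USAGE ON SCHEMA public TO app_admin;
    GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO app_admin;
    GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO app_admin;
    ALTER DEFAULT PRIVILEGES FOR ROLE app IN SCHEMA public GRANT ALL ON TABLES TO app_admin;
    ALTER DEFAULT PRIVILEGES FOR ROLE app IN SCHEMA public GRANT ALL ON SEQUENCES TO app_admin;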