1. Get the application URL by running these commands:
{{- if .Values.frontendWeb.ingress.enabled }}
{{- range $host := .Values.frontendWeb.ingress.hosts }}
  {{- range .paths }}
  http{{ if $.Values.frontendWeb.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
  {{- end }}
{{- end }}
{{- else if contains "NodePort" .Values.frontendWeb.service.type }}
  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "flow.serviceName" (dict "root" . "service" "frontend-web") }})
  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
  echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.frontendWeb.service.type }}
     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
           You can watch the status by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "flow.serviceName" (dict "root" . "service" "frontend-web") }}'
  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "flow.serviceName" (dict "root" . "service" "frontend-web") }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
  echo http://$SERVICE_IP:{{ .Values.frontendWeb.service.port }}
{{- else if contains "ClusterIP" .Values.frontendWeb.service.type }}
  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name=frontend-web,app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
  echo "Visit http://127.0.0.1:8080 to use your application"
  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
{{- end }}

2. Flow Platform Services Deployed:
{{- if .Values.workflowEngine.enabled }}
   ✓ Workflow Engine
{{- end }}
{{- if .Values.activityRegistry.enabled }}
   ✓ Activity Registry
{{- end }}
{{- if .Values.definitionStore.enabled }}
   ✓ Definition Store
{{- end }}
{{- if .Values.workflowLogging.enabled }}
   ✓ Workflow Logging
{{- end }}
{{- if .Values.connectionStore.enabled }}
   ✓ Connection Store
{{- end }}
{{- if .Values.tenantRegistry.enabled }}
   ✓ Tenant Registry
{{- end }}
{{- if .Values.frontendWeb.enabled }}
   ✓ Frontend Web
{{- end }}

3. Infrastructure Services:
   
   PostgreSQL:
{{- if .Values.global.database.postgres.external }}
   ✓ External: {{ .Values.global.database.postgres.host }}:{{ .Values.global.database.postgres.port }}
{{- else if .Values.postgresql.enabled }}
   {{- if eq .Values.postgresql.mode "ha" }}
   ✓ Deployed (HA Mode - Primary + {{ .Values.postgresql.replica.replicaCount }} Replicas)
     Primary: {{ .Release.Name }}-postgresql-primary:5432
     Read Replicas: {{ .Release.Name }}-postgresql-read:5432
   {{- else }}
   ✓ Deployed (Standalone Mode)
     Host: {{ .Release.Name }}-postgresql:5432
   {{- end }}
{{- else }}
   ✗ Not configured
{{- end }}

   RabbitMQ:
{{- if .Values.global.rabbitmq.external }}
   ✓ External: {{ .Values.global.rabbitmq.host }}:{{ .Values.global.rabbitmq.port }}
{{- else if .Values.rabbitmq.enabled }}
   {{- if eq .Values.rabbitmq.mode "ha" }}
   ✓ Deployed (HA Mode - {{ .Values.rabbitmq.replicaCount }} node cluster)
   {{- else }}
   ✓ Deployed (Standalone Mode)
   {{- end }}
     AMQP: {{ .Release.Name }}-rabbitmq:5672
     Management: {{ .Release.Name }}-rabbitmq:15672
{{- else }}
   ✗ Not configured
{{- end }}

   Redis:
{{- if not .Values.global.redis.enabled }}
   ✗ Disabled
{{- else if .Values.global.redis.external }}
   ✓ External: {{ .Values.global.redis.host }}:{{ .Values.global.redis.port }}
{{- else if .Values.redis.enabled }}
   {{- if eq .Values.redis.mode "ha" }}
   ✓ Deployed (HA Mode - Master + {{ .Values.redis.replica.replicaCount }} Replicas + Sentinel)
   {{- else }}
   ✓ Deployed (Standalone Mode)
   {{- end }}
{{- else }}
   ✗ Not configured
{{- end }}

   Keycloak (Identity Provider):
{{- if not .Values.global.keycloak.enabled }}
   ✗ Disabled (using Azure AD only)
{{- else if .Values.global.keycloak.external }}
   ✓ External: {{ .Values.global.keycloak.url }}
     Realm: {{ .Values.global.keycloak.realm }}
{{- else if .Values.keycloak.enabled }}
   ✓ Deployed ({{ .Values.keycloak.mode }} mode)
     Internal URL: http://{{ .Release.Name }}-keycloak:{{ .Values.keycloak.httpPort }}
     Realm: {{ .Values.global.keycloak.realm }}
   {{- if .Values.keycloak.ingress.enabled }}
     External URL: http{{ if .Values.keycloak.ingress.tls }}s{{ end }}://{{ .Values.keycloak.ingress.host }}
   {{- end }}
{{- else }}
   ✗ Not configured
{{- end }}

   Authentication Mode:
{{- if and .Values.global.azureAd.enabled .Values.global.keycloak.enabled }}
   ⚡ Dual-Auth (Entra + Keycloak) — migration period
{{- else if .Values.global.keycloak.enabled }}
   ✓ Keycloak only
{{- else if .Values.global.azureAd.enabled }}
   ✓ Azure AD / Entra only
{{- else }}
   ✗ Authentication disabled
   ⚠️  Consider enabling Keycloak or Azure AD authentication before exposing this release
{{- end }}

4. Security & Compliance Status:

   Network Policies:
{{- if .Values.networkPolicy.enabled }}
   ✓ Enabled (Zero-trust networking active)
   {{- if .Values.networkPolicy.defaultDenyIngress }}
     - Default deny ingress: ENABLED
   {{- end }}
{{- else }}
   ✗ Disabled
   ⚠️  Consider enabling network policies for SOC2/NIS2 compliance
{{- end }}

   TLS/Encryption:
{{- if .Values.tls.enabled }}
   ✓ Internal TLS: Enabled (min version: {{ .Values.tls.minVersion }})
{{- else }}
   ✗ Internal TLS: Disabled
   ⚠️  Consider enabling internal TLS for SOC2/NIS2 compliance
{{- end }}
{{- if .Values.global.rabbitmq.tls.enabled }}
   ✓ RabbitMQ TLS: Enabled
{{- end }}
{{- if .Values.global.redis.tls.enabled }}
   ✓ Redis TLS: Enabled
{{- end }}

   Audit Logging:
{{- if .Values.auditLogging.enabled }}
   ✓ Enabled
     - API Requests: {{ .Values.auditLogging.logApiRequests }}
     - Auth Events: {{ .Values.auditLogging.logAuthEvents }}
     - Data Access: {{ .Values.auditLogging.logDataAccess }}
     - Retention: {{ .Values.auditLogging.retentionDays }} days
   {{- if .Values.auditLogging.export.enabled }}
     - Export: {{ .Values.auditLogging.export.type }}
   {{- end }}
{{- else }}
   ✗ Disabled
   ⚠️  Consider enabling audit logging for SOC2/NIS2 compliance
{{- end }}

5. Backup Status:
{{- if .Values.backup.enabled }}
   ✓ Backups Enabled
   
   {{- if and .Values.backup.postgresql.enabled .Values.postgresql.enabled }}
   PostgreSQL Backup:
     Schedule: {{ .Values.backup.postgresql.schedule }}
     Retention: {{ .Values.backup.postgresql.retentionCount }} backups
     {{- if .Values.backup.global.encryption.enabled }}
     Encryption: ✓ Enabled
     {{- end }}
   {{- end }}
   
   {{- if and .Values.backup.rabbitmq.enabled .Values.rabbitmq.enabled }}
   RabbitMQ Backup:
     Schedule: {{ .Values.backup.rabbitmq.schedule }}
     Type: {{ .Values.backup.rabbitmq.backupType }}
     Retention: {{ .Values.backup.rabbitmq.retentionCount }} backups
   {{- end }}
   
   {{- if and .Values.backup.redis.enabled .Values.redis.enabled }}
   Redis Backup:
     Schedule: {{ .Values.backup.redis.schedule }}
     Retention: {{ .Values.backup.redis.retentionCount }} backups
   {{- end }}
   
   Storage: {{ .Values.backup.global.storageType }}
   {{- if .Values.backup.global.encryption.enabled }}
   Encryption: ✓ AES-256 Encrypted
   {{- end }}
   
   To view backup jobs:
   kubectl get cronjobs --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }}
   
   To view backup history:
   kubectl get jobs --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }}
{{- else }}
   ✗ Backups Disabled
   ⚠️  Consider enabling backups for SOC2/NIS2 compliance
{{- end }}

6. Management Interfaces:
{{- if and .Values.rabbitmq.enabled (not .Values.global.rabbitmq.external) }}

   RabbitMQ Management UI:
   kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ .Release.Name }}-rabbitmq 15672:15672
   Then visit: http://localhost:15672
{{- end }}
{{- if and .Values.global.keycloak.enabled .Values.keycloak.enabled (not .Values.global.keycloak.external) }}

   Keycloak Admin Console:
   kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ .Release.Name }}-keycloak {{ .Values.keycloak.httpPort }}:{{ .Values.keycloak.httpPort }}
   Then visit: http://localhost:{{ .Values.keycloak.httpPort }}
   Admin user: {{ .Values.global.keycloak.adminUsername }}
{{- end }}

7. Compliance Checklist:
{{- $compliant := true }}
{{- if not .Values.networkPolicy.enabled }}
   ✗ Network Policies (not enabled)
   {{- $compliant = false }}
{{- else }}
   ✓ Network Policies
{{- end }}
{{- if not .Values.backup.enabled }}
   ✗ Automated Backups (not enabled)
   {{- $compliant = false }}
{{- else }}
   ✓ Automated Backups
{{- end }}
{{- if not .Values.auditLogging.enabled }}
   ✗ Audit Logging (not enabled)
   {{- $compliant = false }}
{{- else }}
   ✓ Audit Logging
{{- end }}
{{- if not .Values.tls.enabled }}
   ✗ Internal TLS (not enabled)
   {{- $compliant = false }}
{{- else }}
   ✓ Internal TLS
{{- end }}
{{- if and .Values.postgresql.enabled (eq .Values.postgresql.mode "standalone") }}
   ✗ PostgreSQL HA (running in standalone mode)
   {{- $compliant = false }}
{{- else if .Values.postgresql.enabled }}
   ✓ PostgreSQL HA
{{- end }}
{{- if and .Values.rabbitmq.enabled (eq .Values.rabbitmq.mode "standalone") }}
   ✗ RabbitMQ HA (running in standalone mode)
   {{- $compliant = false }}
{{- else if .Values.rabbitmq.enabled }}
   ✓ RabbitMQ HA
{{- end }}

{{- if not $compliant }}

   ⚠️  Some compliance requirements are not met.
   See examples/values-soc2-nis2-compliance.yaml for a fully compliant configuration.
{{- else }}

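   ✓ All compliance checks listed above passed.
     Authentication mode, ingress TLS and backup encryption are not evaluated by this checklist.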
{{- end }}

For more information, visit: https://git.kn.entit.eu/EntitAB/Flow
