feat: chart Helm parent lions-app v1.0.0 — templates hardened (secretKeyRef, readOnlyRootFS, NetworkPolicy, ExternalSecret, PDB, SM, HPA)

2026-04-22 14:22:00 +00:00
commit ab865631fe
16 changed files with 1074 additions and 0 deletions
--- a/README.md
+++ b/README.md
@@ -0,0 +1,178 @@
+# helm-chart-lions-app
+
+Chart Helm standard pour toutes les applications Lions Dev.
+
+## Ce que ce chart déploie
+
+- **Deployment** hardened (securityContext non-root, readOnlyRootFS, drop capabilities)
+- **Service** ClusterIP
+- **Ingress** nginx avec cert-manager + rate-limit + CORS optionnels
+- **ConfigMap** (env non-sensibles)
+- **ExternalSecret** (Vault → K8s Secret via External Secrets Operator)
+- **NetworkPolicy** default-deny + allow list paramétrable
+- **ServiceAccount** dédié par app
+- **PodDisruptionBudget** (si replicas > 1)
+- **ServiceMonitor** Prometheus (optionnel)
+- **HorizontalPodAutoscaler** (optionnel)
+
+## Installation / consommation
+
+### Via dependency Helm (recommandé)
+
+Chaque app crée un repo deploy minimaliste qui dépend de ce chart :
+
+```yaml
+# Chart.yaml de l'app consommatrice
+apiVersion: v2
+name: unionflow-server-impl-quarkus
+version: 1.0.0
+dependencies:
+  - name: lions-app
+    version: "1.0.0"
+    repository: "https://git.lions.dev/api/packages/lionsdev/helm"
+```
+
+```bash
+helm dependency update .
+helm upgrade --install unionflow-server-impl-quarkus . \
+  --namespace applications --create-namespace \
+  --values values.yaml
+```
+
+### Via package OCI local (dev)
+
+```bash
+helm package .
+helm upgrade --install myapp lions-app-1.0.0.tgz \
+  --namespace applications \
+  --set image.name=myapp --set image.tag=1.0.5
+```
+
+## Overrides usuels (values.yaml de l'app)
+
+```yaml
+lions-app:
+  # Image
+  image:
+    name: unionflow-server-impl-quarkus
+    tag: "1.0.5-20260418-081420"
+
+  # Replicas + HPA
+  replicaCount: 1
+  hpa:
+    enabled: false
+
+  # Resources
+  resources:
+    requests: { cpu: 200m, memory: 512Mi }
+    limits:   { cpu: "1",  memory: 1Gi }
+
+  # Env non-sensibles
+  configMap:
+    data:
+      QUARKUS_PROFILE: prod
+      APP_ENV: production
+      QUARKUS_HIBERNATE_ORM_DATABASE_GENERATION: validate
+      KAFKA_BOOTSTRAP_SERVERS: kafka-service.kafka.svc.cluster.local:9092
+      APP_BASE_URL: https://unionflow.lions.dev
+
+  # Secrets depuis Vault
+  externalSecret:
+    enabled: true
+    data:
+      - secretKey: QUARKUS_DATASOURCE_USERNAME
+        remoteRef:
+          key: lions/applications/unionflow-server/db
+          property: username
+      - secretKey: QUARKUS_DATASOURCE_PASSWORD
+        remoteRef:
+          key: lions/applications/unionflow-server/db
+          property: password
+      - secretKey: KEYCLOAK_CLIENT_SECRET
+        remoteRef:
+          key: lions/applications/unionflow-server/oidc
+          property: client-secret
+
+  # Ingress
+  ingress:
+    host: api.lions.dev
+    pathPrefix:
+      enabled: true
+      strip: /unionflow          # /unionflow/(.*) → /(.*) backend
+    rateLimit:
+      enabled: true
+      rpm: 3000
+    cors:
+      enabled: true
+      origins: "https://unionflow.lions.dev"
+
+  # Egress vers services externes
+  networkPolicy:
+    enabled: true
+    allowEgressTo:
+      - namespaceSelector:
+          kubernetes.io/metadata.name: postgresql
+        ports:
+          - port: 5432
+            protocol: TCP
+      - namespaceSelector:
+          kubernetes.io/metadata.name: kafka
+        ports:
+          - port: 9092
+            protocol: TCP
+      - namespaceSelector:
+          kubernetes.io/metadata.name: keycloak
+        ports:
+          - port: 8080
+            protocol: TCP
+
+  # Probes Quarkus
+  probes:
+    liveness:
+      httpGet:
+        path: /q/health/live
+        port: 8080
+    readiness:
+      httpGet:
+        path: /q/health/ready
+        port: 8080
+```
+
+## Conventions Lions
+
+1. **Release name = app name** (`{{ .Release.Name }}` partout)
+2. **Namespace = environnement** (`applications` pour prod, `applications-dev`, etc.)
+3. **Image** : `registry.lions.dev/lionsdev/<release-name>:<tag>`
+4. **Secrets** : toujours via ExternalSecret → Vault. Jamais de plaintext dans le values.yaml.
+5. **TLS** : Let's Encrypt via cert-manager (`letsencrypt-prod`)
+6. **NetworkPolicy** : activée par défaut (zero-trust)
+7. **SecurityContext** : non-root, readOnlyRootFilesystem, capabilities drop all
+
+## Publication du chart (pour les mainteneurs)
+
+```bash
+# Incrémenter version dans Chart.yaml
+helm package .
+# Upload vers Gitea Helm registry (avec token lionsctl-bot)
+curl -u lionsctl-bot:$LIONS_GIT_ACCESS_TOKEN \
+  --upload-file lions-app-1.0.0.tgz \
+  https://git.lions.dev/api/packages/lionsdev/helm/api/charts
+```
+
+## Validation locale
+
+```bash
+helm lint .
+helm template test-release . --namespace applications \
+  --set image.name=unionflow-server-impl-quarkus \
+  --set image.tag=1.0.5 \
+  --set ingress.host=api.lions.dev
+```
+
+## Changelog
+
+### 1.0.0 (2026-04-22)
+- Chart initial
+- Templates : Deployment, Service, Ingress, ConfigMap, ExternalSecret,
+  NetworkPolicy, ServiceAccount, PDB, ServiceMonitor, HPA
+- Compatible Kubernetes ≥ 1.28