helm-chart-lions-app

Standard Helm chart for all Lions Dev applications.

What this chart deploys

  • Hardened Deployment (non-root securityContext, readOnlyRootFilesystem, all capabilities dropped)
  • ClusterIP Service
  • nginx Ingress with cert-manager, plus optional rate limiting and CORS
  • ConfigMap (non-sensitive env vars)
  • ExternalSecret (Vault → K8s Secret via External Secrets Operator)
  • NetworkPolicy: default-deny with a configurable allow list
  • Dedicated ServiceAccount per app
  • PodDisruptionBudget (when replicas > 1)
  • Prometheus ServiceMonitor (optional)
  • HorizontalPodAutoscaler (optional)

Installation / consumption

Via Helm dependency (recommended)

Each app creates a minimal deploy repo that depends on this chart:

# Chart.yaml of the consuming app
apiVersion: v2
name: unionflow-server-impl-quarkus
version: 1.0.0
dependencies:
  - name: lions-app
    version: "1.0.0"
    repository: "https://git.lions.dev/api/packages/lionsdev/helm"

# Then, from the deploy repo:
helm dependency update .
helm upgrade --install unionflow-server-impl-quarkus . \
  --namespace applications --create-namespace \
  --values values.yaml

Via local OCI package (dev)

helm package .
helm upgrade --install myapp lions-app-1.0.0.tgz \
  --namespace applications \
  --set image.name=myapp --set image.tag=1.0.5

Usual overrides (the app's values.yaml)

lions-app:
  # Image
  image:
    name: unionflow-server-impl-quarkus
    tag: "1.0.5-20260418-081420"

  # Replicas + HPA
  replicaCount: 1
  hpa:
    enabled: false

  # Resources
  resources:
    requests: { cpu: 200m, memory: 512Mi }
    limits:   { cpu: "1",  memory: 1Gi }

  # Non-sensitive env vars
  configMap:
    data:
      QUARKUS_PROFILE: prod
      APP_ENV: production
      QUARKUS_HIBERNATE_ORM_DATABASE_GENERATION: validate
      KAFKA_BOOTSTRAP_SERVERS: kafka-service.kafka.svc.cluster.local:9092
      APP_BASE_URL: https://unionflow.lions.dev

  # Secrets from Vault
  externalSecret:
    enabled: true
    data:
      - secretKey: QUARKUS_DATASOURCE_USERNAME
        remoteRef:
          key: lions/applications/unionflow-server/db
          property: username
      - secretKey: QUARKUS_DATASOURCE_PASSWORD
        remoteRef:
          key: lions/applications/unionflow-server/db
          property: password
      - secretKey: KEYCLOAK_CLIENT_SECRET
        remoteRef:
          key: lions/applications/unionflow-server/oidc
          property: client-secret

  # Ingress
  ingress:
    host: api.lions.dev
    pathPrefix:
      enabled: true
      strip: /unionflow          # /unionflow/(.*) → /(.*) on the backend
    rateLimit:
      enabled: true
      rpm: 3000
    cors:
      enabled: true
      origins: "https://unionflow.lions.dev"

  # Egress to external services
  networkPolicy:
    enabled: true
    allowEgressTo:
      - namespaceSelector:
          kubernetes.io/metadata.name: postgresql
        ports:
          - port: 5432
            protocol: TCP
      - namespaceSelector:
          kubernetes.io/metadata.name: kafka
        ports:
          - port: 9092
            protocol: TCP
      - namespaceSelector:
          kubernetes.io/metadata.name: keycloak
        ports:
          - port: 8080
            protocol: TCP

  # Quarkus probes
  probes:
    liveness:
      httpGet:
        path: /q/health/live
        port: 8080
    readiness:
      httpGet:
        path: /q/health/ready
        port: 8080

Lions conventions

  1. Release name = app name ({{ .Release.Name }} everywhere)
  2. Namespace = environment (applications for prod, applications-dev, etc.)
  3. Image: registry.lions.dev/lionsdev/<release-name>:<tag>
  4. Secrets: always via ExternalSecret → Vault. Never plaintext in values.yaml.
  5. TLS: Let's Encrypt via cert-manager (letsencrypt-prod)
  6. NetworkPolicy: enabled by default (zero-trust)
  7. SecurityContext: non-root, readOnlyRootFilesystem, capabilities drop all

Publishing the chart (for maintainers)

# Bump the version in Chart.yaml first
helm package .
# Upload to the Gitea Helm registry (with the lionsctl-bot token)
curl -u lionsctl-bot:$LIONS_GIT_ACCESS_TOKEN \
  --upload-file lions-app-1.0.0.tgz \
  https://git.lions.dev/api/packages/lionsdev/helm/api/charts

Local validation

helm lint .
helm template test-release . --namespace applications \
  --set image.name=unionflow-server-impl-quarkus \
  --set image.tag=1.0.5 \
  --set ingress.host=api.lions.dev
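Two of the conventions above (4: no plaintext secrets in values.yaml; 7: hardened securityContext) can be enforced in the same local validation step, before `helm upgrade`. The script below is an added example, not code from the chart: it defines one check that scans a values file for secret-looking keys carrying literal values, and one that inspects rendered manifests (what `helm template` prints) for the required securityContext settings. The values and Deployment fragments it runs on are constructed for the demo, and the exact layout of the chart's rendered Deployment is assumed; only standard Kubernetes field names are checked.

```shell
#!/bin/sh
# Added example, not part of the chart: two pre-deploy checks that encode
# Lions conventions 4 (secrets only via ExternalSecret, never plaintext in
# values.yaml) and 7 (hardened securityContext in the rendered Deployment).
# All sample input below is constructed for this demo.

# Constructed values.yaml fragment: one correct ExternalSecret entry and one
# violation (a literal password placed under configMap.data).
VALUES_WITH_PLAINTEXT='lions-app:
  configMap:
    data:
      QUARKUS_PROFILE: prod
      QUARKUS_DATASOURCE_PASSWORD: hunter2
  externalSecret:
    enabled: true
    data:
      - secretKey: QUARKUS_DATASOURCE_USERNAME
        remoteRef:
          key: lions/applications/demo/db
          property: username
'

# Same fragment with the violation removed.
VALUES_CLEAN=$(printf '%s\n' "$VALUES_WITH_PLAINTEXT" | grep -v 'QUARKUS_DATASOURCE_PASSWORD')

# Constructed Deployment fragment in the shape `helm template` would emit
# (standard Kubernetes field names; the chart's exact layout is assumed).
RENDERED_HARDENED='apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      securityContext:
        runAsNonRoot: true
      containers:
        - name: app
          securityContext:
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
'

# Convention 4. Reads YAML text on stdin and flags any mapping key that looks
# secret-bearing (PASSWORD, SECRET, TOKEN, API_KEY) and carries a literal
# value. `secretKey:` entries of the ExternalSecret list only name the K8s
# Secret key to create, so they are excluded. Returns 0 when clean, 1 otherwise.
check_values_no_plaintext_secrets() {
  hits=$(grep -inE '^[[:space:]]*[A-Za-z0-9_.-]*(PASSWORD|SECRET|TOKEN|API_KEY)[A-Za-z0-9_.-]*:[[:space:]]*[^[:space:]]' \
         | grep -iv 'secretKey:' || true)
  if [ -n "$hits" ]; then
    printf 'plaintext secret(s) in values.yaml:\n%s\n' "$hits" >&2
    return 1
  fi
  return 0
}

# Convention 7. Reads rendered manifests on stdin and requires runAsNonRoot,
# readOnlyRootFilesystem and a capabilities block that drops ALL. Returns 0
# when every setting is present, 1 otherwise, naming what is missing.
check_rendered_security_context() {
  manifest=$(cat)
  missing=""
  for needle in 'runAsNonRoot: true' 'readOnlyRootFilesystem: true'; do
    printf '%s\n' "$manifest" | grep -qF -- "$needle" || missing="$missing [$needle]"
  done
  # `drop:` must be followed on the next line by `- ALL`
  printf '%s\n' "$manifest" \
    | awk '/drop:/ { getline; if ($0 ~ /-[[:space:]]*ALL/) ok = 1 } END { exit !ok }' \
    || missing="$missing [capabilities.drop ALL]"
  if [ -n "$missing" ]; then
    printf 'securityContext not hardened, missing:%s\n' "$missing" >&2
    return 1
  fi
  return 0
}

# Stand-alone run on the constructed samples. Against a real deploy repo the
# rendered check is fed by:  helm template <release> . --values values.yaml | check_rendered_security_context
printf '%s\n' "$VALUES_WITH_PLAINTEXT" | check_values_no_plaintext_secrets && echo "values: ok" || echo "values: REJECTED"
printf '%s\n' "$VALUES_CLEAN" | check_values_no_plaintext_secrets && echo "values: ok"
printf '%s\n' "$RENDERED_HARDENED" | check_rendered_security_context && echo "rendered: ok"
```

Both checks are grep/awk heuristics on text, which is enough to catch the common mistake (a credential pasted under configMap.data) and a template regression that drops a hardening field; they do not replace an admission policy in the cluster.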

Changelog

1.0.0 (2026-04-22)

  • Initial chart
  • Templates: Deployment, Service, Ingress, ConfigMap, ExternalSecret, NetworkPolicy, ServiceAccount, PDB, ServiceMonitor, HPA
  • Compatible with Kubernetes ≥ 1.28