helm-chart-lions-app/README.md
# helm-chart-lions-app
Standard Helm chart for all Lions Dev applications.
## What this chart deploys
- **Deployment**, hardened (non-root securityContext, readOnlyRootFilesystem, dropped capabilities)
- **Service** of type ClusterIP
- **Ingress** (nginx) with cert-manager, plus optional rate limiting and CORS
- **ConfigMap** (non-sensitive environment variables)
- **ExternalSecret** (Vault → Kubernetes Secret via the External Secrets Operator)
- **NetworkPolicy**: default-deny plus a configurable allow list
- **ServiceAccount** dedicated to each app
- **PodDisruptionBudget** (when replicas > 1)
- **ServiceMonitor** for Prometheus (optional)
- **HorizontalPodAutoscaler** (optional)
## Installation / consumption
### As a Helm dependency (recommended)
Each app creates a minimal deploy repository that depends on this chart:
```yaml
# Chart.yaml of the consuming app
apiVersion: v2
name: unionflow-server-impl-quarkus
version: 1.0.0
dependencies:
  - name: lions-app
    version: "1.0.0"
    repository: "https://git.lions.dev/api/packages/lionsdev/helm"
```
```bash
helm dependency update .
helm upgrade --install unionflow-server-impl-quarkus . \
  --namespace applications --create-namespace \
  --values values.yaml
```
### Via a local OCI package (dev)
```bash
helm package .
helm upgrade --install myapp lions-app-1.0.0.tgz \
  --namespace applications \
  --set image.name=myapp --set image.tag=1.0.5
```
## Common overrides (the app's values.yaml)
```yaml
lions-app:
  # Image
  image:
    name: unionflow-server-impl-quarkus
    tag: "1.0.5-20260418-081420"
  # Replicas + HPA
  replicaCount: 1
  hpa:
    enabled: false
  # Resources
  resources:
    requests: { cpu: 200m, memory: 512Mi }
    limits: { cpu: "1", memory: 1Gi }
  # Non-sensitive environment variables
  configMap:
    data:
      QUARKUS_PROFILE: prod
      APP_ENV: production
      QUARKUS_HIBERNATE_ORM_DATABASE_GENERATION: validate
      KAFKA_BOOTSTRAP_SERVERS: kafka-service.kafka.svc.cluster.local:9092
      APP_BASE_URL: https://unionflow.lions.dev
  # Secrets pulled from Vault
  externalSecret:
    enabled: true
    data:
      - secretKey: QUARKUS_DATASOURCE_USERNAME
        remoteRef:
          key: lions/applications/unionflow-server/db
          property: username
      - secretKey: QUARKUS_DATASOURCE_PASSWORD
        remoteRef:
          key: lions/applications/unionflow-server/db
          property: password
      - secretKey: KEYCLOAK_CLIENT_SECRET
        remoteRef:
          key: lions/applications/unionflow-server/oidc
          property: client-secret
  # Ingress
  ingress:
    host: api.lions.dev
    pathPrefix:
      enabled: true
      strip: /unionflow   # /unionflow/(.*) → /(.*) on the backend
    rateLimit:
      enabled: true
      rpm: 3000
    cors:
      enabled: true
      origins: "https://unionflow.lions.dev"
  # Egress to external services
  networkPolicy:
    enabled: true
    allowEgressTo:
      - namespaceSelector:
          kubernetes.io/metadata.name: postgresql
        ports:
          - port: 5432
            protocol: TCP
      - namespaceSelector:
          kubernetes.io/metadata.name: kafka
        ports:
          - port: 9092
            protocol: TCP
      - namespaceSelector:
          kubernetes.io/metadata.name: keycloak
        ports:
          - port: 8080
            protocol: TCP
  # Quarkus probes
  probes:
    liveness:
      httpGet:
        path: /q/health/live
        port: 8080
    readiness:
      httpGet:
        path: /q/health/ready
        port: 8080
```
## Lions conventions
1. **Release name = app name** (`{{ .Release.Name }}` everywhere)
2. **Namespace = environment** (`applications` for prod, `applications-dev`, etc.)
3. **Image**: `registry.lions.dev/lionsdev/<release-name>:<tag>`
4. **Secrets**: always via ExternalSecret → Vault. Never plaintext in values.yaml.
5. **TLS**: Let's Encrypt via cert-manager (`letsencrypt-prod`)
6. **NetworkPolicy**: enabled by default (zero-trust)
7. **SecurityContext**: non-root, readOnlyRootFilesystem, all capabilities dropped
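A pre-deploy lint for the conventions above, as an added example that is not part of this chart or its tooling. It assumes the app's values.yaml has already been loaded into a dict (for instance with PyYAML), that the Vault path prefix `lions/applications/` is the convention (the README only shows it by example), and that `lint_values`, `SECRET_KEY_RE` and `SAMPLE` are names chosen here.

```python
import re

# configMap.data keys that look like credentials: the Lions convention is secrets only via ExternalSecret.
SECRET_KEY_RE = re.compile(r"PASSWORD|SECRET|TOKEN|PRIVATE_KEY|API_KEY", re.I)
VAULT_PREFIX = "lions/applications/"  # assumed convention, taken from the README's remoteRef examples


def lint_values(release: str, values: dict) -> list[str]:
    """Return convention violations found in one app's `lions-app:` override block."""
    app = values.get("lions-app", {})
    findings = []
    image = app.get("image", {})
    if image.get("name") != release:  # conventions 1 and 3: release name == image name
        findings.append(f"image.name {image.get('name')!r} != release {release!r}")
    if str(image.get("tag", "")) in ("", "latest"):
        findings.append("image.tag must be pinned (not empty or 'latest')")
    for key in app.get("configMap", {}).get("data", {}):  # convention 4
        if SECRET_KEY_RE.search(key):
            findings.append(f"configMap.data.{key}: looks like a secret, move it to externalSecret")
    ext = app.get("externalSecret", {})
    if ext.get("enabled"):
        for entry in ext.get("data", []):
            path = entry.get("remoteRef", {}).get("key", "")
            if not path.startswith(VAULT_PREFIX):
                findings.append(f"remoteRef.key {path!r} is outside {VAULT_PREFIX}")
    np = app.get("networkPolicy", {})  # convention 6: default-deny stays on, allow list is explicit
    if not np.get("enabled", True):
        findings.append("networkPolicy.enabled=false drops the zero-trust default-deny policy")
    for i, rule in enumerate(np.get("allowEgressTo", [])):
        if not rule.get("ports"):
            findings.append(f"networkPolicy.allowEgressTo[{i}] has no ports: it would allow every port")
    return findings


# Constructed sample mirroring the override file above, with two deliberate violations.
SAMPLE = {"lions-app": {
    "image": {"name": "unionflow-server-impl-quarkus", "tag": "1.0.5-20260418-081420"},
    "configMap": {"data": {"QUARKUS_PROFILE": "prod", "KEYCLOAK_CLIENT_SECRET": "plaintext!"}},
    "externalSecret": {"enabled": True, "data": [
        {"secretKey": "QUARKUS_DATASOURCE_PASSWORD",
         "remoteRef": {"key": "lions/applications/unionflow-server/db", "property": "password"}}]},
    "networkPolicy": {"enabled": True, "allowEgressTo": [
        {"namespaceSelector": {"kubernetes.io/metadata.name": "postgresql"},
         "ports": [{"port": 5432, "protocol": "TCP"}]},
        {"namespaceSelector": {"kubernetes.io/metadata.name": "kafka"}}]},  # no ports: flagged
}}
```

Calling `lint_values("unionflow-server-impl-quarkus", SAMPLE)` returns the two findings (a secret-looking ConfigMap key and a port-less egress rule); wiring it into the deploy repo's CI before `helm upgrade` keeps plaintext secrets and over-broad egress out of production.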
## Publishing the chart (maintainers)
```bash
# Bump the version in Chart.yaml
helm package .
# Upload to the Gitea Helm registry (with the lionsctl-bot token)
curl -u lionsctl-bot:$LIONS_GIT_ACCESS_TOKEN \
  --upload-file lions-app-1.0.0.tgz \
  https://git.lions.dev/api/packages/lionsdev/helm/api/charts
```
## Local validation
```bash
helm lint .
helm template test-release . --namespace applications \
  --set image.name=unionflow-server-impl-quarkus \
  --set image.tag=1.0.5 \
  --set ingress.host=api.lions.dev
```
## Changelog
### 1.0.0 (2026-04-22)
- Initial chart
- Templates: Deployment, Service, Ingress, ConfigMap, ExternalSecret,
  NetworkPolicy, ServiceAccount, PDB, ServiceMonitor, HPA
- Compatible with Kubernetes ≥ 1.28