feat: deploy config UnionFlow server (Quarkus backend) pour cluster k1 — dépend de lions-app 1.0.0

2026-04-22 14:22:00 +00:00
commit 945a19462c
3 changed files with 387 additions and 0 deletions
--- a/values.yaml
+++ b/values.yaml
@@ -0,0 +1,232 @@
+# ============================================================
+# unionflow-server-impl-quarkus — Values pour cluster k1 (prod)
+# ============================================================
+# Override du chart parent lions-app. Toutes les valeurs non-override
+# héritent des defaults de helm-chart-lions-app/values.yaml.
+
+lions-app:
+
+  # --------------------------------------------------------
+  # Image (mise à jour par lionsctl pipeline après build)
+  # --------------------------------------------------------
+  image:
+    registry: registry.lions.dev
+    repository: lionsdev
+    name: unionflow-server-impl-quarkus
+    tag: "1.0.5-20260418-081420"   # AUTO-UPDATED by lionsctl pipeline
+    pullPolicy: IfNotPresent
+    pullSecrets:
+      - lionsregistry-secret
+
+  # --------------------------------------------------------
+  # Replicas + HPA
+  # --------------------------------------------------------
+  replicaCount: 1
+
+  # Activable quand on aura de la charge (UnionFlow actuel = charge faible)
+  hpa:
+    enabled: false
+    minReplicas: 1
+    maxReplicas: 3
+    targetCPUUtilizationPercentage: 70
+
+  # --------------------------------------------------------
+  # Resources
+  # --------------------------------------------------------
+  resources:
+    requests:
+      cpu: 200m
+      memory: 512Mi
+    limits:
+      cpu: "1"
+      memory: 1Gi
+
+  # --------------------------------------------------------
+  # Env non-sensibles (ConfigMap)
+  # --------------------------------------------------------
+  configMap:
+    enabled: true
+    envFrom: true
+    data:
+      QUARKUS_PROFILE: prod
+      APP_ENV: production
+      APP_BASE_URL: https://lions.dev
+      QUARKUS_HTTP_PORT: "8080"
+      QUARKUS_DATASOURCE_DB_KIND: postgresql
+      QUARKUS_DATASOURCE_JDBC_URL: jdbc:postgresql://postgresql-service.postgresql.svc.cluster.local:5432/unionflow-server-impl-quarkus
+      QUARKUS_HIBERNATE_ORM_DATABASE_GENERATION: validate
+      KAFKA_BOOTSTRAP_SERVERS: kafka-service.kafka.svc.cluster.local:9092
+      STORAGE_PATH: /app/storage
+      JAVA_OPTS: -Xms256m -Xmx512m
+
+  # --------------------------------------------------------
+  # Secrets depuis Vault (via External Secrets Operator)
+  # --------------------------------------------------------
+  externalSecret:
+    enabled: true
+    secretStoreRef:
+      kind: ClusterSecretStore
+      name: vault-backend
+    refreshInterval: 1h
+    target:
+      creationPolicy: Owner
+      deletionPolicy: Retain
+    data:
+      # Base de données
+      - secretKey: QUARKUS_DATASOURCE_USERNAME
+        remoteRef:
+          key: lions/applications/unionflow-server/db
+          property: username
+      - secretKey: QUARKUS_DATASOURCE_PASSWORD
+        remoteRef:
+          key: lions/applications/unionflow-server/db
+          property: password
+      # Keycloak OIDC
+      - secretKey: KEYCLOAK_CLIENT_SECRET
+        remoteRef:
+          key: lions/applications/unionflow-server/oidc
+          property: client-secret
+      - secretKey: KEYCLOAK_ADMIN_SERVICE_SECRET
+        remoteRef:
+          key: lions/applications/unionflow-server/oidc
+          property: admin-service-secret
+
+  # --------------------------------------------------------
+  # Ingress
+  # --------------------------------------------------------
+  ingress:
+    enabled: true
+    className: nginx
+    clusterIssuer: letsencrypt-prod
+    host: api.lions.dev
+    # UnionFlow est monté sous /unionflow sur api.lions.dev
+    # → mode prefix-strip : /unionflow(/|$)(.*) → backend reçoit /(.*)
+    pathPrefix:
+      enabled: true
+      strip: /unionflow
+    tls:
+      enabled: true
+      # secretName: auto = "unionflow-server-impl-quarkus-tls"
+    rateLimit:
+      enabled: true
+      rpm: 3000
+      connections: 200
+    cors:
+      enabled: true
+      origins: "https://unionflow.lions.dev"
+      methods: "GET, POST, PUT, DELETE, OPTIONS, PATCH"
+      headers: "DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization"
+    annotations:
+      nginx.ingress.kubernetes.io/proxy-body-size: "50m"
+      nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
+      nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
+      nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
+      nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
+      nginx.ingress.kubernetes.io/proxy-buffering: "on"
+
+  # --------------------------------------------------------
+  # NetworkPolicy
+  # --------------------------------------------------------
+  networkPolicy:
+    enabled: true
+    allowIngressFrom:
+      - namespaceSelector:
+          kubernetes.io/metadata.name: ingress-nginx
+      - namespaceSelector:
+          kubernetes.io/metadata.name: monitoring
+    allowEgressDNS: true
+    allowEgressKubeAPI: true
+    allowEgressTo:
+      # PostgreSQL
+      - namespaceSelector:
+          kubernetes.io/metadata.name: postgresql
+        ports:
+          - port: 5432
+            protocol: TCP
+      # Kafka
+      - namespaceSelector:
+          kubernetes.io/metadata.name: kafka
+        ports:
+          - port: 9092
+            protocol: TCP
+      # Keycloak
+      - namespaceSelector:
+          kubernetes.io/metadata.name: keycloak
+        ports:
+          - port: 8080
+            protocol: TCP
+
+  # --------------------------------------------------------
+  # Probes Quarkus SmallRye Health
+  # --------------------------------------------------------
+  probes:
+    liveness:
+      enabled: true
+      httpGet:
+        path: /q/health/live
+        port: 8080
+      initialDelaySeconds: 60
+      periodSeconds: 30
+      timeoutSeconds: 5
+      failureThreshold: 3
+    readiness:
+      enabled: true
+      httpGet:
+        path: /q/health/ready
+        port: 8080
+      initialDelaySeconds: 30
+      periodSeconds: 10
+      timeoutSeconds: 5
+      failureThreshold: 3
+    startup:
+      enabled: true
+      httpGet:
+        path: /q/health/started
+        port: 8080
+      initialDelaySeconds: 10
+      periodSeconds: 10
+      failureThreshold: 30         # 5 min de grace
+
+  # --------------------------------------------------------
+  # Volumes (nécessaires avec readOnlyRootFilesystem)
+  # --------------------------------------------------------
+  volumes:
+    tmp:
+      enabled: true
+      sizeLimit: 200Mi
+    logs:
+      enabled: true
+      sizeLimit: 1Gi
+      mountPath: /app/logs
+    extra:
+      # Storage pour /app/storage (uploads KYC, PDFs, etc.)
+      - name: app-storage
+        emptyDir:
+          sizeLimit: 2Gi
+
+  volumeMounts:
+    - name: app-storage
+      mountPath: /app/storage
+
+  # --------------------------------------------------------
+  # ServiceMonitor (activer quand quarkus-micrometer sera ajouté à l'app)
+  # --------------------------------------------------------
+  serviceMonitor:
+    enabled: false
+    path: /q/metrics
+    interval: 30s
+
+  # --------------------------------------------------------
+  # Scheduling (single-node cluster k1)
+  # --------------------------------------------------------
+  tolerations:
+    - key: node-role.kubernetes.io/control-plane
+      operator: Exists
+      effect: NoSchedule
+
+  # --------------------------------------------------------
+  # Annotations additionnelles
+  # --------------------------------------------------------
+  podAnnotations:
+    lionsctl.lions.dev/cluster: k1
+    lionsctl.lions.dev/environment: production