feat: deploy config UnionFlow server (Quarkus backend) for cluster k1 — depends on lions-app 1.0.0

dahoud
2026-04-22 14:22:00 +00:00
commit 945a19462c
3 changed files with 387 additions and 0 deletions

22
Chart.yaml Normal file

@@ -0,0 +1,22 @@
apiVersion: v2
name: unionflow-server-impl-quarkus
description: |
Deploy config pour UnionFlow Server (backend Quarkus) sur le cluster k1.
Consomme le chart parent helm-chart-lions-app.
type: application
version: 1.0.0
appVersion: "1.0.5"
kubeVersion: ">=1.28.0-0"
maintainers:
- name: UnionFlow Team
email: infrastructure@lions.dev
home: https://git.lions.dev/lionsdev/unionflow-server-impl-quarkus-k1
sources:
- https://git.lions.dev/lionsdev/unionflow-server-impl-quarkus # code source
- https://git.lions.dev/lionsdev/unionflow-server-impl-quarkus-k1 # ce repo (deploy)
dependencies:
- name: lions-app
version: "1.0.0"
repository: "https://git.lions.dev/api/packages/lionsdev/helm"
# Alternative pour dev local sans registry :
# repository: "file://../helm-chart-lions-app"
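Review bot: `appVersion: "1.0.5"` will drift from the image actually deployed, because the pipeline described in the README only rewrites `lions-app.image.tag` in values.yaml (currently `1.0.5-20260418-081420`) and never touches Chart.yaml; either have lionsctl bump `appVersion` in the same commit or note that the app version shown by `helm list` is not authoritative. Also, switching to the commented `file://../helm-chart-lions-app` repository changes the `repository` field recorded in Chart.lock, so a lock regenerated against the local path should not be committed to this repo.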

133
README.md Normal file

@@ -0,0 +1,133 @@
# unionflow-server-impl-quarkus-k1
Repo de déploiement pour **UnionFlow Server** (backend Quarkus) sur le cluster **k1**.
## Qu'est-ce que ce repo ?
Ce repo contient **uniquement la configuration de déploiement** (Helm values) pour UnionFlow Server
sur le cluster k1. Le code source de l'application est dans un autre repo :
[`unionflow-server-impl-quarkus`](https://git.lions.dev/lionsdev/unionflow-server-impl-quarkus).
Ce repo consomme le chart parent [`helm-chart-lions-app`](https://git.lions.dev/lionsdev/helm-chart-lions-app)
et fournit juste les overrides spécifiques à UnionFlow.
```
┌────────────────────────────────────┐
│ unionflow-server-impl-quarkus │ ← Code source (Maven, Java 21, Quarkus)
│ (le repo du code) │
└────────────────────────────────────┘
│ lionsctl pipeline
│ build + docker push
┌────────────────────────────────────┐
│ registry.lions.dev/lionsdev/ │
│ unionflow-server-impl-quarkus │ ← Image Docker buildée
│ :1.0.5-20260418-081420 │
└────────────────────────────────────┘
│ lionsctl pipeline
│ update values.yaml tag
│ commit + push
┌────────────────────────────────────┐
│ unionflow-server-impl-quarkus-k1 │ ← CE REPO (deploy config)
│ ├── Chart.yaml │
│ └── values.yaml │
└────────────────────────────────────┘
│ helm upgrade --install
┌────────────────────────────────────┐
│ K8s cluster k1 (namespace │
│ applications) │
└────────────────────────────────────┘
```
## Déploiement manuel
```bash
# Depuis le répertoire du repo
helm dependency update .
helm upgrade --install unionflow-server-impl-quarkus . \
--namespace applications \
--create-namespace \
--wait \
--timeout 5m
```
## Déploiement via lionsctl (attendu)
```bash
lionsctl pipeline \
-u https://git.lions.dev/lionsdev/unionflow-server-impl-quarkus \
-b main -j 21 -e production -c k1 -p prod \
-m admin@lions.dev
```
Sous le capot, lionsctl :
1. Clone le repo du code source
2. `mvn package` (Dagger container)
3. `docker build` + push → `registry.lions.dev/lionsdev/unionflow-server-impl-quarkus:<tag>`
4. Clone CE REPO (`-k1` dérivé du nom de l'app + cluster)
5. Update `values.yaml` : `lions-app.image.tag: <new-tag>`
6. Commit + push avec le compte `lionsctl-bot`
7. `helm upgrade --install ...`
8. Health check + email
## Validation locale
```bash
# Lint
helm lint .
# Dry-run rendu des manifests
helm template test . \
--namespace applications \
--debug
# Diff avec l'état live (requires helm-diff plugin)
helm diff upgrade unionflow-server-impl-quarkus . \
--namespace applications
```
## Secrets attendus dans Vault
Avant le premier déploiement, peupler Vault :
```bash
# Credentials DB (partagés avec lions-shared-db-secret actuel)
vault kv put lions/applications/unionflow-server/db \
username=lionsuser \
password=<mot-de-passe-fort>
# Credentials Keycloak OIDC
vault kv put lions/applications/unionflow-server/oidc \
client-secret=<secret-keycloak> \
admin-service-secret=<admin-service-secret>
```
L'ExternalSecret synchronisera ces valeurs vers le K8s Secret `unionflow-server-impl-quarkus-secrets`
toutes les 1h (configurable via `refreshInterval`).
## Environnement
- **Cluster** : k1 (176.57.150.2)
- **Namespace** : `applications`
- **Hostname** : `api.lions.dev/unionflow`
- **Image** : `registry.lions.dev/lionsdev/unionflow-server-impl-quarkus`
- **Ingress** : TLS Let's Encrypt, path-strip `/unionflow` → backend
- **Secrets** : Vault `lions/applications/unionflow-server/*`
- **DB** : PostgreSQL `unionflow-server-impl-quarkus` sur `postgresql-service.postgresql`
- **Messaging** : Kafka `kafka-service.kafka` port 9092
## Conventions
- Le nom du Helm release = `unionflow-server-impl-quarkus` (correspond au nom de l'app et de l'image)
- Le namespace = environnement (`applications` pour prod)
- L'image tag est **automatiquement mis à jour** par lionsctl pipeline à chaque déploiement
- **Ne jamais mettre de secrets en clair** dans `values.yaml` — toujours via ExternalSecret + Vault
## Lien vers les docs
- [Chart parent helm-chart-lions-app](https://git.lions.dev/lionsdev/helm-chart-lions-app)
- [UnionFlow source code](https://git.lions.dev/lionsdev/unionflow-server-impl-quarkus)
- [Lions Infrastructure](https://git.lions.dev/lionsdev/lions-infrastructure-2025)
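Review bot: the bootstrap commands under "Secrets attendus dans Vault" pass the DB password and both Keycloak secrets as command-line arguments, which leaves them in the operator's shell history and visible in process listings while the command runs; the Vault CLI accepts `password=-` to read the value from stdin or `password=@file` to read it from a file, so prefer one of those in the documented procedure. The same section notes the DB credentials are "partagés avec lions-shared-db-secret actuel": a dedicated database role for UnionFlow would let its credentials be rotated independently and would keep a compromise of this service from exposing the login shared with other applications.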

232
values.yaml Normal file

@@ -0,0 +1,232 @@
# ============================================================
# unionflow-server-impl-quarkus — Values pour cluster k1 (prod)
# ============================================================
# Override du chart parent lions-app. Toutes les valeurs non-override
# héritent des defaults de helm-chart-lions-app/values.yaml.
lions-app:
# --------------------------------------------------------
# Image (mise à jour par lionsctl pipeline après build)
# --------------------------------------------------------
image:
registry: registry.lions.dev
repository: lionsdev
name: unionflow-server-impl-quarkus
tag: "1.0.5-20260418-081420" # AUTO-UPDATED by lionsctl pipeline
pullPolicy: IfNotPresent
pullSecrets:
- lionsregistry-secret
# --------------------------------------------------------
# Replicas + HPA
# --------------------------------------------------------
replicaCount: 1
# Activable quand on aura de la charge (UnionFlow actuel = charge faible)
hpa:
enabled: false
minReplicas: 1
maxReplicas: 3
targetCPUUtilizationPercentage: 70
# --------------------------------------------------------
# Resources
# --------------------------------------------------------
resources:
requests:
cpu: 200m
memory: 512Mi
limits:
cpu: "1"
memory: 1Gi
# --------------------------------------------------------
# Env non-sensibles (ConfigMap)
# --------------------------------------------------------
configMap:
enabled: true
envFrom: true
data:
QUARKUS_PROFILE: prod
APP_ENV: production
APP_BASE_URL: https://lions.dev
QUARKUS_HTTP_PORT: "8080"
QUARKUS_DATASOURCE_DB_KIND: postgresql
QUARKUS_DATASOURCE_JDBC_URL: jdbc:postgresql://postgresql-service.postgresql.svc.cluster.local:5432/unionflow-server-impl-quarkus
QUARKUS_HIBERNATE_ORM_DATABASE_GENERATION: validate
KAFKA_BOOTSTRAP_SERVERS: kafka-service.kafka.svc.cluster.local:9092
STORAGE_PATH: /app/storage
JAVA_OPTS: -Xms256m -Xmx512m
# --------------------------------------------------------
# Secrets depuis Vault (via External Secrets Operator)
# --------------------------------------------------------
externalSecret:
enabled: true
secretStoreRef:
kind: ClusterSecretStore
name: vault-backend
refreshInterval: 1h
target:
creationPolicy: Owner
deletionPolicy: Retain
data:
# Base de données
- secretKey: QUARKUS_DATASOURCE_USERNAME
remoteRef:
key: lions/applications/unionflow-server/db
property: username
- secretKey: QUARKUS_DATASOURCE_PASSWORD
remoteRef:
key: lions/applications/unionflow-server/db
property: password
# Keycloak OIDC
- secretKey: KEYCLOAK_CLIENT_SECRET
remoteRef:
key: lions/applications/unionflow-server/oidc
property: client-secret
- secretKey: KEYCLOAK_ADMIN_SERVICE_SECRET
remoteRef:
key: lions/applications/unionflow-server/oidc
property: admin-service-secret
# --------------------------------------------------------
# Ingress
# --------------------------------------------------------
ingress:
enabled: true
className: nginx
clusterIssuer: letsencrypt-prod
host: api.lions.dev
# UnionFlow est monté sous /unionflow sur api.lions.dev
# → mode prefix-strip : /unionflow(/|$)(.*) → backend reçoit /(.*)
pathPrefix:
enabled: true
strip: /unionflow
tls:
enabled: true
# secretName: auto = "unionflow-server-impl-quarkus-tls"
rateLimit:
enabled: true
rpm: 3000
connections: 200
cors:
enabled: true
origins: "https://unionflow.lions.dev"
methods: "GET, POST, PUT, DELETE, OPTIONS, PATCH"
headers: "DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization"
annotations:
nginx.ingress.kubernetes.io/proxy-body-size: "50m"
nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
nginx.ingress.kubernetes.io/proxy-buffering: "on"
# --------------------------------------------------------
# NetworkPolicy
# --------------------------------------------------------
networkPolicy:
enabled: true
allowIngressFrom:
- namespaceSelector:
kubernetes.io/metadata.name: ingress-nginx
- namespaceSelector:
kubernetes.io/metadata.name: monitoring
allowEgressDNS: true
allowEgressKubeAPI: true
allowEgressTo:
# PostgreSQL
- namespaceSelector:
kubernetes.io/metadata.name: postgresql
ports:
- port: 5432
protocol: TCP
# Kafka
- namespaceSelector:
kubernetes.io/metadata.name: kafka
ports:
- port: 9092
protocol: TCP
# Keycloak
- namespaceSelector:
kubernetes.io/metadata.name: keycloak
ports:
- port: 8080
protocol: TCP
# --------------------------------------------------------
# Probes Quarkus SmallRye Health
# --------------------------------------------------------
probes:
liveness:
enabled: true
httpGet:
path: /q/health/live
port: 8080
initialDelaySeconds: 60
periodSeconds: 30
timeoutSeconds: 5
failureThreshold: 3
readiness:
enabled: true
httpGet:
path: /q/health/ready
port: 8080
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
startup:
enabled: true
httpGet:
path: /q/health/started
port: 8080
initialDelaySeconds: 10
periodSeconds: 10
failureThreshold: 30 # 5 min de grace
# --------------------------------------------------------
# Volumes (nécessaires avec readOnlyRootFilesystem)
# --------------------------------------------------------
volumes:
tmp:
enabled: true
sizeLimit: 200Mi
logs:
enabled: true
sizeLimit: 1Gi
mountPath: /app/logs
extra:
# Storage pour /app/storage (uploads KYC, PDFs, etc.)
- name: app-storage
emptyDir:
sizeLimit: 2Gi
volumeMounts:
- name: app-storage
mountPath: /app/storage
# --------------------------------------------------------
# ServiceMonitor (activer quand quarkus-micrometer sera ajouté à l'app)
# --------------------------------------------------------
serviceMonitor:
enabled: false
path: /q/metrics
interval: 30s
# --------------------------------------------------------
# Scheduling (single-node cluster k1)
# --------------------------------------------------------
tolerations:
- key: node-role.kubernetes.io/control-plane
operator: Exists
effect: NoSchedule
# --------------------------------------------------------
# Annotations additionnelles
# --------------------------------------------------------
podAnnotations:
lionsctl.lions.dev/cluster: k1
lionsctl.lions.dev/environment: production
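Review bot: `volumes.extra` backs `/app/storage`, which the comment says holds KYC uploads and PDFs, with an `emptyDir` of 2Gi; that data is lost on every pod restart or reschedule, and if the prepared `hpa` block is later enabled (maxReplicas 3) each replica gets its own disjoint copy, so uploads become visible only on the pod that received them. Sensitive identity documents also end up unencrypted on the node's local disk. Use a PersistentVolumeClaim or object storage for this path and keep `emptyDir` for `tmp` and `logs` only. Secondary point: `QUARKUS_DATASOURCE_JDBC_URL` carries no `sslmode` parameter, so the connection to `postgresql-service.postgresql` runs in the clear inside the cluster; if that PostgreSQL is configured for TLS, append `?sslmode=require` (or `verify-full` with the CA mounted) to the URL.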