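---
# ============================================================
# unionflow-server-impl-quarkus — values for cluster k1 (prod)
# ============================================================
# Override of the parent chart lions-app. Every value that is not
# overridden here inherits the default from helm-chart-lions-app/values.yaml.
# Single YAML document (Helm values); no anchors or aliases are used.

lions-app:

  # --------------------------------------------------------
  # Image (updated by the lionsctl pipeline after each build)
  # --------------------------------------------------------
  image:
    registry: registry.lions.dev
    repository: lionsdev
    name: unionflow-server-impl-quarkus
    # Quoted so the all-digit segments are never re-typed as numbers.
    tag: "1.0.5-20260418-081420"  # AUTO-UPDATED by lionsctl pipeline
    pullPolicy: IfNotPresent
    pullSecrets:
      - lionsregistry-secret

  # --------------------------------------------------------
  # Replicas + HPA
  # --------------------------------------------------------
  replicaCount: 1

  # Can be enabled once there is real load (current UnionFlow load is low)
  hpa:
    enabled: false
    minReplicas: 1
    maxReplicas: 3
    targetCPUUtilizationPercentage: 70

  # --------------------------------------------------------
  # Resources
  # --------------------------------------------------------
  resources:
    requests:
      cpu: 200m
      memory: 512Mi
    limits:
      # Quoted: a bare 1 would parse as an integer rather than a quantity string.
      cpu: "1"
      memory: 1Gi

  # --------------------------------------------------------
  # Non-sensitive env (ConfigMap)
  # --------------------------------------------------------
  # ConfigMap data values must be strings: anything that looks like a
  # number or a boolean ("8080", "false") stays quoted on purpose.
  configMap:
    enabled: true
    envFrom: true
    data:
      QUARKUS_PROFILE: prod
      APP_ENV: production
      APP_BASE_URL: https://lions.dev
      QUARKUS_HTTP_PORT: "8080"
      QUARKUS_DATASOURCE_DB_KIND: postgresql
      QUARKUS_DATASOURCE_JDBC_URL: jdbc:postgresql://postgresql-service.postgresql.svc.cluster.local:5432/unionflow-server-impl-quarkus
      # Schema is managed outside the app; Hibernate only validates it at boot.
      QUARKUS_HIBERNATE_ORM_DATABASE_GENERATION: validate
      KAFKA_BOOTSTRAP_SERVERS: kafka-service.kafka.svc.cluster.local:9092
      STORAGE_PATH: /app/storage
      # Brevo SMTP (credentials come from the optional brevo-smtp secret in the namespace)
      QUARKUS_MAILER_MOCK: "false"
      # Keep -Xmx below resources.limits.memory so the JVM is not OOM-killed
      # by the cgroup limit (heap is not the whole container footprint).
      JAVA_OPTS: -Xms256m -Xmx512m

  # --------------------------------------------------------
  # Secrets — transition phase: reference the existing K8s Secrets
  #
  # TODO: once the Vault root token is available, migrate to externalSecret.
  # The existing Secrets (db-secret, oidc-secret) will then be regenerated
  # automatically by ESO from Vault.
  # NOTE(review): the names referenced below end in "-eso" while this note
  # mentions db-secret / oidc-secret — confirm which Secrets actually exist
  # in the namespace, since a missing non-optional secretRef blocks pod start.
  # --------------------------------------------------------
  extraEnvFrom:
    - secretRef:
        name: unionflow-server-db-eso
    - secretRef:
        name: unionflow-server-oidc-eso
    - secretRef:
        name: brevo-smtp-eso
        # Pod starts even if this Secret is absent; with QUARKUS_MAILER_MOCK
        # set to "false" mail delivery would presumably then fail at runtime.
        optional: true

  externalSecret:
    enabled: false
    # Configuration ready for future activation:
    secretStoreRef:
      kind: ClusterSecretStore
      name: vault-backend
    refreshInterval: 1h
    target:
      creationPolicy: Owner
      # Retain: the generated Secret survives deletion of the ExternalSecret.
      deletionPolicy: Retain
    data:
      - secretKey: QUARKUS_DATASOURCE_USERNAME
        remoteRef:
          key: lions/applications/unionflow-server/db
          property: username
      - secretKey: QUARKUS_DATASOURCE_PASSWORD
        remoteRef:
          key: lions/applications/unionflow-server/db
          property: password
      - secretKey: KEYCLOAK_CLIENT_SECRET
        remoteRef:
          key: lions/applications/unionflow-server/oidc
          property: client-secret
      - secretKey: KEYCLOAK_ADMIN_SERVICE_SECRET
        remoteRef:
          key: lions/applications/unionflow-server/oidc
          property: admin-service-secret

  # --------------------------------------------------------
  # Ingress
  # --------------------------------------------------------
  ingress:
    enabled: true
    className: nginx
    clusterIssuer: letsencrypt-prod
    host: api.lions.dev
    # UnionFlow is mounted under /unionflow on api.lions.dev
    # → prefix-strip mode: /unionflow(/|$)(.*) → the backend receives /(.*)
    pathPrefix:
      enabled: true
      strip: /unionflow
    tls:
      enabled: true
      # secretName: auto = "unionflow-server-impl-quarkus-tls"
    rateLimit:
      enabled: true
      rpm: 3000
      connections: 200
    cors:
      enabled: true
      origins: "https://unionflow.lions.dev"
      methods: "GET, POST, PUT, DELETE, OPTIONS, PATCH"
      headers: "DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization"
    # All annotation values are strings; "on" and the numbers stay quoted so
    # they are not re-typed as boolean/int.
    annotations:
      nginx.ingress.kubernetes.io/proxy-body-size: "50m"
      nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
      nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
      nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
      nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
      nginx.ingress.kubernetes.io/proxy-buffering: "on"

  # --------------------------------------------------------
  # NetworkPolicy
  # --------------------------------------------------------
  networkPolicy:
    enabled: true
    allowIngressFrom:
      - namespaceSelector:
          kubernetes.io/metadata.name: ingress-nginx
      - namespaceSelector:
          kubernetes.io/metadata.name: monitoring
    allowEgressDNS: true
    allowEgressKubeAPI: true
    # NOTE(review): only in-cluster destinations are listed here, yet the
    # mailer is not mocked and uses the external Brevo SMTP relay — confirm
    # that the chart's default egress covers it, otherwise SMTP traffic is dropped.
    allowEgressTo:
      - namespaceSelector:
          kubernetes.io/metadata.name: postgresql
        ports:
          - port: 5432
            protocol: TCP
      - namespaceSelector:
          kubernetes.io/metadata.name: keycloak
        ports:
          - port: 8080
            protocol: TCP
      - namespaceSelector:
          kubernetes.io/metadata.name: kafka
        ports:
          - port: 9092
            protocol: TCP

  # --------------------------------------------------------
  # Probes (Quarkus SmallRye Health endpoints)
  # --------------------------------------------------------
  probes:
    liveness:
      enabled: true
      httpGet:
        path: /health/live
        port: 8080
      initialDelaySeconds: 60
      periodSeconds: 30
      timeoutSeconds: 5
      failureThreshold: 3
    readiness:
      enabled: true
      httpGet:
        path: /health/ready
        port: 8080
      initialDelaySeconds: 30
      periodSeconds: 10
      timeoutSeconds: 5
      failureThreshold: 3
    startup:
      enabled: true
      httpGet:
        path: /health/started
        port: 8080
      initialDelaySeconds: 10
      periodSeconds: 10
      failureThreshold: 30  # 30 x 10s = 5 min of grace

  # --------------------------------------------------------
  # Volumes (required with readOnlyRootFilesystem)
  # --------------------------------------------------------
  volumes:
    tmp:
      enabled: true
      sizeLimit: 200Mi
    logs:
      enabled: true
      sizeLimit: 1Gi
      mountPath: /app/logs
    extra:
      # Storage for /app/storage (KYC uploads, PDFs, etc.)
      # emptyDir: contents are lost when the pod is rescheduled.
      - name: app-storage
        emptyDir:
          sizeLimit: 2Gi

  volumeMounts:
    - name: app-storage
      mountPath: /app/storage

  # --------------------------------------------------------
  # ServiceMonitor (enable once quarkus-micrometer is added to the app)
  # --------------------------------------------------------
  serviceMonitor:
    enabled: false
    path: /q/metrics
    interval: 30s

  # --------------------------------------------------------
  # Scheduling (single-node cluster k1)
  # --------------------------------------------------------
  # The only node is also the control plane, so its taint must be tolerated.
  tolerations:
    - key: node-role.kubernetes.io/control-plane
      operator: Exists
      effect: NoSchedule

  # --------------------------------------------------------
  # Additional annotations
  # --------------------------------------------------------
  podAnnotations:
    lionsctl.lions.dev/cluster: k1
    lionsctl.lions.dev/environment: production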