From 2c0e27c48803082a170443fbd8d87046516944f2 Mon Sep 17 00:00:00 2001
From: Gitea Actions
Date: Mon, 22 Dec 2025 10:50:53 +0000
Subject: [PATCH] Update documentation and example values
---
README.md | 408 +++++++++-
examples/values-dev.yaml | 161 ++++
examples/values-prod.yaml | 284 +++++++
examples/values.schema.json | 316 ++++++++
examples/values.yaml | 1402 +++++++++++++++++++++++++++++++++++
5 files changed, 2569 insertions(+), 2 deletions(-)
create mode 100644 examples/values-dev.yaml
create mode 100644 examples/values-prod.yaml
create mode 100644 examples/values.schema.json
create mode 100644 examples/values.yaml
diff --git a/README.md b/README.md
index 44457d4..45b1357 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,407 @@ -# Helm-Charts +# Flow Helm Chart -public helm chart repo from Entit AB \ No newline at end of file +A Helm chart for deploying the Flow workflow engine platform to Kubernetes. + +## Overview + +Flow is a distributed workflow automation platform consisting of: + +- **Core Services**: Workflow Engine, Activity Registry, Definition Store, Workflow Logging, Connection Store, Tenant Registry +- **Frontend**: Blazor WebAssembly web application +- **Activity Services**: 23+ activity implementations for various integrations (HTTP, SQL, Azure, AWS, etc.) +- **Infrastructure**: RabbitMQ for messaging, PostgreSQL/SQL Server for persistence + +## Prerequisites + +- Kubernetes 1.25+ +- Helm 3.8+ +- PV provisioner (if using built-in PostgreSQL/RabbitMQ) + +## Quick Start + +### Install from Gitea Helm Repository + +The Flow Helm chart is published to the Gitea Package Registry at `https://git.kn.entit.eu`. + +```bash +# Add the Helm repository (requires authentication for private repos) +helm repo add entit-flow https://git.kn.entit.eu/api/packages/EntitAB/helm \ + --username YOUR_GITEA_USERNAME \ + --password YOUR_GITEA_TOKEN + +# Update repository cache +helm repo update + +# Search for available versions +helm search repo entit-flow/flow --versions + +# Install the chart +helm install flow entit-flow/flow \ + --namespace flow \ + --create-namespace \ + -f values.yaml +``` + +### Install from Local Source + +```bash +# Add Helm Dependencies +cd helm/flow +helm dependency update + +# Install for Development +helm install flow ./helm/flow -f ./helm/flow/values-dev.yaml + +# Install for Production +helm install flow ./helm/flow \ + -f ./helm/flow/values-prod.yaml \ + --set global.azureAd.tenantId=YOUR_TENANT_ID \ + --set global.azureAd.clientId=YOUR_CLIENT_ID \ + --set global.azureAd.clientSecret=YOUR_CLIENT_SECRET +``` + +## Helm Repository Setup + +### Using in Kubernetes (from Gitea Registry) + +After the chart is published to Gitea, you can install it in 
any Kubernetes cluster: + +```bash +# 1. Add the Gitea Helm repository +helm repo add entit-flow https://git.kn.entit.eu/api/packages/EntitAB/helm \ + --username $GITEA_USER \ + --password $GITEA_TOKEN + +# 2. Update repositories +helm repo update + +# 3. Install the chart (development) +helm install flow entit-flow/flow \ + --namespace flow \ + --create-namespace \ + -f values-dev.yaml + +# 4. Install the chart (production) +helm install flow entit-flow/flow \ + --namespace flow \ + --create-namespace \ + -f values-prod.yaml \ + --set global.azureAd.tenantId=YOUR_TENANT_ID \ + --set global.azureAd.clientId=YOUR_CLIENT_ID +``` + +### Using with ArgoCD + +Create an ArgoCD Application that references the Gitea Helm repository: + +```yaml +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: flow + namespace: argocd +spec: + project: default + source: + repoURL: https://git.kn.entit.eu/api/packages/EntitAB/helm + chart: flow + targetRevision: 0.1.0 + helm: + valueFiles: + - values-prod.yaml + parameters: + - name: global.azureAd.tenantId + value: YOUR_TENANT_ID + - name: global.azureAd.clientId + value: YOUR_CLIENT_ID + destination: + server: https://kubernetes.default.svc + namespace: flow + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true +--- +# Repository credentials secret for ArgoCD +apiVersion: v1 +kind: Secret +metadata: + name: gitea-helm-repo + namespace: argocd + labels: + argocd.argoproj.io/secret-type: repository +stringData: + type: helm + url: https://git.kn.entit.eu/api/packages/EntitAB/helm + username: YOUR_GITEA_USER + password: YOUR_GITEA_TOKEN +``` + +### Using with Flux CD + +```yaml +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: entit-flow + namespace: flux-system +spec: + interval: 1h + url: https://git.kn.entit.eu/api/packages/EntitAB/helm + secretRef: + name: gitea-helm-auth +--- +apiVersion: v1 +kind: Secret +metadata: + name: 
gitea-helm-auth + namespace: flux-system +stringData: + username: YOUR_GITEA_USER + password: YOUR_GITEA_TOKEN +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: flow + namespace: flow +spec: + interval: 5m + chart: + spec: + chart: flow + version: "0.1.0" + sourceRef: + kind: HelmRepository + name: entit-flow + namespace: flux-system + valuesFrom: + - kind: ConfigMap + name: flow-values + valuesKey: values.yaml +``` + +### Publishing Charts (CI/CD) + +The chart is automatically published to Gitea when changes are pushed to the `main` branch. The CI pipeline: + +1. Lints and validates the chart +2. Runs unit tests +3. Packages the chart +4. Pushes to Gitea Package Registry at `https://git.kn.entit.eu/api/packages/EntitAB/helm` + +To publish manually: + +```bash +# Set credentials +export GITEA_USER=your-username +export GITEA_TOKEN=your-token + +# Package and push +make push-gitea +``` + +**Required GitHub Secrets for CI:** +- `GITEA_USER` - Gitea username +- `GITEA_TOKEN` - Gitea personal access token with `write:package` scope + +## Configuration + +### Global Configuration + +| Parameter | Description | Default | +|-----------|-------------|---------| +| `global.imageRegistry` | Container registry for all images | `""` | +| `global.imagePullSecrets` | Image pull secrets | `[]` | +| `global.azureAd.enabled` | Enable Azure AD authentication | `true` | +| `global.azureAd.tenantId` | Azure AD tenant ID | `""` | +| `global.azureAd.clientId` | Azure AD application client ID | `""` | +| `global.database.provider` | Database provider (Postgres/SqlServer) | `Postgres` | +| `global.rabbitmq.host` | RabbitMQ host | `{{ .Release.Name }}-rabbitmq` | + +### Core Services + +Each core service supports the following configuration: + +| Parameter | Description | Default | +|-----------|-------------|---------| +| `.enabled` | Enable the service | `true` | +| `.replicaCount` | Number of replicas | `1` | +| `.image.repository` | Image repository 
| varies | +| `.image.tag` | Image tag | `""` (uses appVersion) | +| `.resources` | CPU/Memory resources | varies | +| `.autoscaling.enabled` | Enable HPA | `false` | +| `.ingress.enabled` | Enable ingress | `false` | + +### Activity Services + +Activity services can be enabled/disabled individually: + +```yaml +httpRequestActivity: + enabled: true + replicaCount: 2 + +sqlActivity: + enabled: true + +# Disable activities not needed +awsS3Activity: + enabled: false +``` + +### Database Configuration + +#### Using Built-in PostgreSQL + +```yaml +postgresql: + enabled: true + auth: + username: flow + password: your-password + database: flow +``` + +#### Using External PostgreSQL + +```yaml +postgresql: + enabled: false + +global: + database: + provider: Postgres + postgres: + host: your-postgres-host.postgres.database.azure.com + port: 5432 + database: flow + username: flow + existingSecret: your-db-secret + existingSecretKey: password +``` + +#### Using SQL Server + +```yaml +postgresql: + enabled: false + +global: + database: + provider: SqlServer + sqlServer: + connectionString: "Server=your-server;Database=flow;User Id=flow;Password=xxx;" +``` + +### RabbitMQ Configuration + +#### Using Built-in RabbitMQ + +```yaml +rabbitmq: + enabled: true + auth: + username: flow + password: your-password +``` + +#### Using External RabbitMQ + +```yaml +rabbitmq: + enabled: false + +global: + rabbitmq: + host: your-rabbitmq-host + username: flow + existingSecret: rabbitmq-secret + existingSecretKey: password +``` + +## Ingress Configuration + +### NGINX Ingress with TLS + +```yaml +frontendWeb: + ingress: + enabled: true + className: nginx + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "true" + cert-manager.io/cluster-issuer: letsencrypt-prod + hosts: + - host: flow.example.com + paths: + - path: / + pathType: Prefix + tls: + - secretName: flow-tls + hosts: + - flow.example.com +``` + +## Security + +### Pod Security + +```yaml +podSecurityContext: + fsGroup: 1000 + 
runAsNonRoot: true + +securityContext: + runAsNonRoot: true + runAsUser: 1000 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true +``` + +### Network Policies + +Enable network policies for production: + +```yaml +networkPolicy: + enabled: true +``` + +## Upgrading + +```bash +helm upgrade flow ./helm/flow -f values-prod.yaml +``` + +## Uninstalling + +```bash +helm uninstall flow +``` + +**Note**: This will not delete PVCs. To completely remove data: + +```bash +kubectl delete pvc -l app.kubernetes.io/instance=flow +``` + +## Building Docker Images + +Each service has a Dockerfile. Build all images: + +```bash +# Build all services +for service in WorkflowEngine ActivityRegistry DefinitionStore WorkflowLogging ConnectionStore TenantRegistry; do + docker build -t niblo/flow-${service}:latest -f $service/Dockerfile . +done + +# Push to Docker Hub +for service in WorkflowEngine ActivityRegistry DefinitionStore WorkflowLogging ConnectionStore TenantRegistry; do + docker push niblo/flow-${service}:latest +done diff --git a/examples/values-dev.yaml b/examples/values-dev.yaml new file mode 100644 index 0000000..a7c7356 --- /dev/null +++ b/examples/values-dev.yaml 
@@ -0,0 +1,161 @@ +# Development environment values +# Use with: helm install flow ./helm/flow -f ./helm/flow/values-dev.yaml +# +# PREREQUISITES: +# Deploy RabbitMQ and PostgreSQL separately before installing this chart. +# Example using Helm: +# helm install rabbitmq oci://registry-1.docker.io/bitnamicharts/rabbitmq -n flow +# helm install postgresql oci://registry-1.docker.io/bitnamicharts/postgresql -n flow +# +# Or use your own deployments/operators. + +global: + imageRegistry: "cr.kn.entit.eu" + imagePullSecrets: + - flow-registry-credentials + + azureAd: + enabled: false # Disable auth for local development + + database: + provider: "Postgres" + postgres: + host: "postgresql" # Update to match your PostgreSQL service name + database: "flow" + username: "flow" + password: "devpassword123" + # Or use existing secret: + # existingSecret: "postgresql-credentials" + # existingSecretKey: "password" + + rabbitmq: + host: "rabbitmq" # Update to match your RabbitMQ service name + username: "flow" + password: "devpassword123" + # Or use existing secret: + # existingSecret: "rabbitmq-credentials" + # existingSecretKey: "password" + +# Core services - minimal replicas for dev +workflowEngine: + replicaCount: 1 + resources: + limits: + cpu: 250m + memory: 256Mi + requests: + cpu: 50m + memory: 128Mi + +activityRegistry: + replicaCount: 1 + +definitionStore: + replicaCount: 1 + +workflowLogging: + replicaCount: 1 + +connectionStore: + replicaCount: 1 + +tenantRegistry: + replicaCount: 1 + +frontendWeb: + replicaCount: 1 + ingress: + enabled: true + hosts: + - host: flow.local + paths: + - path: / + pathType: Prefix + +# Enable only essential activities for dev +httpRequestActivity: + enabled: true + replicaCount: 1 + +sqlActivity: + enabled: true + replicaCount: 1 + +# Disable non-essential activities +redisActivity: + enabled: false + +blobStorageActivity: + enabled: false + +queueActivity: + enabled: false + +cosmosDbActivity: + enabled: false + +mongoDbActivity: + 
enabled: false + +emailActivity: + enabled: false + +slackActivity: + enabled: false + +teamsActivity: + enabled: false + +twilioActivity: + enabled: false + +ftpActivity: + enabled: false + +graphqlActivity: + enabled: false + +soapActivity: + enabled: false + +pdfActivity: + enabled: false + +csvActivity: + enabled: false + +excelActivity: + enabled: false + +oauthActivity: + enabled: false + +keyVaultActivity: + enabled: false + +eventHubActivity: + enabled: false + +eventGridActivity: + enabled: false + +awsS3Activity: + enabled: false + +awsSqsActivity: + enabled: false + +# External infrastructure - not deployed by this chart +rabbitmq: + enabled: false + +postgresql: + enabled: false + +redis: + enabled: false + +# Relaxed security for development +securityContext: + runAsNonRoot: false + readOnlyRootFilesystem: false diff --git a/examples/values-prod.yaml b/examples/values-prod.yaml new file mode 100644 index 0000000..a07b1b3 --- /dev/null +++ b/examples/values-prod.yaml 
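Review bot: `global.database.postgres.password: "devpassword123"` and `global.rabbitmq.password: "devpassword123"` near the top of this hunk commit plaintext credentials into a values file that its own header comment tells users to pass straight to `helm install`; the commented-out `existingSecret` alternative directly below each one should be the live setting and the literal removed, e.g. `existingSecret: "postgresql-credentials"` / `existingSecretKey: "password"`. The `securityContext` block at the end of the file relaxes both `runAsNonRoot: false` and `readOnlyRootFilesystem: false`, which is broader than local development usually needs and means the dev profile never exercises the hardened settings values-prod.yaml enables; if a writable filesystem is the real requirement, keep `runAsNonRoot: true` and relax only `readOnlyRootFilesystem`. Also, values.yaml in this same commit introduces `global.database.postgres.external` and `global.rabbitmq.external` and documents `host` as ignored when `external=false`, but this file sets `postgresql.enabled: false` / `rabbitmq.enabled: false` without setting either `external: true`; if the templates honor that flag (not visible here), the separately deployed instances named in the header comment would not be reached.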
@@ -0,0 +1,284 @@ +# Production environment values +# Use with: helm install flow ./helm/flow -f ./helm/flow/values-prod.yaml + +global: + imageRegistry: "cr.kn.entit.eu" + imagePullSecrets: + - flow-registry-credentials + + azureAd: + enabled: true + instance: "https://login.microsoftonline.com/" + domain: "your-domain.com" + tenantId: "" # Set via --set or external secret + clientId: "" # Set via --set or external secret + clientSecret: "" # Set via --set or external secret + scopes: "access_as_user" + + database: + provider: "Postgres" + postgres: + host: "your-postgres-host.postgres.database.azure.com" + port: 5432 + database: "flow_prod" + username: "flow@your-postgres-host" + existingSecret: "flow-db-secret" + existingSecretKey: "postgres-password" + + rabbitmq: + host: "your-rabbitmq-host" + username: "flow" + existingSecret: "flow-rabbitmq-secret" + existingSecretKey: "rabbitmq-password" + +# Core services - production replicas with autoscaling +workflowEngine: + replicaCount: 3 + autoscaling: + enabled: true + minReplicas: 3 + maxReplicas: 10 + targetCPUUtilizationPercentage: 70 + resources: + limits: + cpu: 1000m + memory: 1Gi + requests: + cpu: 250m + memory: 512Mi + ingress: + enabled: true + className: nginx + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "true" + cert-manager.io/cluster-issuer: letsencrypt-prod + hosts: + - host: api.flow.your-domain.com + paths: + - path: / + pathType: Prefix + tls: + - secretName: flow-api-tls + hosts: + - api.flow.your-domain.com + +activityRegistry: + replicaCount: 2 + autoscaling: + enabled: true + minReplicas: 2 + maxReplicas: 5 + resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi + +definitionStore: + replicaCount: 2 + autoscaling: + enabled: true + minReplicas: 2 + maxReplicas: 5 + resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi + +workflowLogging: + replicaCount: 2 + autoscaling: + enabled: true + minReplicas: 2 + 
maxReplicas: 5 + resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi + +connectionStore: + replicaCount: 2 + resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi + +tenantRegistry: + replicaCount: 2 + resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi + +frontendWeb: + replicaCount: 2 + autoscaling: + enabled: true + minReplicas: 2 + maxReplicas: 5 + ingress: + enabled: true + className: nginx + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "true" + cert-manager.io/cluster-issuer: letsencrypt-prod + hosts: + - host: flow.your-domain.com + paths: + - path: / + pathType: Prefix + tls: + - secretName: flow-frontend-tls + hosts: + - flow.your-domain.com + +# Activity services - production resources +activities: + resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi + +httpRequestActivity: + enabled: true + replicaCount: 2 + +sqlActivity: + enabled: true + replicaCount: 2 + +redisActivity: + enabled: true + replicaCount: 2 + +blobStorageActivity: + enabled: true + replicaCount: 2 + +queueActivity: + enabled: true + replicaCount: 2 + +cosmosDbActivity: + enabled: true + replicaCount: 2 + +mongoDbActivity: + enabled: true + replicaCount: 1 + +emailActivity: + enabled: true + replicaCount: 2 + +slackActivity: + enabled: true + replicaCount: 1 + +teamsActivity: + enabled: true + replicaCount: 1 + +twilioActivity: + enabled: true + replicaCount: 1 + +ftpActivity: + enabled: true + replicaCount: 1 + +graphqlActivity: + enabled: true + replicaCount: 1 + +soapActivity: + enabled: true + replicaCount: 1 + +pdfActivity: + enabled: true + replicaCount: 1 + +csvActivity: + enabled: true + replicaCount: 1 + +excelActivity: + enabled: true + replicaCount: 1 + +oauthActivity: + enabled: true + replicaCount: 1 + +keyVaultActivity: + enabled: true + replicaCount: 1 + +eventHubActivity: + enabled: true + replicaCount: 2 + 
+eventGridActivity: + enabled: true + replicaCount: 1 + +awsS3Activity: + enabled: true + replicaCount: 1 + +awsSqsActivity: + enabled: true + replicaCount: 1 + +# External infrastructure in production (managed services) +rabbitmq: + enabled: false # Use Azure Service Bus or managed RabbitMQ + +postgresql: + enabled: false # Use Azure Database for PostgreSQL + +redis: + enabled: false # Use Azure Cache for Redis if needed + +# Production security +podSecurityContext: + fsGroup: 1000 + runAsNonRoot: true + +securityContext: + runAsNonRoot: true + runAsUser: 1000 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + +# Network policies for production +networkPolicy: + enabled: true + +# Pod Disruption Budgets +podDisruptionBudget: + enabled: true + minAvailable: 1 diff --git a/examples/values.schema.json b/examples/values.schema.json new file mode 100644 index 0000000..ef4357b --- /dev/null +++ b/examples/values.schema.json 
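Review bot: The `global:` block at the top of this hunk points `global.database.postgres` and `global.rabbitmq` at external managed hosts but leaves transport security at the values.yaml defaults introduced in this same commit (`sslMode: "prefer"`, `rabbitmq.tls.enabled: false`), so the PostgreSQL client may fall back to an unencrypted connection if TLS negotiation fails and the AMQP connection crosses the network in the clear; the production profile should pin `sslMode: "verify-full"` (one of the modes the values.yaml comment lists) and enable RabbitMQ TLS explicitly. The same block sets `postgresql.enabled: false` / `rabbitmq.enabled: false` without `global.database.postgres.external: true` / `global.rabbitmq.external: true`, which values.yaml documents as the switch that makes `host` take effect; if the templates honor that flag (not visible here), the managed hosts configured here would be ignored in favour of the disabled in-cluster service names. `global.azureAd.clientSecret` carries a `# Set via --set or external secret` comment, but unlike the database and RabbitMQ blocks neither values.yaml nor values.schema.json offers an `existingSecret` field for it, so the only supported path is `--set`, which leaves the secret in shell history and in the Helm release record; either add an `existingSecret`/`existingSecretKey` pair for Azure AD or change the comment to say the value must come from a values file that is itself kept out of version control.
```yaml
global:
  # … unchanged: imageRegistry, imagePullSecrets, azureAd …
  database:
    provider: "Postgres"
    postgres:
      external: true
      host: "your-postgres-host.postgres.database.azure.com"
      # … unchanged: port, database, username, existingSecret, existingSecretKey …
      sslMode: "verify-full"

  rabbitmq:
    external: true
    host: "your-rabbitmq-host"
    # … unchanged: username, existingSecret, existingSecretKey …
    tls:
      enabled: true
```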
@@ -0,0 +1,316 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "type": "object", + "properties": { + "global": { + "type": "object", + "properties": { + "imageRegistry": { + "type": "string" + }, + "imagePullSecrets": { + "type": "array", + "items": { + "type": "string" + } + }, + "azureAd": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "instance": { + "type": "string" + }, + "domain": { + "type": "string" + }, + "tenantId": { + "type": "string" + }, + "clientId": { + "type": "string" + }, + "clientSecret": { + "type": "string" + }, + "scopes": { + "type": "string" + } + } + }, + "database": { + "type": "object", + "properties": { + "provider": { + "type": "string", + "enum": ["Postgres", "SqlServer"] + }, + "postgres": { + "type": "object", + "properties": { + "host": { + "type": "string" + }, + "port": { + "type": "integer", + "minimum": 1, + "maximum": 65535 + }, + "database": { + "type": "string" + }, + "username": { + "type": "string" + }, + "password": { + "type": "string" + }, + "existingSecret": { + "type": "string" + }, + "existingSecretKey": { + "type": "string" + } + } + }, + "sqlServer": { + "type": "object", + "properties": { + "connectionString": { + "type": "string" + } + } + } + } + }, + "rabbitmq": { + "type": "object", + "properties": { + "host": { + "type": "string" + }, + "username": { + "type": "string" + }, + "password": { + "type": "string" + }, + "existingSecret": { + "type": "string" + }, + "existingSecretKey": { + "type": "string" + }, + "prefetch": { + "type": "integer", + "minimum": 1 + }, + "activityExchange": { + "type": "string" + }, + "completedExchange": { + "type": "string" + }, + "workflowEventsExchange": { + "type": "string" + } + } + } + } + }, + "workflowEngine": { + "$ref": "#/definitions/service" + }, + "activityRegistry": { + "$ref": "#/definitions/service" + }, + "definitionStore": { + "$ref": "#/definitions/service" + }, + "workflowLogging": { + "$ref": 
"#/definitions/service" + }, + "connectionStore": { + "$ref": "#/definitions/service" + }, + "tenantRegistry": { + "$ref": "#/definitions/service" + }, + "frontendWeb": { + "$ref": "#/definitions/service" + } + }, + "definitions": { + "service": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "replicaCount": { + "type": "integer", + "minimum": 0 + }, + "image": { + "type": "object", + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + }, + "pullPolicy": { + "type": "string", + "enum": ["Always", "IfNotPresent", "Never"] + } + } + }, + "service": { + "type": "object", + "properties": { + "type": { + "type": "string", + "enum": ["ClusterIP", "NodePort", "LoadBalancer"] + }, + "port": { + "type": "integer", + "minimum": 1, + "maximum": 65535 + } + } + }, + "ingress": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "className": { + "type": "string" + }, + "annotations": { + "type": "object" + }, + "hosts": { + "type": "array", + "items": { + "type": "object", + "properties": { + "host": { + "type": "string" + }, + "paths": { + "type": "array", + "items": { + "type": "object", + "properties": { + "path": { + "type": "string" + }, + "pathType": { + "type": "string", + "enum": ["Prefix", "Exact", "ImplementationSpecific"] + } + } + } + } + } + } + }, + "tls": { + "type": "array", + "items": { + "type": "object", + "properties": { + "secretName": { + "type": "string" + }, + "hosts": { + "type": "array", + "items": { + "type": "string" + } + } + } + } + } + } + }, + "resources": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + } + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + } + } + } + }, + "autoscaling": { + "type": "object", + "properties": { + "enabled": { + "type": 
"boolean" + }, + "minReplicas": { + "type": "integer", + "minimum": 1 + }, + "maxReplicas": { + "type": "integer", + "minimum": 1 + }, + "targetCPUUtilizationPercentage": { + "type": "integer", + "minimum": 1, + "maximum": 100 + }, + "targetMemoryUtilizationPercentage": { + "type": "integer", + "minimum": 1, + "maximum": 100 + } + } + }, + "nodeSelector": { + "type": "object" + }, + "tolerations": { + "type": "array" + }, + "affinity": { + "type": "object" + }, + "extraEnv": { + "type": "array" + }, + "extraVolumeMounts": { + "type": "array" + }, + "extraVolumes": { + "type": "array" + } + } + } + } +} diff --git a/examples/values.yaml b/examples/values.yaml new file mode 100644 index 0000000..7e5fb46 --- /dev/null +++ b/examples/values.yaml 
@@ -0,0 +1,1402 @@ +# Default values for the Flow platform +# This is a YAML-formatted file. + +# -- Global configuration shared across all services +global: + # -- Image registry for all Flow services + imageRegistry: "cr.kn.entit.eu" + # -- Image pull secrets + imagePullSecrets: [] + # -- Storage class for persistent volumes + storageClass: "" + + # -- Azure AD authentication configuration + azureAd: + enabled: true + instance: "https://login.microsoftonline.com/" + domain: "" + tenantId: "" + clientId: "" + clientSecret: "" + scopes: "access_as_user" + + # -- Database configuration + database: + # -- Database provider: SqlServer or Postgres + provider: "Postgres" + # -- SQL Server connection string (when provider is SqlServer) + sqlServer: + connectionString: "" + # -- PostgreSQL configuration (when provider is Postgres) + postgres: + # -- Use external PostgreSQL instance (set to true if PostgreSQL is already deployed in cluster or external) + external: false + # -- PostgreSQL host (single host or primary for HA, ignored if external=false and internal deployment is used) + host: "postgresql" + # -- PostgreSQL port + port: 5432 + # -- Database name + database: "flow" + # -- Database username + username: "flow" + # -- Database password (ignored if existingSecret is set) + password: "" + # -- Use existing secret for password + existingSecret: "" + # -- Key in existing secret containing the password + existingSecretKey: "postgres-password" + # -- SSL mode: disable, require, verify-ca, verify-full + sslMode: "prefer" + # -- Additional connection parameters + extraParams: "" + + # -- RabbitMQ configuration + rabbitmq: + # -- Use external RabbitMQ instance + external: false + # -- RabbitMQ host (single host or first node for HA, ignored if external=false) + host: "rabbitmq" + # -- RabbitMQ AMQP port + port: 5672 + # -- RabbitMQ management port + managementPort: 15672 + # -- RabbitMQ username + username: "flow" + # -- RabbitMQ password (ignored if existingSecret is set) 
+ password: "" + # -- Use existing secret for password + existingSecret: "" + # -- Key in existing secret containing the password + existingSecretKey: "rabbitmq-password" + # -- Virtual host + vhost: "/" + # -- Prefetch count + prefetch: 1 + # -- Activity exchange name + activityExchange: "workflow.activities" + # -- Completed exchange name + completedExchange: "workflow.completed" + # -- Workflow events exchange name + workflowEventsExchange: "workflow.logging" + # -- Use TLS for connection + tls: + enabled: false + # -- Skip TLS certificate verification (not recommended for production) + insecureSkipVerify: false + + # -- Redis configuration + redis: + # -- Enable Redis (for caching and distributed locking) + enabled: false + # -- Use external Redis instance + external: false + # -- Redis host (single host or sentinel master name for HA) + host: "redis" + # -- Redis port (standard port or sentinel port) + port: 6379 + # -- Redis password (ignored if existingSecret is set) + password: "" + # -- Use existing secret for password + existingSecret: "" + # -- Key in existing secret containing the password + existingSecretKey: "redis-password" + # -- Redis database index + database: 0 + # -- Use TLS for connection + tls: + enabled: false + # -- Connection timeout in milliseconds + connectTimeout: 5000 + # -- Sync timeout in milliseconds + syncTimeout: 5000 + + # -- Service URLs (internal Kubernetes DNS) + serviceUrls: + activityRegistry: "http://{{ .Release.Name }}-activity-registry:80" + definitionStore: "http://{{ .Release.Name }}-definition-store:80" + workflowEngine: "http://{{ .Release.Name }}-workflow-engine:80" + workflowLogging: "http://{{ .Release.Name }}-workflow-logging:80" + connectionStore: "http://{{ .Release.Name }}-connection-store:80" + tenantRegistry: "http://{{ .Release.Name }}-tenant-registry:80" + +# ============================================================================= +# Core Services +# 
============================================================================= + +# -- Workflow Engine service configuration +workflowEngine: + enabled: true + replicaCount: 1 + + image: + repository: flow/WorkflowEngine + tag: "" + pullPolicy: IfNotPresent + + service: + type: ClusterIP + port: 80 + + ingress: + enabled: false + className: "" + annotations: {} + hosts: + - host: workflow-engine.local + paths: + - path: / + pathType: Prefix + tls: [] + + resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi + + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + + nodeSelector: {} + tolerations: [] + affinity: {} + + # -- Runtime configuration + runtime: + concurrencyMaxRetries: 5 + concurrencyBaseDelayMs: 100 + concurrencyJitterMs: 50 + + # -- Additional environment variables + extraEnv: [] + + # -- Additional volume mounts + extraVolumeMounts: [] + + # -- Additional volumes + extraVolumes: [] + +# -- Activity Registry service configuration +activityRegistry: + enabled: true + replicaCount: 1 + + image: + repository: flow/ActivityRegistry + tag: "" + pullPolicy: IfNotPresent + + service: + type: ClusterIP + port: 80 + + ingress: + enabled: false + className: "" + annotations: {} + hosts: + - host: activity-registry.local + paths: + - path: / + pathType: Prefix + tls: [] + + resources: + limits: + cpu: 250m + memory: 256Mi + requests: + cpu: 50m + memory: 128Mi + + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 3 + targetCPUUtilizationPercentage: 80 + + nodeSelector: {} + tolerations: [] + affinity: {} + + extraEnv: [] + extraVolumeMounts: [] + extraVolumes: [] + +# -- Definition Store service configuration +definitionStore: + enabled: true + replicaCount: 1 + + image: + repository: flow/DefinitionStore + tag: "" + pullPolicy: IfNotPresent + + service: + type: ClusterIP + port: 80 + + ingress: + enabled: false + className: "" + annotations: {} + hosts: + - host: 
definition-store.local + paths: + - path: / + pathType: Prefix + tls: [] + + resources: + limits: + cpu: 250m + memory: 256Mi + requests: + cpu: 50m + memory: 128Mi + + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 3 + targetCPUUtilizationPercentage: 80 + + nodeSelector: {} + tolerations: [] + affinity: {} + + extraEnv: [] + extraVolumeMounts: [] + extraVolumes: [] + +# -- Workflow Logging service configuration +workflowLogging: + enabled: true + replicaCount: 1 + + image: + repository: flow/WorkflowLogging + tag: "" + pullPolicy: IfNotPresent + + service: + type: ClusterIP + port: 80 + + ingress: + enabled: false + className: "" + annotations: {} + hosts: + - host: workflow-logging.local + paths: + - path: / + pathType: Prefix + tls: [] + + resources: + limits: + cpu: 250m + memory: 256Mi + requests: + cpu: 50m + memory: 128Mi + + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 3 + targetCPUUtilizationPercentage: 80 + + nodeSelector: {} + tolerations: [] + affinity: {} + + extraEnv: [] + extraVolumeMounts: [] + extraVolumes: [] + +# -- Connection Store service configuration +connectionStore: + enabled: true + replicaCount: 1 + + image: + repository: flow/ConnectionStore + tag: "" + pullPolicy: IfNotPresent + + service: + type: ClusterIP + port: 80 + + ingress: + enabled: false + className: "" + annotations: {} + hosts: + - host: connection-store.local + paths: + - path: / + pathType: Prefix + tls: [] + + resources: + limits: + cpu: 250m + memory: 256Mi + requests: + cpu: 50m + memory: 128Mi + + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 3 + targetCPUUtilizationPercentage: 80 + + nodeSelector: {} + tolerations: [] + affinity: {} + + extraEnv: [] + extraVolumeMounts: [] + extraVolumes: [] + +# -- Tenant Registry service configuration +tenantRegistry: + enabled: true + replicaCount: 1 + + image: + repository: flow/TenantRegistry + tag: "" + pullPolicy: IfNotPresent + + service: + type: ClusterIP + port: 80 + + ingress: 
+ enabled: false + className: "" + annotations: {} + hosts: + - host: tenant-registry.local + paths: + - path: / + pathType: Prefix + tls: [] + + resources: + limits: + cpu: 250m + memory: 256Mi + requests: + cpu: 50m + memory: 128Mi + + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 3 + targetCPUUtilizationPercentage: 80 + + nodeSelector: {} + tolerations: [] + affinity: {} + + extraEnv: [] + extraVolumeMounts: [] + extraVolumes: [] + +# ============================================================================= +# Frontend +# ============================================================================= + +# -- Frontend Web service configuration +frontendWeb: + enabled: true + replicaCount: 1 + + image: + repository: flow/frontend-web + tag: "" + pullPolicy: IfNotPresent + + service: + type: ClusterIP + port: 80 + + ingress: + enabled: true + className: "" + annotations: {} + hosts: + - host: flow.local + paths: + - path: / + pathType: Prefix + tls: [] + + resources: + limits: + cpu: 250m + memory: 256Mi + requests: + cpu: 50m + memory: 128Mi + + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 3 + targetCPUUtilizationPercentage: 80 + + nodeSelector: {} + tolerations: [] + affinity: {} + + extraEnv: [] + extraVolumeMounts: [] + extraVolumes: [] + +# ============================================================================= +# Activity Services +# ============================================================================= + +# -- Activity services common configuration +activities: + # -- Common image settings for activity services + image: + pullPolicy: IfNotPresent + + # -- Common resource settings for activity services + resources: + limits: + cpu: 250m + memory: 256Mi + requests: + cpu: 50m + memory: 128Mi + + # -- Common service settings + service: + type: ClusterIP + port: 80 + +# -- Individual activity service configurations +httpRequestActivity: + enabled: true + replicaCount: 1 + image: + repository: 
flow/HttpRequestActivity + tag: "" + +sqlActivity: + enabled: true + replicaCount: 1 + image: + repository: flow/SqlActivity + tag: "" + +redisActivity: + enabled: true + replicaCount: 1 + image: + repository: flow/RedisActivity + tag: "" + +blobStorageActivity: + enabled: true + replicaCount: 1 + image: + repository: flow/BlobStorageActivity + tag: "" + +queueActivity: + enabled: true + replicaCount: 1 + image: + repository: flow/QueueActivity + tag: "" + +cosmosDbActivity: + enabled: true + replicaCount: 1 + image: + repository: flow/CosmosDbActivity + tag: "" + +mongoDbActivity: + enabled: true + replicaCount: 1 + image: + repository: flow/MongoDbActivity + tag: "" + +emailActivity: + enabled: true + replicaCount: 1 + image: + repository: flow/EmailActivity + tag: "" + +slackActivity: + enabled: true + replicaCount: 1 + image: + repository: flow/SlackActivity + tag: "" + +teamsActivity: + enabled: true + replicaCount: 1 + image: + repository: flow/TeamsActivity + tag: "" + +twilioActivity: + enabled: true + replicaCount: 1 + image: + repository: flow/TwilioActivity + tag: "" + +ftpActivity: + enabled: true + replicaCount: 1 + image: + repository: flow/FtpActivity + tag: "" + +graphqlActivity: + enabled: true + replicaCount: 1 + image: + repository: flow/GraphQLActivity + tag: "" + +soapActivity: + enabled: true + replicaCount: 1 + image: + repository: flow/SoapActivity + tag: "" + +pdfActivity: + enabled: true + replicaCount: 1 + image: + repository: flow/PdfActivity + tag: "" + +csvActivity: + enabled: true + replicaCount: 1 + image: + repository: flow/CsvActivity + tag: "" + +excelActivity: + enabled: true + replicaCount: 1 + image: + repository: flow/ExcelActivity + tag: "" + +oauthActivity: + enabled: true + replicaCount: 1 + image: + repository: flow/OAuthActivity + tag: "" + +keyVaultActivity: + enabled: true + replicaCount: 1 + image: + repository: flow/KeyVaultActivity + tag: "" + +eventHubActivity: + enabled: true + replicaCount: 1 + image: + 
repository: flow/EventHubActivity + tag: "" + +eventGridActivity: + enabled: true + replicaCount: 1 + image: + repository: flow/EventGridActivity + tag: "" + +awsS3Activity: + enabled: true + replicaCount: 1 + image: + repository: flow/AwsS3Activity + tag: "" + +awsSqsActivity: + enabled: true + replicaCount: 1 + image: + repository: flow/AwsSqsActivity + tag: "" + +m365Activity: + enabled: true + replicaCount: 1 + image: + repository: flow/M365Activity + tag: "" + +# ============================================================================= +# Infrastructure Dependencies +# ============================================================================= +# These services can be deployed internally by this chart or configured to use +# external services that already exist in the cluster or externally. + +# -- PostgreSQL internal deployment configuration +# Only used when global.database.postgres.external=false +postgresql: + # -- Enable internal PostgreSQL deployment + enabled: true + + # -- Deployment mode: standalone or ha (high-availability with streaming replication) + mode: "standalone" + + image: + repository: postgres + tag: "16-alpine" + pullPolicy: IfNotPresent + + # -- Number of replicas (only used when mode=ha, must be >= 2) + replicaCount: 1 + + # -- PostgreSQL superuser password + auth: + # -- PostgreSQL admin username + postgresUsername: "postgres" + # -- PostgreSQL admin password + postgresPassword: "" + # -- Application database name + database: "flow" + # -- Application username + username: "flow" + # -- Application password + password: "" + # -- Use existing secret for passwords + existingSecret: "" + # -- Key for postgres password in existing secret + secretKeys: + adminPasswordKey: "postgres-password" + userPasswordKey: "password" + replicationPasswordKey: "replication-password" + + # -- Replication configuration (used when mode=ha) + replication: + # -- Enable synchronous replication for zero data loss (impacts performance) + synchronous: false 
+ # -- Number of synchronous replicas (when synchronous=true) + numSynchronousReplicas: 1 + # -- Replication username + username: "replicator" + # -- Replication password + password: "" + + # -- Primary node configuration + primary: + # -- PostgreSQL configuration parameters + configuration: | + max_connections = 200 + shared_buffers = 256MB + effective_cache_size = 768MB + maintenance_work_mem = 64MB + checkpoint_completion_target = 0.9 + wal_buffers = 16MB + default_statistics_target = 100 + random_page_cost = 1.1 + effective_io_concurrency = 200 + min_wal_size = 1GB + max_wal_size = 4GB + max_worker_processes = 4 + max_parallel_workers_per_gather = 2 + max_parallel_workers = 4 + max_parallel_maintenance_workers = 2 + + # -- pg_hba.conf entries + pgHbaConfiguration: | + local all all trust + host all all 127.0.0.1/32 trust + host all all ::1/128 trust + host all all 0.0.0.0/0 scram-sha-256 + host replication all 0.0.0.0/0 scram-sha-256 + + # -- Initialization scripts (run on first startup) + initScripts: {} + + resources: + limits: + cpu: 1000m + memory: 1Gi + requests: + cpu: 250m + memory: 512Mi + + # -- Persistent storage for primary + persistence: + enabled: true + storageClass: "" + size: 10Gi + accessModes: + - ReadWriteOnce + + nodeSelector: {} + tolerations: [] + affinity: {} + + # -- Replica/standby configuration (used when mode=ha) + replica: + # -- Number of read replicas + replicaCount: 1 + + # -- Hot standby settings + configuration: | + hot_standby = on + max_standby_streaming_delay = 30s + wal_receiver_status_interval = 10s + hot_standby_feedback = on + + resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi + + persistence: + enabled: true + storageClass: "" + size: 10Gi + accessModes: + - ReadWriteOnce + + nodeSelector: {} + tolerations: [] + affinity: {} + + service: + type: ClusterIP + port: 5432 + # -- Create headless service for StatefulSet + headless: + annotations: {} + + # -- Pod disruption budget + 
podDisruptionBudget: + enabled: false + minAvailable: 1 + + # -- Metrics/monitoring + metrics: + enabled: false + image: + repository: prometheuscommunity/postgres-exporter + tag: "v0.15.0" + port: 9187 + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 50m + memory: 64Mi + + nodeSelector: {} + tolerations: [] + affinity: {} + +# -- RabbitMQ internal deployment configuration +# Only used when global.rabbitmq.external=false +rabbitmq: + # -- Enable internal RabbitMQ deployment + enabled: true + + # -- Deployment mode: standalone or ha (clustered with quorum queues) + mode: "standalone" + + image: + repository: rabbitmq + tag: "3.13-management-alpine" + pullPolicy: IfNotPresent + + # -- Number of replicas (for HA mode, should be odd number >= 3) + replicaCount: 1 + + auth: + # -- Default username + username: "flow" + # -- Default password + password: "" + # -- Erlang cookie for clustering (required for HA) + erlangCookie: "" + # -- Use existing secret + existingSecret: "" + secretKeys: + passwordKey: "rabbitmq-password" + erlangCookieKey: "erlang-cookie" + + # -- RabbitMQ configuration + configuration: | + ## Cluster formation + cluster_formation.peer_discovery_backend = rabbit_peer_discovery_k8s + cluster_formation.k8s.host = kubernetes.default.svc.cluster.local + cluster_formation.k8s.address_type = hostname + cluster_formation.node_cleanup.interval = 30 + cluster_formation.node_cleanup.only_log_warning = true + cluster_partition_handling = pause_minority + ## Queue settings + queue_master_locator = min-masters + ## Memory and disk + vm_memory_high_watermark.relative = 0.6 + disk_free_limit.relative = 1.5 + ## Networking + tcp_listen_options.backlog = 128 + tcp_listen_options.nodelay = true + tcp_listen_options.linger.on = true + tcp_listen_options.linger.timeout = 0 + tcp_listen_options.sndbuf = 32768 + tcp_listen_options.recbuf = 32768 + + # -- Additional plugins to enable + plugins: "rabbitmq_management rabbitmq_peer_discovery_k8s 
rabbitmq_prometheus" + + # -- HA-specific configuration + ha: + # -- Enable mirroring policies (classic HA, use quorum queues instead for new deployments) + mirroringEnabled: false + # -- Default queue type for new queues (classic or quorum) + defaultQueueType: "quorum" + + resources: + limits: + cpu: 1000m + memory: 1Gi + requests: + cpu: 250m + memory: 512Mi + + persistence: + enabled: true + storageClass: "" + size: 8Gi + accessModes: + - ReadWriteOnce + + service: + type: ClusterIP + amqpPort: 5672 + managementPort: 15672 + # -- Create headless service for StatefulSet + headless: + annotations: {} + + # -- Pod disruption budget + podDisruptionBudget: + enabled: false + minAvailable: 1 + + # -- Metrics/monitoring + metrics: + enabled: false + port: 15692 + + nodeSelector: {} + tolerations: [] + affinity: {} + +# -- Redis internal deployment configuration +# Only used when global.redis.external=false and global.redis.enabled=true +redis: + # -- Enable internal Redis deployment + enabled: false + + # -- Deployment mode: standalone or ha (with Redis Sentinel) + mode: "standalone" + + image: + repository: redis + tag: "7-alpine" + pullPolicy: IfNotPresent + + auth: + # -- Enable password authentication + enabled: true + # -- Redis password + password: "" + # -- Use existing secret + existingSecret: "" + existingSecretKey: "redis-password" + + # -- Master/primary configuration + master: + # -- Redis configuration + configuration: | + maxmemory 256mb + maxmemory-policy allkeys-lru + appendonly yes + appendfsync everysec + save 900 1 + save 300 10 + save 60 10000 + + resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi + + persistence: + enabled: true + storageClass: "" + size: 5Gi + accessModes: + - ReadWriteOnce + + nodeSelector: {} + tolerations: [] + affinity: {} + + # -- Replica configuration (used when mode=ha) + replica: + # -- Number of replicas + replicaCount: 2 + + resources: + limits: + cpu: 250m + memory: 256Mi + 
requests: + cpu: 50m + memory: 128Mi + + persistence: + enabled: true + storageClass: "" + size: 5Gi + accessModes: + - ReadWriteOnce + + nodeSelector: {} + tolerations: [] + affinity: {} + + # -- Sentinel configuration (used when mode=ha) + sentinel: + # -- Enable Sentinel for automatic failover + enabled: true + + image: + repository: redis + tag: "7-alpine" + + # -- Number of Sentinel instances (should be odd, >= 3) + replicaCount: 3 + + # -- Quorum for failover decision + quorum: 2 + + # -- Sentinel port + port: 26379 + + # -- Time in milliseconds before considering master down + downAfterMilliseconds: 30000 + + # -- Failover timeout in milliseconds + failoverTimeout: 180000 + + # -- Number of replicas to reconfigure in parallel during failover + parallelSyncs: 1 + + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 50m + memory: 64Mi + + service: + type: ClusterIP + port: 6379 + sentinelPort: 26379 + # -- Create headless service for StatefulSet + headless: + annotations: {} + + # -- Pod disruption budget + podDisruptionBudget: + enabled: false + minAvailable: 1 + + # -- Metrics/monitoring + metrics: + enabled: false + image: + repository: oliver006/redis_exporter + tag: "v1.55.0" + port: 9121 + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 50m + memory: 64Mi + + nodeSelector: {} + tolerations: [] + affinity: {} + +# ============================================================================= +# Common Configuration +# ============================================================================= + +# -- Pod security context +podSecurityContext: + fsGroup: 1000 + +# -- Container security context +securityContext: + runAsNonRoot: true + runAsUser: 1000 + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + +# -- Service account configuration +serviceAccount: + create: true + annotations: {} + name: "" + +# -- Pod annotations +podAnnotations: {} + +# 
============================================================================= +# Network Policies (SOC2/NIS2 Compliance) +# ============================================================================= +# Network policies enforce zero-trust network security by restricting +# pod-to-pod communication to only what is explicitly allowed. + +networkPolicy: + # -- Enable network policies for all components + enabled: false + + # -- Default policy for pods without specific rules + defaultDenyIngress: true + defaultDenyEgress: false + + # -- Allow DNS egress for all pods (required for service discovery) + allowDnsEgress: true + + # -- Additional ingress rules for all application pods + additionalIngressRules: [] + # - from: + # - namespaceSelector: + # matchLabels: + # name: monitoring + # ports: + # - protocol: TCP + # port: 9090 + + # -- Additional egress rules for all application pods + additionalEgressRules: [] + # - to: + # - ipBlock: + # cidr: 10.0.0.0/8 + # ports: + # - protocol: TCP + # port: 443 + + # -- Infrastructure-specific network policies + infrastructure: + # -- PostgreSQL network policy + postgresql: + enabled: true + # -- Allow ingress only from application pods and replicas + allowedNamespaces: [] + # -- Additional allowed pod selectors + additionalAllowedPods: [] + + # -- RabbitMQ network policy + rabbitmq: + enabled: true + allowedNamespaces: [] + additionalAllowedPods: [] + + # -- Redis network policy + redis: + enabled: true + allowedNamespaces: [] + additionalAllowedPods: [] + +# ============================================================================= +# Backup Configuration (SOC2/NIS2 Compliance) +# ============================================================================= +# Automated backups for disaster recovery and compliance requirements. +# Supports local PVC storage, S3-compatible storage, and Azure Blob Storage. 
+ +backup: + # -- Enable backup functionality + enabled: false + + # -- Global backup settings + global: + # -- Backup storage type: pvc, s3, minio, azure, gcs + # Note: For clusters without RWX volume support, use 's3' or 'minio' + storageType: "minio" + + # -- PVC storage configuration (requires RWX volumes for concurrent backup jobs) + # Not recommended for clusters without RWX support + pvc: + storageClass: "" + size: 50Gi + accessModes: + - ReadWriteOnce + + # -- S3-compatible storage configuration (AWS S3, MinIO, etc.) + # Recommended for clusters without RWX volume support + s3: + # -- S3 endpoint URL (for MinIO, use internal service URL) + # Example for MinIO in cluster: http://minio.minio-system.svc.cluster.local:9000 + # Example for AWS S3: https://s3.amazonaws.com + endpoint: "http://minio.minio-system.svc.cluster.local:9000" + # -- Bucket name for backups + bucket: "flow-backups" + # -- AWS region (only needed for AWS S3) + region: "us-east-1" + # -- Access key ID (ignored if existingSecret is set) + accessKeyId: "" + # -- Secret access key (ignored if existingSecret is set) + secretAccessKey: "" + # -- Use existing secret containing S3 credentials + existingSecret: "" + # -- Keys in the existing secret + secretKeys: + accessKeyId: "access-key-id" + secretAccessKey: "secret-access-key" + + # -- Azure Blob Storage configuration + azure: + storageAccount: "" + container: "" + sasToken: "" + existingSecret: "" + secretKeys: + sasToken: "sas-token" + + # -- Google Cloud Storage configuration + gcs: + bucket: "" + projectId: "" + serviceAccountKey: "" + existingSecret: "" + secretKeys: + serviceAccountKey: "service-account-key" + + # -- Retention policy + retention: + # -- Number of daily backups to keep + daily: 7 + # -- Number of weekly backups to keep + weekly: 4 + # -- Number of monthly backups to keep + monthly: 12 + + # -- Encryption settings + encryption: + # -- Enable backup encryption + enabled: false + # -- Encryption key (base64 encoded, 32 bytes 
for AES-256) + key: "" + # -- Use existing secret for encryption key + existingSecret: "" + existingSecretKey: "encryption-key" + + # -- PostgreSQL backup configuration + postgresql: + enabled: true + + # -- Backup schedule (cron format) + schedule: "0 2 * * *" # Daily at 2 AM + + # -- Backup type: full, incremental (requires pgBackRest or similar) + type: "full" + + # -- Number of backups to retain + retentionCount: 7 + + # -- Backup image + image: + repository: postgres + tag: "16-alpine" + + # -- Resources for backup job + resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 100m + memory: 256Mi + + # -- Additional pg_dump options + pgDumpOptions: "--format=custom --compress=9" + + # -- Pre-backup script (runs before backup) + preBackupScript: "" + + # -- Post-backup script (runs after successful backup) + postBackupScript: "" + + # -- Backup verification + verification: + enabled: true + # -- Restore to temporary database and run integrity checks + restoreTest: false + + # -- Point-in-time recovery (PITR) configuration + pitr: + enabled: false + # -- WAL archiving destination + walArchiveCommand: "" + # -- WAL archive storage (same as backup storage if not specified) + walStorageType: "" + + # -- RabbitMQ backup configuration + rabbitmq: + enabled: true + + # -- Backup schedule (cron format) + schedule: "0 3 * * *" # Daily at 3 AM + + # -- What to backup: definitions, messages, both + backupType: "definitions" + + # -- Number of backups to retain + retentionCount: 7 + + # -- Backup image + image: + repository: curlimages/curl + tag: "8.5.0" + + resources: + limits: + cpu: 200m + memory: 256Mi + requests: + cpu: 50m + memory: 128Mi + + # -- Redis backup configuration + redis: + enabled: true + + # -- Backup schedule (cron format) + schedule: "0 4 * * *" # Daily at 4 AM + + # -- Number of backups to retain + retentionCount: 7 + + # -- Backup image + image: + repository: redis + tag: "7-alpine" + + resources: + limits: + cpu: 200m + memory: 256Mi + 
requests: + cpu: 50m + memory: 128Mi + + # -- Use BGSAVE before backup (recommended for data consistency) + useBgsave: true + +# ============================================================================= +# Audit Logging (SOC2/NIS2 Compliance) +# ============================================================================= + +auditLogging: + # -- Enable enhanced audit logging + enabled: false + + # -- Log all API requests + logApiRequests: true + + # -- Log authentication events + logAuthEvents: true + + # -- Log data access events + logDataAccess: true + + # -- Log administrative actions + logAdminActions: true + + # -- Audit log retention days + retentionDays: 365 + + # -- Export audit logs to external system + export: + enabled: false + # -- Export type: syslog, splunk, elasticsearch, azure-sentinel + type: "syslog" + # -- Export endpoint + endpoint: "" + # -- Use TLS for export + tls: true + +# ============================================================================= +# TLS Configuration (SOC2/NIS2 Compliance) +# ============================================================================= + +tls: + # -- Enable TLS for internal service communication + enabled: false + + # -- Use cert-manager for certificate management + certManager: + enabled: false + issuerRef: + name: "" + kind: "ClusterIssuer" + + # -- Use existing TLS secret + existingSecret: "" + + # -- Generate self-signed certificates (not recommended for production) + selfSigned: false + + # -- Minimum TLS version (1.2 or 1.3) + minVersion: "1.2" + + # -- Cipher suites (leave empty for secure defaults) + cipherSuites: []