Update documentation and example values

2025-12-22 14:07:22 +00:00
parent 742158d7c9
commit c74d8d16a0
3 changed files with 302 additions and 8 deletions
--- a/examples/values.yaml
+++ b/examples/values.yaml
@@ -3,6 +3,11 @@

 # -- Global configuration shared across all services
 global:
+  # -- Namespace to install all Flow components
+  # This ensures all resources are created in a single namespace for easy management and cleanup
+  # If not set, uses the namespace specified during helm install (--namespace flag)
+  namespace: ""
+  
  # -- Image registry for all Flow services
  imageRegistry: "cr.kn.entit.eu"
  # -- Image pull secrets
@@ -1465,26 +1470,104 @@ auditLogging:
 # =============================================================================
 # TLS Configuration (SOC2/NIS2 Compliance)
 # =============================================================================
+# Internal mTLS between microservices using cert-manager with self-signed CA.
+# Certificates are valid for services within the configured namespace(s).

 tls:
  # -- Enable TLS for internal service communication
  enabled: false
  
-  # -- Use cert-manager for certificate management
+  # -- Namespaces for which certificates should be valid
+  # By default uses the installation namespace (from global.namespace or --namespace flag)
+  # Add additional namespaces if services need to communicate across namespaces
+  namespaces: []
+  # Example:
+  # - "flow"
+  # - "flow-activities"
+  # - "flow-infrastructure"
+  
+  # -- Use cert-manager for automatic certificate management
+  # Requires cert-manager to be installed in the cluster
+  # See: https://cert-manager.io/docs/installation/
  certManager:
-    enabled: false
+    # -- Enable cert-manager integration
+    enabled: true
+    
+    # -- Create a self-signed ClusterIssuer for internal certificates
+    # If false, you must provide an existing issuer via issuerRef
+    createSelfSignedIssuer: true
+    
+    # -- Name of the self-signed CA issuer (created by this chart)
+    selfSignedIssuerName: "{{ .Release.Name }}-selfsigned-issuer"
+    
+    # -- Name of the CA certificate (created by this chart)
+    caCertificateName: "{{ .Release.Name }}-internal-ca"
+    
+    # -- Name of the CA issuer that signs service certificates
+    caIssuerName: "{{ .Release.Name }}-ca-issuer"
+    
+    # -- Reference to an existing issuer (used when createSelfSignedIssuer=false)
    issuerRef:
+      # -- Name of the existing issuer
      name: ""
+      # -- Kind: Issuer or ClusterIssuer
      kind: "ClusterIssuer"
+      # -- Group (usually cert-manager.io)
+      group: "cert-manager.io"
+    
+    # -- Certificate duration (default: 90 days)
+    duration: "2160h"  # 90 days
+    
+    # -- Certificate renewal before expiry (default: 30 days before)
+    renewBefore: "720h"  # 30 days
+    
+    # -- Private key algorithm: RSA, ECDSA, Ed25519
+    privateKey:
+      algorithm: "ECDSA"
+      size: 256  # For ECDSA: 256, 384, or 521. For RSA: 2048, 4096
+    
+    # -- CA certificate settings
+    ca:
+      # -- CA certificate duration (default: 10 years)
+      duration: "87600h"  # 10 years
+      # -- CA renewal before expiry
+      renewBefore: "8760h"  # 1 year
+      # -- CA common name
+      commonName: "Flow Internal CA"
+      # -- CA organization
+      organization: "Entit AB"
  
-  # -- Use existing TLS secret
+  # -- Use existing TLS secret (alternative to cert-manager)
+  # This secret must contain tls.crt, tls.key, and ca.crt
  existingSecret: ""
  
-  # -- Generate self-signed certificates (not recommended for production)
-  selfSigned: false
-  
  # -- Minimum TLS version (1.2 or 1.3)
  minVersion: "1.2"
  
  # -- Cipher suites (leave empty for secure defaults)
+  # Recommended for TLS 1.2: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  cipherSuites: []
+  
+  # -- Additional DNS names to include in all certificates
+  additionalDnsNames: []
+  
+  # -- Service-specific certificate overrides
+  # By default, each service gets a certificate with DNS names for all configured namespaces:
+  #   - <service-name>
+  #   - <release>-<service-name>.<namespace>.svc.cluster.local (for each namespace)
+  services:
+    workflowEngine:
+      # -- Additional DNS names for this service's certificate
+      additionalDnsNames: []
+    activityRegistry:
+      additionalDnsNames: []
+    definitionStore:
+      additionalDnsNames: []
+    workflowLogging:
+      additionalDnsNames: []
+    connectionStore:
+      additionalDnsNames: []
+    tenantRegistry:
+      additionalDnsNames: []
+    frontendWeb:
+      additionalDnsNames: []