Add flow-0.10.1 and update documentation

2026-03-23 15:07:36 +00:00
parent 64e6b5d7eb
commit d1aae8814d
6 changed files with 192 additions and 34 deletions
--- a/examples/values-dev.yaml
+++ b/examples/values-dev.yaml
@@ -63,6 +63,9 @@ workflowEngine:
      cpu: 50m
      memory: 128Mi

+aiAssistant:
+  replicaCount: 1
+
 activityRegistry:
  replicaCount: 1

--- a/examples/values-prod.yaml
+++ b/examples/values-prod.yaml
@@ -201,6 +201,16 @@ workflowEngine:
        hosts:
          - api.flow.your-domain.com

+aiAssistant:
+  replicaCount: 1
+  resources:
+    limits:
+      cpu: 250m
+      memory: 256Mi
+    requests:
+      cpu: 50m
+      memory: 128Mi
+
 activityRegistry:
  replicaCount: 2
  autoscaling:
@@ -481,3 +491,19 @@ tls:
  
  # Minimum TLS version
  minVersion: "1.2"
+
+  # Enable mutual TLS for inter-service communication
+  mtls:
+    enabled: true
+    clientCertificateMode: "RequireCertificate"
+    allowAnonymousHealthChecks: true
+
+  # External client certificate management
+  externalClients:
+    enabled: false
+    clients: []
+    # Uncomment and configure to issue certificates for external services:
+    # - name: "desktop-client"
+    #   commonName: "flow-desktop-client"
+    #   duration: "8760h"
+    #   organization: "Entit AB"
--- a/examples/values.schema.json
+++ b/examples/values.schema.json
@@ -229,6 +229,9 @@
        }
      ]
    },
+    "aiAssistant": {
+      "$ref": "#/definitions/service"
+    },
    "activityRegistry": {
      "$ref": "#/definitions/service"
    },
--- a/examples/values.yaml
+++ b/examples/values.yaml
@@ -288,6 +288,7 @@ global:
    workflowLogging: "http://{{ .Release.Name }}-workflow-logging.{{ .Release.Namespace }}.svc.cluster.local:80"
    connectionStore: "http://{{ .Release.Name }}-connection-store.{{ .Release.Namespace }}.svc.cluster.local:80"
    tenantRegistry: "http://{{ .Release.Name }}-tenant-registry.{{ .Release.Namespace }}.svc.cluster.local:80"
+    aiAssistant: "http://{{ .Release.Name }}-ai-assistant.{{ .Release.Namespace }}.svc.cluster.local:80"

 # =============================================================================
 # Core Services
@@ -572,6 +573,42 @@ connectionStore:
  extraVolumeMounts: []
  extraVolumes: []

+# -- AI Assistant service configuration
+aiAssistant:
+  enabled: true
+  replicaCount: 1
+
+  image:
+    repository: flow/aiassistant
+    tag: ""
+    pullPolicy: IfNotPresent
+
+  service:
+    type: ClusterIP
+    port: 80
+
+  resources:
+    limits:
+      cpu: 250m
+      memory: 256Mi
+    requests:
+      cpu: 50m
+      memory: 128Mi
+
+  autoscaling:
+    enabled: false
+    minReplicas: 1
+    maxReplicas: 3
+    targetCPUUtilizationPercentage: 80
+
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+
+  extraEnv: []
+  extraVolumeMounts: []
+  extraVolumes: []
+
 # -- Tenant Registry service configuration
 tenantRegistry:
  enabled: true
@@ -1696,17 +1733,56 @@ tls:
      # -- CA organization
      organization: "Entit AB"
  
+  # -- Mutual TLS (mTLS) settings
+  # When enabled, services require client certificates for inter-service communication.
+  # This works alongside existing OAuth 2.0 bearer token auth (defense in depth).
+  mtls:
+    # -- Require client certificates for inter-service communication
+    enabled: false
+    # -- Client certificate validation mode
+    # RequireCertificate: connections without valid client certs are rejected
+    # AllowCertificate: client certs are validated if present, but not required
+    clientCertificateMode: "RequireCertificate"
+    # -- Allow health check endpoints (/health, /health/ready) without client certificates
+    # When true, Kestrel listens on port 8080 (HTTP) for health probes in addition to 8443 (HTTPS/mTLS)
+    allowAnonymousHealthChecks: true
+
+  # -- External client certificate settings
+  # Allows services outside the cluster (Windows desktop app, Azure-hosted frontend)
+  # to authenticate via mTLS when connecting to backend services
+  externalClients:
+    # -- Enable external client certificate management
+    enabled: false
+    # -- Additional trusted CA certificates for validating external client certificates
+    # If external clients use certificates signed by a different CA, add those CAs here
+    additionalCaCerts: []
+    # -- Secret name containing additional CA certificates (alternative to inline certs)
+    additionalCaSecret: ""
+    # -- External client certificate definitions
+    # Each entry creates a cert-manager Certificate resource signed by the internal CA
+    clients: []
+    # Example:
+    # - name: "desktop-client"
+    #   commonName: "flow-desktop-client"
+    #   duration: "8760h"     # 1 year
+    #   renewBefore: "720h"   # 30 days
+    #   organization: "Entit AB"
+    # - name: "azure-frontend"
+    #   commonName: "flow-azure-frontend"
+    #   duration: "8760h"
+    #   organization: "Entit AB"
+
  # -- Use existing TLS secret (alternative to cert-manager)
  # This secret must contain tls.crt, tls.key, and ca.crt
  existingSecret: ""
-  
+
  # -- Minimum TLS version (1.2 or 1.3)
  minVersion: "1.2"
-  
+
  # -- Cipher suites (leave empty for secure defaults)
  # Recommended for TLS 1.2: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GLM_SHA256
  cipherSuites: []
-  
+
  # -- Additional DNS names to include in all certificates
  additionalDnsNames: []
  
@@ -1718,6 +1794,8 @@ tls:
    workflowEngine:
      # -- Additional DNS names for this service's certificate
      additionalDnsNames: []
+    aiAssistant:
+      additionalDnsNames: []
    activityRegistry:
      additionalDnsNames: []
    definitionStore: