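---
# Production environment values
# Use with: helm install flow ./helm/flow -f ./helm/flow/values-prod.yaml --namespace flow --create-namespace
#
# HARBOR CREDENTIALS:
# Pass Harbor credentials during install:
#   helm install flow ./helm/flow -f values-prod.yaml \
#     --set global.imageCredentials.enabled=true \
#     --set global.imageCredentials.username=$HARBOR_USER \
#     --set global.imageCredentials.password=$HARBOR_PASSWORD \
#     --set global.azureAd.tenantId=YOUR_TENANT_ID \
#     --set global.azureAd.clientId=YOUR_CLIENT_ID
#
# Values passed with --set are stored in plaintext in the Helm release secret
# and usually end up in shell history. For secrets prefer --set-file or a
# values file kept out of version control, and use the existingSecret keys
# below wherever the chart offers them.
#
# NOTE(review): this file was reformatted from a collapsed single-line copy.
# The nesting of the external database/rabbitmq/redis sections under `global`,
# of the per-activity entries under `activities`, and of `minVersion` under
# `tls` was reconstructed from comment indentation -- confirm against the
# chart's values.yaml before relying on it.

global:
  # -- Explicit namespace for all Flow components
  # Recommended for production to ensure consistent resource organization
  # All resources will be created in this namespace for easy management and cleanup
  namespace: "flow"

  imageRegistry: "cr.kn.entit.eu"

  # Harbor registry credentials - creates dockerconfigjson secret automatically
  # Harbor requires authentication even for public repositories
  # Enable and set credentials via --set flags during install:
  #   --set global.imageCredentials.enabled=true
  #   --set global.imageCredentials.username=$HARBOR_USER
  #   --set global.imageCredentials.password=$HARBOR_PASSWORD
  imageCredentials:
    enabled: false  # Set to true and provide credentials during install
    username: ""
    password: ""

  azureAd:
    enabled: true
    instance: "https://login.microsoftonline.com/"
    domain: "your-domain.com"
    tenantId: ""  # Set via --set or external secret
    clientId: ""  # Set via --set or external secret
    # No existingSecret key is shown for this section; supply the value from an
    # external secret or --set-file rather than a literal --set where possible.
    clientSecret: ""  # Set via --set or external secret
    scopes: "access_as_user"

  # ==========================================================================
  # External PostgreSQL (Managed Service)
  # ==========================================================================
  # Example: Azure Database for PostgreSQL, AWS RDS, Google Cloud SQL
  database:
    provider: "Postgres"
    postgres:
      # Use external managed PostgreSQL
      external: true
      # PostgreSQL host FQDN
      #   Azure: myserver.postgres.database.azure.com
      #   AWS RDS: mydb.xxxx.region.rds.amazonaws.com
      #   GCP: /cloudsql/project:region:instance (for Cloud SQL Proxy)
      host: "your-postgres-host.postgres.database.azure.com"
      port: 5432
      database: "flow_prod"
      # Azure PostgreSQL username format: username@servername
      # (Azure Single Server; Flexible Server takes the plain username)
      # AWS/GCP: just the username
      username: "flow@your-postgres-host"
      # Use Kubernetes secret for password (recommended for production)
      existingSecret: "flow-db-secret"
      existingSecretKey: "postgres-password"
      # SSL mode - use 'require' or 'verify-full' for production
      # 'require' encrypts the connection but does not validate the server
      # certificate; 'verify-full' also checks the CA chain and hostname and is
      # preferable when the provider's CA bundle can be supplied to the pods.
      sslMode: "require"
      # Additional connection parameters
      extraParams: ""
      # Connection pool settings for production workloads
      pooling:
        minSize: 10
        maxSize: 200
        connectionLifetime: 3600
        connectionIdleLifetime: 300

  # ==========================================================================
  # External RabbitMQ (Managed Service)
  # ==========================================================================
  # Example: CloudAMQP, Amazon MQ, or self-hosted cluster
  rabbitmq:
    # Use external managed RabbitMQ
    external: true
    # RabbitMQ host FQDN
    #   CloudAMQP: xyz.rmq.cloudamqp.com
    #   Amazon MQ: b-xxxx.mq.region.amazonaws.com
    host: "your-rabbitmq-host.cloudamqp.com"
    # Additional cluster hosts (for HA setups)
    additionalHosts: []
    # - "rabbitmq-node-2.example.com"
    # - "rabbitmq-node-3.example.com"
    # tls.enabled is true below, so point at the AMQPS listener: RabbitMQ
    # serves TLS on 5671 by default, while 5672 is the plaintext AMQP port.
    port: 5671
    managementPort: 15672
    username: "flow"
    # Use Kubernetes secret for password (recommended for production)
    existingSecret: "flow-rabbitmq-secret"
    existingSecretKey: "rabbitmq-password"
    vhost: "/"
    prefetch: 10  # Higher prefetch for production throughput
    # Exchange names
    activityExchange: "workflow.activities"
    completedExchange: "workflow.completed"
    workflowEventsExchange: "workflow.logging"
    # TLS settings (enable for managed services)
    tls:
      enabled: true
      insecureSkipVerify: false

  # ==========================================================================
  # External Redis (Managed Service)
  # ==========================================================================
  # Example: Azure Cache for Redis, Amazon ElastiCache, Redis Cloud
  redis:
    # Enable Redis for caching and distributed locking
    enabled: true
    # Use external managed Redis
    external: true
    # Redis mode: standalone, sentinel, or cluster
    #   Azure Cache for Redis: use 'standalone' for Basic/Standard, 'cluster' for Premium/Enterprise clustered
    #   Amazon ElastiCache: use 'standalone' for single node, 'cluster' for cluster mode enabled
    mode: "standalone"  # or "cluster" for clustered deployments

    # --- Standalone mode configuration ---
    #   Azure Cache for Redis: myredis.redis.cache.windows.net
    #   Amazon ElastiCache: my-cluster.xxxx.cache.amazonaws.com
    host: "your-redis.redis.cache.windows.net"
    port: 6380  # Azure uses 6380 for TLS, ElastiCache uses 6379

    # --- Cluster mode configuration ---
    # Uncomment and configure for Redis Cluster mode
    # cluster:
    #   nodes:
    #     - "your-redis.redis.cache.windows.net:6380"
    #   maxRedirects: 3

    # --- Sentinel mode configuration ---
    # Uncomment and configure for Redis Sentinel
    # sentinel:
    #   masterName: "mymaster"
    #   nodes:
    #     - "sentinel-0:26379"
    #     - "sentinel-1:26379"
    #     - "sentinel-2:26379"

    # Authentication
    # Azure Cache for Redis requires username (default is empty or access key name)
    username: ""
    # Use Kubernetes secret for password/access key (recommended for production)
    existingSecret: "flow-redis-secret"
    existingSecretKey: "redis-password"
    # Database index (0-15, only for standalone/sentinel mode)
    database: 0
    # TLS settings (required for Azure Cache for Redis)
    tls:
      enabled: true
      insecureSkipVerify: false
    # Connection settings optimized for production
    connectTimeout: 5000
    syncTimeout: 5000
    keepAlive: 60
    retry:
      maxAttempts: 3
      baseDelay: 100
      maxDelay: 5000
    pool:
      minSize: 10
      maxSize: 100

# =============================================================================
# Core services - production replicas with autoscaling
# =============================================================================
workflowEngine:
  replicaCount: 3
  autoscaling:
    enabled: true
    minReplicas: 3
    maxReplicas: 10
    targetCPUUtilizationPercentage: 70
  resources:
    limits:
      cpu: 1000m
      memory: 1Gi
    requests:
      cpu: 250m
      memory: 512Mi
  ingress:
    enabled: true
    className: nginx
    annotations:
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      cert-manager.io/cluster-issuer: letsencrypt-prod
    hosts:
      - host: api.flow.your-domain.com
        paths:
          - path: /
            pathType: Prefix
    tls:
      - secretName: flow-api-tls
        hosts:
          - api.flow.your-domain.com

activityRegistry:
  replicaCount: 2
  autoscaling:
    enabled: true
    minReplicas: 2
    maxReplicas: 5
  resources:
    limits:
      cpu: 500m
      memory: 512Mi
    requests:
      cpu: 100m
      memory: 256Mi

definitionStore:
  replicaCount: 2
  autoscaling:
    enabled: true
    minReplicas: 2
    maxReplicas: 5
  resources:
    limits:
      cpu: 500m
      memory: 512Mi
    requests:
      cpu: 100m
      memory: 256Mi

workflowLogging:
  replicaCount: 2
  autoscaling:
    enabled: true
    minReplicas: 2
    maxReplicas: 5
  resources:
    limits:
      cpu: 500m
      memory: 512Mi
    requests:
      cpu: 100m
      memory: 256Mi

connectionStore:
  replicaCount: 2
  resources:
    limits:
      cpu: 500m
      memory: 512Mi
    requests:
      cpu: 100m
      memory: 256Mi

tenantRegistry:
  replicaCount: 2
  resources:
    limits:
      cpu: 500m
      memory: 512Mi
    requests:
      cpu: 100m
      memory: 256Mi

frontendWeb:
  replicaCount: 2
  autoscaling:
    enabled: true
    minReplicas: 2
    maxReplicas: 5
  ingress:
    enabled: true
    className: nginx
    annotations:
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      cert-manager.io/cluster-issuer: letsencrypt-prod
    hosts:
      - host: flow.your-domain.com
        paths:
          - path: /
            pathType: Prefix
    tls:
      - secretName: flow-frontend-tls
        hosts:
          - flow.your-domain.com

# =============================================================================
# Activity services - production resources
# =============================================================================
activities:
  resources:
    limits:
      cpu: 500m
      memory: 512Mi
    requests:
      cpu: 100m
      memory: 256Mi

  httpRequestActivity:
    enabled: true
    replicaCount: 2
  sqlActivity:
    enabled: true
    replicaCount: 2
  redisActivity:
    enabled: true
    replicaCount: 2
  blobStorageActivity:
    enabled: true
    replicaCount: 2
  queueActivity:
    enabled: true
    replicaCount: 2
  cosmosDbActivity:
    enabled: true
    replicaCount: 2
  mongoDbActivity:
    enabled: true
    replicaCount: 1
  emailActivity:
    enabled: true
    replicaCount: 2
  slackActivity:
    enabled: true
    replicaCount: 1
  teamsActivity:
    enabled: true
    replicaCount: 1
  twilioActivity:
    enabled: true
    replicaCount: 1
  ftpActivity:
    enabled: true
    replicaCount: 1
  graphqlActivity:
    enabled: true
    replicaCount: 1
  soapActivity:
    enabled: true
    replicaCount: 1
  pdfActivity:
    enabled: true
    replicaCount: 1
  csvActivity:
    enabled: true
    replicaCount: 1
  excelActivity:
    enabled: true
    replicaCount: 1
  oauthActivity:
    enabled: true
    replicaCount: 1
  keyVaultActivity:
    enabled: true
    replicaCount: 1
  eventHubActivity:
    enabled: true
    replicaCount: 2
  eventGridActivity:
    enabled: true
    replicaCount: 1
  awsS3Activity:
    enabled: true
    replicaCount: 1
  awsSqsActivity:
    enabled: true
    replicaCount: 1
  m365Activity:
    enabled: true
    replicaCount: 1

# =============================================================================
# Infrastructure - Disabled (using external managed services)
# =============================================================================
# Internal deployments disabled - using external managed services
rabbitmq:
  enabled: false

postgresql:
  enabled: false

redis:
  enabled: false

# =============================================================================
# Production Security
# =============================================================================
podSecurityContext:
  fsGroup: 1000
  runAsNonRoot: true

securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  # Any service that writes to disk (temp files, caches) needs an explicit
  # writable volume mount with this on -- verify against each container.
  readOnlyRootFilesystem: true
  seccompProfile:
    type: RuntimeDefault

# Network policies for production
networkPolicy:
  enabled: true

# Pod Disruption Budgets
podDisruptionBudget:
  enabled: true
  # NOTE(review): several activities above run with replicaCount: 1; if the
  # chart applies this budget to them, minAvailable: 1 blocks voluntary
  # evictions (node drains) for those pods. Raise their replicas or switch
  # to maxUnavailable if that is the case.
  minAvailable: 1

# =============================================================================
# Internal TLS (mTLS between Microservices)
# =============================================================================
# Enable encrypted communication between all Flow microservices.
# Requires cert-manager to be installed in the cluster.
tls:
  # Enable TLS for all internal service communication
  enabled: true
  certManager:
    # Use cert-manager to automatically manage certificates
    enabled: true
    # Create a self-signed CA for internal certificates
    # Set to false if using an existing issuer (e.g., Vault, enterprise CA)
    createSelfSignedIssuer: true
    # Certificate validity duration (90 days)
    duration: "2160h"
    # Renew certificates 30 days before expiry
    renewBefore: "720h"
    # Use ECDSA for better performance
    privateKey:
      algorithm: "ECDSA"
      size: 256
    # CA certificate settings
    ca:
      duration: "87600h"  # 10 years
      renewBefore: "8760h"  # 1 year
      commonName: "Flow Internal CA"
      organization: "Entit AB"
  # Minimum TLS version
  minVersion: "1.2"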