---
# Production environment values
# Use with: helm install flow ./helm/flow -f ./helm/flow/values-prod.yaml
#
# NOTE(review): this file was recovered from a single-line rendering, so the
# nesting levels below were reconstructed from key order and section headers.
# The external postgres/rabbitmq/redis stanzas are kept under `database` so
# they do not collide with the top-level `rabbitmq:` / `redis:` keys that
# disable the in-cluster deployments further down - a duplicate top-level key
# would be silently overridden by whichever one the parser reads last.
# Confirm every nesting level against the chart's values.yaml before use.

global:
  imageRegistry: "cr.kn.entit.eu"
  imagePullSecrets:
    - flow-registry-credentials

azureAd:
  enabled: true
  instance: "https://login.microsoftonline.com/"
  domain: "your-domain.com"
  # Set the three values below via --set or an external secret. Note that
  # values passed with --set are persisted in the Helm release record and may
  # land in shell history, so an external secret is the safer choice for
  # clientSecret.
  tenantId: ""
  clientId: ""
  clientSecret: ""
  scopes: "access_as_user"

# =============================================================================
# External PostgreSQL (Managed Service)
# =============================================================================
# Example: Azure Database for PostgreSQL, AWS RDS, Google Cloud SQL
database:
  provider: "Postgres"

  postgres:
    # Use an external managed PostgreSQL instead of the in-cluster one
    external: true

    # PostgreSQL host FQDN
    # Azure: myserver.postgres.database.azure.com
    # AWS RDS: mydb.xxxx.region.rds.amazonaws.com
    # GCP: /cloudsql/project:region:instance (for Cloud SQL Proxy)
    host: "your-postgres-host.postgres.database.azure.com"
    port: 5432
    database: "flow_prod"

    # Azure PostgreSQL username format: username@servername
    # AWS/GCP: just the username
    username: "flow@your-postgres-host"

    # The password is read from a Kubernetes secret (recommended for production)
    existingSecret: "flow-db-secret"
    existingSecretKey: "postgres-password"

    # SSL mode. 'require' encrypts the connection but does NOT validate the
    # server certificate; 'verify-full' additionally checks the CA chain and
    # the hostname. Prefer 'verify-full' whenever the provider's CA bundle is
    # available to the pods.
    sslMode: "require"

    # Additional connection parameters appended to the connection string
    extraParams: ""

    # Connection pool settings for production workloads
    pooling:
      minSize: 10
      maxSize: 200
      connectionLifetime: 3600
      connectionIdleLifetime: 300

  # ===========================================================================
  # External RabbitMQ (Managed Service)
  # ===========================================================================
  # Example: CloudAMQP, Amazon MQ, or self-hosted cluster
  rabbitmq:
    # Use an external managed RabbitMQ instead of the in-cluster one
    external: true

    # RabbitMQ host FQDN
    # CloudAMQP: xyz.rmq.cloudamqp.com
    # Amazon MQ: b-xxxx.mq.region.amazonaws.com
    host: "your-rabbitmq-host.cloudamqp.com"

    # Additional cluster hosts (for HA setups)
    additionalHosts: []
    # - "rabbitmq-node-2.example.com"
    # - "rabbitmq-node-3.example.com"

    # NOTE(review): 5672 / 15672 are the plaintext AMQP / management ports;
    # managed brokers typically serve TLS on 5671 / 15671. With tls.enabled
    # set below, confirm which listener your provider expects.
    port: 5672
    managementPort: 15672
    username: "flow"

    # The password is read from a Kubernetes secret (recommended for production)
    existingSecret: "flow-rabbitmq-secret"
    existingSecretKey: "rabbitmq-password"

    vhost: "/"
    prefetch: 10  # Higher prefetch for production throughput

    # Exchange names
    activityExchange: "workflow.activities"
    completedExchange: "workflow.completed"
    workflowEventsExchange: "workflow.logging"

    # TLS settings (enable for managed services). Keep insecureSkipVerify
    # false in production - skipping verification removes the protection
    # TLS is meant to provide against a spoofed broker.
    tls:
      enabled: true
      insecureSkipVerify: false

  # ===========================================================================
  # External Redis (Managed Service)
  # ===========================================================================
  # Example: Azure Cache for Redis, Amazon ElastiCache, Redis Cloud
  redis:
    # Enable Redis for caching and distributed locking
    enabled: true

    # Use an external managed Redis instead of the in-cluster one
    external: true

    # Redis mode: standalone, sentinel, or cluster
    # Azure Cache for Redis: 'standalone' for Basic/Standard,
    #   'cluster' for Premium/Enterprise clustered
    # Amazon ElastiCache: 'standalone' for single node,
    #   'cluster' for cluster mode enabled
    mode: "standalone"  # or "cluster" for clustered deployments

    # --- Standalone mode configuration ---
    # Azure Cache for Redis: myredis.redis.cache.windows.net
    # Amazon ElastiCache: my-cluster.xxxx.cache.amazonaws.com
    host: "your-redis.redis.cache.windows.net"
    port: 6380  # Azure uses 6380 for TLS, ElastiCache uses 6379

    # --- Cluster mode configuration ---
    # Uncomment and configure for Redis Cluster mode
    # cluster:
    #   nodes:
    #     - "your-redis.redis.cache.windows.net:6380"
    #   maxRedirects: 3

    # --- Sentinel mode configuration ---
    # Uncomment and configure for Redis Sentinel
    # sentinel:
    #   masterName: "mymaster"
    #   nodes:
    #     - "sentinel-0:26379"
    #     - "sentinel-1:26379"
    #     - "sentinel-2:26379"

    # Authentication
    # Azure Cache for Redis requires a username (default is empty or the
    # access key name)
    username: ""

    # The password / access key is read from a Kubernetes secret
    # (recommended for production)
    existingSecret: "flow-redis-secret"
    existingSecretKey: "redis-password"

    # Database index (0-15, only for standalone/sentinel mode)
    database: 0

    # TLS settings (required for Azure Cache for Redis)
    tls:
      enabled: true
      insecureSkipVerify: false

    # Connection settings tuned for production
    connectTimeout: 5000
    syncTimeout: 5000
    keepAlive: 60
    retry:
      maxAttempts: 3
      baseDelay: 100
      maxDelay: 5000
    pool:
      minSize: 10
      maxSize: 100

# =============================================================================
# Core services - production replicas with autoscaling
# =============================================================================
workflowEngine:
  replicaCount: 3
  autoscaling:
    enabled: true
    minReplicas: 3
    maxReplicas: 10
    targetCPUUtilizationPercentage: 70
  resources:
    limits:
      cpu: 1000m
      memory: 1Gi
    requests:
      cpu: 250m
      memory: 512Mi
  ingress:
    enabled: true
    className: nginx
    annotations:
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      cert-manager.io/cluster-issuer: letsencrypt-prod
    hosts:
      - host: api.flow.your-domain.com
        paths:
          - path: /
            pathType: Prefix
    tls:
      - secretName: flow-api-tls
        hosts:
          - api.flow.your-domain.com

activityRegistry:
  replicaCount: 2
  autoscaling:
    enabled: true
    minReplicas: 2
    maxReplicas: 5
  resources:
    limits:
      cpu: 500m
      memory: 512Mi
    requests:
      cpu: 100m
      memory: 256Mi

definitionStore:
  replicaCount: 2
  autoscaling:
    enabled: true
    minReplicas: 2
    maxReplicas: 5
  resources:
    limits:
      cpu: 500m
      memory: 512Mi
    requests:
      cpu: 100m
      memory: 256Mi

workflowLogging:
  replicaCount: 2
  autoscaling:
    enabled: true
    minReplicas: 2
    maxReplicas: 5
  resources:
    limits:
      cpu: 500m
      memory: 512Mi
    requests:
      cpu: 100m
      memory: 256Mi

connectionStore:
  replicaCount: 2
  resources:
    limits:
      cpu: 500m
      memory: 512Mi
    requests:
      cpu: 100m
      memory: 256Mi

tenantRegistry:
  replicaCount: 2
  resources:
    limits:
      cpu: 500m
      memory: 512Mi
    requests:
      cpu: 100m
      memory: 256Mi

frontendWeb:
  replicaCount: 2
  autoscaling:
    enabled: true
    minReplicas: 2
    maxReplicas: 5
  ingress:
    enabled: true
    className: nginx
    annotations:
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      cert-manager.io/cluster-issuer: letsencrypt-prod
    hosts:
      - host: flow.your-domain.com
        paths:
          - path: /
            pathType: Prefix
    tls:
      - secretName: flow-frontend-tls
        hosts:
          - flow.your-domain.com

# =============================================================================
# Activity services - production resources
# =============================================================================
activities:
  # Shared resource profile for every activity service
  resources:
    limits:
      cpu: 500m
      memory: 512Mi
    requests:
      cpu: 100m
      memory: 256Mi

  httpRequestActivity:
    enabled: true
    replicaCount: 2
  sqlActivity:
    enabled: true
    replicaCount: 2
  redisActivity:
    enabled: true
    replicaCount: 2
  blobStorageActivity:
    enabled: true
    replicaCount: 2
  queueActivity:
    enabled: true
    replicaCount: 2
  cosmosDbActivity:
    enabled: true
    replicaCount: 2
  mongoDbActivity:
    enabled: true
    replicaCount: 1
  emailActivity:
    enabled: true
    replicaCount: 2
  slackActivity:
    enabled: true
    replicaCount: 1
  teamsActivity:
    enabled: true
    replicaCount: 1
  twilioActivity:
    enabled: true
    replicaCount: 1
  ftpActivity:
    enabled: true
    replicaCount: 1
  graphqlActivity:
    enabled: true
    replicaCount: 1
  soapActivity:
    enabled: true
    replicaCount: 1
  pdfActivity:
    enabled: true
    replicaCount: 1
  csvActivity:
    enabled: true
    replicaCount: 1
  excelActivity:
    enabled: true
    replicaCount: 1
  oauthActivity:
    enabled: true
    replicaCount: 1
  keyVaultActivity:
    enabled: true
    replicaCount: 1
  eventHubActivity:
    enabled: true
    replicaCount: 2
  eventGridActivity:
    enabled: true
    replicaCount: 1
  awsS3Activity:
    enabled: true
    replicaCount: 1
  awsSqsActivity:
    enabled: true
    replicaCount: 1
  m365Activity:
    enabled: true
    replicaCount: 1

# =============================================================================
# Infrastructure - Disabled (using external managed services)
# =============================================================================
# In-cluster deployments are switched off; the managed services configured
# under `database` above are used instead.
rabbitmq:
  enabled: false
postgresql:
  enabled: false
redis:
  enabled: false

# =============================================================================
# Production Security
# =============================================================================
podSecurityContext:
  fsGroup: 1000
  runAsNonRoot: true

# Container-level hardening: non-root, no privilege escalation, all Linux
# capabilities dropped, read-only root filesystem, default seccomp profile.
# NOTE(review): with readOnlyRootFilesystem any service that writes scratch
# files (for example the pdf/excel/csv activities) needs a writable emptyDir
# mount - confirm against the chart templates.
securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  seccompProfile:
    type: RuntimeDefault

# Network policies for production.
# NOTE(review): with external managed services, the policy must still permit
# egress to the postgres/rabbitmq/redis hosts above - verify the generated
# rules are not default-deny on egress.
networkPolicy:
  enabled: true

# Pod Disruption Budgets.
# NOTE(review): minAvailable: 1 applied to a single-replica deployment (several
# activities above use replicaCount: 1) blocks voluntary evictions such as
# node drains; check how the chart scopes the budget.
podDisruptionBudget:
  enabled: true
  minAvailable: 1