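# Default values for the Flow platform
# This is a YAML-formatted file.
#
# Secrets handling: every plain password / secret / connection-string / token
# field in this file ends up in the Helm release (and in version control if the
# file is committed). Wherever an "existingSecret" reference exists, use it and
# leave the plain field empty; it is ignored once existingSecret is set.

# -- Global configuration shared across all services
global:
  # -- Namespace to install all Flow components
  # This ensures all resources are created in a single namespace for easy management and cleanup
  # If not set, uses the namespace specified during helm install (--namespace flag)
  namespace: ""

  # -- Image registry for all Flow services
  imageRegistry: "cr.kn.entit.eu"

  # -- Image pull secrets (names of docker-registry secrets in the release namespace)
  imagePullSecrets: []

  # -- Storage class for persistent volumes
  storageClass: ""

  # -- Azure AD authentication configuration
  azureAd:
    enabled: true
    instance: "https://login.microsoftonline.com/"
    domain: ""
    tenantId: ""
    clientId: ""
    # -- Client secret. Unlike the datastore sections below there is no
    # existingSecret alternative for this value, so supply it at install time
    # (--set / --set-file from a secret store) instead of committing it here.
    clientSecret: ""
    scopes: "access_as_user"

  # -- Database configuration
  database:
    # -- Database provider: SqlServer or Postgres
    provider: "Postgres"

    # -- SQL Server connection string (when provider is SqlServer)
    sqlServer:
      # -- Full connection string including credentials (ignored if existingSecret is set)
      connectionString: ""
      # -- Use existing secret for connection string
      existingSecret: ""
      existingSecretKey: "connection-string"

    # -- PostgreSQL configuration (when provider is Postgres)
    postgres:
      # -- Use external PostgreSQL instance (set to true for managed services like Azure Database for PostgreSQL, AWS RDS, etc.)
      external: false
      # -- PostgreSQL host (FQDN for managed services, e.g., myserver.postgres.database.azure.com)
      host: "postgresql"
      # -- PostgreSQL port
      port: 5432
      # -- Database name
      database: "flow"
      # -- Database username (for Azure, use format: username@servername)
      username: "flow"
      # -- Database password (ignored if existingSecret is set)
      password: ""
      # -- Use existing secret for password
      existingSecret: ""
      # -- Key in existing secret containing the password
      existingSecretKey: "postgres-password"
      # -- SSL mode: disable, allow, prefer, require, verify-ca, verify-full
      # "prefer" silently falls back to plaintext if the server has no TLS and
      # never checks the server certificate. For external/managed instances use
      # "verify-full" (plus sslrootcert in extraParams) or at least "require".
      sslMode: "prefer"
      # -- Additional connection parameters (e.g., "sslrootcert=/path/to/ca.crt&application_name=flow")
      extraParams: ""
      # -- Connection pool settings
      pooling:
        # -- Minimum pool size
        minSize: 5
        # -- Maximum pool size (per application pod; the server's max_connections
        # must cover maxSize multiplied by the number of connecting pods)
        maxSize: 100
        # -- Connection lifetime in seconds (0 = infinite)
        connectionLifetime: 0
        # -- Connection idle timeout in seconds
        connectionIdleLifetime: 300

  # -- RabbitMQ configuration
  rabbitmq:
    # -- Use external RabbitMQ instance (set to true for managed services like CloudAMQP, Amazon MQ, etc.)
    external: false
    # -- RabbitMQ host (FQDN for managed services)
    host: "rabbitmq"
    # -- Additional hosts for cluster connection (comma-separated or list)
    additionalHosts: []
    # -- RabbitMQ AMQP port
    port: 5672
    # -- RabbitMQ management port
    managementPort: 15672
    # -- RabbitMQ username
    username: "flow"
    # -- RabbitMQ password (ignored if existingSecret is set)
    password: ""
    # -- Use existing secret for password
    existingSecret: ""
    # -- Key in existing secret containing the password
    existingSecretKey: "rabbitmq-password"
    # -- Virtual host
    vhost: "/"
    # -- Prefetch count
    prefetch: 1
    # -- Activity exchange name
    activityExchange: "workflow.activities"
    # -- Completed exchange name
    completedExchange: "workflow.completed"
    # -- Workflow events exchange name
    workflowEventsExchange: "workflow.logging"
    # -- Use TLS for connection (credentials travel in clear text over AMQP
    # without it; required for any broker outside the cluster)
    tls:
      enabled: false
      # -- Skip TLS certificate verification (disables the protection TLS was
      # enabled for; not for production)
      insecureSkipVerify: false
      # -- Path to CA certificate (for self-signed certs)
      caCertPath: ""
      # -- Use existing secret containing TLS certificates
      existingSecret: ""
      # -- Key in existing secret containing CA certificate
      caCertKey: "ca.crt"

  # -- Redis configuration
  redis:
    # -- Enable Redis (for caching and distributed locking)
    enabled: false
    # -- Use external Redis instance (set to true for managed services like Azure Cache for Redis, Amazon ElastiCache, etc.)
    external: false
    # -- Redis deployment mode: standalone, sentinel, or cluster
    mode: "standalone"
    # -- Standalone/Sentinel configuration
    # -- Redis host (single host for standalone, master name for sentinel, ignored for cluster mode)
    host: "redis"
    # -- Redis port (6379 for standalone, 26379 for sentinel)
    port: 6379
    # -- Redis Sentinel configuration (when mode=sentinel)
    sentinel:
      # -- Sentinel master name
      masterName: "mymaster"
      # -- Sentinel nodes (list of host:port)
      nodes: []
      # Example:
      # - "sentinel-0.sentinel:26379"
      # - "sentinel-1.sentinel:26379"
      # - "sentinel-2.sentinel:26379"
      # -- Sentinel password (if different from Redis password)
      password: ""
      # -- Use existing secret for sentinel password
      existingSecret: ""
      existingSecretKey: "sentinel-password"
    # -- Redis Cluster configuration (when mode=cluster)
    cluster:
      # -- Cluster nodes (list of host:port for cluster endpoints)
      nodes: []
      # Example for Azure Cache for Redis (clustered):
      # - "myredis.redis.cache.windows.net:6380"
      # Example for Amazon ElastiCache cluster:
      # - "cluster-endpoint.cache.amazonaws.com:6379"
      # Example for self-hosted cluster:
      # - "redis-node-0:6379"
      # - "redis-node-1:6379"
      # - "redis-node-2:6379"
      # -- Maximum number of redirect hops
      maxRedirects: 3
    # -- Redis username (Redis 6+ ACL, required for Azure Cache for Redis)
    username: ""
    # -- Redis password (ignored if existingSecret is set)
    password: ""
    # -- Use existing secret for password
    existingSecret: ""
    # -- Key in existing secret containing the password
    existingSecretKey: "redis-password"
    # -- Redis database index (only for standalone/sentinel, not supported in cluster mode)
    database: 0
    # -- TLS configuration
    tls:
      # -- Enable TLS (required for most managed Redis services)
      enabled: false
      # -- Skip TLS certificate verification (not recommended for production)
      insecureSkipVerify: false
      # -- Path to CA certificate
      caCertPath: ""
      # -- Use existing secret containing TLS certificates
      existingSecret: ""
      caCertKey: "ca.crt"
    # -- Connection settings
    # -- Connect timeout in milliseconds
    connectTimeout: 5000
    # -- Sync timeout in milliseconds
    syncTimeout: 5000
    # -- Keep alive interval in seconds (0 to disable)
    keepAlive: 60
    # -- Retry settings
    retry:
      # -- Maximum retry attempts
      maxAttempts: 3
      # -- Base delay between retries in milliseconds
      baseDelay: 100
      # -- Maximum delay between retries in milliseconds
      maxDelay: 5000
    # -- Connection pool settings
    pool:
      # -- Minimum number of connections to maintain
      minSize: 5
      # -- Maximum number of connections
      maxSize: 50

  # -- Service URLs (internal Kubernetes DNS - uses full FQDN for cross-namespace communication)
  # Format: http://<release>-<service>.<namespace>.svc.cluster.local:<port>
  # These are templated and will be resolved during Helm rendering.
  # They are plain http on port 80; when the "tls" section at the bottom of this
  # file is enabled these are presumably switched to https by the templates —
  # verify that, otherwise service-to-service traffic stays in clear text.
  serviceUrls:
    activityRegistry: "http://{{ .Release.Name }}-activity-registry.{{ .Release.Namespace }}.svc.cluster.local:80"
    definitionStore: "http://{{ .Release.Name }}-definition-store.{{ .Release.Namespace }}.svc.cluster.local:80"
    workflowEngine: "http://{{ .Release.Name }}-workflow-engine.{{ .Release.Namespace }}.svc.cluster.local:80"
    workflowLogging: "http://{{ .Release.Name }}-workflow-logging.{{ .Release.Namespace }}.svc.cluster.local:80"
    connectionStore: "http://{{ .Release.Name }}-connection-store.{{ .Release.Namespace }}.svc.cluster.local:80"
    tenantRegistry: "http://{{ .Release.Name }}-tenant-registry.{{ .Release.Namespace }}.svc.cluster.local:80"

# =============================================================================
# Core Services
# =============================================================================
# Image notes for every service below: "tag" left empty presumably resolves to
# the chart's appVersion. For production pin a digest (or an immutable tag) —
# with pullPolicy IfNotPresent a mutable tag can leave nodes running a stale
# (possibly vulnerable) image after the tag is moved.

# -- Workflow Engine service configuration
workflowEngine:
  enabled: true
  replicaCount: 1
  image:
    repository: flow/WorkflowEngine
    tag: ""
    pullPolicy: IfNotPresent
  service:
    type: ClusterIP
    port: 80
  ingress:
    enabled: false
    className: ""
    annotations: {}
    hosts:
      - host: workflow-engine.local
        paths:
          - path: /
            pathType: Prefix
    tls: []
  resources:
    limits:
      cpu: 500m
      memory: 512Mi
    requests:
      cpu: 100m
      memory: 256Mi
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 5
    targetCPUUtilizationPercentage: 80
  nodeSelector: {}
  tolerations: []
  affinity: {}
  # -- Runtime configuration
  runtime:
    concurrencyMaxRetries: 5
    concurrencyBaseDelayMs: 100
    concurrencyJitterMs: 50
  # -- Additional environment variables (do not put secrets here as literal
  # values; use valueFrom.secretKeyRef entries instead)
  extraEnv: []
  # -- Additional volume mounts
  extraVolumeMounts: []
  # -- Additional volumes
  extraVolumes: []

# -- Activity Registry service configuration
activityRegistry:
  enabled: true
  replicaCount: 1
  image:
    repository: flow/ActivityRegistry
    tag: ""
    pullPolicy: IfNotPresent
  service:
    type: ClusterIP
    port: 80
  ingress:
    enabled: false
    className: ""
    annotations: {}
    hosts:
      - host: activity-registry.local
        paths:
          - path: /
            pathType: Prefix
    tls: []
  resources:
    limits:
      cpu: 250m
      memory: 256Mi
    requests:
      cpu: 50m
      memory: 128Mi
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 3
    targetCPUUtilizationPercentage: 80
  nodeSelector: {}
  tolerations: []
  affinity: {}
  extraEnv: []
  extraVolumeMounts: []
  extraVolumes: []

# -- Definition Store service configuration
definitionStore:
  enabled: true
  replicaCount: 1
  image:
    repository: flow/DefinitionStore
    tag: ""
    pullPolicy: IfNotPresent
  service:
    type: ClusterIP
    port: 80
  ingress:
    enabled: false
    className: ""
    annotations: {}
    hosts:
      - host: definition-store.local
        paths:
          - path: /
            pathType: Prefix
    tls: []
  resources:
    limits:
      cpu: 250m
      memory: 256Mi
    requests:
      cpu: 50m
      memory: 128Mi
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 3
    targetCPUUtilizationPercentage: 80
  nodeSelector: {}
  tolerations: []
  affinity: {}
  extraEnv: []
  extraVolumeMounts: []
  extraVolumes: []

# -- Workflow Logging service configuration
workflowLogging:
  enabled: true
  replicaCount: 1
  image:
    repository: flow/WorkflowLogging
    tag: ""
    pullPolicy: IfNotPresent
  service:
    type: ClusterIP
    port: 80
  ingress:
    enabled: false
    className: ""
    annotations: {}
    hosts:
      - host: workflow-logging.local
        paths:
          - path: /
            pathType: Prefix
    tls: []
  resources:
    limits:
      cpu: 250m
      memory: 256Mi
    requests:
      cpu: 50m
      memory: 128Mi
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 3
    targetCPUUtilizationPercentage: 80
  nodeSelector: {}
  tolerations: []
  affinity: {}
  extraEnv: []
  extraVolumeMounts: []
  extraVolumes: []

# -- Connection Store service configuration
# This service holds third-party credentials for the activities; keep its
# ingress disabled unless there is a concrete need to expose it.
connectionStore:
  enabled: true
  replicaCount: 1
  image:
    repository: flow/ConnectionStore
    tag: ""
    pullPolicy: IfNotPresent
  service:
    type: ClusterIP
    port: 80
  ingress:
    enabled: false
    className: ""
    annotations: {}
    hosts:
      - host: connection-store.local
        paths:
          - path: /
            pathType: Prefix
    tls: []
  resources:
    limits:
      cpu: 250m
      memory: 256Mi
    requests:
      cpu: 50m
      memory: 128Mi
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 3
    targetCPUUtilizationPercentage: 80
  nodeSelector: {}
  tolerations: []
  affinity: {}
  extraEnv: []
  extraVolumeMounts: []
  extraVolumes: []

# -- Tenant Registry service configuration
tenantRegistry:
  enabled: true
  replicaCount: 1
  image:
    repository: flow/TenantRegistry
    tag: ""
    pullPolicy: IfNotPresent
  service:
    type: ClusterIP
    port: 80
  ingress:
    enabled: false
    className: ""
    annotations: {}
    hosts:
      - host: tenant-registry.local
        paths:
          - path: /
            pathType: Prefix
    tls: []
  resources:
    limits:
      cpu: 250m
      memory: 256Mi
    requests:
      cpu: 50m
      memory: 128Mi
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 3
    targetCPUUtilizationPercentage: 80
  nodeSelector: {}
  tolerations: []
  affinity: {}
  extraEnv: []
  extraVolumeMounts: []
  extraVolumes: []

# =============================================================================
# Frontend
# =============================================================================

# -- Frontend Web service configuration
frontendWeb:
  enabled: true
  replicaCount: 1
  image:
    repository: flow/frontend-web
    tag: ""
    pullPolicy: IfNotPresent
  service:
    type: ClusterIP
    port: 80
  # -- This is the only ingress enabled by default. "tls" is empty, so the
  # Azure AD login flow and all user traffic are served over plain HTTP until
  # a TLS secret (or a cert-manager annotation) is configured here.
  ingress:
    enabled: true
    className: ""
    annotations: {}
    hosts:
      - host: flow.local
        paths:
          - path: /
            pathType: Prefix
    tls: []
  resources:
    limits:
      cpu: 250m
      memory: 256Mi
    requests:
      cpu: 50m
      memory: 128Mi
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 3
    targetCPUUtilizationPercentage: 80
  nodeSelector: {}
  tolerations: []
  affinity: {}
  extraEnv: []
  extraVolumeMounts: []
  extraVolumes: []

# =============================================================================
# Activity Services
# =============================================================================

# -- Activity services common configuration
activities:
  # -- Common image settings for activity services
  image:
    pullPolicy: IfNotPresent
  # -- Common resource settings for activity services
  resources:
    limits:
      cpu: 250m
      memory: 256Mi
    requests:
      cpu: 50m
      memory: 128Mi
  # -- Common service settings
  service:
    type: ClusterIP
    port: 80

  # -- Individual activity service configurations
  # Every activity is enabled by default. Each one is a separate workload with
  # outbound reach to its target system (HTTP, SQL, FTP, SMTP, cloud APIs...);
  # disable the ones a deployment does not need to shrink the attack surface.
  httpRequestActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/HttpRequestActivity
      tag: ""
  sqlActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/SqlActivity
      tag: ""
  redisActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/RedisActivity
      tag: ""
  blobStorageActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/BlobStorageActivity
      tag: ""
  queueActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/QueueActivity
      tag: ""
  cosmosDbActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/CosmosDbActivity
      tag: ""
  mongoDbActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/MongoDbActivity
      tag: ""
  emailActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/EmailActivity
      tag: ""
  slackActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/SlackActivity
      tag: ""
  teamsActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/TeamsActivity
      tag: ""
  twilioActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/TwilioActivity
      tag: ""
  # FTP is an unencrypted protocol; keep this disabled unless workflows need it.
  ftpActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/FtpActivity
      tag: ""
  graphqlActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/GraphQLActivity
      tag: ""
  soapActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/SoapActivity
      tag: ""
  pdfActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/PdfActivity
      tag: ""
  csvActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/CsvActivity
      tag: ""
  excelActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/ExcelActivity
      tag: ""
  oauthActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/OAuthActivity
      tag: ""
  keyVaultActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/KeyVaultActivity
      tag: ""
  eventHubActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/EventHubActivity
      tag: ""
  eventGridActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/EventGridActivity
      tag: ""
  awsS3Activity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/AwsS3Activity
      tag: ""
  awsSqsActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/AwsSqsActivity
      tag: ""
  m365Activity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/M365Activity
      tag: ""

# =============================================================================
# Infrastructure Dependencies
# =============================================================================
# These services can be deployed internally by this chart or configured to use
# external services that already exist in the cluster or externally.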
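# -- PostgreSQL internal deployment configuration
# Only used when global.database.postgres.external=false
postgresql:
  # -- Enable internal PostgreSQL deployment
  enabled: true
  # -- Deployment mode: standalone or ha (high-availability with streaming replication)
  mode: "standalone"
  image:
    repository: postgres
    # "16-alpine" is a moving tag; pin a digest for reproducible, auditable deployments
    tag: "16-alpine"
    pullPolicy: IfNotPresent
  # -- Number of replicas (only used when mode=ha, must be >= 2)
  replicaCount: 1
  # -- Authentication configuration. Leave the plain passwords empty and point
  # existingSecret at a pre-created secret holding all three keys below.
  auth:
    # -- PostgreSQL admin username
    postgresUsername: "postgres"
    # -- PostgreSQL admin password (ignored if existingSecret is set)
    postgresPassword: ""
    # -- Application database name
    database: "flow"
    # -- Application username
    username: "flow"
    # -- Application password (ignored if existingSecret is set)
    password: ""
    # -- Use existing secret for passwords
    existingSecret: ""
    # -- Keys inside the existing secret
    secretKeys:
      adminPasswordKey: "postgres-password"
      userPasswordKey: "password"
      replicationPasswordKey: "replication-password"
  # -- Replication configuration (used when mode=ha)
  replication:
    # -- Enable synchronous replication for zero data loss (impacts performance)
    synchronous: false
    # -- Number of synchronous replicas (when synchronous=true)
    numSynchronousReplicas: 1
    # -- Replication username
    username: "replicator"
    # -- Replication password (ignored if auth.existingSecret is set)
    password: ""
  # -- Primary node configuration
  primary:
    # -- PostgreSQL configuration parameters
    # max_connections has to cover global.database.postgres.pooling.maxSize
    # multiplied by the number of application pods, plus replication slots.
    configuration: |
      max_connections = 200
      shared_buffers = 256MB
      effective_cache_size = 768MB
      maintenance_work_mem = 64MB
      checkpoint_completion_target = 0.9
      wal_buffers = 16MB
      default_statistics_target = 100
      random_page_cost = 1.1
      effective_io_concurrency = 200
      min_wal_size = 1GB
      max_wal_size = 4GB
      max_worker_processes = 4
      max_parallel_workers_per_gather = 2
      max_parallel_workers = 4
      max_parallel_maintenance_workers = 2
    # -- pg_hba.conf entries (matched top to bottom, first match wins)
    # The unix-socket "trust" line is what the official image's entrypoint uses
    # for initdb and initScripts; it also gives anyone who can exec into the pod
    # password-less superuser. Loopback TCP is password-protected, so a sidecar
    # such as the metrics exporter that connects via 127.0.0.1 must be given the
    # password — adjust if it currently relies on trust. The "::/0" rules make
    # dual-stack pod CIDRs match instead of being rejected.
    # Replication is allowed from any user that knows a password; this block is
    # a literal string, so the user column cannot be narrowed to
    # replication.username here — tighten it in an override if needed.
    pgHbaConfiguration: |
      local all all trust
      host all all 127.0.0.1/32 scram-sha-256
      host all all ::1/128 scram-sha-256
      host all all 0.0.0.0/0 scram-sha-256
      host all all ::/0 scram-sha-256
      host replication all 0.0.0.0/0 scram-sha-256
      host replication all ::/0 scram-sha-256
    # -- Initialization scripts (run on first startup, as the admin user)
    initScripts: {}
    resources:
      limits:
        cpu: 1000m
        memory: 1Gi
      requests:
        cpu: 250m
        memory: 512Mi
    # -- Persistent storage for primary
    persistence:
      enabled: true
      storageClass: ""
      size: 10Gi
      accessModes:
        - ReadWriteOnce
    nodeSelector: {}
    tolerations: []
    affinity: {}
  # -- Replica/standby configuration (used when mode=ha)
  replica:
    # -- Number of read replicas
    replicaCount: 1
    # -- Hot standby settings
    configuration: |
      hot_standby = on
      max_standby_streaming_delay = 30s
      wal_receiver_status_interval = 10s
      hot_standby_feedback = on
    resources:
      limits:
        cpu: 500m
        memory: 512Mi
      requests:
        cpu: 100m
        memory: 256Mi
    persistence:
      enabled: true
      storageClass: ""
      size: 10Gi
      accessModes:
        - ReadWriteOnce
    nodeSelector: {}
    tolerations: []
    affinity: {}
  service:
    type: ClusterIP
    port: 5432
    # -- Create headless service for StatefulSet
    headless:
      annotations: {}
  # -- Pod disruption budget
  podDisruptionBudget:
    enabled: false
    minAvailable: 1
  # -- Metrics/monitoring
  metrics:
    enabled: false
    image:
      repository: prometheuscommunity/postgres-exporter
      tag: "v0.15.0"
    port: 9187
    resources:
      limits:
        cpu: 100m
        memory: 128Mi
      requests:
        cpu: 50m
        memory: 64Mi
  nodeSelector: {}
  tolerations: []
  affinity: {}

# -- RabbitMQ internal deployment configuration
# Only used when global.rabbitmq.external=false
rabbitmq:
  # -- Enable internal RabbitMQ deployment
  enabled: true
  # -- Deployment mode: standalone or ha (clustered with quorum queues)
  mode: "standalone"
  image:
    repository: rabbitmq
    # moving tag; pin a digest for production
    tag: "3.13-management-alpine"
    pullPolicy: IfNotPresent
  # -- Number of replicas (for HA mode, should be odd number >= 3)
  replicaCount: 1
  auth:
    # -- Default username
    username: "flow"
    # -- Default password (ignored if existingSecret is set). What happens when
    # both this and existingSecret are empty is decided by the templates —
    # confirm a random password is generated rather than an empty one.
    password: ""
    # -- Erlang cookie for clustering (required for HA). Anyone holding the
    # cookie can attach a node / run remote shell commands on the cluster —
    # treat it as a credential and supply it via existingSecret.
    erlangCookie: ""
    # -- Use existing secret
    existingSecret: ""
    secretKeys:
      passwordKey: "rabbitmq-password"
      erlangCookieKey: "erlang-cookie"
  # -- RabbitMQ configuration
  configuration: |
    ## Cluster formation
    cluster_formation.peer_discovery_backend = rabbit_peer_discovery_k8s
    cluster_formation.k8s.host = kubernetes.default.svc.cluster.local
    cluster_formation.k8s.address_type = hostname
    cluster_formation.node_cleanup.interval = 30
    cluster_formation.node_cleanup.only_log_warning = true
    cluster_partition_handling = pause_minority
    ## Queue settings
    queue_master_locator = min-masters
    ## Memory and disk
    vm_memory_high_watermark.relative = 0.6
    disk_free_limit.relative = 1.5
    ## Networking
    tcp_listen_options.backlog = 128
    tcp_listen_options.nodelay = true
    tcp_listen_options.linger.on = true
    tcp_listen_options.linger.timeout = 0
    tcp_listen_options.sndbuf = 32768
    tcp_listen_options.recbuf = 32768
  # -- Additional plugins to enable
  # rabbitmq_management serves the HTTP API/UI on managementPort; keep it
  # ClusterIP-only and covered by the network policy (see networkPolicy below).
  plugins: "rabbitmq_management rabbitmq_peer_discovery_k8s rabbitmq_prometheus"
  # -- HA-specific configuration
  ha:
    # -- Enable mirroring policies (classic HA, use quorum queues instead for new deployments)
    mirroringEnabled: false
    # -- Default queue type for new queues (classic or quorum)
    defaultQueueType: "quorum"
  resources:
    limits:
      cpu: 1000m
      memory: 1Gi
    requests:
      cpu: 250m
      memory: 512Mi
  persistence:
    enabled: true
    storageClass: ""
    size: 8Gi
    accessModes:
      - ReadWriteOnce
  service:
    type: ClusterIP
    amqpPort: 5672
    managementPort: 15672
    # -- Create headless service for StatefulSet
    headless:
      annotations: {}
  # -- Pod disruption budget
  podDisruptionBudget:
    enabled: false
    minAvailable: 1
  # -- Metrics/monitoring
  metrics:
    enabled: false
    port: 15692
  nodeSelector: {}
  tolerations: []
  affinity: {}

# -- Redis internal deployment configuration
# Only used when global.redis.external=false and global.redis.enabled=true
redis:
  # -- Enable internal Redis deployment
  enabled: false
  # -- Deployment mode: standalone or ha (with Redis Sentinel)
  mode: "standalone"
  image:
    repository: redis
    # moving tag; pin a digest for production
    tag: "7-alpine"
    pullPolicy: IfNotPresent
  auth:
    # -- Enable password authentication (leave on; Redis without auth accepts
    # any command from any pod that can reach the port)
    enabled: true
    # -- Redis password (ignored if existingSecret is set)
    password: ""
    # -- Use existing secret
    existingSecret: ""
    existingSecretKey: "redis-password"
  # -- Master/primary configuration
  master:
    # -- Redis configuration
    # NOTE(review): global.redis describes this instance as also used for
    # distributed locking; allkeys-lru may evict lock keys under memory
    # pressure, silently releasing locks. Consider volatile-lru (and TTLs on
    # cache keys) or a separate instance for locks.
    configuration: |
      maxmemory 256mb
      maxmemory-policy allkeys-lru
      appendonly yes
      appendfsync everysec
      save 900 1
      save 300 10
      save 60 10000
    resources:
      limits:
        cpu: 500m
        memory: 512Mi
      requests:
        cpu: 100m
        memory: 256Mi
    persistence:
      enabled: true
      storageClass: ""
      size: 5Gi
      accessModes:
        - ReadWriteOnce
    nodeSelector: {}
    tolerations: []
    affinity: {}
  # -- Replica configuration (used when mode=ha)
  replica:
    # -- Number of replicas
    replicaCount: 2
    resources:
      limits:
        cpu: 250m
        memory: 256Mi
      requests:
        cpu: 50m
        memory: 128Mi
    persistence:
      enabled: true
      storageClass: ""
      size: 5Gi
      accessModes:
        - ReadWriteOnce
    nodeSelector: {}
    tolerations: []
    affinity: {}
  # -- Sentinel configuration (used when mode=ha)
  sentinel:
    # -- Enable Sentinel for automatic failover
    enabled: true
    image:
      repository: redis
      tag: "7-alpine"
    # -- Number of Sentinel instances (should be odd, >= 3)
    replicaCount: 3
    # -- Quorum for failover decision
    quorum: 2
    # -- Sentinel port
    port: 26379
    # -- Time in milliseconds before considering master down
    downAfterMilliseconds: 30000
    # -- Failover timeout in milliseconds
    failoverTimeout: 180000
    # -- Number of replicas to reconfigure in parallel during failover
    parallelSyncs: 1
    resources:
      limits:
        cpu: 100m
        memory: 128Mi
      requests:
        cpu: 50m
        memory: 64Mi
  service:
    type: ClusterIP
    port: 6379
    sentinelPort: 26379
    # -- Create headless service for StatefulSet
    headless:
      annotations: {}
  # -- Pod disruption budget
  podDisruptionBudget:
    enabled: false
    minAvailable: 1
  # -- Metrics/monitoring
  metrics:
    enabled: false
    image:
      repository: oliver006/redis_exporter
      tag: "v1.55.0"
    port: 9121
    resources:
      limits:
        cpu: 100m
        memory: 128Mi
      requests:
        cpu: 50m
        memory: 64Mi
  nodeSelector: {}
  tolerations: []
  affinity: {}

# =============================================================================
# Common Configuration
# =============================================================================

# -- Pod security context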
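podSecurityContext:
  fsGroup: 1000

# -- Container security context
# Matches the Pod Security Standards "restricted" profile. The official
# postgres/rabbitmq/redis images start as root and drop privileges themselves;
# if the templates apply this context to those pods as well they will need
# their own overrides — confirm before tightening further.
securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  # Required by the "restricted" PSS profile; confines syscalls to the runtime default set.
  seccompProfile:
    type: RuntimeDefault

# -- Service account configuration
# The application pods do not need the Kubernetes API. Unless the templates
# already set it, add automountServiceAccountToken: false on the pod spec so a
# compromised activity container cannot reuse the token.
serviceAccount:
  create: true
  annotations: {}
  name: ""

# -- Pod annotations
podAnnotations: {}

# =============================================================================
# Network Policies (SOC2/NIS2 Compliance)
# =============================================================================
# Network policies enforce zero-trust network security by restricting
# pod-to-pod communication to only what is explicitly allowed.
# Nothing below is enforced until networkPolicy.enabled is true; with the
# default false, every pod in the cluster can reach PostgreSQL, RabbitMQ (incl.
# the management API) and Redis. Enable it for any compliance-scoped install.
networkPolicy:
  # -- Enable network policies for all components
  enabled: false
  # -- Default policy for pods without specific rules
  defaultDenyIngress: true
  # -- Egress stays open by default; the activity services talk to arbitrary
  # external systems, so a deny-by-default egress needs additionalEgressRules
  # for each destination before it can be switched on.
  defaultDenyEgress: false
  # -- Allow DNS egress for all pods (required for service discovery)
  allowDnsEgress: true
  # -- Additional ingress rules for all application pods
  additionalIngressRules: []
  # - from:
  #   - namespaceSelector:
  #       matchLabels:
  #         name: monitoring
  #   ports:
  #   - protocol: TCP
  #     port: 9090
  # -- Additional egress rules for all application pods
  additionalEgressRules: []
  # - to:
  #   - ipBlock:
  #       cidr: 10.0.0.0/8
  #   ports:
  #   - protocol: TCP
  #     port: 443
  # -- Infrastructure-specific network policies
  infrastructure:
    # -- PostgreSQL network policy
    postgresql:
      enabled: true
      # -- Allow ingress only from application pods and replicas
      allowedNamespaces: []
      # -- Additional allowed pod selectors
      additionalAllowedPods: []
    # -- RabbitMQ network policy
    rabbitmq:
      enabled: true
      allowedNamespaces: []
      additionalAllowedPods: []
    # -- Redis network policy
    redis:
      enabled: true
      allowedNamespaces: []
      additionalAllowedPods: []

# =============================================================================
# Backup Configuration (SOC2/NIS2 Compliance)
# =============================================================================
# Automated backups for disaster recovery and compliance requirements.
# Supports local PVC storage, S3-compatible storage, and Azure Blob Storage.
# Backups contain the full application database, RabbitMQ definitions (which
# include user password hashes) and Redis snapshots; treat the target bucket
# as sensitive and enable global.encryption for anything leaving the cluster.
backup:
  # -- Enable backup functionality
  enabled: false
  # -- Global backup settings
  global:
    # -- Backup storage type: pvc, s3, minio, azure, gcs
    # Note: For clusters without RWX volume support, use 's3' or 'minio'
    storageType: "minio"
    # -- PVC storage configuration (requires RWX volumes for concurrent backup jobs)
    # Not recommended for clusters without RWX support
    pvc:
      storageClass: ""
      size: 50Gi
      accessModes:
        - ReadWriteOnce
    # -- S3-compatible storage configuration (AWS S3, MinIO, etc.)
    # Recommended for clusters without RWX volume support
    s3:
      # -- S3 endpoint URL (for MinIO, use internal service URL)
      # Example for MinIO in cluster: http://minio.minio-system.svc.cluster.local:9000
      # Example for AWS S3: https://s3.amazonaws.com
      # The default is plain http: request signing protects the credentials but
      # the backup payload itself is sent in clear text. Use https for any
      # endpoint that is not in-cluster.
      endpoint: "http://minio.minio-system.svc.cluster.local:9000"
      # -- Bucket name for backups
      bucket: "flow-backups"
      # -- AWS region (only needed for AWS S3)
      region: "us-east-1"
      # -- Access key ID (ignored if existingSecret is set)
      accessKeyId: ""
      # -- Secret access key (ignored if existingSecret is set)
      secretAccessKey: ""
      # -- Use existing secret containing S3 credentials
      existingSecret: ""
      # -- Keys in the existing secret
      secretKeys:
        accessKeyId: "access-key-id"
        secretAccessKey: "secret-access-key"
    # -- Azure Blob Storage configuration
    azure:
      storageAccount: ""
      container: ""
      # -- SAS token (ignored if existingSecret is set); scope it to the
      # container with write-only permissions if the provider allows it
      sasToken: ""
      existingSecret: ""
      secretKeys:
        sasToken: "sas-token"
    # -- Google Cloud Storage configuration
    gcs:
      bucket: ""
      projectId: ""
      # -- Service account key JSON (ignored if existingSecret is set)
      serviceAccountKey: ""
      existingSecret: ""
      secretKeys:
        serviceAccountKey: "service-account-key"
    # -- Retention policy
    retention:
      # -- Number of daily backups to keep
      daily: 7
      # -- Number of weekly backups to keep
      weekly: 4
      # -- Number of monthly backups to keep
      monthly: 12
    # -- Encryption settings
    encryption:
      # -- Enable backup encryption
      enabled: false
      # -- Encryption key (base64 encoded, 32 bytes for AES-256; ignored if
      # existingSecret is set — never commit a real key here)
      key: ""
      # -- Use existing secret for encryption key
      existingSecret: ""
      existingSecretKey: "encryption-key"
  # -- PostgreSQL backup configuration
  postgresql:
    enabled: true
    # -- Backup schedule (cron format)
    schedule: "0 2 * * *"  # Daily at 2 AM
    # -- Backup type: full, incremental (requires pgBackRest or similar)
    type: "full"
    # -- Number of backups to retain
    retentionCount: 7
    # -- Backup image (pg_dump major version must match the server's)
    image:
      repository: postgres
      tag: "16-alpine"
    # -- Resources for backup job
    resources:
      limits:
        cpu: 500m
        memory: 512Mi
      requests:
        cpu: 100m
        memory: 256Mi
    # -- Additional pg_dump options
    pgDumpOptions: "--format=custom --compress=9"
    # -- Pre-backup script (runs before backup)
    preBackupScript: ""
    # -- Post-backup script (runs after successful backup)
    postBackupScript: ""
    # -- Backup verification
    verification:
      enabled: true
      # -- Restore to temporary database and run integrity checks
      restoreTest: false
    # -- Point-in-time recovery (PITR) configuration
    pitr:
      enabled: false
      # -- WAL archiving destination
      walArchiveCommand: ""
      # -- WAL archive storage (same as backup storage if not specified)
      walStorageType: ""
  # -- RabbitMQ backup configuration
  rabbitmq:
    enabled: true
    # -- Backup schedule (cron format)
    schedule: "0 3 * * *"  # Daily at 3 AM
    # -- What to backup: definitions, messages, both
    # "definitions" exports users (with password hashes), vhosts, permissions
    # and policies via the management API — a credential-bearing artifact.
    backupType: "definitions"
    # -- Number of backups to retain
    retentionCount: 7
    # -- Backup image
    image:
      repository: curlimages/curl
      tag: "8.5.0"
    resources:
      limits:
        cpu: 200m
        memory: 256Mi
      requests:
        cpu: 50m
        memory: 128Mi
  # -- Redis backup configuration
  redis:
    enabled: true
    # -- Backup schedule (cron format)
    schedule: "0 4 * * *"  # Daily at 4 AM
    # -- Number of backups to retain
    retentionCount: 7
    # -- Backup image
    image:
      repository: redis
      tag: "7-alpine"
    resources:
      limits:
        cpu: 200m
        memory: 256Mi
      requests:
        cpu: 50m
        memory: 128Mi
    # -- Use BGSAVE before backup (recommended for data consistency)
    useBgsave: true

# =============================================================================
# Audit Logging (SOC2/NIS2 Compliance)
# =============================================================================
auditLogging:
  # -- Enable enhanced audit logging (off by default; the per-event switches
  # below have no effect until this is true)
  enabled: false
  # -- Log all API requests
  logApiRequests: true
  # -- Log authentication events
  logAuthEvents: true
  # -- Log data access events
  logDataAccess: true
  # -- Log administrative actions
  logAdminActions: true
  # -- Audit log retention days
  retentionDays: 365
  # -- Export audit logs to external system
  export:
    enabled: false
    # -- Export type: syslog, splunk, elasticsearch, azure-sentinel
    type: "syslog"
    # -- Export endpoint (required when export.enabled=true)
    endpoint: ""
    # -- Use TLS for export
    tls: true

# =============================================================================
# TLS Configuration (SOC2/NIS2 Compliance)
# =============================================================================
# Internal mTLS between microservices using cert-manager with self-signed CA.
# Certificates are valid for services within the configured namespace(s).
tls:
  # -- Enable TLS for internal service communication (off by default, so
  # service-to-service traffic — including Connection Store credentials in
  # transit — is plain HTTP until this is turned on)
  enabled: false
  # -- Namespaces for which certificates should be valid
  # By default uses the installation namespace (from global.namespace or --namespace flag)
  # Add additional namespaces if services need to communicate across namespaces
  namespaces: []
  # Example:
  # - "flow"
  # - "flow-activities"
  # - "flow-infrastructure"
  # -- Use cert-manager for automatic certificate management
  # Requires cert-manager to be installed in the cluster
  # See: https://cert-manager.io/docs/installation/
  certManager:
    # -- Enable cert-manager integration
    enabled: true
    # -- Create a self-signed ClusterIssuer for internal certificates
    # If false, you must provide an existing issuer via issuerRef
    createSelfSignedIssuer: true
    # -- Name of the self-signed CA issuer (created by this chart)
    selfSignedIssuerName: "{{ .Release.Name }}-selfsigned-issuer"
    # -- Name of the CA certificate (created by this chart)
    caCertificateName: "{{ .Release.Name }}-internal-ca"
    # -- Name of the CA issuer that signs service certificates
    caIssuerName: "{{ .Release.Name }}-ca-issuer"
    # -- Reference to an existing issuer (used when createSelfSignedIssuer=false)
    issuerRef:
      # -- Name of the existing issuer
      name: ""
      # -- Kind: Issuer or ClusterIssuer
      kind: "ClusterIssuer"
      # -- Group (usually cert-manager.io)
      group: "cert-manager.io"
    # -- Certificate duration (default: 90 days)
    duration: "2160h"  # 90 days
    # -- Certificate renewal before expiry (default: 30 days before)
    renewBefore: "720h"  # 30 days
    # -- Private key algorithm: RSA, ECDSA, Ed25519
    privateKey:
      algorithm: "ECDSA"
      size: 256  # For ECDSA: 256, 384, or 521. For RSA: 2048, 4096
    # -- CA certificate settings
    ca:
      # -- CA certificate duration (default: 10 years)
      duration: "87600h"  # 10 years
      # -- CA renewal before expiry
      renewBefore: "8760h"  # 1 year
      # -- CA common name
      commonName: "Flow Internal CA"
      # -- CA organization
      organization: "Entit AB"
  # -- Use existing TLS secret (alternative to cert-manager)
  # This secret must contain tls.crt, tls.key, and ca.crt
  existingSecret: ""
  # -- Minimum TLS version (1.2 or 1.3). 1.3 is preferred where every client
  # supports it; 1.2 is kept as the default for compatibility.
  minVersion: "1.2"
  # -- Cipher suites (leave empty for secure defaults; TLS 1.3 suites are not
  # configurable). The suite family must match privateKey.algorithm:
  # with the default ECDSA key use TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 and
  # TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256; the TLS_ECDHE_RSA_* equivalents
  # only negotiate with an RSA key.
  cipherSuites: []
  # -- Additional DNS names to include in all certificates
  additionalDnsNames: []
  # -- Service-specific certificate overrides
  # By default, each service gets a certificate with DNS names for all configured namespaces:
  #   - <release>-<service>
  #   - <release>-<service>.<namespace>.svc.cluster.local (for each namespace)
  services:
    workflowEngine:
      # -- Additional DNS names for this service's certificate
      additionalDnsNames: []
    activityRegistry:
      additionalDnsNames: []
    definitionStore:
      additionalDnsNames: []
    workflowLogging:
      additionalDnsNames: []
    connectionStore:
      additionalDnsNames: []
    tenantRegistry:
      additionalDnsNames: []
    frontendWeb:
      additionalDnsNames: []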