# Default values for the Flow platform
# This is a YAML-formatted file.
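# -- Global configuration shared across all services
global:
  # -- Image registry for all Flow services
  imageRegistry: "cr.kn.entit.eu"
  # -- Image pull secrets (a private registry such as the one above normally needs an entry here)
  imagePullSecrets: []
  # -- Storage class for persistent volumes
  storageClass: ""
  # -- Azure AD authentication configuration
  azureAd:
    enabled: true
    instance: "https://login.microsoftonline.com/"
    domain: ""
    tenantId: ""
    clientId: ""
    # -- Client secret. Do not commit a real value here; supply it at install time or from a
    # secret store. NOTE(review): unlike the database/broker blocks below this one has no
    # existingSecret option — confirm how the templates expect the secret to be delivered.
    clientSecret: ""
    scopes: "access_as_user"
  # -- Database configuration
  database:
    # -- Database provider: SqlServer or Postgres
    provider: "Postgres"
    # -- SQL Server connection string (when provider is SqlServer)
    sqlServer:
      connectionString: ""
      # -- Use existing secret for connection string
      existingSecret: ""
      existingSecretKey: "connection-string"
    # -- PostgreSQL configuration (when provider is Postgres)
    postgres:
      # -- Use external PostgreSQL instance (set to true for managed services like Azure Database for PostgreSQL, AWS RDS, etc.)
      external: false
      # -- PostgreSQL host (FQDN for managed services, e.g., myserver.postgres.database.azure.com)
      host: "postgresql"
      # -- PostgreSQL port
      port: 5432
      # -- Database name
      database: "flow"
      # -- Database username (for Azure, use format: username@servername)
      username: "flow"
      # -- Database password (ignored if existingSecret is set)
      password: ""
      # -- Use existing secret for password
      existingSecret: ""
      # -- Key in existing secret containing the password
      existingSecretKey: "postgres-password"
      # -- SSL mode: disable, allow, prefer, require, verify-ca, verify-full.
      # "prefer" allows a plaintext fallback and does not verify the server certificate;
      # for external/managed instances use verify-full with a CA supplied via extraParams.
      sslMode: "prefer"
      # -- Additional connection parameters (e.g., "sslrootcert=/path/to/ca.crt&application_name=flow")
      extraParams: ""
      # -- Connection pool settings
      pooling:
        # -- Minimum pool size
        minSize: 5
        # -- Maximum pool size
        maxSize: 100
        # -- Connection lifetime in seconds (0 = infinite)
        connectionLifetime: 0
        # -- Connection idle timeout in seconds
        connectionIdleLifetime: 300
  # -- RabbitMQ configuration
  rabbitmq:
    # -- Use external RabbitMQ instance (set to true for managed services like CloudAMQP, Amazon MQ, etc.)
    external: false
    # -- RabbitMQ host (FQDN for managed services)
    host: "rabbitmq"
    # -- Additional hosts for cluster connection (comma-separated or list)
    additionalHosts: []
    # -- RabbitMQ AMQP port
    port: 5672
    # -- RabbitMQ management port
    managementPort: 15672
    # -- RabbitMQ username
    username: "flow"
    # -- RabbitMQ password (ignored if existingSecret is set)
    password: ""
    # -- Use existing secret for password
    existingSecret: ""
    # -- Key in existing secret containing the password
    existingSecretKey: "rabbitmq-password"
    # -- Virtual host
    vhost: "/"
    # -- Prefetch count
    prefetch: 1
    # -- Activity exchange name
    activityExchange: "workflow.activities"
    # -- Completed exchange name
    completedExchange: "workflow.completed"
    # -- Workflow events exchange name
    workflowEventsExchange: "workflow.logging"
    # -- TLS settings for the broker connection (disabled by default: credentials and
    # messages travel in plaintext unless the cluster network is otherwise protected)
    tls:
      enabled: false
      # -- Skip TLS certificate verification (not recommended for production)
      insecureSkipVerify: false
      # -- Path to CA certificate (for self-signed certs)
      caCertPath: ""
      # -- Use existing secret containing TLS certificates
      existingSecret: ""
      # -- Key in existing secret containing CA certificate
      caCertKey: "ca.crt"
  # -- Redis configuration
  redis:
    # -- Enable Redis (for caching and distributed locking)
    enabled: false
    # -- Use external Redis instance (set to true for managed services like Azure Cache for Redis, Amazon ElastiCache, etc.)
    external: false
    # -- Redis deployment mode: standalone, sentinel, or cluster
    mode: "standalone"
    # -- Standalone/Sentinel configuration
    # -- Redis host (single host for standalone, master name for sentinel, ignored for cluster mode)
    host: "redis"
    # -- Redis port (6379 for standalone, 26379 for sentinel)
    port: 6379
    # -- Redis Sentinel configuration (when mode=sentinel)
    sentinel:
      # -- Sentinel master name
      masterName: "mymaster"
      # -- Sentinel nodes (list of host:port)
      nodes: []
      # Example:
      #   - "sentinel-0.sentinel:26379"
      #   - "sentinel-1.sentinel:26379"
      #   - "sentinel-2.sentinel:26379"
      # -- Sentinel password (if different from Redis password)
      password: ""
      # -- Use existing secret for sentinel password
      existingSecret: ""
      existingSecretKey: "sentinel-password"
    # -- Redis Cluster configuration (when mode=cluster)
    cluster:
      # -- Cluster nodes (list of host:port for cluster endpoints)
      nodes: []
      # Example for Azure Cache for Redis (clustered):
      #   - "myredis.redis.cache.windows.net:6380"
      # Example for Amazon ElastiCache cluster:
      #   - "cluster-endpoint.cache.amazonaws.com:6379"
      # Example for self-hosted cluster:
      #   - "redis-node-0:6379"
      #   - "redis-node-1:6379"
      #   - "redis-node-2:6379"
      # -- Maximum number of redirect hops
      maxRedirects: 3
    # -- Redis username (Redis 6+ ACL, required for Azure Cache for Redis)
    username: ""
    # -- Redis password (ignored if existingSecret is set)
    password: ""
    # -- Use existing secret for password
    existingSecret: ""
    # -- Key in existing secret containing the password
    existingSecretKey: "redis-password"
    # -- Redis database index (only for standalone/sentinel, not supported in cluster mode)
    database: 0
    # -- TLS configuration
    tls:
      # -- Enable TLS (required for most managed Redis services)
      enabled: false
      # -- Skip TLS certificate verification (not recommended for production)
      insecureSkipVerify: false
      # -- Path to CA certificate
      caCertPath: ""
      # -- Use existing secret containing TLS certificates
      existingSecret: ""
      caCertKey: "ca.crt"
    # -- Connection settings
    # -- Connect timeout in milliseconds
    connectTimeout: 5000
    # -- Sync timeout in milliseconds
    syncTimeout: 5000
    # -- Keep alive interval in seconds (0 to disable)
    keepAlive: 60
    # -- Retry settings
    retry:
      # -- Maximum retry attempts
      maxAttempts: 3
      # -- Base delay between retries in milliseconds
      baseDelay: 100
      # -- Maximum delay between retries in milliseconds
      maxDelay: 5000
    # -- Connection pool settings
    pool:
      # -- Minimum number of connections to maintain
      minSize: 5
      # -- Maximum number of connections
      maxSize: 50
  # -- Service URLs (internal Kubernetes DNS - uses full FQDN for cross-namespace communication)
  # Format: http://<service-name>.<namespace>.svc.cluster.local:<port>
  # These values contain Go-template expressions. Helm does not render values.yaml itself,
  # so they only resolve if the chart passes them through `tpl` — confirm in the templates.
  # They are plain http:// — see the `tls` section for in-cluster encryption.
  serviceUrls:
    activityRegistry: "http://{{ .Release.Name }}-activity-registry.{{ .Release.Namespace }}.svc.cluster.local:80"
    definitionStore: "http://{{ .Release.Name }}-definition-store.{{ .Release.Namespace }}.svc.cluster.local:80"
    workflowEngine: "http://{{ .Release.Name }}-workflow-engine.{{ .Release.Namespace }}.svc.cluster.local:80"
    workflowLogging: "http://{{ .Release.Name }}-workflow-logging.{{ .Release.Namespace }}.svc.cluster.local:80"
    connectionStore: "http://{{ .Release.Name }}-connection-store.{{ .Release.Namespace }}.svc.cluster.local:80"
    tenantRegistry: "http://{{ .Release.Name }}-tenant-registry.{{ .Release.Namespace }}.svc.cluster.local:80"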
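# =============================================================================
# Core Services
# =============================================================================
# -- Workflow Engine service configuration
workflowEngine:
  enabled: true
  replicaCount: 1
  image:
    repository: flow/WorkflowEngine
    # -- Image tag (empty: whatever default the deployment template applies — confirm there)
    tag: ""
    pullPolicy: IfNotPresent
  service:
    type: ClusterIP
    port: 80
  ingress:
    enabled: false
    className: ""
    annotations: {}
    hosts:
      - host: workflow-engine.local
        paths:
          - path: /
            pathType: Prefix
    # -- Ingress TLS entries; while empty, an enabled ingress serves plaintext HTTP
    tls: []
  resources:
    limits:
      cpu: 500m
      memory: 512Mi
    requests:
      cpu: 100m
      memory: 256Mi
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 5
    targetCPUUtilizationPercentage: 80
  nodeSelector: {}
  tolerations: []
  affinity: {}
  # -- Runtime configuration
  runtime:
    concurrencyMaxRetries: 5
    concurrencyBaseDelayMs: 100
    concurrencyJitterMs: 50
  # -- Additional environment variables (reference secrets with valueFrom.secretKeyRef
  # rather than literal values so they do not end up in the rendered manifests)
  extraEnv: []
  # -- Additional volume mounts
  extraVolumeMounts: []
  # -- Additional volumes
  extraVolumes: []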
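# -- Activity Registry service configuration
activityRegistry:
  enabled: true
  replicaCount: 1
  image:
    repository: flow/ActivityRegistry
    tag: ""
    pullPolicy: IfNotPresent
  service:
    type: ClusterIP
    port: 80
  ingress:
    enabled: false
    className: ""
    annotations: {}
    hosts:
      - host: activity-registry.local
        paths:
          - path: /
            pathType: Prefix
    # -- Ingress TLS entries; while empty, an enabled ingress serves plaintext HTTP
    tls: []
  resources:
    limits:
      cpu: 250m
      memory: 256Mi
    requests:
      cpu: 50m
      memory: 128Mi
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 3
    targetCPUUtilizationPercentage: 80
  nodeSelector: {}
  tolerations: []
  affinity: {}
  # -- Additional environment variables
  extraEnv: []
  # -- Additional volume mounts
  extraVolumeMounts: []
  # -- Additional volumes
  extraVolumes: []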
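# -- Definition Store service configuration
definitionStore:
  enabled: true
  replicaCount: 1
  image:
    repository: flow/DefinitionStore
    tag: ""
    pullPolicy: IfNotPresent
  service:
    type: ClusterIP
    port: 80
  ingress:
    enabled: false
    className: ""
    annotations: {}
    hosts:
      - host: definition-store.local
        paths:
          - path: /
            pathType: Prefix
    # -- Ingress TLS entries; while empty, an enabled ingress serves plaintext HTTP
    tls: []
  resources:
    limits:
      cpu: 250m
      memory: 256Mi
    requests:
      cpu: 50m
      memory: 128Mi
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 3
    targetCPUUtilizationPercentage: 80
  nodeSelector: {}
  tolerations: []
  affinity: {}
  # -- Additional environment variables
  extraEnv: []
  # -- Additional volume mounts
  extraVolumeMounts: []
  # -- Additional volumes
  extraVolumes: []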
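# -- Workflow Logging service configuration
workflowLogging:
  enabled: true
  replicaCount: 1
  image:
    repository: flow/WorkflowLogging
    tag: ""
    pullPolicy: IfNotPresent
  service:
    type: ClusterIP
    port: 80
  ingress:
    enabled: false
    className: ""
    annotations: {}
    hosts:
      - host: workflow-logging.local
        paths:
          - path: /
            pathType: Prefix
    # -- Ingress TLS entries; while empty, an enabled ingress serves plaintext HTTP
    tls: []
  resources:
    limits:
      cpu: 250m
      memory: 256Mi
    requests:
      cpu: 50m
      memory: 128Mi
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 3
    targetCPUUtilizationPercentage: 80
  nodeSelector: {}
  tolerations: []
  affinity: {}
  # -- Additional environment variables
  extraEnv: []
  # -- Additional volume mounts
  extraVolumeMounts: []
  # -- Additional volumes
  extraVolumes: []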
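# -- Connection Store service configuration
connectionStore:
  enabled: true
  replicaCount: 1
  image:
    repository: flow/ConnectionStore
    tag: ""
    pullPolicy: IfNotPresent
  service:
    type: ClusterIP
    port: 80
  ingress:
    enabled: false
    className: ""
    annotations: {}
    hosts:
      - host: connection-store.local
        paths:
          - path: /
            pathType: Prefix
    # -- Ingress TLS entries; while empty, an enabled ingress serves plaintext HTTP
    tls: []
  resources:
    limits:
      cpu: 250m
      memory: 256Mi
    requests:
      cpu: 50m
      memory: 128Mi
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 3
    targetCPUUtilizationPercentage: 80
  nodeSelector: {}
  tolerations: []
  affinity: {}
  # -- Additional environment variables
  extraEnv: []
  # -- Additional volume mounts
  extraVolumeMounts: []
  # -- Additional volumes
  extraVolumes: []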
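# -- Tenant Registry service configuration
tenantRegistry:
  enabled: true
  replicaCount: 1
  image:
    repository: flow/TenantRegistry
    tag: ""
    pullPolicy: IfNotPresent
  service:
    type: ClusterIP
    port: 80
  ingress:
    enabled: false
    className: ""
    annotations: {}
    hosts:
      - host: tenant-registry.local
        paths:
          - path: /
            pathType: Prefix
    # -- Ingress TLS entries; while empty, an enabled ingress serves plaintext HTTP
    tls: []
  resources:
    limits:
      cpu: 250m
      memory: 256Mi
    requests:
      cpu: 50m
      memory: 128Mi
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 3
    targetCPUUtilizationPercentage: 80
  nodeSelector: {}
  tolerations: []
  affinity: {}
  # -- Additional environment variables
  extraEnv: []
  # -- Additional volume mounts
  extraVolumeMounts: []
  # -- Additional volumes
  extraVolumes: []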
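# =============================================================================
# Frontend
# =============================================================================
# -- Frontend Web service configuration
frontendWeb:
  enabled: true
  replicaCount: 1
  image:
    repository: flow/frontend-web
    tag: ""
    pullPolicy: IfNotPresent
  service:
    type: ClusterIP
    port: 80
  ingress:
    # -- The frontend ingress is enabled by default, unlike the backend services
    enabled: true
    className: ""
    annotations: {}
    hosts:
      - host: flow.local
        paths:
          - path: /
            pathType: Prefix
    # -- Ingress TLS entries. With ingress enabled and this list empty, the UI (and the
    # Azure AD sign-in flow behind it) is served over plaintext HTTP — add a TLS entry
    # (or a cert-manager annotation) for any non-local deployment.
    tls: []
  resources:
    limits:
      cpu: 250m
      memory: 256Mi
    requests:
      cpu: 50m
      memory: 128Mi
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 3
    targetCPUUtilizationPercentage: 80
  nodeSelector: {}
  tolerations: []
  affinity: {}
  # -- Additional environment variables
  extraEnv: []
  # -- Additional volume mounts
  extraVolumeMounts: []
  # -- Additional volumes
  extraVolumes: []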
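# =============================================================================
# Activity Services
# =============================================================================
# -- Activity services common configuration
activities:
  # -- Common image settings for activity services
  image:
    pullPolicy: IfNotPresent
  # -- Common resource settings for activity services
  resources:
    limits:
      cpu: 250m
      memory: 256Mi
    requests:
      cpu: 50m
      memory: 128Mi
  # -- Common service settings
  service:
    type: ClusterIP
    port: 80
  # -- Individual activity service configurations
  # NOTE(review): the per-activity entries are nested under `activities` here; confirm this
  # matches the path the templates read (e.g. .Values.activities.httpRequestActivity).
  # Every activity is enabled by default — disable the ones a deployment does not need to
  # reduce the running attack surface and the set of outbound credentials in play.
  httpRequestActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/HttpRequestActivity
      tag: ""
  sqlActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/SqlActivity
      tag: ""
  redisActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/RedisActivity
      tag: ""
  blobStorageActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/BlobStorageActivity
      tag: ""
  queueActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/QueueActivity
      tag: ""
  cosmosDbActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/CosmosDbActivity
      tag: ""
  mongoDbActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/MongoDbActivity
      tag: ""
  emailActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/EmailActivity
      tag: ""
  slackActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/SlackActivity
      tag: ""
  teamsActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/TeamsActivity
      tag: ""
  twilioActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/TwilioActivity
      tag: ""
  ftpActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/FtpActivity
      tag: ""
  graphqlActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/GraphQLActivity
      tag: ""
  soapActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/SoapActivity
      tag: ""
  pdfActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/PdfActivity
      tag: ""
  csvActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/CsvActivity
      tag: ""
  excelActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/ExcelActivity
      tag: ""
  oauthActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/OAuthActivity
      tag: ""
  keyVaultActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/KeyVaultActivity
      tag: ""
  eventHubActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/EventHubActivity
      tag: ""
  eventGridActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/EventGridActivity
      tag: ""
  awsS3Activity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/AwsS3Activity
      tag: ""
  awsSqsActivity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/AwsSqsActivity
      tag: ""
  m365Activity:
    enabled: true
    replicaCount: 1
    image:
      repository: flow/M365Activity
      tag: ""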
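# =============================================================================
# Infrastructure Dependencies
# =============================================================================
# These services can be deployed internally by this chart or configured to use
# external services that already exist in the cluster or externally.
# -- PostgreSQL internal deployment configuration
# Only used when global.database.postgres.external=false
postgresql:
  # -- Enable internal PostgreSQL deployment
  enabled: true
  # -- Deployment mode: standalone or ha (high-availability with streaming replication)
  mode: "standalone"
  image:
    repository: postgres
    tag: "16-alpine"
    pullPolicy: IfNotPresent
  # -- Number of replicas (only used when mode=ha, must be >= 2)
  replicaCount: 1
  # -- Authentication settings (admin and application credentials)
  auth:
    # -- PostgreSQL admin username
    postgresUsername: "postgres"
    # -- PostgreSQL admin password (empty: confirm in the templates whether one is generated
    # or the server starts without a superuser password)
    postgresPassword: ""
    # -- Application database name
    database: "flow"
    # -- Application username
    username: "flow"
    # -- Application password
    password: ""
    # -- Use existing secret for passwords
    existingSecret: ""
    # -- Keys in the existing secret
    secretKeys:
      adminPasswordKey: "postgres-password"
      userPasswordKey: "password"
      replicationPasswordKey: "replication-password"
  # -- Replication configuration (used when mode=ha)
  replication:
    # -- Enable synchronous replication for zero data loss (impacts performance)
    synchronous: false
    # -- Number of synchronous replicas (when synchronous=true)
    numSynchronousReplicas: 1
    # -- Replication username
    username: "replicator"
    # -- Replication password
    password: ""
  # -- Primary node configuration
  primary:
    # -- PostgreSQL configuration parameters
    configuration: |
      max_connections = 200
      shared_buffers = 256MB
      effective_cache_size = 768MB
      maintenance_work_mem = 64MB
      checkpoint_completion_target = 0.9
      wal_buffers = 16MB
      default_statistics_target = 100
      random_page_cost = 1.1
      effective_io_concurrency = 200
      min_wal_size = 1GB
      max_wal_size = 4GB
      max_worker_processes = 4
      max_parallel_workers_per_gather = 2
      max_parallel_workers = 4
      max_parallel_maintenance_workers = 2
    # -- pg_hba.conf entries.
    # The three `trust` rules let any process inside the pod (Unix socket or loopback)
    # connect as any database user, including the superuser, with no password — anyone
    # who can exec into the pod gets full access. The two `host` rules accept
    # connections from any address and do not require TLS; consider `hostssl`, a
    # narrower CIDR, and enabling networkPolicy so the listener is reachable only from
    # application pods.
    pgHbaConfiguration: |
      local all all trust
      host all all 127.0.0.1/32 trust
      host all all ::1/128 trust
      host all all 0.0.0.0/0 scram-sha-256
      host replication all 0.0.0.0/0 scram-sha-256
    # -- Initialization scripts (run on first startup, as SQL/shell inside the database
    # container — treat their contents as privileged configuration)
    initScripts: {}
    resources:
      limits:
        cpu: 1000m
        memory: 1Gi
      requests:
        cpu: 250m
        memory: 512Mi
    # -- Persistent storage for primary
    persistence:
      enabled: true
      storageClass: ""
      size: 10Gi
      accessModes:
        - ReadWriteOnce
    nodeSelector: {}
    tolerations: []
    affinity: {}
  # -- Replica/standby configuration (used when mode=ha)
  replica:
    # -- Number of read replicas
    replicaCount: 1
    # -- Hot standby settings
    configuration: |
      hot_standby = on
      max_standby_streaming_delay = 30s
      wal_receiver_status_interval = 10s
      hot_standby_feedback = on
    resources:
      limits:
        cpu: 500m
        memory: 512Mi
      requests:
        cpu: 100m
        memory: 256Mi
    persistence:
      enabled: true
      storageClass: ""
      size: 10Gi
      accessModes:
        - ReadWriteOnce
    nodeSelector: {}
    tolerations: []
    affinity: {}
  service:
    type: ClusterIP
    port: 5432
    # -- Create headless service for StatefulSet
    headless:
      annotations: {}
  # -- Pod disruption budget
  podDisruptionBudget:
    enabled: false
    minAvailable: 1
  # -- Metrics/monitoring
  metrics:
    enabled: false
    image:
      repository: prometheuscommunity/postgres-exporter
      tag: "v0.15.0"
    port: 9187
    resources:
      limits:
        cpu: 100m
        memory: 128Mi
      requests:
        cpu: 50m
        memory: 64Mi
  nodeSelector: {}
  tolerations: []
  affinity: {}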
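# -- RabbitMQ internal deployment configuration
# Only used when global.rabbitmq.external=false
rabbitmq:
  # -- Enable internal RabbitMQ deployment
  enabled: true
  # -- Deployment mode: standalone or ha (clustered with quorum queues)
  mode: "standalone"
  image:
    repository: rabbitmq
    tag: "3.13-management-alpine"
    pullPolicy: IfNotPresent
  # -- Number of replicas (for HA mode, should be odd number >= 3)
  replicaCount: 1
  auth:
    # -- Default username
    username: "flow"
    # -- Default password
    password: ""
    # -- Erlang cookie for clustering (required for HA). It is a shared secret: any node
    # holding it can join the cluster and run code on peers, so generate it randomly and
    # keep it in a Secret rather than in a committed values file.
    erlangCookie: ""
    # -- Use existing secret
    existingSecret: ""
    secretKeys:
      passwordKey: "rabbitmq-password"
      erlangCookieKey: "erlang-cookie"
  # -- RabbitMQ configuration (rabbitmq.conf; lines starting with ## are comments in that file)
  configuration: |
    ## Cluster formation
    cluster_formation.peer_discovery_backend = rabbit_peer_discovery_k8s
    cluster_formation.k8s.host = kubernetes.default.svc.cluster.local
    cluster_formation.k8s.address_type = hostname
    cluster_formation.node_cleanup.interval = 30
    cluster_formation.node_cleanup.only_log_warning = true
    cluster_partition_handling = pause_minority
    ## Queue settings
    queue_master_locator = min-masters
    ## Memory and disk
    vm_memory_high_watermark.relative = 0.6
    disk_free_limit.relative = 1.5
    ## Networking
    tcp_listen_options.backlog = 128
    tcp_listen_options.nodelay = true
    tcp_listen_options.linger.on = true
    tcp_listen_options.linger.timeout = 0
    tcp_listen_options.sndbuf = 32768
    tcp_listen_options.recbuf = 32768
  # -- Additional plugins to enable. The management plugin exposes an HTTP UI/API on
  # service.managementPort that accepts the credentials above; keep it cluster-internal.
  plugins: "rabbitmq_management rabbitmq_peer_discovery_k8s rabbitmq_prometheus"
  # -- HA-specific configuration
  ha:
    # -- Enable mirroring policies (classic HA, use quorum queues instead for new deployments)
    mirroringEnabled: false
    # -- Default queue type for new queues (classic or quorum)
    defaultQueueType: "quorum"
  resources:
    limits:
      cpu: 1000m
      memory: 1Gi
    requests:
      cpu: 250m
      memory: 512Mi
  persistence:
    enabled: true
    storageClass: ""
    size: 8Gi
    accessModes:
      - ReadWriteOnce
  service:
    type: ClusterIP
    amqpPort: 5672
    managementPort: 15672
    # -- Create headless service for StatefulSet
    headless:
      annotations: {}
  # -- Pod disruption budget
  podDisruptionBudget:
    enabled: false
    minAvailable: 1
  # -- Metrics/monitoring
  metrics:
    enabled: false
    port: 15692
  nodeSelector: {}
  tolerations: []
  affinity: {}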
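# -- Redis internal deployment configuration
# Only used when global.redis.external=false and global.redis.enabled=true
redis:
  # -- Enable internal Redis deployment
  enabled: false
  # -- Deployment mode: standalone or ha (with Redis Sentinel)
  mode: "standalone"
  image:
    repository: redis
    tag: "7-alpine"
    pullPolicy: IfNotPresent
  auth:
    # -- Enable password authentication (keep on: an unauthenticated Redis accepts any
    # command from anything that can reach its port)
    enabled: true
    # -- Redis password
    password: ""
    # -- Use existing secret
    existingSecret: ""
    existingSecretKey: "redis-password"
  # -- Master/primary configuration
  master:
    # -- Redis configuration (redis.conf directives)
    configuration: |
      maxmemory 256mb
      maxmemory-policy allkeys-lru
      appendonly yes
      appendfsync everysec
      save 900 1
      save 300 10
      save 60 10000
    resources:
      limits:
        cpu: 500m
        memory: 512Mi
      requests:
        cpu: 100m
        memory: 256Mi
    persistence:
      enabled: true
      storageClass: ""
      size: 5Gi
      accessModes:
        - ReadWriteOnce
    nodeSelector: {}
    tolerations: []
    affinity: {}
  # -- Replica configuration (used when mode=ha)
  replica:
    # -- Number of replicas
    replicaCount: 2
    resources:
      limits:
        cpu: 250m
        memory: 256Mi
      requests:
        cpu: 50m
        memory: 128Mi
    persistence:
      enabled: true
      storageClass: ""
      size: 5Gi
      accessModes:
        - ReadWriteOnce
    nodeSelector: {}
    tolerations: []
    affinity: {}
  # -- Sentinel configuration (used when mode=ha)
  sentinel:
    # -- Enable Sentinel for automatic failover
    enabled: true
    image:
      repository: redis
      tag: "7-alpine"
    # -- Number of Sentinel instances (should be odd, >= 3)
    replicaCount: 3
    # -- Quorum for failover decision
    quorum: 2
    # -- Sentinel port
    port: 26379
    # -- Time in milliseconds before considering master down
    downAfterMilliseconds: 30000
    # -- Failover timeout in milliseconds
    failoverTimeout: 180000
    # -- Number of replicas to reconfigure in parallel during failover
    parallelSyncs: 1
    resources:
      limits:
        cpu: 100m
        memory: 128Mi
      requests:
        cpu: 50m
        memory: 64Mi
  service:
    type: ClusterIP
    port: 6379
    sentinelPort: 26379
    # -- Create headless service for StatefulSet
    headless:
      annotations: {}
  # -- Pod disruption budget
  podDisruptionBudget:
    enabled: false
    minAvailable: 1
  # -- Metrics/monitoring
  metrics:
    enabled: false
    image:
      repository: oliver006/redis_exporter
      tag: "v1.55.0"
    port: 9121
    resources:
      limits:
        cpu: 100m
        memory: 128Mi
      requests:
        cpu: 50m
        memory: 64Mi
  nodeSelector: {}
  tolerations: []
  affinity: {}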
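# =============================================================================
# Common Configuration
# =============================================================================
# -- Pod security context
podSecurityContext:
  fsGroup: 1000
  # NOTE(review): no seccompProfile is set here; the "restricted" Pod Security Standard
  # expects `seccompProfile: { type: RuntimeDefault }` — confirm the templates do not add
  # it elsewhere before relying on that profile.
# -- Container security context (non-root, no privilege escalation, all capabilities
# dropped, read-only root filesystem — services that need scratch space must mount an
# emptyDir via extraVolumes/extraVolumeMounts)
securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
# -- Service account configuration. The application pods do not appear to need the
# Kubernetes API; consider `automountServiceAccountToken: false` on the account (or pods)
# so a compromised container does not inherit API credentials — confirm against the templates.
serviceAccount:
  create: true
  annotations: {}
  name: ""
# -- Pod annotations
podAnnotations: {}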
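# =============================================================================
# Network Policies (SOC2/NIS2 Compliance)
# =============================================================================
# Network policies enforce zero-trust network security by restricting
# pod-to-pod communication to only what is explicitly allowed.
# They only take effect if the cluster's CNI enforces NetworkPolicy objects.
networkPolicy:
  # -- Enable network policies for all components (off by default: with this false the
  # pg_hba, broker and Redis listeners above are reachable from any pod in the cluster)
  enabled: false
  # -- Default policy for pods without specific rules
  defaultDenyIngress: true
  # -- Egress is not restricted by default; the activity services make outbound calls to
  # arbitrary configured targets, so an egress allow-list is worth enabling where feasible
  defaultDenyEgress: false
  # -- Allow DNS egress for all pods (required for service discovery)
  allowDnsEgress: true
  # -- Additional ingress rules for all application pods
  additionalIngressRules: []
  # - from:
  #     - namespaceSelector:
  #         matchLabels:
  #           name: monitoring
  #   ports:
  #     - protocol: TCP
  #       port: 9090
  # -- Additional egress rules for all application pods
  additionalEgressRules: []
  # - to:
  #     - ipBlock:
  #         cidr: 10.0.0.0/8
  #   ports:
  #     - protocol: TCP
  #       port: 443
  # -- Infrastructure-specific network policies
  infrastructure:
    # -- PostgreSQL network policy
    postgresql:
      enabled: true
      # -- Allow ingress only from application pods and replicas
      allowedNamespaces: []
      # -- Additional allowed pod selectors
      additionalAllowedPods: []
    # -- RabbitMQ network policy
    rabbitmq:
      enabled: true
      allowedNamespaces: []
      additionalAllowedPods: []
    # -- Redis network policy
    redis:
      enabled: true
      allowedNamespaces: []
      additionalAllowedPods: []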
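# =============================================================================
# Backup Configuration (SOC2/NIS2 Compliance)
# =============================================================================
# Automated backups for disaster recovery and compliance requirements.
# Supports local PVC storage, S3-compatible storage, and Azure Blob Storage.
backup:
  # -- Enable backup functionality
  enabled: false
  # -- Global backup settings
  global:
    # -- Backup storage type: pvc, s3, minio, azure, gcs
    # Note: For clusters without RWX volume support, use 's3' or 'minio'
    storageType: "minio"
    # -- PVC storage configuration (requires RWX volumes for concurrent backup jobs)
    # Not recommended for clusters without RWX support
    pvc:
      storageClass: ""
      size: 50Gi
      # NOTE(review): the comment above says concurrent jobs need RWX, but the default
      # mode is ReadWriteOnce — use ReadWriteMany if several backup jobs share this volume.
      accessModes:
        - ReadWriteOnce
    # -- S3-compatible storage configuration (AWS S3, MinIO, etc.)
    # Recommended for clusters without RWX volume support
    s3:
      # -- S3 endpoint URL (for MinIO, use internal service URL)
      # Example for MinIO in cluster: http://minio.minio-system.svc.cluster.local:9000
      # Example for AWS S3: https://s3.amazonaws.com
      # The default is plain http://, so dumps and credentials cross the cluster network
      # unencrypted unless the CNI/mesh encrypts it; prefer an https:// endpoint.
      endpoint: "http://minio.minio-system.svc.cluster.local:9000"
      # -- Bucket name for backups
      bucket: "flow-backups"
      # -- AWS region (only needed for AWS S3)
      region: "us-east-1"
      # -- Access key ID (ignored if existingSecret is set)
      accessKeyId: ""
      # -- Secret access key (ignored if existingSecret is set)
      secretAccessKey: ""
      # -- Use existing secret containing S3 credentials
      existingSecret: ""
      # -- Keys in the existing secret
      secretKeys:
        accessKeyId: "access-key-id"
        secretAccessKey: "secret-access-key"
    # -- Azure Blob Storage configuration
    azure:
      storageAccount: ""
      container: ""
      # -- SAS token (ignored if existingSecret is set); scope it to this container with
      # write-only permissions where the backup tooling allows
      sasToken: ""
      existingSecret: ""
      secretKeys:
        sasToken: "sas-token"
    # -- Google Cloud Storage configuration
    gcs:
      bucket: ""
      projectId: ""
      # -- Service account key JSON (ignored if existingSecret is set)
      serviceAccountKey: ""
      existingSecret: ""
      secretKeys:
        serviceAccountKey: "service-account-key"
    # -- Retention policy
    retention:
      # -- Number of daily backups to keep
      daily: 7
      # -- Number of weekly backups to keep
      weekly: 4
      # -- Number of monthly backups to keep
      monthly: 12
    # -- Encryption settings
    encryption:
      # -- Enable backup encryption. While false, full database dumps (including any
      # stored connection credentials) sit in the bucket/PVC in cleartext, protected only
      # by the storage's own access controls.
      enabled: false
      # -- Encryption key (base64 encoded, 32 bytes for AES-256); prefer existingSecret
      key: ""
      # -- Use existing secret for encryption key
      existingSecret: ""
      existingSecretKey: "encryption-key"
  # -- PostgreSQL backup configuration
  postgresql:
    enabled: true
    # -- Backup schedule (cron format)
    schedule: "0 2 * * *" # Daily at 2 AM
    # -- Backup type: full, incremental (requires pgBackRest or similar)
    type: "full"
    # -- Number of backups to retain
    retentionCount: 7
    # -- Backup image
    image:
      repository: postgres
      tag: "16-alpine"
    # -- Resources for backup job
    resources:
      limits:
        cpu: 500m
        memory: 512Mi
      requests:
        cpu: 100m
        memory: 256Mi
    # -- Additional pg_dump options
    pgDumpOptions: "--format=custom --compress=9"
    # -- Pre-backup script (runs before backup). Executed as shell inside the backup
    # job with database credentials available — treat as privileged configuration.
    preBackupScript: ""
    # -- Post-backup script (runs after successful backup)
    postBackupScript: ""
    # -- Backup verification
    verification:
      enabled: true
      # -- Restore to temporary database and run integrity checks
      restoreTest: false
    # -- Point-in-time recovery (PITR) configuration
    pitr:
      enabled: false
      # -- WAL archiving destination
      walArchiveCommand: ""
      # -- WAL archive storage (same as backup storage if not specified)
      walStorageType: ""
  # -- RabbitMQ backup configuration
  rabbitmq:
    enabled: true
    # -- Backup schedule (cron format)
    schedule: "0 3 * * *" # Daily at 3 AM
    # -- What to backup: definitions, messages, both
    # (definitions exported via the management API include users and password hashes)
    backupType: "definitions"
    # -- Number of backups to retain
    retentionCount: 7
    # -- Backup image
    image:
      repository: curlimages/curl
      tag: "8.5.0"
    resources:
      limits:
        cpu: 200m
        memory: 256Mi
      requests:
        cpu: 50m
        memory: 128Mi
  # -- Redis backup configuration
  redis:
    enabled: true
    # -- Backup schedule (cron format)
    schedule: "0 4 * * *" # Daily at 4 AM
    # -- Number of backups to retain
    retentionCount: 7
    # -- Backup image
    image:
      repository: redis
      tag: "7-alpine"
    resources:
      limits:
        cpu: 200m
        memory: 256Mi
      requests:
        cpu: 50m
        memory: 128Mi
    # -- Use BGSAVE before backup (recommended for data consistency)
    useBgsave: true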
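# =============================================================================
# Audit Logging (SOC2/NIS2 Compliance)
# =============================================================================
auditLogging:
  # -- Enable enhanced audit logging (off by default; the per-category switches below
  # have no effect until this is true)
  enabled: false
  # -- Log all API requests
  logApiRequests: true
  # -- Log authentication events
  logAuthEvents: true
  # -- Log data access events
  logDataAccess: true
  # -- Log administrative actions
  logAdminActions: true
  # -- Audit log retention days
  retentionDays: 365
  # -- Export audit logs to external system (shipping logs off-cluster is what keeps them
  # intact if the cluster itself is compromised)
  export:
    enabled: false
    # -- Export type: syslog, splunk, elasticsearch, azure-sentinel
    type: "syslog"
    # -- Export endpoint (required when export.enabled is true)
    endpoint: ""
    # -- Use TLS for export
    tls: true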
# =============================================================================
# TLS Configuration (SOC2/NIS2 Compliance)
# =============================================================================
tls:
# -- Enable TLS for internal service communication
enabled: false
# -- Use cert-manager for certificate management
certManager:
enabled: false
issuerRef:
name: ""
kind: "ClusterIssuer"
# -- Use existing TLS secret
existingSecret: ""
# -- Generate self-signed certificates (not recommended for production)
selfSigned: false
# -- Minimum TLS version (1.2 or 1.3)
minVersion: "1.2"
# -- Cipher suites (leave empty for secure defaults)
cipherSuites: []