
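---
# Production environment values
# Use with:
#   helm install flow ./helm/flow -f ./helm/flow/values-prod.yaml \
#     --namespace flow --create-namespace
#
# HARBOR CREDENTIALS:
# Pass Harbor credentials during install:
#   helm install flow ./helm/flow -f values-prod.yaml \
#     --set global.imageCredentials.enabled=true \
#     --set global.imageCredentials.username=$HARBOR_USER \
#     --set global.imageCredentials.password=$HARBOR_PASSWORD \
#     --set global.azureAd.tenantId=YOUR_TENANT_ID \
#     --set global.azureAd.clientId=YOUR_CLIENT_ID
#
# Anything passed with --set is stored in the Helm release Secret in the
# release namespace and is printed by `helm get values`. Keep real credentials
# out of this file and out of VCS, and restrict who may read Secrets in the
# "flow" namespace.
global:
  # -- Explicit namespace for all Flow components.
  # Recommended for production to ensure consistent resource organization;
  # all resources are created in this namespace for easy management and cleanup.
  namespace: "flow"
  imageRegistry: "cr.kn.entit.eu"

  # Harbor registry credentials - creates a dockerconfigjson secret automatically.
  # Harbor requires authentication even for public repositories.
  # Enable and set credentials via --set flags during install:
  #   --set global.imageCredentials.enabled=true
  #   --set global.imageCredentials.username=$HARBOR_USER
  #   --set global.imageCredentials.password=$HARBOR_PASSWORD
  imageCredentials:
    enabled: false  # Set to true and provide credentials during install
    username: ""
    password: ""

  # Azure AD settings
  azureAd:
    enabled: true
    instance: "https://login.microsoftonline.com/"
    domain: "your-domain.com"  # placeholder - replace with the tenant's domain
    tenantId: ""      # Set via --set or external secret
    clientId: ""      # Set via --set or external secret
    clientSecret: ""  # Set via --set or external secret - never commit a real value
    scopes: "access_as_user"

  # ==========================================================================
  # External PostgreSQL (Managed Service)
  # ==========================================================================
  # Example: Azure Database for PostgreSQL, AWS RDS, Google Cloud SQL
  database:
    provider: "Postgres"
    postgres:
      # Use external managed PostgreSQL
      external: true
      # PostgreSQL host FQDN (placeholder - replace with your server)
      #   Azure:   myserver.postgres.database.azure.com
      #   AWS RDS: mydb.xxxx.region.rds.amazonaws.com
      #   GCP:     /cloudsql/project:region:instance (for Cloud SQL Proxy)
      host: "your-postgres-host.postgres.database.azure.com"
      port: 5432
      database: "flow_prod"
      # Azure PostgreSQL username format: username@servername
      # AWS/GCP: just the username
      username: "flow@your-postgres-host"
      # Use a Kubernetes secret for the password (recommended for production)
      existingSecret: "flow-db-secret"
      existingSecretKey: "postgres-password"
      # SSL mode - use 'require' or 'verify-full' for production.
      # 'require' encrypts the connection but does not check the server's
      # certificate, so it does not defend against a spoofed server;
      # 'verify-full' also validates the certificate chain and hostname and
      # needs the provider's CA certificate available to the client.
      sslMode: "require"
      # Additional connection parameters
      extraParams: ""
      # Connection pool settings for production workloads.
      # NOTE(review): maxSize looks like a per-process pool size; with several
      # services and autoscaling the total can approach (pods x maxSize)
      # connections - keep the sum below the managed server's connection limit.
      pooling:
        minSize: 10
        maxSize: 200
        connectionLifetime: 3600
        connectionIdleLifetime: 300

  # ==========================================================================
  # External RabbitMQ (Managed Service)
  # ==========================================================================
  # Example: CloudAMQP, Amazon MQ, or self-hosted cluster
  rabbitmq:
    # Use external managed RabbitMQ
    external: true
    # RabbitMQ host FQDN (placeholder - replace with your broker)
    #   CloudAMQP: xyz.rmq.cloudamqp.com
    #   Amazon MQ: b-xxxx.mq.region.amazonaws.com
    host: "your-rabbitmq-host.cloudamqp.com"
    # Additional cluster hosts (for HA setups)
    additionalHosts: []
    #   - "rabbitmq-node-2.example.com"
    #   - "rabbitmq-node-3.example.com"
    port: 5672
    managementPort: 15672
    username: "flow"
    # Use a Kubernetes secret for the password (recommended for production)
    existingSecret: "flow-rabbitmq-secret"
    existingSecretKey: "rabbitmq-password"
    vhost: "/"
    prefetch: 10  # Higher prefetch for production throughput
    # Exchange names
    activityExchange: "workflow.activities"
    completedExchange: "workflow.completed"
    workflowEventsExchange: "workflow.logging"
    # TLS settings (enable for managed services)
    tls:
      enabled: true
      # Keep false: true disables broker certificate validation
      insecureSkipVerify: false

  # ==========================================================================
  # External Redis (Managed Service)
  # ==========================================================================
  # Example: Azure Cache for Redis, Amazon ElastiCache, Redis Cloud
  redis:
    # Enable Redis for caching and distributed locking
    enabled: true
    # Use external managed Redis
    external: true
    # Redis mode: standalone, sentinel, or cluster
    #   Azure Cache for Redis: 'standalone' for Basic/Standard,
    #                          'cluster' for Premium/Enterprise clustered
    #   Amazon ElastiCache:    'standalone' for single node,
    #                          'cluster' for cluster mode enabled
    mode: "standalone"  # or "cluster" for clustered deployments

    # --- Standalone mode configuration ---
    #   Azure Cache for Redis: myredis.redis.cache.windows.net
    #   Amazon ElastiCache:    my-cluster.xxxx.cache.amazonaws.com
    host: "your-redis.redis.cache.windows.net"  # placeholder
    port: 6380  # Azure uses 6380 for TLS, ElastiCache uses 6379

    # --- Cluster mode configuration ---
    # Uncomment and configure for Redis Cluster mode
    # cluster:
    #   nodes:
    #     - "your-redis.redis.cache.windows.net:6380"
    #   maxRedirects: 3

    # --- Sentinel mode configuration ---
    # Uncomment and configure for Redis Sentinel
    # sentinel:
    #   masterName: "mymaster"
    #   nodes:
    #     - "sentinel-0:26379"
    #     - "sentinel-1:26379"
    #     - "sentinel-2:26379"

    # Authentication
    # Azure Cache for Redis requires username (default is empty or access key name)
    username: ""
    # Use a Kubernetes secret for the password/access key (recommended for production)
    existingSecret: "flow-redis-secret"
    existingSecretKey: "redis-password"
    # Database index (0-15, only for standalone/sentinel mode)
    database: 0
    # TLS settings (required for Azure Cache for Redis)
    tls:
      enabled: true
      # Keep false: true disables server certificate validation
      insecureSkipVerify: false
    # Connection settings optimized for production
    # (units presumably milliseconds for timeouts/delays - confirm against chart defaults)
    connectTimeout: 5000
    syncTimeout: 5000
    keepAlive: 60
    retry:
      maxAttempts: 3
      baseDelay: 100
      maxDelay: 5000
    pool:
      minSize: 10
      maxSize: 100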
# =============================================================================
# Core services - production replicas with autoscaling
# =============================================================================
workflowEngine:
  # Three pods at rest; the HPA scales between 3 and 10 on 70% CPU
  replicaCount: 3
  autoscaling:
    enabled: true
    minReplicas: 3
    maxReplicas: 10
    targetCPUUtilizationPercentage: 70
  resources:
    requests:
      cpu: "250m"
      memory: "512Mi"
    limits:
      cpu: "1000m"
      memory: "1Gi"
  ingress:
    enabled: true
    # NOTE: this ingress uses the nginx class while frontendWeb.ingress uses
    # traefik - both controllers must be present in the cluster, or the two
    # classes should be aligned.
    className: "nginx"
    annotations:
      # Force HTTP -> HTTPS at the nginx controller
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      # Certificate issued by cert-manager
      cert-manager.io/cluster-issuer: "letsencrypt-prod"
    hosts:
      - host: "api.flow.your-domain.com"  # placeholder hostname
        paths:
          - path: "/"
            pathType: "Prefix"
    tls:
      - secretName: "flow-api-tls"
        hosts:
          - "api.flow.your-domain.com"
activityRegistry:
  # Two pods baseline; the HPA may grow the deployment to five.
  # No CPU target is given here, so the chart default applies (not visible in
  # this file).
  replicaCount: 2
  autoscaling:
    enabled: true
    minReplicas: 2
    maxReplicas: 5
  resources:
    requests:
      cpu: "100m"
      memory: "256Mi"
    limits:
      cpu: "500m"
      memory: "512Mi"
definitionStore:
  # Two pods baseline; the HPA may grow the deployment to five.
  # No CPU target is given here, so the chart default applies (not visible in
  # this file).
  replicaCount: 2
  autoscaling:
    enabled: true
    minReplicas: 2
    maxReplicas: 5
  resources:
    requests:
      cpu: "100m"
      memory: "256Mi"
    limits:
      cpu: "500m"
      memory: "512Mi"
workflowLogging:
  # Two pods baseline; the HPA may grow the deployment to five.
  # No CPU target is given here, so the chart default applies (not visible in
  # this file).
  replicaCount: 2
  autoscaling:
    enabled: true
    minReplicas: 2
    maxReplicas: 5
  resources:
    requests:
      cpu: "100m"
      memory: "256Mi"
    limits:
      cpu: "500m"
      memory: "512Mi"
connectionStore:
  # Fixed at two pods - no autoscaling block is configured for this service
  replicaCount: 2
  resources:
    requests:
      cpu: "100m"
      memory: "256Mi"
    limits:
      cpu: "500m"
      memory: "512Mi"
tenantRegistry:
  # Fixed at two pods - no autoscaling block is configured for this service
  replicaCount: 2
  resources:
    requests:
      cpu: "100m"
      memory: "256Mi"
    limits:
      cpu: "500m"
      memory: "512Mi"
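frontendWeb:
  # Two pods baseline; the HPA may grow the deployment to five
  replicaCount: 2
  autoscaling:
    enabled: true
    minReplicas: 2
    maxReplicas: 5
  ingress:
    enabled: true
    # NOTE: this ingress targets Traefik while workflowEngine.ingress targets
    # nginx; both controllers must be installed, or the two classes aligned.
    className: traefik
    annotations:
      # Blazor Server requires sticky sessions for SignalR.
      # NOTE(review): affinity / session-cookie-name are the Traefik v1 Ingress
      # annotations; confirm the installed Traefik version honours them
      # (Traefik v2 configures stickiness through Service annotations instead).
      traefik.ingress.kubernetes.io/affinity: "true"
      traefik.ingress.kubernetes.io/session-cookie-name: "FLOW_AFFINITY"
      # An empty middleware list attaches no middleware. It does NOT enable
      # WebSockets - Traefik proxies the SignalR WebSocket upgrade without
      # extra configuration. Kept as a placeholder for middlewares such as
      # security headers or rate limiting; remove it if unused.
      traefik.ingress.kubernetes.io/router.middlewares: ""
      # Expose the router only on the TLS entrypoint. This does not by itself
      # redirect HTTP to HTTPS; configure that on the 'web' entrypoint or via
      # a redirectScheme middleware.
      traefik.ingress.kubernetes.io/router.entrypoints: websecure
      # Certificate issued by cert-manager
      cert-manager.io/cluster-issuer: letsencrypt-prod
    hosts:
      - host: flow.your-domain.com  # placeholder hostname
        paths:
          - path: /
            pathType: Prefix
    tls:
      - secretName: flow-frontend-tls
        hosts:
          - flow.your-domain.com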
# =============================================================================
# Activity services - production resources
# =============================================================================
activities:
  # Shared resource envelope for every activity pod
  resources:
    requests:
      cpu: "100m"
      memory: "256Mi"
    limits:
      cpu: "500m"
      memory: "512Mi"

  # All activities are enabled. Replica counts below are either 2 (busy
  # integrations) or 1 (rarely used ones). NOTE(review): if the chart creates
  # a PodDisruptionBudget with minAvailable: 1 for each single-replica
  # deployment, node drains of that pod will be blocked - confirm before
  # relying on cluster upgrades running unattended.
  httpRequestActivity:
    replicaCount: 2
    enabled: true
  sqlActivity:
    replicaCount: 2
    enabled: true
  redisActivity:
    replicaCount: 2
    enabled: true
  blobStorageActivity:
    replicaCount: 2
    enabled: true
  queueActivity:
    replicaCount: 2
    enabled: true
  cosmosDbActivity:
    replicaCount: 2
    enabled: true
  mongoDbActivity:
    replicaCount: 1
    enabled: true
  emailActivity:
    replicaCount: 2
    enabled: true
  slackActivity:
    replicaCount: 1
    enabled: true
  teamsActivity:
    replicaCount: 1
    enabled: true
  twilioActivity:
    replicaCount: 1
    enabled: true
  ftpActivity:
    replicaCount: 1
    enabled: true
  graphqlActivity:
    replicaCount: 1
    enabled: true
  soapActivity:
    replicaCount: 1
    enabled: true
  pdfActivity:
    replicaCount: 1
    enabled: true
  csvActivity:
    replicaCount: 1
    enabled: true
  excelActivity:
    replicaCount: 1
    enabled: true
  oauthActivity:
    replicaCount: 1
    enabled: true
  keyVaultActivity:
    replicaCount: 1
    enabled: true
  eventHubActivity:
    replicaCount: 2
    enabled: true
  eventGridActivity:
    replicaCount: 1
    enabled: true
  awsS3Activity:
    replicaCount: 1
    enabled: true
  awsSqsActivity:
    replicaCount: 1
    enabled: true
  m365Activity:
    replicaCount: 1
    enabled: true
# =============================================================================
# Infrastructure - Disabled (using external managed services)
# =============================================================================
# The chart's bundled RabbitMQ, PostgreSQL and Redis are switched off; the
# managed endpoints are configured under global.* above.
rabbitmq:
  enabled: false
postgresql:
  enabled: false
redis:
  enabled: false
# =============================================================================
# Production Security
# =============================================================================
# Pod-level settings: volumes owned by GID 1000, non-root enforced
podSecurityContext:
  fsGroup: 1000
  runAsNonRoot: true

# Container-level hardening: fixed non-root UID, no privilege escalation,
# every Linux capability dropped, read-only root filesystem, default seccomp.
securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
  # Containers that write to disk (temp files, caches) need a writable volume
  # mounted by the chart - confirm before enabling in a new environment.
  readOnlyRootFilesystem: true
  seccompProfile:
    type: RuntimeDefault

# Network policies for production. Only enforced when the cluster's network
# plugin implements NetworkPolicy; otherwise the objects exist but do nothing.
networkPolicy:
  enabled: true

# Pod Disruption Budgets: with minAvailable 1 a two-replica deployment can lose
# one pod at a time; a single-replica deployment cannot be voluntarily evicted.
podDisruptionBudget:
  enabled: true
  minAvailable: 1
# =============================================================================
# Internal TLS (mTLS between Microservices)
# =============================================================================
# Enable encrypted communication between all Flow microservices.
# Requires cert-manager to be installed in the cluster.
tls:
  # Enable TLS for all internal service communication
  enabled: true
  certManager:
    # Let cert-manager issue and rotate the service certificates
    enabled: true
    # Create a self-signed CA for internal certificates.
    # Set to false if using an existing issuer (e.g., Vault, enterprise CA).
    createSelfSignedIssuer: true
    # Leaf certificate lifetime: 90 days, renewed 30 days before expiry
    duration: "2160h"
    renewBefore: "720h"
    # ECDSA P-256 keys - cheaper handshakes than RSA
    privateKey:
      algorithm: "ECDSA"
      size: 256
    # Internal CA certificate: 10-year lifetime, renewed one year before expiry
    ca:
      duration: "87600h"
      renewBefore: "8760h"
      commonName: "Flow Internal CA"
      organization: "Entit AB"
  # Minimum TLS protocol version accepted between services
  minVersion: "1.2"