feat(helm): values-local + values-us-prod

Local: in-cluster MariaDB + Valkey, port-forward instead of ingress, chart-generated APP_KEY (dev only). Prod: external MariaDB (ezscale ns), Longhorn-backed Valkey, Traefik IngressRoute with cloudflarewarp + cert-manager TLS, image.tag set at deploy time, secret pre-created out-of-band. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-26 22:56:25 -04:00
parent 7238095a77
commit 1c1cc0681d
2 changed files with 159 additions and 0 deletions
--- a/helm/ezscale-website/values-local.yaml
+++ b/helm/ezscale-website/values-local.yaml
@@ -0,0 +1,61 @@
+# ===========================================================================
+# Local k3d/minikube cluster — fully self-contained.
+# Prerequisite: mariadb-operator installed in the cluster.
+#   helm install mariadb-operator -n mariadb-operator --create-namespace \
+#     mariadb-operator/mariadb-operator
+# ===========================================================================
+
+image:
+  tag: latest
+  pullPolicy: Always
+
+imagePullSecrets: []   # no registry auth needed for locally-built images
+
+app:
+  replicaCount: 1
+  resources:
+    requests: { cpu: 100m, memory: 256Mi }
+
+mariadb:
+  enabled: true
+  replicas: 1
+  storage:
+    size: 5Gi
+    storageClassName: local-path
+
+valkey:
+  enabled: true
+  storage:
+    size: 1Gi
+    storageClassName: local-path
+
+migrate:
+  enabled: true
+  seed: true
+  seedClass: DemoDataSeeder
+
+ingressRoute:
+  enabled: false       # local uses port-forward, not Traefik
+
+# Local dev: chart generates a random APP_KEY on first install.
+# This is OK in local because there's no encrypted prod data to lose.
+# In production this MUST be `secret.create=false`.
+secret:
+  create: true
+  existingSecretName: ""
+  values:
+    APP_KEY: "base64:CHANGEME_GENERATE_VIA_PHP_ARTISAN_KEY_GENERATE_SHOW"
+    DB_PASSWORD: "local_dev_password"
+    AWS_ACCESS_KEY_ID: ""
+    AWS_SECRET_ACCESS_KEY: ""
+    STRIPE_KEY: ""
+    STRIPE_SECRET: ""
+
+env:
+  APP_ENV: local
+  APP_DEBUG: "true"
+  APP_URL: http://localhost
+  LOG_LEVEL: debug
+  FILESYSTEM_DISK: local
+  MAIL_MAILER: log
+  SESSION_DOMAIN: ""
--- a/helm/ezscale-website/values-us-prod.yaml
+++ b/helm/ezscale-website/values-us-prod.yaml
@@ -0,0 +1,98 @@
+# ===========================================================================
+# Production: ezs-us-east-prod-01.node.ezscale.tech
+# Namespace: ezscale (shared with mariadb instance + ezscale_api)
+# ===========================================================================
+
+image:
+  registry: git.ezscale.cloud
+  repository: ezscale/website
+  tag: ""              # SET via --set image.tag=v0.1.0 at deploy time
+  pullPolicy: IfNotPresent
+
+imagePullSecrets:
+  - name: gitea-registry
+
+app:
+  replicaCount: 2
+  autoscaling:
+    enabled: true
+    minReplicas: 2
+    maxReplicas: 8
+    targetCPU: 70
+  resources:
+    requests: { cpu: 200m, memory: 512Mi }
+    limits:   { cpu: 1500m, memory: 1536Mi }
+
+horizon:
+  replicaCount: 1
+  resources:
+    requests: { cpu: 200m, memory: 512Mi }
+    limits:   { cpu: 1000m, memory: 1Gi }
+
+scheduler:
+  replicaCount: 1
+  resources:
+    requests: { cpu: 50m, memory: 128Mi }
+
+# Reuse the cluster's existing replicated MariaDB.
+mariadb:
+  enabled: false
+  externalRef:
+    name: mariadb
+    namespace: ezscale
+  database: ezscale_billing
+  username: ezscale_billing_app
+
+# Per-app Valkey for sessions/cache/queue.
+valkey:
+  enabled: true
+  storage:
+    size: 10Gi
+    storageClassName: longhorn
+
+migrate:
+  enabled: true
+  seed: false
+
+ingressRoute:
+  enabled: true
+  hosts:
+    - ezscale.cloud
+    - account.ezscale.cloud
+    - admin.ezscale.cloud
+  tls:
+    secretName: ezscale-website-tls
+    issuerName: letsencrypt
+  middlewares:
+    cloudflarewarp:
+      enabled: true
+      namespace: kube-system
+      name: cloudflarewarp
+    httpToHttps:
+      enabled: true
+      namespace: kube-system
+      name: http-to-https
+
+# Production NEVER lets the chart generate APP_KEY. Bootstrap procedure
+# in helm/ezscale-website/README.md.
+secret:
+  create: false
+  existingSecretName: ezscale-website-secrets
+
+env:
+  APP_NAME: "EZSCALE Billing"
+  APP_ENV: production
+  APP_DEBUG: "false"
+  APP_URL: https://ezscale.cloud
+  LOG_LEVEL: warning
+  FILESYSTEM_DISK: s3
+  AWS_BUCKET: ezscale-website-prod
+  AWS_DEFAULT_REGION: us-east-1
+  AWS_ENDPOINT: https://gateway.storjshare.io
+  AWS_USE_PATH_STYLE_ENDPOINT: "true"
+  SESSION_DRIVER: redis
+  SESSION_DOMAIN: .ezscale.cloud
+  CACHE_STORE: redis
+  QUEUE_CONNECTION: redis
+  MAIL_MAILER: smtp
+  TRUSTED_PROXIES: "*"