# Default values: lean toward "self-contained dev cluster" so `helm install`
# with no flags produces a working stack on a local k3d. Production values
# live in values-us-prod.yaml and disable the in-cluster MariaDB/Valkey when
# pointing at the existing ezscale-namespace MariaDB.
#
# NOTE(review): several defaults below are dev conveniences (mutable image
# tag, Valkey without a password, node-local storage, ingress and the HTTPS
# redirect switched off). Each is flagged where it is set; check that the
# production values file overrides every one of them.

replicaCount: 1

image:
  registry: git.ezscale.cloud
  repository: ezscale/website
  # The chart appends `-{role}-{tag}` to derive each role's image.
  # Override `tag` per-release via --set image.tag=v0.1.0
  #
  # NOTE(review): `latest` is a mutable tag. With pullPolicy IfNotPresent a
  # node that already caches the tag never re-pulls it, so nodes can run
  # different builds and a rollback is not reproducible. Pin an immutable
  # release tag for anything other than local dev.
  tag: latest
  pullPolicy: IfNotPresent

# Pull credentials for the private registry above.
# NOTE(review): presumably this Secret has to exist in the release namespace
# before install; nothing on this page shows the chart creating it.
imagePullSecrets:
  - name: gitea-registry

nameOverride: ""
fullnameOverride: ""

# --- App (php-fpm + nginx sidecar) ---
app:
  replicaCount: 1
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 8
    targetCPU: 70
  resources:
    requests:
      cpu: 100m
      memory: 256Mi
    limits:
      cpu: 1000m
      memory: 1Gi

# --- Horizon ---
horizon:
  replicaCount: 1
  # NOTE(review): only requests are set here; app and scheduler also set
  # limits. Without a memory limit a runaway worker can consume the node's
  # memory. Confirm whether the omission is deliberate.
  resources:
    requests:
      cpu: 100m
      memory: 256Mi

# --- Scheduler ---
scheduler:
  replicaCount: 1
  resources:
    requests:
      cpu: 50m
      memory: 128Mi
    limits:
      cpu: 200m
      memory: 256Mi

# --- In-cluster MariaDB (mariadb-operator CRD) ---
mariadb:
  enabled: true
  # When enabled, deploys a MariaDB CR named `{release}-mariadb` in this
  # release's namespace. When disabled, the chart still creates Database/User/
  # Grant CRDs but they reference an externally-managed MariaDB CR via
  # `mariadb.externalRef`.
  externalRef:
    name: ""       # e.g. "mariadb"
    namespace: ""  # e.g. "ezscale"
  image: mariadb:11.4
  replicas: 1
  storage:
    size: 5Gi
    # NOTE(review): `local-path` looks like the k3s/k3d node-local
    # provisioner, so the data stays on one node. Dev default; confirm the
    # production storage class.
    storageClassName: local-path
  rootPasswordSecret: ""  # if empty, chart generates a random secret
  database: ezscale_billing
  username: ezscale_billing_app

# --- In-cluster Valkey (StatefulSet) ---
valkey:
  enabled: true
  image: valkey/valkey:9-alpine
  # When true, valkey runs with --requirepass and reads REDIS_PASSWORD from
  # the main chart Secret (same key the app/horizon/scheduler pods read via
  # envFrom). The Secret MUST contain a REDIS_PASSWORD key — bootstrap it
  # alongside APP_KEY in production, or include it in secret.values for dev.
  #
  # NOTE(review): with the default `false`, Valkey accepts unauthenticated
  # connections. The env block below puts sessions, cache and queue on
  # redis, so that data is readable and writable by whatever can reach the
  # Valkey service. Set this to true outside local dev; whether a
  # NetworkPolicy restricts access is not visible on this page.
  requirePassword: false
  maxmemory: "1gb"
  storage:
    size: 5Gi
    storageClassName: local-path

# --- Migration Job (Helm hook) ---
migrate:
  enabled: true
  # Seeding is off by default; `seedClass` presumably names the seeder that
  # runs when `seed` is true (confirm against the Job template).
  seed: false
  seedClass: ProductionSeeder

# --- Ingress (Traefik IngressRoute) ---
ingressRoute:
  enabled: false
  hosts:
    - ezscale.cloud
    - account.ezscale.cloud
    - admin.ezscale.cloud
  tls:
    secretName: ezscale-website-tls
    issuerName: letsencrypt
  middlewares:
    cloudflarewarp:
      enabled: false
      namespace: kube-system
      name: cloudflarewarp
    # NOTE(review): the HTTP-to-HTTPS redirect is off by default. When
    # ingressRoute.enabled is switched on, confirm this is enabled too (or
    # that a redirect is enforced elsewhere) so the hosts above are not
    # served over plain HTTP.
    httpToHttps:
      enabled: false
      namespace: kube-system
      name: http-to-https

# --- Service ---
service:
  type: ClusterIP
  port: 80

# --- Non-secret env vars (rendered into ConfigMap) ---
# Everything here lands in a ConfigMap, which is readable by anyone who can
# read ConfigMaps in the namespace. Keep credentials out of this block; they
# belong in the Secret referenced under `secret` below. Numeric and boolean
# values are quoted so they stay strings.
env:
  APP_NAME: "EZSCALE Billing"
  APP_ENV: production
  # Keep debug off outside local dev: debug error pages can expose
  # configuration and stack traces.
  APP_DEBUG: "false"
  APP_URL: https://ezscale.cloud
  APP_MAINTENANCE_DRIVER: file
  LOG_CHANNEL: stack
  LOG_STACK: single
  LOG_LEVEL: info
  DB_CONNECTION: mysql
  DB_PORT: "3306"
  DB_DATABASE: ezscale_billing
  DB_USERNAME: ezscale_billing_app
  REDIS_CLIENT: phpredis
  REDIS_PORT: "6379"
  SESSION_DRIVER: redis
  SESSION_LIFETIME: "120"
  # The leading dot scopes the session cookie to every subdomain of
  # ezscale.cloud, so all of them receive it, not only the three ingress
  # hosts listed above.
  SESSION_DOMAIN: .ezscale.cloud
  CACHE_STORE: redis
  QUEUE_CONNECTION: redis
  BROADCAST_CONNECTION: log
  FILESYSTEM_DISK: s3
  MAIL_MAILER: smtp
  AWS_DEFAULT_REGION: us-east-1
  AWS_USE_PATH_STYLE_ENDPOINT: "true"

# --- Secret references (chart does NOT generate APP_KEY or Passport keys) ---
secret:
  # When false, chart assumes a Secret named `secret.existingSecretName` is
  # already present. This is the production path.
  create: false
  existingSecretName: ezscale-website-secrets
  # Used only when create=true (local dev convenience).
  # NOTE(review): anything placed here is part of the release values, so do
  # not commit real credentials to a values file.
  values: {}

# --- Probes ---
# Liveness and readiness share the same path.
healthCheck:
  livenessPath: /up
  readinessPath: /up
  initialDelaySeconds: 15
  periodSeconds: 15
  timeoutSeconds: 5
  failureThreshold: 3