- _helpers.tpl: required guard on image.tag — silent empty deploys can no longer happen; helm fails fast with a clear message. - configmap-nginx: HTTPS fastcgi param uses if_not_empty, so PHP only sees HTTPS when X-Forwarded-Proto is actually present. - deployment-app: add startupProbe with 100s budget so first-boot cache warmup doesn't trip liveness. - deployment-horizon: failureThreshold=5 on the horizon:status probe; transient Valkey blips no longer cause restart loops. - job-migrate: mount oauth-keys so seeders that touch Passport clients don't silently fail. - statefulset-valkey: replace separate password Secret with a requirePassword toggle that reads REDIS_PASSWORD from the main chart Secret (same Secret app/horizon/scheduler already mount). Liveness probe authenticates with the password when set. - values-us-prod: enable valkey.requirePassword. - README: add REDIS_PASSWORD to bootstrap procedure. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
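# ===========================================================================
# Production: ezs-us-east-prod-01.node.ezscale.tech
# Namespace: ezscale (shared with mariadb instance + ezscale_api)
# ===========================================================================

image:
  registry: git.ezscale.cloud
  repository: ezscale/website
  # Deliberately empty: the chart's required guard on image.tag makes helm
  # fail fast rather than deploy an untagged/latest image.
  tag: ""  # SET via --set image.tag=v0.1.0 at deploy time
  pullPolicy: IfNotPresent

imagePullSecrets:
  - name: gitea-registry

app:
  replicaCount: 2
  autoscaling:
    enabled: true
    minReplicas: 2
    maxReplicas: 8
    targetCPU: 70
  resources:
    requests:
      cpu: 200m
      memory: 512Mi
    limits:
      cpu: 1500m
      memory: 1536Mi

horizon:
  replicaCount: 1
  resources:
    requests:
      cpu: 200m
      memory: 512Mi
    limits:
      cpu: 1000m
      memory: 1Gi

scheduler:
  replicaCount: 1
  # NOTE(review): requests only, no limits — unlike app/horizon above.
  # Confirm this is deliberate; an unbounded scheduler pod can starve
  # neighbours on the node.
  resources:
    requests:
      cpu: 50m
      memory: 128Mi

# Reuse the cluster's existing replicated MariaDB.
mariadb:
  enabled: false
  externalRef:
    name: mariadb
    namespace: ezscale
    database: ezscale_billing
    username: ezscale_billing_app

# Per-app Valkey for sessions/cache/queue. requirePassword=true means
# REDIS_PASSWORD must be present in ezscale-website-secrets (the same
# Secret referenced under `secret.existingSecretName` below).
valkey:
  enabled: true
  requirePassword: true
  storage:
    size: 10Gi
    storageClassName: longhorn

migrate:
  enabled: true
  # Seeders never run in production.
  seed: false

ingressRoute:
  enabled: true
  # All three hosts share one IngressRoute, one TLS secret and (via
  # SESSION_DOMAIN below) one session cookie scope.
  hosts:
    - ezscale.cloud
    - account.ezscale.cloud
    - admin.ezscale.cloud
  tls:
    secretName: ezscale-website-tls
    issuerName: letsencrypt
  middlewares:
    # Rewrites the client IP from Cloudflare's forwarded headers; presumably
    # only for requests arriving from Cloudflare's IP ranges — confirm in the
    # kube-system middleware definition, since TRUSTED_PROXIES="*" below
    # means the app will believe whatever reaches it.
    cloudflarewarp:
      enabled: true
      namespace: kube-system
      name: cloudflarewarp
    httpToHttps:
      enabled: true
      namespace: kube-system
      name: http-to-https

# Production NEVER lets the chart generate APP_KEY. Bootstrap procedure
# in helm/ezscale-website/README.md.
secret:
  create: false
  existingSecretName: ezscale-website-secrets

env:
  APP_NAME: "EZSCALE Billing"
  APP_ENV: production
  # Kept as strings so the consumer sees "false"/"true", not YAML booleans.
  APP_DEBUG: "false"
  APP_URL: https://ezscale.cloud
  LOG_LEVEL: warning
  FILESYSTEM_DISK: s3
  # Object storage is Storj's S3 gateway. The access/secret key pair is not
  # set here; presumably it lives in ezscale-website-secrets — confirm.
  AWS_BUCKET: ezscale-website-prod
  AWS_DEFAULT_REGION: us-east-1
  AWS_ENDPOINT: https://gateway.storjshare.io
  AWS_USE_PATH_STYLE_ENDPOINT: "true"
  SESSION_DRIVER: redis
  # Leading-dot domain: the session cookie is sent to every *.ezscale.cloud
  # host, so ezscale.cloud, account.* and admin.* share one session. Any
  # script injection on one of those hosts is session-equivalent on all of
  # them — presumably intended so account/admin share a login; confirm.
  # NOTE(review): http-to-https redirects, but nothing here sets the Secure
  # cookie flag; check config/session.php or add SESSION_SECURE_COOKIE.
  SESSION_DOMAIN: .ezscale.cloud
  CACHE_STORE: redis
  QUEUE_CONNECTION: redis
  MAIL_MAILER: smtp
  # "*" trusts X-Forwarded-For / X-Forwarded-Proto from ANY peer. That is only
  # safe while pods are reachable solely through the Traefik ingress above
  # (cloudflarewarp + http-to-https). Without a NetworkPolicy enforcing that,
  # a direct in-cluster client can spoof client IP (logs, rate limits) and
  # scheme (the HTTPS fastcgi param is driven by X-Forwarded-Proto).
  # NOTE(review): confirm a NetworkPolicy restricts ingress to Traefik.
  TRUSTED_PROXIES: "*"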