EZSCALE/website
SHA256
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4ff3048dd3c97ef6cd836def78537415a847608ec55fc1f5e8b4f0a34db2c48f
website/helm/ezscale-website/values.yaml
Andrew 4ff3048dd3 fix(helm): hardening from review 
- _helpers.tpl: required guard on image.tag — silent empty deploys can
  no longer happen; helm fails fast with a clear message.
- configmap-nginx: HTTPS fastcgi param uses if_not_empty, so PHP only
  sees HTTPS when X-Forwarded-Proto is actually present.
- deployment-app: add startupProbe with 100s budget so first-boot cache
  warmup doesn't trip liveness.
- deployment-horizon: failureThreshold=5 on the horizon:status probe;
  transient Valkey blips no longer cause restart loops.
- job-migrate: mount oauth-keys so seeders that touch Passport clients
  don't silently fail.
- statefulset-valkey: replace separate password Secret with a
  requirePassword toggle that reads REDIS_PASSWORD from the main chart
  Secret (same Secret app/horizon/scheduler already mount). Liveness
  probe authenticates with the password when set.
- values-us-prod: enable valkey.requirePassword.
- README: add REDIS_PASSWORD to bootstrap procedure.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-26 23:08:10 -04:00

165 lines
4.0 KiB
YAML
Raw Blame History

# Default values: lean toward "self-contained dev cluster" so `helm install`
# with no flags produces a working stack on a local k3d. Production values
# live in values-us-prod.yaml and disable the in-cluster MariaDB/Valkey when
# pointing at the existing ezscale-namespace MariaDB.
replicaCount: 1
image:
registry: git.ezscale.cloud
repository: ezscale/website
# The chart appends `-{role}-{tag}` to derive each role's image.
# Override `tag` per-release via --set image.tag=v0.1.0
tag: latest
pullPolicy: IfNotPresent
imagePullSecrets:
- name: gitea-registry
nameOverride: ""
fullnameOverride: ""
# --- App (php-fpm + nginx sidecar) ---
app:
replicaCount: 1
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 8
targetCPU: 70
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 1000m
memory: 1Gi
# --- Horizon ---
horizon:
replicaCount: 1
resources:
requests:
cpu: 100m
memory: 256Mi
# --- Scheduler ---
scheduler:
replicaCount: 1
resources:
requests:
cpu: 50m
memory: 128Mi
limits:
cpu: 200m
memory: 256Mi
# --- In-cluster MariaDB (mariadb-operator CRD) ---
mariadb:
enabled: true
# When enabled, deploys a MariaDB CR named `{release}-mariadb` in this
# release's namespace. When disabled, the chart still creates Database/User/
# Grant CRDs but they reference an externally-managed MariaDB CR via
# `mariadb.externalRef`.
externalRef:
name: "" # e.g. "mariadb"
namespace: "" # e.g. "ezscale"
image: mariadb:11.4
replicas: 1
storage:
size: 5Gi
storageClassName: local-path
rootPasswordSecret: "" # if empty, chart generates a random secret
database: ezscale_billing
username: ezscale_billing_app
# --- In-cluster Valkey (StatefulSet) ---
valkey:
enabled: true
image: valkey/valkey:9-alpine
# When true, valkey runs with --requirepass and reads REDIS_PASSWORD from
# the main chart Secret (same key the app/horizon/scheduler pods read via
# envFrom). The Secret MUST contain a REDIS_PASSWORD key — bootstrap it
# alongside APP_KEY in production, or include it in secret.values for dev.
requirePassword: false
maxmemory: "1gb"
storage:
size: 5Gi
storageClassName: local-path
# --- Migration Job (Helm hook) ---
migrate:
enabled: true
seed: false
seedClass: ProductionSeeder
# --- Ingress (Traefik IngressRoute) ---
ingressRoute:
enabled: false
hosts:
- ezscale.cloud
- account.ezscale.cloud
- admin.ezscale.cloud
tls:
secretName: ezscale-website-tls
issuerName: letsencrypt
middlewares:
cloudflarewarp:
enabled: false
namespace: kube-system
name: cloudflarewarp
httpToHttps:
enabled: false
namespace: kube-system
name: http-to-https
# --- Service ---
service:
type: ClusterIP
port: 80
# --- Non-secret env vars (rendered into ConfigMap) ---
env:
APP_NAME: "EZSCALE Billing"
APP_ENV: production
APP_DEBUG: "false"
APP_URL: https://ezscale.cloud
APP_MAINTENANCE_DRIVER: file
LOG_CHANNEL: stack
LOG_STACK: single
LOG_LEVEL: info
DB_CONNECTION: mysql
DB_PORT: "3306"
DB_DATABASE: ezscale_billing
DB_USERNAME: ezscale_billing_app
REDIS_CLIENT: phpredis
REDIS_PORT: "6379"
SESSION_DRIVER: redis
SESSION_LIFETIME: "120"
SESSION_DOMAIN: .ezscale.cloud
CACHE_STORE: redis
QUEUE_CONNECTION: redis
BROADCAST_CONNECTION: log
FILESYSTEM_DISK: s3
MAIL_MAILER: smtp
AWS_DEFAULT_REGION: us-east-1
AWS_USE_PATH_STYLE_ENDPOINT: "true"
# --- Secret references (chart does NOT generate APP_KEY or Passport keys) ---
secret:
# When false, chart assumes a Secret named `secret.existingSecretName` is
# already present. This is the production path.
create: false
existingSecretName: ezscale-website-secrets
# Used only when create=true (local dev convenience).
values: {}
# --- Probes ---
healthCheck:
livenessPath: /up
readinessPath: /up
initialDelaySeconds: 15
periodSeconds: 15
timeoutSeconds: 5
failureThreshold: 3
Reference in New Issue View Git Blame Copy Permalink