bitforge/orchard
3
0
Fork 0
Code Projects Wiki Activity

Add feature branch deployment pipeline

Browse Source
This commit is contained in:
Mondo Diaz
2026-01-14 12:29:37 -06:00
parent 7cfad28f67
commit 4b3d2fd41d
19 changed files with 1062 additions and 180 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
helm/orchard/Chart.yaml
View File

@@ -17,13 +17,13 @@ maintainers:
dependencies:
- name: postgresql
version: "15.5.x"
repository: https://charts.bitnami.com/bitnami
repository: oci://deps.global.bsf.tools/registry-1.docker.io-helmoci/bitnamicharts
condition: postgresql.enabled
- name: minio
version: "14.x.x"
repository: https://charts.bitnami.com/bitnami
repository: oci://deps.global.bsf.tools/registry-1.docker.io-helmoci/bitnamicharts
condition: minio.enabled
- name: redis
version: "19.x.x"
repository: https://charts.bitnami.com/bitnami
repository: oci://deps.global.bsf.tools/registry-1.docker.io-helmoci/bitnamicharts
condition: redis.enabled

165
helm/orchard/values-dev.yaml Normal file
View File

@@ -0,0 +1,165 @@
# Values for feature branch deployments (ephemeral dev environments)
# Hostnames are overridden by CI pipeline via --set flags
replicaCount: 1
image:
repository: registry.global.bsf.tools/esv/bsf/bsf-integration/orchard/orchard-mvp
pullPolicy: Always
tag: "latest" # Overridden by CI
imagePullSecrets:
- name: orchard-pull-secret
initContainer:
image:
repository: containers.global.bsf.tools/busybox
tag: "1.36"
pullPolicy: IfNotPresent
serviceAccount:
create: true
automount: true
annotations: {}
name: "" # Auto-generated based on release name
podAnnotations: {}
podLabels: {}
podSecurityContext: {}
securityContext:
readOnlyRootFilesystem: false
runAsNonRoot: true
runAsUser: 1000
service:
type: ClusterIP
port: 8080
# Ingress - hostnames overridden by CI pipeline
ingress:
enabled: true
className: "nginx"
annotations:
cert-manager.io/cluster-issuer: "letsencrypt"
hosts:
- host: orchard-dev.common.global.bsf.tools # Overridden by CI
paths:
- path: /
pathType: Prefix
tls:
- secretName: orchard-tls # Overridden by CI
hosts:
- orchard-dev.common.global.bsf.tools # Overridden by CI
# Lighter resources for ephemeral environments
resources:
limits:
cpu: 250m
memory: 256Mi
requests:
cpu: 100m
memory: 128Mi
livenessProbe:
httpGet:
path: /health
port: http
initialDelaySeconds: 10
periodSeconds: 10
readinessProbe:
httpGet:
path: /health
port: http
initialDelaySeconds: 5
periodSeconds: 5
autoscaling:
enabled: false
nodeSelector: {}
tolerations: []
affinity: {}
orchard:
server:
host: "0.0.0.0"
port: 8080
database:
host: ""
port: 5432
user: orchard
password: ""
dbname: orchard
sslmode: disable
existingSecret: ""
existingSecretPasswordKey: "password"
s3:
endpoint: ""
region: us-east-1
bucket: orchard-artifacts
accessKeyId: ""
secretAccessKey: ""
usePathStyle: true
existingSecret: ""
existingSecretAccessKeyKey: "access-key-id"
existingSecretSecretKeyKey: "secret-access-key"
download:
mode: "presigned"
presignedUrlExpiry: 3600
# PostgreSQL - ephemeral, no persistence
postgresql:
enabled: true
image:
registry: containers.global.bsf.tools
repository: bitnami/postgresql
tag: "15"
pullPolicy: IfNotPresent
auth:
username: orchard
password: orchard-password
database: orchard
primary:
persistence:
enabled: false
# MinIO - ephemeral, no persistence
minio:
enabled: true
image:
registry: containers.global.bsf.tools
repository: bitnami/minio
tag: "latest"
pullPolicy: IfNotPresent
auth:
rootUser: minioadmin
rootPassword: minioadmin
defaultBuckets: "orchard-artifacts"
persistence:
enabled: false
# MinIO ingress - hostname overridden by CI
minioIngress:
enabled: true
className: "nginx"
annotations:
cert-manager.io/cluster-issuer: "letsencrypt"
nginx.ingress.kubernetes.io/proxy-body-size: "0"
host: "minio-dev.common.global.bsf.tools" # Overridden by CI
tls:
enabled: true
secretName: minio-tls # Overridden by CI
redis:
enabled: false
waitForDatabase: true
global:
security:
allowInsecureImages: true

58
helm/orchard/values-external.yaml
View File

@@ -1,58 +0,0 @@
# Values for using external PostgreSQL and S3 storage
# Use this when you have existing infrastructure
replicaCount: 2
image:
pullPolicy: Always
# Disable subcharts - use external services
postgresql:
enabled: false
minio:
enabled: false
redis:
enabled: false
orchard:
database:
host: "your-postgres-host.example.com"
port: 5432
user: orchard
dbname: orchard
sslmode: require
# Option 1: Use existing secret
existingSecret: "my-postgres-secret"
existingSecretPasswordKey: "password"
# Option 2: Set password directly (not recommended)
# password: "your-password"
s3:
endpoint: "https://s3.amazonaws.com"
region: us-east-1
bucket: orchard-artifacts
usePathStyle: false
# Option 1: Use existing secret
existingSecret: "my-s3-secret"
existingSecretAccessKeyKey: "access-key-id"
existingSecretSecretKeyKey: "secret-access-key"
# Option 2: Set credentials directly (not recommended)
# accessKeyId: "your-access-key"
# secretAccessKey: "your-secret-key"
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: orchard.example.com
paths:
- path: /
pathType: Prefix
tls:
- secretName: orchard-tls
hosts:
- orchard.example.com

80
helm/orchard/values-production.yaml
View File

@@ -1,80 +0,0 @@
# Production values for orchard
replicaCount: 3
image:
pullPolicy: Always
resources:
limits:
cpu: 1000m
memory: 1Gi
requests:
cpu: 250m
memory: 256Mi
autoscaling:
enabled: true
minReplicas: 3
maxReplicas: 20
targetCPUUtilizationPercentage: 70
targetMemoryUtilizationPercentage: 80
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/proxy-body-size: "500m"
hosts:
- host: orchard.example.com
paths:
- path: /
pathType: Prefix
tls:
- secretName: orchard-tls
hosts:
- orchard.example.com
orchard:
database:
sslmode: require
postgresql:
enabled: true
auth:
password: "" # Set via --set or external secret
primary:
persistence:
enabled: true
size: 100Gi
resources:
limits:
cpu: 2000m
memory: 4Gi
requests:
cpu: 500m
memory: 1Gi
minio:
enabled: true
auth:
rootPassword: "" # Set via --set or external secret
persistence:
enabled: true
size: 500Gi
resources:
limits:
cpu: 2000m
memory: 4Gi
requests:
cpu: 500m
memory: 1Gi
redis:
enabled: true
auth:
password: "" # Set via --set or external secret
master:
persistence:
enabled: true
size: 10Gi

190
helm/orchard/values-stage.yaml Normal file
View File

@@ -0,0 +1,190 @@
# Default values for orchard
replicaCount: 1
image:
repository: registry.global.bsf.tools/esv/bsf/bsf-integration/orchard/orchard-mvp
pullPolicy: Always
tag: "latest" # Defaults to chart appVersion
imagePullSecrets:
- name: orchard-pull-secret
# Init container image (used for wait-for-db, wait-for-minio)
initContainer:
image:
repository: containers.global.bsf.tools/busybox
tag: "1.36"
pullPolicy: IfNotPresent
serviceAccount:
create: true
automount: true
annotations: {}
name: "orchard"
podAnnotations: {}
podLabels: {}
podSecurityContext: {}
securityContext:
readOnlyRootFilesystem: false # Python needs to write __pycache__
runAsNonRoot: true
runAsUser: 1000
service:
type: ClusterIP
port: 8080
ingress:
enabled: true
className: "nginx"
annotations:
cert-manager.io/cluster-issuer: "letsencrypt"
hosts:
- host: orchard-stage.common.global.bsf.tools
paths:
- path: /
pathType: Prefix
tls:
- secretName: orchard-tls
hosts:
- orchard-stage.common.global.bsf.tools
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 500m
memory: 512Mi
livenessProbe:
httpGet:
path: /health
port: http
initialDelaySeconds: 10
periodSeconds: 10
readinessProbe:
httpGet:
path: /health
port: http
initialDelaySeconds: 5
periodSeconds: 5
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 10
targetCPUUtilizationPercentage: 80
targetMemoryUtilizationPercentage: 80
nodeSelector: {}
tolerations: []
affinity: {}
# Orchard server configuration
orchard:
server:
host: "0.0.0.0"
port: 8080
# Database configuration (used when postgresql.enabled is false)
database:
host: ""
port: 5432
user: orchard
password: ""
dbname: orchard
sslmode: disable
existingSecret: ""
existingSecretPasswordKey: "password"
# S3 configuration (used when minio.enabled is false)
s3:
endpoint: ""
region: us-east-1
bucket: orchard-artifacts
accessKeyId: ""
secretAccessKey: ""
usePathStyle: true
existingSecret: ""
existingSecretAccessKeyKey: "access-key-id"
existingSecretSecretKeyKey: "secret-access-key"
# Download configuration
download:
mode: "presigned" # presigned, redirect, or proxy
presignedUrlExpiry: 3600 # Presigned URL expiry in seconds
# PostgreSQL subchart configuration
postgresql:
enabled: true
image:
registry: containers.global.bsf.tools
repository: bitnami/postgresql
tag: "15"
pullPolicy: IfNotPresent
auth:
username: orchard
password: orchard-password
database: orchard
primary:
persistence:
enabled: false
size: 10Gi
# MinIO subchart configuration
minio:
enabled: true
image:
registry: containers.global.bsf.tools
repository: bitnami/minio
tag: "latest"
pullPolicy: IfNotPresent
auth:
rootUser: minioadmin
rootPassword: minioadmin
defaultBuckets: "orchard-artifacts"
persistence:
enabled: false
size: 50Gi
# MinIO external ingress for presigned URL access (separate from subchart ingress)
minioIngress:
enabled: true
className: "nginx"
annotations:
cert-manager.io/cluster-issuer: "letsencrypt"
nginx.ingress.kubernetes.io/proxy-body-size: "0" # Disable body size limit for uploads
host: "minio-orch-stage.common.global.bsf.tools"
tls:
enabled: true
secretName: minio-tls
# Redis subchart configuration (for future caching)
redis:
enabled: false
image:
registry: containers.global.bsf.tools
repository: bitnami/redis
tag: "7.2"
pullPolicy: IfNotPresent
auth:
enabled: true
password: redis-password
architecture: standalone
master:
persistence:
enabled: true
size: 1Gi
# Wait for database before starting (SQLAlchemy creates tables on startup)
waitForDatabase: true
global:
security:
allowInsecureImages: true