Fix deploy job dependencies and add production deployment (#63)

2026-01-15 15:16:07 -06:00
parent 0ad106a141
commit 823dfcb400
3 changed files with 281 additions and 9 deletions
--- a/helm/orchard/values-prod.yaml
+++ b/helm/orchard/values-prod.yaml
@@ -0,0 +1,217 @@
+# Production values for orchard
+# TODO: Replace subcharts with managed services (RDS, S3) when ready
+replicaCount: 1
+
+image:
+  repository: registry.global.bsf.tools/esv/bsf/bsf-integration/orchard/orchard-mvp
+  pullPolicy: IfNotPresent  # Don't always pull in prod
+  tag: "latest"  # Overridden by CI
+
+imagePullSecrets:
+  - name: orchard-pull-secret
+
+initContainer:
+  image:
+    repository: containers.global.bsf.tools/busybox
+    tag: "1.36"
+    pullPolicy: IfNotPresent
+
+serviceAccount:
+  create: true
+  automount: true
+  annotations: {}
+  name: "orchard"
+
+podAnnotations: {}
+podLabels: {}
+
+podSecurityContext: {}
+
+securityContext:
+  readOnlyRootFilesystem: false
+  runAsNonRoot: true
+  runAsUser: 1000
+
+service:
+  type: ClusterIP
+  port: 8080
+
+ingress:
+  enabled: true
+  className: "nginx"
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt"
+  hosts:
+    - host: orchard.common.global.bsf.tools
+      paths:
+        - path: /
+          pathType: Prefix
+  tls:
+    - secretName: orchard-prod-tls
+      hosts:
+        - orchard.common.global.bsf.tools
+
+# Production resources - same as stage for MVP, increase as needed
+resources:
+  limits:
+    cpu: 500m
+    memory: 512Mi
+  requests:
+    cpu: 500m
+    memory: 512Mi
+
+livenessProbe:
+  httpGet:
+    path: /health
+    port: http
+  initialDelaySeconds: 10
+  periodSeconds: 10
+
+readinessProbe:
+  httpGet:
+    path: /health
+    port: http
+  initialDelaySeconds: 5
+  periodSeconds: 5
+
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 10
+  targetCPUUtilizationPercentage: 80
+  targetMemoryUtilizationPercentage: 80
+
+nodeSelector: {}
+tolerations: []
+affinity: {}
+
+orchard:
+  server:
+    host: "0.0.0.0"
+    port: 8080
+
+  # Database configuration (used when postgresql.enabled is false)
+  # TODO: Configure for managed PostgreSQL when ready
+  database:
+    host: ""
+    port: 5432
+    user: orchard
+    password: ""
+    dbname: orchard
+    sslmode: disable
+    existingSecret: ""
+    existingSecretPasswordKey: "password"
+
+  # S3 configuration (used when minio.enabled is false)
+  # TODO: Configure for real S3 when ready
+  s3:
+    endpoint: ""
+    region: us-east-1
+    bucket: orchard-artifacts
+    accessKeyId: ""
+    secretAccessKey: ""
+    usePathStyle: true
+    existingSecret: ""
+    existingSecretAccessKeyKey: "access-key-id"
+    existingSecretSecretKeyKey: "secret-access-key"
+
+  download:
+    mode: "presigned"
+    presignedUrlExpiry: 3600
+
+# PostgreSQL subchart - MVP uses subchart, switch to managed later
+postgresql:
+  enabled: true
+  image:
+    registry: containers.global.bsf.tools
+    repository: bitnami/postgresql
+    tag: "15"
+    pullPolicy: IfNotPresent
+  auth:
+    username: orchard
+    password: orchard-prod-password  # TODO: Use existingSecret
+    database: orchard
+  primary:
+    persistence:
+      enabled: true  # Enable persistence for prod
+      size: 20Gi
+    resourcesPreset: "none"
+    resources:
+      limits:
+        cpu: 500m
+        memory: 512Mi
+      requests:
+        cpu: 250m
+        memory: 512Mi
+  volumePermissions:
+    resourcesPreset: "none"
+    resources:
+      limits:
+        cpu: 100m
+        memory: 128Mi
+      requests:
+        cpu: 50m
+        memory: 128Mi
+
+# MinIO subchart - MVP uses subchart, switch to real S3 later
+minio:
+  enabled: true
+  image:
+    registry: containers.global.bsf.tools
+    repository: bitnami/minio
+    tag: "latest"
+    pullPolicy: IfNotPresent
+  auth:
+    rootUser: minioadmin
+    rootPassword: minioadmin-prod  # TODO: Use existingSecret
+  defaultBuckets: "orchard-artifacts"
+  persistence:
+    enabled: true  # Enable persistence for prod
+    size: 100Gi
+  resourcesPreset: "none"
+  resources:
+    limits:
+      cpu: 500m
+      memory: 512Mi
+    requests:
+      cpu: 250m
+      memory: 512Mi
+  defaultInitContainers:
+    volumePermissions:
+      resourcesPreset: "none"
+      resources:
+        limits:
+          cpu: 100m
+          memory: 128Mi
+        requests:
+          cpu: 50m
+          memory: 128Mi
+  provisioning:
+    resources:
+      limits:
+        cpu: 200m
+        memory: 256Mi
+      requests:
+        cpu: 100m
+        memory: 256Mi
+
+# MinIO external ingress for presigned URL access
+minioIngress:
+  enabled: true
+  className: "nginx"
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt"
+    nginx.ingress.kubernetes.io/proxy-body-size: "0"
+  host: "minio-orchard.common.global.bsf.tools"
+  tls:
+    enabled: true
+    secretName: minio-prod-tls
+
+redis:
+  enabled: false
+
+waitForDatabase: true
+
+global:
+  security:
+    allowInsecureImages: true