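# Production values for orchard
# Helm values overlay for the production release: image source, IRSA role,
# ingress/TLS, resources, and the app's RDS/S3 wiring. Bundled subcharts are
# switched off at the bottom.
# TODO: Replace subcharts with managed services (RDS, S3) when ready
# NOTE(review): indentation was reconstructed from a flattened listing. The
# nesting of server/database/s3/download under `orchard:` is inferred; verify
# against the chart's default values.yaml.
replicaCount: 1

image:
  repository: registry.global.bsf.tools/esv/bsf/bsf-integration/orchard/orchard-mvp
  pullPolicy: Always
  # NOTE(review): "latest" is a mutable tag. If a deploy ever runs without the
  # CI override, prod pulls whatever is currently tagged; prefer an immutable
  # version or digest and fail the release when none is supplied.
  tag: "latest"  # Overridden by CI

imagePullSecrets:
  - name: orchard-pull-secret

initContainer:
  image:
    repository: containers.global.bsf.tools/busybox
    tag: "1.36"
    pullPolicy: IfNotPresent

serviceAccount:
  create: true
  # NOTE(review): IRSA credentials come from a separately projected token, so
  # automount is presumably only needed if the pod calls the Kubernetes API;
  # confirm, and set false otherwise.
  automount: true
  annotations:
    # IAM role assumed via IRSA; its policy should be scoped to the artifact
    # bucket and DB secret referenced below (policy not visible here).
    eks.amazonaws.com/role-arn: "arn:aws-us-gov:iam::052673043337:role/service-orchard-prd"
  name: "orchard"

podAnnotations: {}
podLabels: {}

# NOTE(review): no pod-level settings (e.g. seccompProfile.type:
# RuntimeDefault, fsGroup) are set here; confirm the chart or a cluster
# policy supplies them.
podSecurityContext: {}

# NOTE(review): runs as non-root, but the root filesystem is writable and
# neither allowPrivilegeEscalation: false nor capabilities.drop: [ALL] is set
# in this file. Confirm whether the template adds them; otherwise set them
# and mount an emptyDir for any paths the app must write.
securityContext:
  readOnlyRootFilesystem: false
  runAsNonRoot: true
  runAsUser: 1000

service:
  type: ClusterIP
  port: 8080

ingress:
  enabled: true
  className: "nginx"
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt"
    # NOTE(review): "0" removes the request-size cap on this ingress while the
    # pod is limited to 512Mi. Confirm uploads are streamed rather than
    # buffered, and consider an explicit ceiling.
    nginx.ingress.kubernetes.io/proxy-body-size: "0"  # Disable body size limit for uploads
  hosts:
    - host: orchard.common.global.bsf.tools
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: orchard-prod-tls
      hosts:
        - orchard.common.global.bsf.tools

# Production resources - same as stage for MVP, increase as needed
resources:
  limits:
    cpu: 500m
    memory: 512Mi
  requests:
    cpu: 500m
    memory: 512Mi

livenessProbe:
  httpGet:
    path: /health
    port: http
  initialDelaySeconds: 10
  periodSeconds: 10

readinessProbe:
  httpGet:
    path: /health
    port: http
  initialDelaySeconds: 5
  periodSeconds: 5

autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 10
  targetCPUUtilizationPercentage: 80
  targetMemoryUtilizationPercentage: 80

nodeSelector: {}
tolerations: []
affinity: {}

orchard:
  env: "production"  # Disables seed data
  server:
    host: "0.0.0.0"
    port: 8080

  # Database configuration - uses AWS Secrets Manager via CSI driver
  database:
    host: "orchard-prd.cluster-cvw3jzjkozoc.us-gov-west-1.rds.amazonaws.com"
    port: 5432
    dbname: orchard_prod
    # NOTE(review): "require" encrypts the connection but does not verify the
    # server certificate or hostname; "verify-full" with the RDS CA bundle
    # would. Confirm the app and image support it.
    sslmode: require
    secretsManager:
      enabled: true
      # ARN reference only; the credential itself is fetched at runtime.
      secretArn: "arn:aws-us-gov:secretsmanager:us-gov-west-1:052673043337:secret:rds!cluster-0afc8af5-f644-4284-92fb-2ed545490f92-3v9uXV"

  # S3 configuration - uses IRSA for credentials
  s3:
    endpoint: ""  # Empty = use AWS default
    region: us-gov-west-1
    bucket: orchard-artifacts-prod
    usePathStyle: false  # Real S3 uses virtual-hosted style

  download:
    mode: "presigned"
    # NOTE(review): presumably seconds (1 hour). A presigned URL works for
    # anyone holding it until it expires; keep the window as short as
    # downloads allow.
    presignedUrlExpiry: 3600

# PostgreSQL subchart - disabled in prod, using RDS
postgresql:
  enabled: false

# MinIO subchart - disabled in prod, using real S3
minio:
  enabled: false

# MinIO ingress - disabled in prod, using real S3
minioIngress:
  enabled: false

redis:
  enabled: false

waitForDatabase: true

global:
  security:
    # NOTE(review): looks like the Bitnami subchart switch that skips their
    # image-origin check. Every subchart is disabled in this file, so confirm
    # it is still needed in prod; left on, it would apply silently if a
    # subchart were re-enabled.
    allowInsecureImages: true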