vikingowl
2e5d7b726b
- Add SMTP_PORT, SMTP_FROM, ADMIN_EMAIL, FRONTEND_URL to ConfigMap - Add Helm-managed SMTP secret for credentials (host, user, password) - Wire Woodpecker secrets into deploy step via --set flags - SMTP secret conditionally created only when values are provided
138 lines
2.7 KiB
YAML
138 lines
2.7 KiB
YAML
image:
|
|
repository: somegit.dev/marktvogt.de/backend
|
|
tag: "latest"
|
|
pullPolicy: IfNotPresent
|
|
|
|
imagePullSecrets:
|
|
- name: somegit
|
|
|
|
nameOverride: ""
|
|
fullnameOverride: ""
|
|
|
|
replicaCount: 1
|
|
|
|
service:
|
|
port: 80
|
|
targetPort: 8080
|
|
|
|
httpRoute:
|
|
enabled: true
|
|
annotations:
|
|
cert-manager.io/cluster-issuer: letsencrypt-prod
|
|
hostname: api.marktvogt.de
|
|
gatewayName: default
|
|
gatewayNamespace: nginx-gateway
|
|
|
|
resources:
|
|
requests:
|
|
cpu: 100m
|
|
memory: 128Mi
|
|
limits:
|
|
cpu: 250m
|
|
memory: 256Mi
|
|
|
|
autoscaling:
|
|
enabled: false
|
|
minReplicas: 1
|
|
maxReplicas: 3
|
|
targetCPUUtilizationPercentage: 80
|
|
|
|
# Only meaningful with replicaCount >= 2
|
|
pdb:
|
|
enabled: false
|
|
minAvailable: 1
|
|
|
|
podSecurityContext:
|
|
runAsNonRoot: true
|
|
runAsUser: 65534
|
|
fsGroup: 65534
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
readOnlyRootFilesystem: true
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
|
|
# Non-sensitive configuration — rendered into a ConfigMap
|
|
config:
|
|
APP_ENV: production
|
|
APP_PORT: "8080"
|
|
APP_HOST: "0.0.0.0"
|
|
CORS_ORIGINS: "https://marktvogt.de"
|
|
DB_SSLMODE: "require"
|
|
DB_MAX_CONNS: "25"
|
|
DB_MIN_CONNS: "5"
|
|
VALKEY_DB: "0"
|
|
RATE_LIMIT_RPS: "10"
|
|
RATE_LIMIT_BURST: "20"
|
|
JWT_ACCESS_TTL: "15m"
|
|
JWT_SESSION_TTL: "720h"
|
|
MAGIC_LINK_TTL: "15m"
|
|
MAGIC_LINK_BASE_URL: "https://marktvogt.de/auth/magic-link/verify"
|
|
OAUTH_REDIRECT_BASE_URL: "https://api.marktvogt.de"
|
|
SMTP_PORT: "587"
|
|
SMTP_FROM: "noreply@marktvogt.de"
|
|
ADMIN_EMAIL: "christian@nachtigall.dev"
|
|
FRONTEND_URL: "https://marktvogt.de"
|
|
|
|
# Name of the manually-created Secret containing:
|
|
# JWT_SECRET, SENTRY_DSN,
|
|
# OAUTH_{GOOGLE,APPLE,FACEBOOK,GITHUB}_{CLIENT_ID,CLIENT_SECRET}
|
|
secretName: marktvogt-backend-secrets
|
|
|
|
# SMTP credentials — passed via Woodpecker secrets during deploy.
|
|
# Rendered into a Helm-managed K8s Secret.
|
|
smtp:
|
|
host: ""
|
|
user: ""
|
|
password: ""
|
|
|
|
# CloudNativePG Postgres cluster
|
|
postgres:
|
|
enabled: false
|
|
name: marktvogt-pg
|
|
instances: 1
|
|
# PostGIS-enabled CNPG image — verify tag at ghcr.io/cloudnative-pg/postgis
|
|
image: ghcr.io/cloudnative-pg/postgis:17-3.5
|
|
storageSize: 5Gi
|
|
resources:
|
|
requests:
|
|
cpu: 50m
|
|
memory: 256Mi
|
|
limits:
|
|
cpu: 200m
|
|
memory: 512Mi
|
|
|
|
# DragonflyDB (Redis-compatible) — replaces Valkey in production
|
|
# Access is restricted via NetworkPolicy; no auth required
|
|
dragonfly:
|
|
enabled: true
|
|
name: marktvogt-cache
|
|
replicas: 1
|
|
resources:
|
|
requests:
|
|
cpu: 50m
|
|
memory: 64Mi
|
|
limits:
|
|
cpu: 100m
|
|
memory: 128Mi
|
|
|
|
# Migration job (Helm pre-install/pre-upgrade hook)
|
|
migrate:
|
|
enabled: true
|
|
|
|
networkPolicy:
|
|
enabled: false
|
|
|
|
serviceAccount:
|
|
create: true
|
|
name: ""
|
|
annotations: {}
|
|
|
|
nodeSelector: {}
|
|
tolerations: []
|
|
affinity: {}
|