pace/values.yaml

installationSlug: default-installation

# The deploy context - the kubernetes provider for whom specifically to adjust the resources
# for possible values see availableContexts
deployContext: microk8s

# Feature flags - smaller features for a transition period. Each flag is expected to go away in a not-too-long future.
featureFlags:
  # Mount secrets as environment variable files (under /mnt/envvars/, see FEN-1579)
  newSecretsMount: false

# The deploy tag should be a random string, unique to a particular deployment. It can be e.g. a timestamp. The tag
# is used to identify which resources have been created by this deployment and which older resources should be pruned.
deployTag: to-be-overridden

gitVersion:
  sha: undefined
  branch: undefined

#
# Ingress configuration
#
ingress:
  common:
    # Annotations to be added to all Ingress resources
    annotations: {}

  mercure:
    # Annotations to be added to the Mercure ingress resource
    annotations: {}

  main:
    # The host the ingress should be accessible on
    deployUrl: foo.bara

    # More URLs where the site should be served, in addition to the deployUrl.
    # Note: the additionalUrls currently do not work with LetsEncrypt! Required change to have it work is to have
    #       multiple secrets generated - one for each host. At the moment this only works well with TLS handled by
    #       AWS ALB.
    # Note: this could be refactored with deployUrl to only be a list.
    additionalUrls: []

    # TLS serving configuration
    tls:
      enabled: false
      # The name of the Kubernetes TLS secret to use for reading the certificate
      secretName: tls-secret

      # Used when integrating with KeyVaults (and SecretsManagers etc). If true, 'tls-secret-store' will be added to
      # the VolumeMounts of Pace pods. This is needed so that the KeyVault secret is synced and a k8s secret is created.
      # tl;dr this should be true for environments using the KeyVault integration.
      mountTlsSecretStore: false

    # LetsEncrypt CertManager provider configuration
    letsEncrypt:
      enabled: false
      # What is the name of the CertManager ClusterIssuer resource to pull the certificate from
      clusterIssuer: cluster-issuer

    # List of IPs allowed to connect to the ingress resource.
    # This will be put into a nginx annotation 'nginx.ingress.kubernetes.io/whitelist-source-range'
    allowedIps: ~ # xx
    # The nginx controller class to use
    class: nginx
    host:
      pathType: Prefix
      path: '/'
      serviceName: pace

  # More ingresses in addition to the main one. The structure of the configuration dict is:
  #   additional:
  #     any-custom-name:
  #       deployUrl:
  #       allowedIps:
  #       ...
  # The config under 'any-custom-name' is the same as for the main ingress above. Any configuration key may be omitted
  # in which case a default from the main ingress will be used. For example, to allow access to a particular path to
  # the public, use:
  #
  #   additional:
  #     minimal:
  #       allowedIps: 0.0.0.0/0
  #       host:
  #         path: '/public/digital_signature/assently_api/receive_event'
  #
  # EXCEPTIONS:
  #   The following keys have default values other than the main ingress. They always use the following defaults:
  #
  #     letsEncrypt.enabled: false
  #

# Configuration for all PHP pods (web, messenger, scheduler, migrations)
php:
  # Symfony APP_ENV environment
  appEnv: staging

  # BaseUrl for the deployment, without https://
  baseUrl: 'pace.example.com'

  corsAllowMultipleOrigin: '0'

  # Environment variables to inject to the pods, e.g. FOO: BAR
  env: {}

web:
  replicas: 1
  image:
    repository: undefined
    tag: undefined
  resources:
    requests:
      memory: 256Mi
      cpu: 100m
    limits:
      memory: 800Mi # Upper estimate, subject to change based on empirical values

      # This limit essentially means "as much as possible".
      #
      # When limits.cpu is defined here as "null" (and this value is not overwritten in another values.yaml file),
      # then 'helm template' will render it as 'limits.cpu: null'. This causes kubectl to fail, because it expects
      # a non-null value.
      # Interestingly, when a "child" values.yaml file defines 'limits.cpu: null', then that key is completely missing
      # from the rendered YAML file (which is what we want).
      #
      # tl;dr - in overriding values.yaml files the value of this can be customized as needed, but _here_ it cannot
      #         be null. So it's something large enough.
      cpu: 64


  # The service account name to use for the pod
  serviceAccountName: default

#  envFrom:
#    - secretRef:
#        name: blob-container-sas-url
#  volumeMounts:
#    - name: pace-dataplatform-secret-volume
#      mountPath: /mnt/dataplatform
#  volumes:
#    - name: pace-dataplatform-secret-volume
#      csi:
#        driver: secrets-store.csi.k8s.io
#        readOnly: true
#        volumeAttributes:
#          secretProviderClass: pace-dataplatform-secret-provider

messengerConsumers:
  asyncReplicas: 1
  resources:
    requests:
      memory: 128Mi
      cpu: 50m
    limits:
      memory: 400Mi # Upper estimate, subject to change based on empirical values
      cpu: 500m

scheduler:
  enabled: true
  podSecurityContext: {}
  resources:
    requests:
      memory: 128Mi
      cpu: 50m
    limits:
      memory: 400Mi # Upper estimate, subject to change based on empirical values
      cpu: 500m

  volumeMounts: []
  volumes: []

statsd:
  enabled: false
  image: registry.rohea.com/ops/docker-images/statsd:1.1.8

portal:
  resources:
    requests:
      memory: 256Mi
      cpu: 100m
    limits:
      memory: 800Mi
      cpu: 2

maintenancePage:
  image:
    repository: placeholder-maintenance-page
    tag: placeholder-tag

postfix:
  enabled: true
  image: registry.rohea.com/ops/docker-images/postfix:1.0.0

  # The myhostname postfix configuration. This will be the name of the relay used in the 'HELO something' part of the
  # SMTP session. When not provided, the nodeName of the node where postfix is running will be used instead.
  # hostname: default.rohea.com

  # Space-separated list of domains from which to allow sending
  allowedSenderDomains: rohea.com

  # Optional list of DKIM selectors. 'pace' is the default selector for all domains unless specified otherwise.
  # The selector defines the DNS record where a public DKIM key is expected.
  # In this example, these two records are checked:
  #   - pace-topdanmark-prod._domainkey.rohea.com   # specific for rohea.com
  #   - pace._domainkey.DOMAIN.ORG                  # default for all other sender domains
  # dkim:
  #   selector: pace,rohea.com=pace-topdanmark-prod
  #             ^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  #              |    |
  #              |    `- use selector "pace-topdanmark-prod" when sending e-mail from the @rohea.com domain
  #              `- use "pace" as the default selector if no domain matches
  #
  # https://github.com/bokysan/docker-postfix#changing-the-dkim-selector
  #
  # Note that in order for the selector to work, there must also be an associated 'dkimkeys' secret available for
  # the postfix pod, with the DKIM keys inside:
  #   $ kubectl create secret generic dkimkeys --from-file=rohea.com.private=my-key-file.key
  #                                                        ^^^^^^^^^^^^^^^^^
  #                             This is a required format. It must be "domain".private. With this secret object,
  #                             postfix will apply dkim on e-mails sent from "domain". It is possible to specify
  #                             more domains.
  dkim:
    selector: pace

    # Configuration for the 'dkimkeys' Kubernetes secret object. In production environments, you will want to keep this
    # disabled and create the 'dkimkeys' secret manually (or use e.g. Sendgrid for e-mail sending).
    dkimkeysSecret:
      # If false, the dkimkeys secret is not created through the Helm chart.
      create: false
      # The dkimkeys Secret content.
      # Keys must be in format "domain.private", e.g. "rohea.com.private".
      # Values are the DKIM private keys.
      data: {}

  # Node selector labels for the postfix pod
  nodeSelector: {}

express:
  enabled: false
  image:
    repository: undefined-repo
    tag: undefined-tag
  resources:
    requests:
      memory: 128Mi
      cpu: 100m
    limits:
      memory: 512Mi
      cpu: 500m

paceDev:
  enabled: false
  image: placeholder-pacedev

mongoAtlasLogforwarder:
  enabled: false
  image: empty

sshTunneller:
  enabled: false
  image: empty
  tunnel:
    remoteForwardTo: localhost
    remotePort: 27017
    remoteHost: ~
    remoteHostSshPort: 22
    autosshPort: ~

migrationsJob:
  env:
    DB_BOOTSTRAP_KIND: 'none'
    # MIGRATIONS_RUN_MULTIPLE_MAJOR: 'false'
    # DB_BOOTSTRAP_SRC_MONGODB_URL: ~
    # DB_BOOTSTRAP_SRC_MONGODB_DB_NAME: ~
    # DB_BOOTSTRAP_FIXTURES_GROUPS: ~

  enabled: false
  datetime: undefined
  resources:
    requests:
      memory: 1024Mi
      cpu: 100m
    limits:
      memory: 1024Mi
      cpu: 1

deleteDbJob:
  enabled: false
  datetime: undefined
  resources:
    requests:
      memory: 256Mi
      cpu: 0.1
    limits:
      memory: 512Mi
      cpu: 2

# Sentry integration
sentry:
  # If true, Sentry relay will be deployed and Sentry events reported through it
  enabled: false

imagePullSecrets:
- name: k8s-pull-project
- name: k8s-pull-docker-images

networkPolicies:
  enabled: false

entrypoints:
  portal:
    enabled: false

mercure:
  enabled: true

  # Debug mode. If enabled, the dev Caddyfile configuration is used when starting the Mercure Hub (https://github.com/dunglas/mercure/blob/main/Caddyfile.dev)
  # This enables an Admin UI at '/.well-known/mercure/ui/'
  debug: false

  image:
    repository: registry.rohea.com/ops/docker-images/mercure
    tag: 0.15.0

  resources:
    requests:
      memory: 50Mi
      cpu: 100m
    limits:
      memory: 100Mi
      cpu: 300m

  env:
    extraDirectives:
      - anonymous

# If true, Kubernetes liveness, startup and readiness probes will be configured for the resources. Disabling this
# may be useful in dev where one manually fiddles with the deployed environment and does not want Kubernetes to
# restart the containers automatically.
enableKubernetesProbes: true

# If true, will render the "meta" notes.yaml file, which is a replacement for the NOTES.txt file.
# See the file contents for more details.
renderNotes: false

availableContexts:
  - microk8s
  - azure
  - aws # TODO is this needed?

gitlab:
  gitlabBasedDeploy: false
  gitlabEnvironment: n/a
  symfonyEnvironment: n/a
  kubernetesNamespace: n/a
  kubernetesCluster: n/a
  sentryRelease: n/a

##
## CSI SecretProviderClass resources to create
## These classes configure integration with cloud providers' secrets management services (AWS Secrets Manager, Azure KeyVault)
#secretProviderClasses:
#  someProvider:
#    # The name of the SecretProviderClass resource to create
#    name: pace-config
#
#    # The secrets manager provider (aws, azure)
#    provider: azure
#
#    # Azure-specific configuration
#    azure:
#      # The client ID of the AKS nodepool identity. Obtain with: `az aks show --name "$AKS_NAME" --query 'identityProfile.kubeletidentity.clientId' -o tsv`
#      # or by looking into the AD details of this identity.
#      userAssignedIdentityID: abcd1234-ef56-ab12-cd34-1234567890ab
#
#      # The tenant ID of the AKS resource. Obtain with: `az aks show --name "$AKS_NAME" --query 'identity.tenantId' -o tsv`
#      tenantId: abcd1234-ef56-ab12-cd34-1234567890ab
#
#      # The name of the KeyVault to integrate with
#      keyvaultName: kv-some-name
#
#    # The objects config - this is (usually) a multiline, YAML-compatible string
#    objects: |
#      # For AWS
#      - objectName: "arn:aws:secretsmanager:eu-central-1:930955222283:secret:sandbox/pace.env-qsoQBr"
#        jmesPath:
#        - path: envfile
#          objectAlias: pace-env
#
#      # For Azure
#      array:
#        - |
#          objectName: pace-env
#          objectType: secret
#
#    secretObjects:
#      - secretName: mongo-forwarder # Name of the Kubernetes secret object to create
#        type: Opaque
#        data:
#          - objectName: mongo-atlas-cluster-name
#            key: CLUSTER_NAME

_meta:
  # Require the given kubectl context name to be active (in 'kubectl config use-context xxxxx'). This is useful in
  # manual deployments (Business Finland) to ensure the deployment is not accidentaly ran against an unexpected context.
  # If not present or empty, no check for the context is performed.
  requiredKubectlContext:

  # If true, the deployment process will stop and wait for user interaction in place where a database backup should
  # be made. Useful for cases where fully automatic database backup is not implemented.
  stopOnDeployForDbBackup: false