hyperfleet-api/charts/values.yaml at main · openshift-hyperfleet/hyperfleet-api · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
# Default values for hyperfleet-api
# This is a YAML-formatted file.

replicaCount: 1

image:
  registry: CHANGE_ME  # Set to your actual container registry (e.g. quay.io)
  repository: CHANGE_ME # e.g. openshift-hyperfleet/hyperfleet-api
  pullPolicy: Always
  tag: ""  # Required — no default. Set via --set image.tag=<version>

imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""

# ============================================================
# Container Ports
# ============================================================
# These ports must match the application configuration
ports:
  api: 8000      # Must match config.server.port
  health: 8080   # Must match config.health.port
  metrics: 9090  # Must match config.metrics.port

# ============================================================
# Application Configuration
# ============================================================
# All application settings are configurable via this section.
# These values generate the ConfigMap used by the application.
# ============================================================
config:
  # Use existing ConfigMap instead of generating one
  # If set, all config.* values below are ignored
  existingConfigMap: ""

  # Server configuration
  server:
    hostname: ""
    host: "0.0.0.0"
    port: 8000

    timeouts:
      read: 5s
      write: 30s

    tls:
      enabled: false
      cert_file: ""
      key_file: ""

    jwt:
      enabled: true

    authz:
      enabled: false

    jwk:
      cert_file: ""
      cert_url: "https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/certs"

    acl:
      file: ""

  # Database configuration
  database:
    dialect: postgres

    # Connection settings
    # Note: username/password MUST be provided via Secret (not ConfigMap)
    # See database.external.secretName or database.postgresql.enabled for credentials
    host: ""  # Auto-set for built-in DB, or specify external host
    port: 5432
    name: hyperfleet

    # Application behavior settings
    debug: false

    ssl:
      mode: disable
      root_cert_file: ""

    pool:
      max_connections: 50
      max_idle_connections: 10
      conn_max_lifetime: 5m
      conn_max_idle_time: 1m
      request_timeout: 30s
      conn_retry_attempts: 10
      conn_retry_interval: 3s

  # Logging configuration
  logging:
    level: info
    format: json
    output: stdout

    # OpenTelemetry tracing (HyperFleet standard)
    # Configuration via standard environment variables.
    # See: https://github.com/openshift-hyperfleet/architecture/blob/main/hyperfleet/standards/tracing.md#configuration
    otel:
      enabled: true

    masking:
      enabled: true
      headers:
        - Authorization
        - X-API-Key
        - Cookie
        - X-Auth-Token
        - X-Forwarded-Authorization
      fields:
        - password
        - secret
        - token
        - api_key
        - access_token
        - refresh_token
        - client_secret

  # Metrics configuration
  metrics:
    host: 0.0.0.0  # Must be 0.0.0.0 in Kubernetes for Service to access
    port: 9090

    tls:
      enabled: false

    label_metrics_inclusion_duration: 168h

  # Health check configuration
  health:
    host: 0.0.0.0  # Must be 0.0.0.0 in Kubernetes for liveness/readiness probes
    port: 8080

    tls:
      enabled: false

    shutdown_timeout: 20s
    db_ping_timeout: 2s

  # Adapters required for resources to reach "Ready" state
  # Production deployments should specify adapters
  adapters:
    required:
      cluster: []  # Example: [validation, dns, pullsecret, hypershift]
      nodepool: []  # Example: [validation, hypershift]

# ============================================================
# Kubernetes Resources
# ============================================================
serviceAccount:
  create: true
  annotations: {}
  name: ""

podAnnotations: {}
podLabels: {}

podSecurityContext:
  fsGroup: 65532
  runAsNonRoot: true
  runAsUser: 65532

securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
  readOnlyRootFilesystem: true
  seccompProfile:
    type: RuntimeDefault

service:
  type: ClusterIP
  # Service ports are set to match container ports (ports.api, ports.health, ports.metrics)

resources:
  limits:
    cpu: 500m
    memory: 512Mi
  requests:
    cpu: 100m
    memory: 128Mi

nodeSelector: {}

tolerations: []

affinity: {}

autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 10
  targetCPUUtilizationPercentage: 80
  targetMemoryUtilizationPercentage: 80

# Pod Disruption Budget configuration
podDisruptionBudget:
  enabled: false
  minAvailable: 1
  # Maximum number of pods that can be unavailable during disruption
  # maxUnavailable: 1

# ============================================================
# Infrastructure Configuration
# ============================================================
# These settings control Kubernetes infrastructure components
# (PostgreSQL pod, secrets, pgbouncer sidecar)
# ============================================================

# Database infrastructure
database:
  # For PRODUCTION: Use external database (GCP Cloud SQL, etc.)
  # Set external.enabled=true and provide connection details
  #
  # For DEVELOPMENT: Use built-in PostgreSQL pod
  # Set postgresql.enabled=true (default)

  # External database configuration (production)
  external:
    enabled: false
    # Name of existing secret with db.host, db.port, db.name, db.user, db.password keys
    secretName: ""

  # PgBouncer connection pooler sidecar (opt-in for production)
  # Runs as a sidecar container, proxying connections to PostgreSQL
  pgbouncer:
    enabled: false
    image: public.ecr.aws/bitnami/pgbouncer:1.25.1
    port: 6432
    poolMode: transaction
    defaultPoolSize: 50
    maxClientConn: 100
    minPoolSize: 5
    serverIdleTimeout: 600
    serverLifetime: 3600
    resources:
      limits:
        cpu: 200m
        memory: 128Mi
      requests:
        cpu: 50m
        memory: 64Mi

  # Built-in PostgreSQL for development/testing
  postgresql:
    enabled: true
    image: docker.io/library/postgres:14.2
    database: hyperfleet
    user: hyperfleet
    password: hyperfleet-dev-password
    port: 5432
    resources:
      limits:
        cpu: 500m
        memory: 512Mi
      requests:
        cpu: 100m
        memory: 128Mi
    persistence:
      enabled: false
      size: 1Gi
      storageClass: ""

# ServiceMonitor for Prometheus Operator
serviceMonitor:
  enabled: false
  interval: 30s
  scrapeTimeout: 10s
  labels: {}
  namespace: ""

# ============================================================
# Advanced Overrides (Escape Hatch)
# ============================================================
# Additional environment variables to override ConfigMap values.
# Use sparingly - prefer modifying config.* values above.
# See docs/deployment.md#environment-variables for examples.
extraEnv: []

# Volume mounts for additional configs
extraVolumeMounts: []

# Additional volumes
extraVolumes: []