# cluster-platform-v3 — defaults.
#
# Most knobs you'd flip live here so customer-cluster overlays can
# tune sizing without forking the chart. Values in this file are the
# chart defaults only; per-cluster overlays and Tower-injected
# helm.values layer on top of them.

# Namespace the platform components are installed into. The same name
# is repeated below under `secrets.cloudflareTokenSecret.namespace` —
# keep the two in sync if either is overridden.
namespace: odoosky-system

# tenant — per-tenant identity injected by Tower as helm.values on
# the per-cluster Argo Application. Empty defaults are safe to lint
# but a real deploy MUST set domain + wildcardHost (the Certificate
# template fails with `required` on an empty value). That `required`
# guard is the only thing stopping an unset overlay from rendering a
# Certificate with an empty DNS name, so do not relax it.
tenant:
  # Domain the Cloudflare zone covers, e.g. "acme-erp.com".
  domain: ""
  # Wildcard hostname the cluster-wide tenants-wildcard cert covers,
  # e.g. "*.tenants.acme-erp.com". Every tenant instance Ingress
  # references the resulting Secret (`tenants-wildcard-tls` in the
  # `tenants` namespace) by name. Because one wildcard cert is shared
  # by every tenant, any workload that can read Secrets in `tenants`
  # can read the private key for all tenant hostnames — RBAC on that
  # namespace is the control here, not this value.
  wildcardHost: ""

# acme — Let's Encrypt registration. Operator email is per-platform,
# not per-tenant. The email is hard-coded to a personal address here;
# overlays for a customer cluster should override it so expiry and
# revocation notices reach whoever operates that cluster.
acme:
  email: m@havari.me
  # Production ACME directory. Point overlays at the staging
  # directory (acme-staging-v02) while iterating, since production
  # enforces per-domain rate limits that a failing loop can exhaust.
  server: https://acme-v02.api.letsencrypt.org/directory

# certManager — gate for the conditional in Chart.yaml dependencies.
# Helm reads this for the `condition: certManager.enabled` flag only;
# the actual subchart values live below under the dep name `cert-manager`.
certManager:
  enabled: true

# cert-manager — values passed THROUGH to the upstream jetstack subchart
# (Chart.yaml dependency name = "cert-manager"). Subchart values must
# nest under the dep name, not under our top-level `certManager` alias —
# putting them under `certManager:` does nothing.
#
# crds.enabled — install the cert-manager CRDs in the same release. The
# v1.14+ jetstack chart renamed `installCRDs` to `crds.enabled`; the
# old key is silently ignored, leaving the CRDs absent and any
# Certificate / ClusterIssuer manifest failing with "no matches for kind".
# NOTE(review): the default below is `false` while `certManager.enabled`
# defaults to `true`, so an unmodified install renders Certificate
# manifests with no CRD to back them unless the CRDs are installed by
# some other path (Tower bootstrap, a separate Application) — confirm
# that path exists or flip this default.
# crds.keep — leave CRDs in place if the chart is uninstalled. Safer for
# disconnect flows where the customer might re-add the cluster later.
# Deleting a CRD deletes every custom resource of that kind cluster-wide,
# so with keep=false an uninstall also removes all Certificate and
# Issuer objects, including any a tenant created independently.
cert-manager:
  crds:
    enabled: false
    keep: false  # ignored when enabled=false

# traefik — upstream chart, exposed as a LoadBalancer Service so the
# customer's k3s servicelb maps :80/:443 to the host. Tower currently
# doesn't rely on Traefik's IngressRoute features here; instances are on
# their own per-tenant Traefik later. This Traefik gives the cluster
# a default ingress for the registry + future platform endpoints.
# Whatever is routed through it is reachable from the host's network,
# so anything added as a "platform endpoint" needs its own auth.
traefik:
  enabled: true
  service:
    type: LoadBalancer

# secrets — Tower applies these out-of-band via the registered
# kubeconfig at Connect time (B2). The chart references them by
# name only; values never enter Git. The chart does not create these
# Secrets, so a name/namespace mismatch only surfaces at runtime when
# the consumer fails to mount or read them.
# NOTE(review): the Cloudflare token is presumably used to solve DNS
# challenges for `tenant.domain`; if so it should be scoped to that one
# zone with DNS-edit only, since it lives on a customer-run cluster.
secrets:
  cloudflareTokenSecret:
    namespace: odoosky-system
    name: cloudflare-api-token
    key: api-token
  s3CredentialsSecret:
    namespace: tenants
    name: s3-backup-creds

# registry — in-cluster OCI image registry used by the build/deploy
# loop. Nothing in this file configures authentication or TLS for it;
# reachability is the only access control (see the nodePort note).
registry:
  enabled: true
  image:
    repository: registry
    tag: "2.8"
    pullPolicy: IfNotPresent
  # ClusterIP service hostname:
  #   registry.odoosky-system.svc.cluster.local:5000
  # Used internally by build Jobs (push) and the Odoo Deployment's
  # image volumes (pull). Plain HTTP — the registry never sees
  # off-cluster traffic; node-side k3s registries.yaml whitelists
  # the hostname for HTTP image pulls.
  service:
    port: 5000
    # NodePort the kubelet on each node uses to reach the registry
    # (via the host-side 127.0.0.1: mirror entry in
    # /etc/rancher/k3s/registries.yaml). Picked outside the default
    # 30000-32767 NodePort range's busy zone; change if the cluster
    # already uses 30500 for something else.
    # NOTE(review): a NodePort is bound on every node address by default,
    # not just 127.0.0.1, so the "never sees off-cluster traffic" claim
    # above only holds if kube-proxy's nodeport-addresses is restricted
    # to loopback or a host firewall blocks 30500 from outside. Without
    # that, an unauthenticated HTTP registry is pushable from the node's
    # network, which would let an attacker replace the images the
    # Odoo Deployment pulls. Also, `nodePort` is only honored when the
    # template sets the Service type to NodePort/LoadBalancer — confirm.
    nodePort: 30500
  # Storage. The registry survives node restarts but is recreatable —
  # if the PVC is wiped, Tower's ensureAddonImage will rebuild any
  # missing images from Gitea source on demand. So we don't need a
  # large or replicated PV here.
  # NOTE(review): with enabled=false the template presumably falls back
  # to a non-persistent volume — confirm; if so pushed images are lost
  # on every pod reschedule, not only on a PVC wipe, and `size` /
  # `storageClass` below are inert until persistence is turned on.
  persistence:
    enabled: false
    size: 10Gi
    storageClass: ""  # "" = use the cluster's default; on k3s that's local-path
  # Requests are deliberately small; the limits bound a runaway
  # registry process rather than size it for sustained load.
  resources:
    requests:
      cpu: 50m
      memory: 64Mi
    limits:
      cpu: 500m
      memory: 256Mi