cluster-platform-v3/values.yaml
pro-777 eccb648276 0.2.0 — vendor cert-manager + traefik; parameterized substrate
bootstrap.sh-equivalent K8s manifests now ship as part of this
chart instead of being installed inline by the customer's
`curl … | sudo bash`. Result: customer terminal time drops from
~5 min to ~1 min once Tower's SubmitConnect (B2) creates the
per-cluster Argo Application that points here.

What's vendored:
  - cert-manager v1.16.1 (helm dep, charts/cert-manager-v1.16.1.tgz)
  - traefik 33.2.1       (helm dep, charts/traefik-33.2.1.tgz)

What's parameterized via .Values.tenant.{domain,wildcardHost}:
  - letsencrypt-prod ClusterIssuer (DNS-01 + tenant's Cloudflare zone)
  - tenants Namespace
  - tenants-wildcard Certificate (commonName + dnsNames from helm.values)

What stays out of Git (Tower kubectl-applies via kubeconfig at
Connect time, sourced from the tenant's Vault paths):
  - cloudflare-api-token Secret (cert-manager ns)
  - s3-backup-creds Secret      (tenants ns)

The chart references both Secrets by name only.

Argo health roll-up: a tenant server is "Ready" when this
Application's Health is `Healthy` and the tenants-wildcard
Certificate's Ready condition is True. Tower's Server card UI
will surface this as "Provisioning…" → "Ready" in B4.

Lint + template clean with a real tenant value set; clean with
empty values too (templates skip themselves so a default-rendered
chart doesn't fail without a tenant).
2026-04-29 15:09:33 +03:00
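The commit message describes a ClusterIssuer and a tenants-wildcard Certificate that are parameterized from `.Values.tenant`, reference the Cloudflare token Secret by name only, and render nothing for an empty value set. The following is an added illustration of that template shape, not a file from the cluster-platform-v3 chart itself; the template file name, the `letsencrypt-prod-account-key` Secret name and the `dnsZones` selector are assumptions, while the value keys match the values.yaml shown below.

```yaml
# templates/tenant-wildcard.yaml (illustrative; not shipped by the chart)
#
# The whole file is gated on .Values.tenant.wildcardHost, so `helm template`
# with the default (empty) values renders nothing here. Once a tenant is
# injected, `required` still rejects a deploy that sets wildcardHost but
# forgets domain.
{{- if .Values.tenant.wildcardHost }}
apiVersion: v1
kind: Namespace
metadata:
  name: tenants
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: {{ .Values.acme.email | quote }}
    server: {{ .Values.acme.server | quote }}
    privateKeySecretRef:
      name: letsencrypt-prod-account-key   # assumed name for the ACME account key
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              # Name and key only. cert-manager resolves this Secret in its
              # own namespace (`cert-manager`), where Tower kubectl-applies it
              # at Connect time; the token value never appears in rendered
              # manifests or in Git.
              name: {{ .Values.secrets.cloudflareTokenSecret.name }}
              key: {{ .Values.secrets.cloudflareTokenSecret.key }}
        selector:
          dnsZones:
            - {{ required "tenant.domain must be set" .Values.tenant.domain | quote }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tenants-wildcard
  namespace: tenants
spec:
  # Every tenant Ingress references this Secret by name.
  secretName: tenants-wildcard-tls
  commonName: {{ .Values.tenant.wildcardHost | quote }}
  dnsNames:
    - {{ .Values.tenant.wildcardHost | quote }}
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-prod
{{- end }}
```

Because the solver is scoped with a `dnsZones` selector, a token that cert-manager holds for one tenant zone is only ever exercised for names under that zone, and the Argo Application's health can be read off the Certificate's `Ready` condition exactly as the commit message describes.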

92 lines
3.1 KiB
YAML

# cluster-platform-v3 — defaults.
#
# Most knobs you'd flip live here so customer-cluster overlays can
# tune sizing without forking the chart.

namespace: odoosky-system

# tenant — per-tenant identity injected by Tower as helm.values on
# the per-cluster Argo Application. Empty defaults are safe to lint
# but a real deploy MUST set domain + wildcardHost (the Certificate
# template fails with `required` on an empty value).
tenant:
  # Domain the Cloudflare zone covers, e.g. "acme-erp.com".
  domain: ""
  # Wildcard hostname the cluster-wide tenants-wildcard cert covers,
  # e.g. "*.tenants.acme-erp.com". Every tenant instance Ingress
  # references the resulting Secret (`tenants-wildcard-tls` in the
  # `tenants` namespace) by name.
  wildcardHost: ""

# acme — Let's Encrypt registration. Operator email is per-platform,
# not per-tenant.
acme:
  email: m@havari.me
  server: https://acme-v02.api.letsencrypt.org/directory

# certManager — the upstream jetstack chart, pinned at v1.16.1 by
# Chart.yaml's dependency. We turn on CRDs + force the namespace so
# the ClusterIssuer template below can reference solver Secrets in
# `cert-manager` ns.
certManager:
  enabled: true
  installCRDs: true

# traefik — upstream chart. LoadBalancer Service so the customer's
# k3s servicelb maps :80/:443 to the host. Tower currently doesn't
# rely on Traefik's IngressRoute features here; instances are on
# their own per-tenant Traefik later. This Traefik gives the cluster
# a default ingress for the registry + future platform endpoints.
traefik:
  enabled: true
  service:
    type: LoadBalancer

# secrets — Tower applies these out-of-band via the registered
# kubeconfig at Connect time (B2). The chart references them by
# name only; values never enter Git.
secrets:
  cloudflareTokenSecret:
    namespace: cert-manager
    name: cloudflare-api-token
    key: api-token
  s3CredentialsSecret:
    namespace: tenants
    name: s3-backup-creds

registry:
  enabled: true
  image:
    repository: registry
    tag: "2.8"
    pullPolicy: IfNotPresent
  # ClusterIP service hostname:
  #   registry.odoosky-system.svc.cluster.local:5000
  # Used internally by build Jobs (push) and the Odoo Deployment's
  # image volumes (pull). Plain HTTP — the registry never sees
  # off-cluster traffic; node-side k3s registries.yaml whitelists
  # the hostname for HTTP image pulls.
  service:
    port: 5000
    # NodePort the kubelet on each node uses to reach the registry
    # (via the host-side 127.0.0.1:<nodePort> mirror entry in
    # /etc/rancher/k3s/registries.yaml). Picked outside the default
    # 30000-32767 NodePort range's busy zone; change if the cluster
    # already uses 30500 for something else.
    nodePort: 30500
  # Storage. The registry survives node restarts but is recreatable —
  # if the PVC is wiped, Tower's ensureAddonImage will rebuild any
  # missing images from Gitea source on demand. So we don't need a
  # large or replicated PV here.
  persistence:
    enabled: true
    size: 10Gi
    storageClass: "" # "" = use the cluster's default; on k3s that's local-path
  resources:
    requests:
      cpu: 50m
      memory: 64Mi
    limits:
      cpu: 500m
      memory: 256Mi
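The registry comments above describe a node-side mirror entry that lets the kubelet pull the in-cluster registry's plain-HTTP images over loopback without the hostname ever being dialed off-cluster. This is an added example of that `/etc/rancher/k3s/registries.yaml` entry, written from the values.yaml defaults shown above (service hostname and port, NodePort 30500); it is not a file the chart ships, and the surrounding deployment is assumed to be a k3s node.

```yaml
# /etc/rancher/k3s/registries.yaml (illustrative; not part of the chart)
#
# containerd on the node consults this file at k3s startup. Any image
# reference of the form
#   registry.odoosky-system.svc.cluster.local:5000/<name>:<tag>
# is fetched from the listed endpoint instead of resolving the hostname.
# The endpoint is the registry Service's NodePort on loopback, so the
# plain-HTTP hop never leaves the node, and no credentials are involved.
mirrors:
  "registry.odoosky-system.svc.cluster.local:5000":
    endpoint:
      - "http://127.0.0.1:30500"
```

Two things to check when wiring this up: the Service rendered by the chart must actually expose `nodePort: 30500` for the loopback endpoint to answer, and k3s only reads `registries.yaml` at start, so the node's k3s service needs a restart after the file is written. Keeping the mirror on `127.0.0.1` rather than a node IP is what keeps the "never sees off-cluster traffic" property in the comment true.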