ZDDC/helm/zddc-server-dev/values.yaml.example
ZDDC 55852a9efb helm: add zddc-server-cache example chart + ZDDC_NO_AUTH on prod/dev
New chart helm/zddc-server-cache/ deploys zddc-server in client mode
against an upstream master. Mirrors the prod chart's source-build-via-
init-container pattern but with:

- ZDDC_UPSTREAM, ZDDC_MODE, ZDDC_BEARER_FILE, ZDDC_NO_AUTH,
  ZDDC_SKIP_TLS_VERIFY, ZDDC_MIRROR_SUBTREE, ZDDC_MIRROR_MIN_INTERVAL
  wired from values.yaml. Mirror-only env vars conditionally rendered
  (only when mode=mirror) to keep the rendered manifest minimal.
- Bearer token mounted from a separately-created Kubernetes Secret
  (defaultMode 0400) at /etc/zddc/bearer/token. values.yaml.example
  documents the secret-creation flow but contains no token. Secret
  reference can be set to "" to disable bearer auth (only valid for
  upstreams running --no-auth).
- Recreate strategy + replicaCount: 1 (multiple replicas would race
  the cache directory and double the upstream walker traffic).
- TCP-socket probes instead of HTTP — HTTP probes against / would
  fail when both upstream is unreachable AND the cache is empty
  (the cache layer returns 503 + offline header in that state),
  causing crashloops. TCP verifies process liveness without depending
  on upstream reachability or cache contents.
- Mounts a separate cache PVC (operator-provided, like the master's
  data PVC). Sized to the working set you expect to mirror; can be
  much smaller than the master's data volume.

Existing prod and dev charts gain optional ZDDC_NO_AUTH wired from
zddc.env.noAuth (default false → no change to existing rendered
manifests). Useful for trusted-LAN or genuinely-public master
deployments.

Updated docs: helm/README.md gains the cache row in the chart table,
the cache-install quickstart with the secret-creation flow, and the
cache-specific structural notes (Recreate / TCP probes / single-
instance). CLAUDE.md and ARCHITECTURE.md updated to reflect three
charts instead of two.

Verified with helm template rendering: ZDDC_NO_AUTH only renders
when noAuth: true; ZDDC_MIRROR_SUBTREE / ZDDC_MIRROR_MIN_INTERVAL
only render when mode: mirror; bearer volume + ZDDC_BEARER_FILE
only render when bearer.secretName is non-empty.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-08 08:33:01 -05:00


# values.yaml.example — zddc-server-dev
#
# Copy to values.yaml (or pass via --values) and customize for your
# environment. Same as the prod chart's example, but defaults are
# tuned for active development:
#
# - gitRef defaults to "main" (rebuilt on every pod restart)
# - ZDDC_LOG_LEVEL=debug (every request's full header map gets logged
#   — this includes auth tokens and cookies; debug builds belong in
#   trusted/private namespaces only)
# - Faster liveness/readiness probes
# - Smaller resource limits (single-developer test cluster)
#
# Contains NO secrets — see helm/zddc-server-prod/values.yaml.example
# for the secrets-management note.
zddc:
  gitRepo: https://codeberg.org/VARASYS/ZDDC.git
  gitRef: main  # tracks the latest commit; rebuilt on pod restart
  env:
    rootPath: /srv
    addr: ":8080"
    emailHeader: X-Auth-Request-Email
    # Empty (default) disables CORS — fine for embedded-tools / same-origin.
    # Dev typically keeps localhost in here for the iterate-on-tool-builds
    # workflow where you load a tool from `./dev-server start` (8000) and
    # point it at this server. Add other tool-host origins as needed.
    corsOrigin: "http://localhost:8000"
    logLevel: debug  # full request headers logged; sensitive!
    indexPath: ".archive"
    # Skip ACL enforcement entirely. Useful in trusted-LAN dev clusters
    # where authentication isn't needed and you want to iterate without
    # configuring an upstream auth proxy. Default false.
    noAuth: false
    # Token system: enabled automatically — tokens persist at
    # <ZDDC_ROOT>/.zddc.d/tokens/ on the data PVC. Sign in via your
    # cluster's auth proxy and visit /.tokens to issue one.
  data:
    pvcName: zddc-root-dev  # name of an existing PVC in your dev namespace
    subPath: ""
service:
  type: ClusterIP
  port: 8080
ingress:
  enabled: false
  className: ""
  host: zddc-dev.example.com
  tls:
    enabled: false
    secretName: zddc-dev-tls
# Smaller than prod — dev clusters are usually resource-constrained.
resources:
  requests:
    cpu: 50m
    memory: 64Mi
  limits:
    cpu: 250m
    memory: 256Mi
# Dev runs single-replica. The init container always pulls main HEAD,
# so two replicas would race on different SHAs.
replicaCount: 1
buildImage:
  repository: docker.io/golang
  tag: 1.24-alpine
runtimeImage:
  repository: docker.io/alpine
  tag: "3.19"
imagePullSecrets: []
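The dev example above relaxes several settings that the comments themselves flag as sensitive (noAuth, debug logging of full headers, a localhost CORS origin, an unpinned gitRef). The following is an added pre-deploy check, not code from the ZDDC project: it walks a loaded values dict using the key names from this file and reports the settings a reviewer would want flagged before the file leaves a trusted dev namespace. The severity rules are this script's own assumptions; the dict is the page's dev example transcribed by hand (unused keys omitted) so it runs offline.

```python
# Policy check for zddc-server Helm values before they leave a dev namespace.
# Added example, not ZDDC project code: key names follow values.yaml.example
# on this page; the rules and severities are this script's own assumptions.
# In practice load the file with yaml.safe_load(); DEV_VALUES below is the
# page's dev example transcribed by hand (unused keys omitted) to run offline.

DEV_VALUES = {
    "zddc": {
        "gitRef": "main",
        "env": {
            "emailHeader": "X-Auth-Request-Email",
            "corsOrigin": "http://localhost:8000",
            "logLevel": "debug",
            "noAuth": False,
        },
        "data": {"pvcName": "zddc-root-dev", "subPath": ""},
    },
    "ingress": {"enabled": False, "host": "zddc-dev.example.com",
                "tls": {"enabled": False, "secretName": "zddc-dev-tls"}},
    "replicaCount": 1,
}


def audit_values(values, production=False):
    """Return (severity, message) findings; production=True tightens dev-only allowances."""
    zddc = values.get("zddc", {})
    env = zddc.get("env", {})
    ingress = values.get("ingress", {})
    findings = []
    if env.get("noAuth") is True:
        findings.append(("high", "zddc.env.noAuth=true skips ACL enforcement entirely"))
    if env.get("logLevel") == "debug":
        # Chart comment: the full header map is logged, including auth tokens and cookies.
        findings.append(("high" if production else "medium",
                         "logLevel=debug logs full request headers (auth tokens, cookies)"))
    origin = env.get("corsOrigin") or ""
    if origin == "*" or (production and origin.startswith("http://")):
        findings.append(("medium", f"corsOrigin={origin!r} is wildcard or plaintext"))
    if ingress.get("enabled") and not ingress.get("tls", {}).get("enabled"):
        findings.append(("high", "ingress enabled without TLS; identity header travels in clear"))
    if values.get("replicaCount", 1) != 1:
        findings.append(("medium", "replicaCount>1 races the init-container build on different SHAs"))
    if production and zddc.get("gitRef") in ("main", "master", None):
        findings.append(("medium", "gitRef is unpinned; every pod restart rebuilds whatever HEAD is"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit_values(DEV_VALUES, production=True):
        print(f"[{sev}] {msg}")
```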