arcodange-org/erp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a3f0586c77e6310c66e25626c6cde169a63891ca
erp/chart/values.yaml
Gabriel Radureau a3f0586c77 feat(backup): skip-if-unchanged + scheduled CronJob in the chart 
Builds on the dedicated backup (erp#31).

Skip-if-unchanged: each half (DB / documents) carries a content fingerprint at
erp/<env>/.fp-{db,docs} and is dumped+uploaded only if it differs from the last
run — a quiet ERP day re-uploads nothing. Fingerprint = durable BUSINESS content
only: DB = count+max(tms) over tms tables EXCEPT volatile churn (llx_const,
llx_user, session/cron); docs EXCLUDE */temp/* (Dolibarr stats cache) — from both
the fingerprint and the tar. Proven live: 1st run uploads both, immediate 2nd run
skips both (uploaded=0).

Automation: the in-container logic moves to chart/files/backup-job.sh (single
source of truth, read by the orchestrator AND the chart). New
chart/templates/backup-cronjob.yaml renders a daily CronJob + ConfigMap +
VaultStaticSecret, gated by backup.enabled (default false). Helm-verified: off by
default (0 CronJobs), on renders correctly, env-aware (PREFIX erp/prod vs
erp/sandbox), script embedded.

Activation (documented): store GCS HMAC creds at kvv2/<backup.vaultS3Path>
(default erp/backup), grant the erp `auth` Vault role read on it (tools change),
set backup.enabled=true. Until then the orchestrator runs on demand.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-30 15:53:13 +02:00

147 lines
4.6 KiB
YAML
Raw Blame History

# Default values for erp.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# ----------------------------------------------------------------------------
# Multi-environment coordinates (default = prod, elision rule applies).
# Override in values-<env>.yaml for any non-prod instance — see SKILL.md
# of the factory runbook (doc/runbooks/new-web-app/conventions.md).
# By the elision rule, env=prod produces names identical to single-env apps;
# env=sandbox produces "<app>-sandbox" everywhere except the Postgres owner
# role which uses snake-case "<app>_sandbox_role".
# ----------------------------------------------------------------------------
env: prod
instance: erp # derived id: env=prod → erp, else <app>-<env>
host: erp.arcodange.lab # internal hostname for this instance
db:
name: erp # PostgreSQL database name (matches factory tfvars)
ownerRole: erp_role # Postgres owner role; snake-case <app>_role for prod / <app>_<env>_role for non-prod (matches factory/postgres/iac)
vault:
k8sRole: erp # VaultAuth role (postgres/iac issues this per instance)
dynamicPath: creds/erp # path under postgres/ mount for short-lived DB creds
staticPath: erp/config # path under kvv2/ mount for the static admin config
replicaCount: 1
image:
repository: dolibarr/dolibarr
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: ""
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
serviceAccount:
# Specifies whether a service account should be created
create: true
# Automatically mount a ServiceAccount's API credentials?
automount: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
podLabels: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
service:
type: ClusterIP
port: 80
ingress:
enabled: true
className: ""
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt
traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.lab
traefik.ingress.kubernetes.io/router.tls.domains.0.sans: erp.arcodange.lab
traefik.ingress.kubernetes.io/router.middlewares: localIp@file
hosts:
- host: erp.arcodange.lab
paths:
- path: /
pathType: Prefix
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
# livenessProbe:
# exec:
# command: [timeout, '10', ls, /var/www/]
# initialDelaySeconds: 5
# periodSeconds: 5
# readinessProbe:
# httpGet:
# path: /
# port: http
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
# Additional volumes on the output Deployment definition.
volumes: []
# - name: foo
# secret:
# secretName: mysecret
# optional: false
# Additional volumeMounts on the output Deployment definition.
volumeMounts: []
# - name: foo
# mountPath: "/etc/foo"
# readOnly: true
nodeSelector: {}
tolerations: []
affinity: {}
# Dedicated offsite backup of the Dolibarr DB + documents (see ops/backup/README.md).
# DISABLED by default — enable once the S3 creds VaultStaticSecret resolves (the
# `auth` Vault role must be granted read on kvv2/<vaultS3Path>). The manual
# orchestrator ops/backup/dolibarr-backup.sh works today without this.
backup:
enabled: false
schedule: "0 3 * * *" # daily 03:00 UTC
bucket: arcodange-backup
pgHost: "192.168.1.202" # direct Postgres host (matches ops/sandbox + ops/backup)
image: postgres:16-alpine
vaultS3Path: erp/backup # kvv2/<this> → AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_ENDPOINTS
Reference in New Issue View Git Blame Copy Permalink