Aligns the project name with the public URL (tg.arcodange.fr) and the Arcodange organization conventions. The 'homelab-gateway' name was too generic. Touches: chart name + helpers, image registry path, Go module path, secret/configmap names, deployment mountPath, all docs.
# Default values for the telegram-gateway Helm chart.
# Everything in this file is non-secret; bot tokens are supplied through the
# Kubernetes Secret named by `secret.name` (see below).

replicaCount: 1

image:
  repository: gitea.arcodange.lab/arcodange/telegram-gateway
  # Always re-pull: with an empty tag the same image reference can move
  # between deploys, so relying on the node's image cache is not safe.
  pullPolicy: Always
  # Empty tag — presumably the chart templates fall back to the chart's
  # appVersion; confirm in the deployment template.
  tag: ""

imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""

serviceAccount:
  create: true
  # NOTE(review): `automount: true` mounts a Kubernetes API token into the
  # pod. Nothing in this file suggests the gateway talks to the API server;
  # if it does not, `automount: false` removes an unneeded credential.
  automount: true
  annotations: {}
  name: ""

podAnnotations: {}
podLabels: {}

# Pod-level hardening: a fixed unprivileged uid/gid and the container
# runtime's default seccomp profile. The uid/gid must be usable by the image
# (file ownership, home dir if needed) — verify against the Dockerfile.
podSecurityContext:
  runAsNonRoot: true
  runAsUser: 65532
  runAsGroup: 65532
  fsGroup: 65532
  seccompProfile:
    type: RuntimeDefault

# Container-level hardening. With a read-only root filesystem every path the
# process writes to must be backed by a volume (emptyDir or otherwise) in the
# deployment template.
securityContext:
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL

service:
  type: ClusterIP
  port: 8080

# Public exposure via Traefik. Cloudflare routes *.arcodange.fr to the home lab
# already, so we just declare the hostname here. CF terminates TLS, Traefik
# receives plain HTTP on entrypoint `web`.
# NOTE(review): nothing in these values restricts the ingress to traffic that
# actually arrived via Cloudflare; presumably the CrowdSec middleware and/or
# Traefik's own configuration cover that — confirm, since `tls: []` means
# Traefik serves this host over plain HTTP.
ingress:
  enabled: true
  className: ""
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web
    # Traefik's `<namespace>-<name>@kubernetescrd` reference form: the
    # `crowdsec` Middleware resource in the `kube-system` namespace.
    traefik.ingress.kubernetes.io/router.middlewares: kube-system-crowdsec@kubernetescrd
  hosts:
    - host: tg.arcodange.fr
      paths:
        - path: /
          pathType: Prefix
  tls: []

resources:
  limits:
    cpu: 200m
    memory: 256Mi
  requests:
    cpu: 50m
    memory: 64Mi

# Both probes target the named container port `http`; the deployment template
# must declare a container port with that name.
livenessProbe:
  httpGet:
    path: /healthz
    port: http
readinessProbe:
  httpGet:
    path: /readyz
    port: http

# Off by default; when enabled an HPA scales between min/max replicas on
# CPU utilisation.
autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 3
  targetCPUUtilizationPercentage: 80

# Bot routing config — non-secret, becomes the bots.yaml ConfigMap entry.
# Tokens & secret_token values live in a k8s Secret named `secret.name`.
# In Phase 1 the Secret is created out-of-band (kubectl create secret); in a
# later phase Vault will produce it via VSO (toggle `vault.enabled`).
bots:
  factory:
    handler: echo

# k8s Secret consumed by `envFrom`. Phase 1: create it manually with kubectl.
# kubectl -n telegram-gateway create secret generic telegram-gateway-bots \
#   --from-literal=BOT_FACTORY_TOKEN=… --from-literal=BOT_FACTORY_SECRET=…
secret:
  name: telegram-gateway-bots

# Vault Secrets Operator integration (Phase 2+). When enabled, VSO writes the
# secret named `secret.name` automatically from `kvv2/telegram-gateway/config`.
vault:
  enabled: false
  role: telegram-gateway
  mount: kvv2
  path: telegram-gateway/config
  # Presumably the VSO refresh interval; `30s` is a plain string here, not a
  # number, so it needs no quoting.
  refreshAfter: 30s

# Pins every pod to one node. With `replicaCount` > 1 or `autoscaling`
# enabled, all replicas would still be scheduled onto `pi1`.
nodeSelector:
  kubernetes.io/hostname: pi1

tolerations: []
affinity: {}