Hearth is the infrastructure home for the letemcook ecosystem. Ported from coherence-mcp/infra: - Terraform modules (VPC, EKS, IAM, NLB, S3, storage) - Kubernetes manifests (Forgejo, ingress, cert-manager, karpenter) - Deployment scripts (phased rollout) Status: Not deployed. EKS cluster needs to be provisioned. Next steps: 1. Bootstrap terraform backend 2. Deploy phase 1 (foundation) 3. Deploy phase 2 (core services including Forgejo) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
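# cert-manager Helm Values
# RFC 0039: ADR-Compliant Foundation Infrastructure
#
# Install with:
#   helm repo add jetstack https://charts.jetstack.io
#   helm install cert-manager jetstack/cert-manager \
#     --namespace cert-manager \
#     --create-namespace \
#     --version <CHART_VERSION> \
#     --values helm-values.yaml
#
# Pin --version: the keys in this file are only meaningful for the chart
# version they were written against, and an unpinned install silently picks
# up whatever release is newest.
---
# Install CRDs
# installCRDs is the legacy switch; recent charts also expose crds.enabled /
# crds.keep. Without "keep" semantics, `helm uninstall` removes the CRDs and,
# with them, every Certificate/Issuer object in the cluster.
installCRDs: true

# Replica count for HA (controller Deployment)
replicaCount: 2

# Resource requests and limits (controller)
resources:
  requests:
    cpu: 50m
    memory: 64Mi
  limits:
    cpu: 200m
    memory: 256Mi

# Webhook configuration
# The top-level securityContext / containerSecurityContext /
# podDisruptionBudget keys apply to the controller Deployment only; the
# webhook and cainjector components carry their own copies, so the hardening
# is repeated here to keep all three components on the same baseline.
webhook:
  replicaCount: 2
  resources:
    requests:
      cpu: 25m
      memory: 32Mi
    limits:
      cpu: 100m
      memory: 128Mi
  podDisruptionBudget:
    enabled: true
    minAvailable: 1
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containerSecurityContext:
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL

# CA Injector configuration
cainjector:
  replicaCount: 2
  resources:
    requests:
      cpu: 25m
      memory: 64Mi
    limits:
      cpu: 100m
      memory: 256Mi
  podDisruptionBudget:
    enabled: true
    minAvailable: 1
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containerSecurityContext:
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL

# Pod disruption budget (controller)
# minAvailable: 1 with replicaCount: 2 allows exactly one pod to be evicted
# at a time during node drains.
podDisruptionBudget:
  enabled: true
  minAvailable: 1

# Prometheus metrics
prometheus:
  enabled: true
  servicemonitor:
    enabled: true
    # ServiceMonitor is created in the monitoring namespace and labelled so the
    # "prometheus" Operator release picks it up.
    namespace: monitoring
    labels:
      release: prometheus

# Pod anti-affinity for HA (controller)
# NOTE(review): webhook.affinity / cainjector.affinity are separate keys;
# spreading those components too needs their own selectors.
affinity:
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 100
        podAffinityTerm:
          labelSelector:
            matchLabels:
              app.kubernetes.io/name: cert-manager
          topologyKey: kubernetes.io/hostname

# Topology spread constraints (controller)
# ScheduleAnyway keeps the controller schedulable in a single-zone cluster.
topologySpreadConstraints:
  - maxSkew: 1
    topologyKey: topology.kubernetes.io/zone
    whenUnsatisfiable: ScheduleAnyway
    labelSelector:
      matchLabels:
        app.kubernetes.io/name: cert-manager

# Security context (controller pod)
securityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault

# Security context (controller container)
containerSecurityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop:
      - ALL

# DNS configuration for Route53 (DNS-01 challenges)
# Public resolvers are used for the pre-flight self-check so that propagation
# is verified against public DNS instead of the cluster/VPC resolver, which
# may serve a different (split-horizon) view of the zone. "Only" disables
# falling back to the pod's resolv.conf.
dns01RecursiveNameservers: "8.8.8.8:53,1.1.1.1:53"
dns01RecursiveNameserversOnly: true

# Global options
global:
  leaderElection:
    # Leader-election leases live in the release namespace.
    namespace: cert-manager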