# Configuration Reference

Comprehensive reference for all configuration files and settings in the RCIIS DevOps platform.

## Helm Values Configuration

### Common Configuration Patterns

```yaml
# Standard application configuration
app:
  name: service-name
  version: "1.0.0"
  environment: staging
  replicas: 2

# Image configuration
image:
  repository: harbor.devops.africa/rciis/service-name
  tag: latest
  pullPolicy: Always
  pullSecrets:
    - name: harbor-registry

# Service configuration
service:
  type: ClusterIP
  port: 80
  targetPort: 8080
  annotations: {}

# Ingress configuration
ingress:
  enabled: true
  className: nginx
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  hosts:
    - host: service.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: service-tls
      hosts:
        - service.example.com

# Resource configuration
resources:
  limits:
    cpu: 1000m
    memory: 1Gi
  requests:
    cpu: 500m
    memory: 512Mi

# Health checks
livenessProbe:
  httpGet:
    path: /health
    port: 8080
  initialDelaySeconds: 30
  periodSeconds: 10

readinessProbe:
  httpGet:
    path: /ready
    port: 8080
  initialDelaySeconds: 5
  periodSeconds: 5
```
## ArgoCD Configuration

### Application Template

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: service-environment
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: rciis
  sources:
    # Values repository
    - repoURL: git@github.com:MagnaBC/rciis-devops.git
      targetRevision: master
      path: apps/rciis/service/environment
      ref: values
    # Chart repository
    - repoURL: oci://harbor.devops.africa/rciis
      targetRevision: "0.1.306"
      chart: rciis
      helm:
        valueFiles:
          - $values/values.yaml
  destination:
    server: https://kubernetes.default.svc
    namespace: service-namespace
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
      - PrunePropagationPolicy=foreground
```
### ApplicationSet Template

```yaml
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: rciis-services
  namespace: argocd
spec:
  generators:
    - matrix:
        generators:
          - git:
              repoURL: git@github.com:MagnaBC/rciis-devops.git
              revision: master
              directories:
                - path: apps/rciis/*
                # The git directory generator excludes a path with a boolean
                # "exclude: true" entry; the secrets directory is not an app.
                - path: apps/rciis/secrets
                  exclude: true
          - list:
              elements:
                - env: testing
                  cluster: https://kubernetes.default.svc
                  wave: "1"
                - env: staging
                  cluster: https://kubernetes.default.svc
                  wave: "2"
  template:
    metadata:
      name: '{{path.basename}}-{{env}}'
      annotations:
        argocd.argoproj.io/sync-wave: '{{wave}}'
    spec:
      project: rciis
      sources:
        - repoURL: git@github.com:MagnaBC/rciis-devops.git
          targetRevision: master
          path: '{{path}}/{{env}}'
          ref: values
        - repoURL: oci://harbor.devops.africa/rciis
          targetRevision: "0.1.306"
          chart: rciis
          helm:
            valueFiles:
              - $values/values.yaml
      destination:
        server: '{{cluster}}'
        namespace: '{{path.basename}}'
      syncPolicy:
        automated:
          prune: true
          selfHeal: true
        syncOptions:
          - CreateNamespace=true
```
## Kustomize Configuration

### Kustomization Template

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: service-namespace

resources:
  - ../../../secrets/environment/service/

generators:
  - secret-generator.yaml

configurations:
  - extra/default.conf

transformers:
  - ksops-transformer.yaml

replicas:
  - name: service-deployment
    count: 2

images:
  - name: service-image
    newTag: v1.2.3

patchesStrategicMerge:
  - environment-patch.yaml

patchesJson6902:
  - target:
      group: apps
      version: v1
      kind: Deployment
      name: service-deployment
    path: patches/deployment-patch.yaml
```

### KSOPS Secret Generator

```yaml
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
  name: service-secret-generator
  annotations:
    config.kubernetes.io/function: |
      exec:
        path: ksops
files:
  - ../../../secrets/environment/service/appsettings.yaml
  - ../../../secrets/environment/service/database.yaml
  - ../../../secrets/environment/service/container-registry.yaml
```
## Secret Management

### SOPS Configuration (.sops.yaml)

```yaml
creation_rules:
  - path_regex: secrets/local/.*\.yaml$
    unencrypted_regex: '^(apiVersion|metadata|kind|type)$'
    age: age1234567890abcdef
  - path_regex: secrets/testing/.*\.yaml$
    unencrypted_regex: '^(apiVersion|metadata|kind|type)$'
    age: age0987654321fedcba
  - path_regex: secrets/staging/.*\.yaml$
    unencrypted_regex: '^(apiVersion|metadata|kind|type)$'
    age: age1111222233334444
```

### Secret Template

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: service-config
  namespace: service-namespace
type: Opaque
stringData:
  config.json: |
    {
      "ConnectionStrings": {
        "DefaultConnection": "Server=sql-server;Database=ServiceDB;User Id=user;Password=encrypted_password;"
      },
      "ApiKeys": {
        "ExternalService": "encrypted_api_key"
      },
      "Logging": {
        "LogLevel": {
          "Default": "Information"
        }
      }
    }
```
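The creation rules above leave only `apiVersion`, `metadata`, `kind` and `type` in clear; everything else, including the whole `stringData` block, must carry sops' `ENC[AES256_GCM,...]` tokens before the file is committed. The following checker is an added example (not part of the platform's tooling) that applies that rule to a Secret already parsed into a Python dict; the two sample documents and the abbreviated `sops` metadata block are constructed for the example.

```python
import re

# Constructed for this example: the unencrypted_regex from .sops.yaml above, a
# Secret as sops writes it (values replaced by ENC[...] tokens plus a sops
# metadata block, abbreviated here), and the same Secret left in clear.
UNENCRYPTED_REGEX = r"^(apiVersion|metadata|kind|type)$"
ENC_TOKEN = re.compile(r"^ENC\[AES256_GCM,data:[^\]]+\]$")

ENCRYPTED = {
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "service-config", "namespace": "service-namespace"},
    "stringData": {"config.json": "ENC[AES256_GCM,data:Zm9v,iv:YmFy,tag:YmF6,type:str]"},
    "sops": {"age": [{"recipient": "age1234567890abcdef"}], "version": "3.8.1"},
}
PLAINTEXT = {
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "service-config", "namespace": "service-namespace"},
    "stringData": {"config.json": '{"ApiKeys": {"ExternalService": "encrypted_api_key"}}'},
}

def plaintext_leaks(doc, unencrypted_regex=UNENCRYPTED_REGEX):
    """Return the paths of values that the creation rule says must be
    encrypted but that are not ENC[...] tokens; an empty list means safe to commit."""
    exempt = re.compile(unencrypted_regex)
    leaks = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                if not path and key == "sops":
                    continue   # sops' own metadata block is always plaintext
                if exempt.match(str(key)):
                    continue   # an exempt key keeps its whole subtree in clear
                walk(value, path + (str(key),))
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, path + (f"[{i}]",))
        elif not (isinstance(node, str) and ENC_TOKEN.match(node)):
            leaks.append(".".join(path))

    walk(doc, ())
    if "sops" not in doc:
        leaks.append("<no sops metadata block: file was never encrypted>")
    return leaks
```

Run it from a pre-commit hook over every file matching a `path_regex` and refuse the commit when the list is non-empty.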
## Infrastructure Configuration

### Cilium Values

```yaml
# Cilium CNI configuration
operator:
  replicas: 1

hubble:
  enabled: true
  relay:
    enabled: true
  ui:
    enabled: true

cluster:
  name: rciis-local
  id: 1

ipam:
  mode: kubernetes

kubeProxyReplacement: partial
l7Proxy: true

loadBalancer:
  algorithm: maglev
  mode: dsr
```

### NGINX Ingress Values

```yaml
controller:
  replicaCount: 2
  service:
    type: LoadBalancer
    loadBalancerIP: 172.18.255.200
  config:
    use-forwarded-headers: "true"
    compute-full-forwarded-for: "true"
    ssl-redirect: "true"
    force-ssl-redirect: "true"
  metrics:
    enabled: true
    serviceMonitor:
      enabled: true
  resources:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      cpu: 500m
      memory: 512Mi
  admissionWebhooks:
    enabled: true
    patch:
      enabled: true
```

### Cert-Manager Values

```yaml
global:
  leaderElection:
    namespace: cert-manager

installCRDs: true
replicaCount: 1
resources:
  requests:
    cpu: 10m
    memory: 32Mi
  limits:
    cpu: 100m
    memory: 128Mi

prometheus:
  enabled: true
  servicemonitor:
    enabled: true

webhook:
  replicaCount: 1
  resources:
    requests:
      cpu: 10m
      memory: 32Mi
    limits:
      cpu: 100m
      memory: 128Mi

cainjector:
  replicaCount: 1
  resources:
    requests:
      cpu: 10m
      memory: 32Mi
    limits:
      cpu: 100m
      memory: 128Mi
```
## Application-Specific Configuration

### Nucleus Service Configuration

```yaml
# Nucleus-specific values
app:
  name: nucleus
  component: api

image:
  repository: harbor.devops.africa/rciis/nucleus
  tag: "latest"

service:
  type: ClusterIP
  port: 80
  targetPort: 8080

env:
  - name: ASPNETCORE_ENVIRONMENT
    value: Staging
  - name: ConnectionStrings__DefaultConnection
    valueFrom:
      secretKeyRef:
        name: nucleus-database
        key: connection-string
  - name: Kafka__BootstrapServers
    value: kafka-cluster-kafka-bootstrap:9092
  - name: MinIO__Endpoint
    value: minio:9000

volumeFiles:
  appsettings.json:
    secret: nucleus-appsettings
    key: appsettings.json
    path: /app/appsettings.json

persistence:
  enabled: true
  storageClass: standard
  size: 10Gi
  mountPath: /app/data
```

### Kafka Configuration

```yaml
# Strimzi Kafka configuration
kafka:
  version: 3.6.0
  replicas: 3
  listeners:
    - name: plain
      port: 9092
      type: internal
      tls: false
    - name: tls
      port: 9093
      type: internal
      tls: true
  config:
    offsets.topic.replication.factor: 3
    transaction.state.log.replication.factor: 3
    transaction.state.log.min.isr: 2
    default.replication.factor: 3
    min.insync.replicas: 2
    log.message.format.version: "3.6"
    inter.broker.protocol.version: "3.6"
  storage:
    type: persistent-claim
    size: 10Gi
    class: standard
  resources:
    requests:
      memory: 2Gi
      cpu: 500m
    limits:
      memory: 4Gi
      cpu: 1000m

zookeeper:
  replicas: 3
  storage:
    type: persistent-claim
    size: 5Gi
    class: standard
  resources:
    requests:
      memory: 1Gi
      cpu: 250m
    limits:
      memory: 2Gi
      cpu: 500m
```
## Environment-Specific Overrides

### Local Environment

```yaml
# Local development overrides
replicas: 1

resources:
  requests:
    cpu: 100m
    memory: 128Mi
  limits:
    cpu: 500m
    memory: 512Mi

service:
  type: NodePort
  nodePort: 30080

ingress:
  enabled: false

persistence:
  enabled: false

env:
  - name: ENVIRONMENT
    value: Local
  - name: LOG_LEVEL
    value: Debug
```

### Testing Environment

```yaml
# Testing environment overrides
replicas: 1

resources:
  requests:
    cpu: 250m
    memory: 256Mi
  limits:
    cpu: 500m
    memory: 512Mi

autoscaling:
  enabled: false

env:
  - name: ENVIRONMENT
    value: Testing
  - name: LOG_LEVEL
    value: Information

monitor:
  enabled: true
```

### Staging Environment

```yaml
# Staging environment overrides
replicas: 2

resources:
  requests:
    cpu: 500m
    memory: 512Mi
  limits:
    cpu: 1000m
    memory: 1Gi

autoscaling:
  enabled: true
  minReplicas: 2
  maxReplicas: 5
  targetCPUUtilizationPercentage: 70

env:
  - name: ENVIRONMENT
    value: Staging
  - name: LOG_LEVEL
    value: Information

monitor:
  enabled: true
  alerts:
    enabled: true
```
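The environment overrides above are layered on top of the service values (such as the Nucleus values in the previous section) with Helm's merge rules: nested maps merge key by key, a `null` deletes a key, and a list is replaced as a whole rather than appended to. That last rule matters for `env`: an override that lists only `ENVIRONMENT` and `LOG_LEVEL` silently drops the base layer's secret-backed `ConnectionStrings__DefaultConnection` entry. The following is an added example (not platform code) that reproduces that merge and reports which env entries disappear; the base and override dicts are trimmed restatements of the values above.

```python
import copy

def helm_merge(base, override):
    """Combine two values layers the way Helm combines successive -f files:
    nested maps merge key by key, a null in the override deletes the key,
    and anything else (scalars and whole lists) is replaced outright."""
    merged = copy.deepcopy(base)
    for key, value in override.items():
        if value is None:
            merged.pop(key, None)
        elif isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = helm_merge(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged

def dropped_env(base, override):
    """Names of env entries present in the base layer that vanish after the merge."""
    names = lambda values: {e["name"] for e in values.get("env", [])}
    return names(base) - names(helm_merge(base, override))

# Constructed inline from the Nucleus values and the staging overrides (trimmed).
NUCLEUS_BASE = {
    "app": {"name": "nucleus", "component": "api"},
    "image": {"repository": "harbor.devops.africa/rciis/nucleus", "tag": "latest"},
    "env": [{"name": "ASPNETCORE_ENVIRONMENT", "value": "Staging"},
            {"name": "ConnectionStrings__DefaultConnection",
             "valueFrom": {"secretKeyRef": {"name": "nucleus-database", "key": "connection-string"}}}],
    "persistence": {"enabled": True, "size": "10Gi"},
}
STAGING_OVERRIDE = {
    "replicas": 2,
    "resources": {"requests": {"cpu": "500m", "memory": "512Mi"}, "limits": {"cpu": "1000m", "memory": "1Gi"}},
    "autoscaling": {"enabled": True, "minReplicas": 2, "maxReplicas": 5},
    "env": [{"name": "ENVIRONMENT", "value": "Staging"}, {"name": "LOG_LEVEL", "value": "Information"}],
}
```

A non-empty result from `dropped_env` is the signal to repeat the base entries in the override or move them out of the list into a map.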
## Network Policies

### Default Deny Policy

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: service-namespace
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
```

### Service-Specific Policy

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: service-network-policy
  namespace: service-namespace
spec:
  podSelector:
    matchLabels:
      app: service-name
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8080
    - from:
        - podSelector:
            matchLabels:
              app: allowed-client
      ports:
        - protocol: TCP
          port: 8080
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              name: database
      ports:
        - protocol: TCP
          port: 1433
    - to: []
      ports:
        - protocol: TCP
          port: 443
        - protocol: TCP
          port: 53
        - protocol: UDP
          port: 53
```
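NetworkPolicies are additive: the default-deny policy isolates every pod in the namespace, and a connection is then allowed only if some policy selecting that pod has a rule matching both the peer and the port. Note that a `podSelector` peer without a `namespaceSelector` only matches pods in the policy's own namespace, and an empty `to: []` matches any destination. The evaluator below is an added example (not platform tooling) that applies the two policies above to a candidate connection; it models only what the page uses (matchLabels, namespaceSelector, podSelector, ports) and ignores matchExpressions and ipBlock. The policy dicts are a constructed restatement of the YAML above.

```python
NS = "service-namespace"   # the two policies above, restated as dicts for this example
DEFAULT_DENY = {"metadata": {"namespace": NS}, "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}
SERVICE_POLICY = {"metadata": {"namespace": NS}, "spec": {
    "podSelector": {"matchLabels": {"app": "service-name"}}, "policyTypes": ["Ingress", "Egress"],
    "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"name": "ingress-nginx"}}}],
                 "ports": [{"protocol": "TCP", "port": 8080}]},
                {"from": [{"podSelector": {"matchLabels": {"app": "allowed-client"}}}],
                 "ports": [{"protocol": "TCP", "port": 8080}]}],
    "egress": [{"to": [{"namespaceSelector": {"matchLabels": {"name": "database"}}}],
                "ports": [{"protocol": "TCP", "port": 1433}]},
               {"to": [], "ports": [{"protocol": "TCP", "port": 443}, {"protocol": "TCP", "port": 53},
                                    {"protocol": "UDP", "port": 53}]}]}}
POLICIES = [DEFAULT_DENY, SERVICE_POLICY]

def selects(selector, labels):
    # An empty selector ({}), as in default-deny-all, matches every pod.
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, policy_ns, ep):
    # ep describes the other end: {"namespace": str, "ns_labels": {...}, "labels": {...}}
    if "namespaceSelector" in peer:
        ok = selects(peer["namespaceSelector"], ep["ns_labels"])
        return ok and selects(peer.get("podSelector", {}), ep["labels"])
    if "podSelector" in peer:   # podSelector alone is scoped to the policy's namespace
        return ep["namespace"] == policy_ns and selects(peer["podSelector"], ep["labels"])
    return False                # ipBlock peers are not modelled here

def port_matches(rule, protocol, port):
    ports = rule.get("ports") or []   # no ports listed means any port
    return not ports or any(p.get("protocol", "TCP") == protocol and p.get("port", port) == port for p in ports)

def allowed(policies, direction, pod, peer, protocol, port):
    """pod: {"namespace", "labels"}. A pod selected by any policy for this direction
    is isolated; only an explicit rule in a selecting policy can then permit traffic."""
    key = "from" if direction == "Ingress" else "to"
    isolated = permitted = False
    for pol in policies:
        spec = pol["spec"]
        if pol["metadata"]["namespace"] != pod["namespace"] or not selects(spec["podSelector"], pod["labels"]):
            continue
        if direction not in spec.get("policyTypes", ["Ingress"]):
            continue
        isolated = True
        for rule in spec.get(direction.lower(), []):
            peers = rule.get(key) or []   # empty "to: []" / "from: []" means anywhere
            hit = not peers or any(peer_matches(p, pod["namespace"], peer) for p in peers)
            if hit and port_matches(rule, protocol, port):
                permitted = True
    return permitted or not isolated
```

Note that a pod in the namespace without the `app: service-name` label is covered only by default-deny-all and therefore gets no traffic at all, which is the intended least-privilege outcome but a common cause of "works in local, fails in staging" reports when a new deployment's labels drift.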
## Monitoring Configuration

### ServiceMonitor

```yaml
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: service-metrics
  namespace: service-namespace
spec:
  selector:
    matchLabels:
      app: service-name
  endpoints:
    - port: metrics
      interval: 30s
      path: /metrics
```

### PrometheusRule

```yaml
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: service-alerts
  namespace: service-namespace
spec:
  groups:
    - name: service.rules
      rules:
        - alert: ServiceDown
          expr: up{job="service-name"} == 0
          for: 1m
          labels:
            severity: critical
          annotations:
            summary: "Service {{ $labels.instance }} is down"
            description: "{{ $labels.instance }} has been down for more than 1 minute"
        - alert: HighErrorRate
          expr: rate(http_requests_total{status=~"5.."}[5m]) > 0.1
          for: 5m
          labels:
            severity: warning
          annotations:
            summary: "High error rate on {{ $labels.instance }}"
            description: "Error rate is {{ $value }} errors per second"
```

For implementation examples, refer to the specific service documentation in the Applications section.