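# Default values for chart.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

# This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
# ECR pulls are authenticated via the node IAM role (or IRSA on the service account),
# so no imagePullSecrets entry is required for the ECR repositories below
# (the public.ecr.aws repositories used here also allow anonymous pulls).
imagePullSecrets: []

# This is to override the chart name.
nameOverride: ""
fullnameOverride: ""

# This section builds out the service account more information can be found here: https://kubernetes.io/docs/concepts/security/service-accounts/
serviceAccount:
  # Specifies whether a service account should be created.
  create: true
  # Automatically mount a ServiceAccount's API credentials?
  # Only needed if a component talks to the Kubernetes API; set to false otherwise.
  automount: true
  # Annotations to add to the service account.
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template.
  name: ""

# Pod-level security context shared by every component (component-level overrides win).
podSecurityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault

# Container-level security context shared by every component (component-level overrides win).
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL

# RDS connection settings consumed by the backend Secret below.
# `host` must be the RDS writer endpoint of the target environment.
rds:
  host: skinc-aiagent-dev-main-postgresql.cn8yeeaaa1s1.ap-northeast-2.rds.amazonaws.com
  port: 5432
  database: aiagtmpn_dev
  username: aex_dev
  # Intentionally empty: supply it at install time (`--set rds.password=...` or an
  # uncommitted values file) so the credential never lives in version control.
  # Any credential that was previously committed in this file should be rotated.
  password: ""

# Components served by this chart. Each entry produces its own Deployment, Service, and (optional) HPA.
# The Ingress below references components by key (e.g. `frontend`, `backend`).
components:
  # Frontend (aex_ft) — serves all traffic that does not match /api.
  frontend:
    # This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/
    replicaCount: 1
    # This sets the container image more information can be found here: https://kubernetes.io/docs/concepts/containers/images/
    image:
      repository: public.ecr.aws/u3l9g3l8/test/aex_ft
      # This sets the pull policy for images.
      pullPolicy: IfNotPresent
      # Overrides the image tag whose default is the chart appVersion.
      tag: "0.0.0c"
    # nginx in the frontend image listens on 8080 (see sk_private_front/docker/nginx.conf).
    # Service exposes port 80 and targets the named container port `http` → 8080.
    containerPort: 8080
    # This is for setting Kubernetes Annotations to a Pod.
    podAnnotations: {}
    # This is for setting Kubernetes Labels to a Pod.
    podLabels: {}
    # This is for setting up a service more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/
    service:
      type: ClusterIP
      port: 80
    # readOnlyRootFilesystem requires writable mounts for nginx cache and pid file
    # (see `volumes` / `volumeMounts` below).
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 101
      runAsGroup: 101
    # This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
    livenessProbe:
      httpGet:
        path: /
        port: http
    readinessProbe:
      httpGet:
        path: /
        port: http
    # Minimal requests so the scheduler can place the pod; no limits to keep the test deploy permissive.
    resources:
      requests:
        cpu: 50m
        memory: 64Mi
    # This section is for setting up autoscaling more information can be found here: https://kubernetes.io/docs/concepts/workloads/autoscaling/
    autoscaling:
      enabled: false
      minReplicas: 1
      maxReplicas: 100
      targetCPUUtilizationPercentage: 80
      # targetMemoryUtilizationPercentage: 80
    # Writable scratch dirs required because the rootfs is read-only.
    # /run is needed because the upstream nginx.conf writes its pid file there
    # (the Dockerfile's sed targets /var/run/... and misses the actual /run/...).
    volumes:
      - name: nginx-cache
        emptyDir: {}
      - name: nginx-tmp
        emptyDir: {}
      - name: nginx-run
        emptyDir: {}
    volumeMounts:
      - name: nginx-cache
        mountPath: /var/cache/nginx
      - name: nginx-tmp
        mountPath: /tmp
      - name: nginx-run
        mountPath: /run

  # Backend (aex_bn) — serves traffic under /api.
  backend:
    replicaCount: 1
    image:
      repository: public.ecr.aws/u3l9g3l8/test/aex_bn
      pullPolicy: IfNotPresent
      tag: "0.0.0c"
    containerPort: 8000
    podAnnotations: {}
    podLabels: {}
    service:
      type: ClusterIP
      port: 8000
    # uvicorn user `app` is uid/gid 1000 in sk_private/docker/dockerfile.
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 1000
      runAsGroup: 1000
    livenessProbe:
      httpGet:
        path: /health
        port: http
    readinessProbe:
      httpGet:
        path: /health
        port: http
    resources:
      requests:
        cpu: 100m
        memory: 256Mi
    autoscaling:
      enabled: false
      minReplicas: 1
      maxReplicas: 100
      targetCPUUtilizationPercentage: 80
    # /tmp scratch for read-only rootfs (Python may write caches/temp files).
    volumes:
      - name: tmp
        emptyDir: {}
    volumeMounts:
      - name: tmp
        mountPath: /tmp
    # Pull configuration from the ConfigMap and Secret rendered below.
    envFrom:
      - secretRef:
          name: '{{ include "chart.componentFullname" (dict "root" $ "name" "backend") }}'
      - configMapRef:
          name: '{{ include "chart.componentFullname" (dict "root" $ "name" "backend") }}-config'
    # ConfigMap consumed by the backend: non-sensitive settings only.
    configMap:
      data:
        # DEBUG is a dev setting; lower it before this values file is reused elsewhere.
        APP_LOG_LEVEL: DEBUG
    # Secret consumed by the backend (referenced by the secretRef above): sensitive settings only.
    # APP_DATABASE_URL is assembled from .Values.rds so the password is never written here.
    secret:
      stringData:
        APP_DATABASE_URL: 'postgresql+asyncpg://{{ $.Values.rds.username }}:{{ $.Values.rds.password }}@{{ $.Values.rds.host }}:{{ $.Values.rds.port }}/{{ $.Values.rds.database }}'
        APP_DATABASE_SCHEMA: aex_sch

# This block is for setting up the ingress for more information can be found here: https://kubernetes.io/docs/concepts/services-networking/ingress/
# AWS Load Balancer Controller provisions an ALB from this resource.
# Both ingresses share one ALB via `group.name`; rule priority follows `group.order`
# (defaults to 0, ties broken by ingress name), so `/api` currently sorts before `/`
# only because "backend" < "frontend" — set `alb.ingress.kubernetes.io/group.order`
# explicitly if that ordering must not depend on names.
ingresses:
  backend:
    enabled: true
    className: alb-custom
    annotations:
      # scheme is not set, so the controller default (internal) applies.
      # alb.ingress.kubernetes.io/scheme: internet-facing
      alb.ingress.kubernetes.io/group.name: appl
      alb.ingress.kubernetes.io/load-balancer-name: skinc-inc-lb-dev-test
      alb.ingress.kubernetes.io/target-type: ip
      # HTTP only: no HTTPS listener or certificate is configured (see `tls: []` below).
      # Acceptable for the internal dev ALB; add an HTTPS listener before exposing it publicly.
      alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80}]'
      alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
      alb.ingress.kubernetes.io/healthcheck-path: /health
      # target-type ip registers pod IPs, so this must be the pod port (8000 == Service port here).
      alb.ingress.kubernetes.io/healthcheck-port: "8000"
    hosts:
      # Leaving host empty makes the ALB match any Host header, so the ALB DNS name can be used directly.
      # For production, set the real domain (e.g. aex.example.com) and register a Route53 ALIAS record.
      - host: ""
        paths:
          - path: /api
            pathType: Prefix
            component: backend
    tls: []
    #  - secretName: chart-example-tls
    #    hosts:
    #      - chart-example.local
  frontend:
    enabled: true
    className: alb-custom
    annotations:
      # scheme is not set, so the controller default (internal) applies.
      # alb.ingress.kubernetes.io/scheme: internet-facing
      alb.ingress.kubernetes.io/group.name: appl
      alb.ingress.kubernetes.io/load-balancer-name: skinc-inc-lb-dev-test
      alb.ingress.kubernetes.io/target-type: ip
      # HTTP only: no HTTPS listener or certificate is configured (see `tls: []` below).
      alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80}]'
      alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
      alb.ingress.kubernetes.io/healthcheck-path: /
      # target-type ip registers pod IPs on the pod port (8080, not the Service port 80),
      # so a fixed "80" would never be answered; traffic-port resolves to the registered port.
      alb.ingress.kubernetes.io/healthcheck-port: traffic-port
    hosts:
      # Leaving host empty makes the ALB match any Host header, so the ALB DNS name can be used directly.
      # For production, set the real domain (e.g. aex.example.com) and register a Route53 ALIAS record.
      - host: ""
        paths:
          - path: /
            pathType: Prefix
            component: frontend
    tls: []
    #  - secretName: chart-example-tls
    #    hosts:
    #      - chart-example.local

# -- Expose the services via gateway-api HTTPRoute
# Disabled — routing is handled by the ALB Ingress above.
httpRoute:
  enabled: false
  annotations: {}
  parentRefs:
    - name: gateway
      sectionName: http
  hostnames:
    - aex.sk-inc.local
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /api
      backendRefs:
        - component: backend
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - component: frontend

nodeSelector: {}

tolerations: []

affinity: {}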