sync

2026-04-22 21:56:43 +02:00
parent acc9bb1a85
commit f1dd61cece
30 changed files with 104 additions and 86 deletions
--- a/infra/values/aks-dev/gitea-values.yaml
+++ b/infra/values/aks-dev/gitea-values.yaml
@@ -1,4 +1,4 @@
-# Azure Managed Disk (Premium SSD via CSI driver)
+# AKS-specific: Azure managed disk storage class
 persistence:
  storageClass: managed-csi-premium
 postgresql:
--- a/infra/values/aks-dev/grafana-values.yaml
+++ b/infra/values/aks-dev/grafana-values.yaml
@@ -0,0 +1,4 @@
+# AKS-specific: Grafana hostname
+ingress:
+  hosts:
+  - grafana.forteapps.net
--- a/infra/values/aks-dev/keycloak-values.yaml
+++ b/infra/values/aks-dev/keycloak-values.yaml
@@ -0,0 +1,3 @@
+# AKS-specific: Keycloak hostname
+ingress:
+  hostname: id.forteapps.net
--- a/infra/values/aks-dev/opencost-values.yaml
+++ b/infra/values/aks-dev/opencost-values.yaml
@@ -1,11 +1,8 @@
-# Azure native pricing via Billing API
+# AKS-specific: Azure pricing via Cloud Billing API
 opencost:
  exporter:
+    cloudProviderApiKey: ""
    customPricing:
-      enabled: true
-      provider: azure
+      enabled: false
    azure:
-      subscriptionID: ""          # <- populate
-      clientID: ""
-      clientSecret: ""
-      tenantID: ""
+      secretName: opencost-azure-billing
--- a/infra/values/aks-dev/traefik-values.yaml
+++ b/infra/values/aks-dev/traefik-values.yaml
@@ -1,16 +1,11 @@
-# Azure AKS — Standard Load Balancer
-# Note: Azure Standard LB does not support Proxy Protocol.
-# Use externalTrafficPolicy: Local on the Traefik service to preserve
-# client IPs, or deploy behind Azure Application Gateway.
+# AKS-specific: Azure Load Balancer for Traefik
 service:
  annotations:
-    service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: "/ping"
-  spec:
-    externalTrafficPolicy: Local
+    service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: /ping
 ports:
  web:
    forwardedHeaders:
-      trustedIPs: "10.0.0.0/8,168.63.129.16/32"    # <- VNet CIDR + Azure health probe
+      trustedIPs: "10.0.0.0/8"
  websecure:
    forwardedHeaders:
-      trustedIPs: "10.0.0.0/8,168.63.129.16/32"
+      trustedIPs: "10.0.0.0/8"
--- a/infra/values/aks-prod/gitea-values.yaml
+++ b/infra/values/aks-prod/gitea-values.yaml
@@ -1,4 +1,4 @@
-# Azure Managed Disk (Premium SSD via CSI driver)
+# AKS-specific: Azure managed disk storage class (prod)
 persistence:
  storageClass: managed-csi-premium
 postgresql:
--- a/infra/values/aks-prod/grafana-values.yaml
+++ b/infra/values/aks-prod/grafana-values.yaml
@@ -0,0 +1,4 @@
+# AKS-specific: Grafana hostname (prod)
+ingress:
+  hosts:
+  - grafana.fortedigital.com
--- a/infra/values/aks-prod/keycloak-values.yaml
+++ b/infra/values/aks-prod/keycloak-values.yaml
@@ -0,0 +1,3 @@
+# AKS-specific: Keycloak hostname (prod)
+ingress:
+  hostname: id.fortedigital.com
--- a/infra/values/aks-prod/opencost-values.yaml
+++ b/infra/values/aks-prod/opencost-values.yaml
@@ -1,11 +1,8 @@
-# Azure native pricing via Billing API
+# AKS-specific: Azure pricing via Cloud Billing API (prod)
 opencost:
  exporter:
+    cloudProviderApiKey: ""
    customPricing:
-      enabled: true
-      provider: azure
+      enabled: false
    azure:
-      subscriptionID: ""          # <- populate
-      clientID: ""
-      clientSecret: ""
-      tenantID: ""
+      secretName: opencost-azure-billing
--- a/infra/values/aks-prod/traefik-values.yaml
+++ b/infra/values/aks-prod/traefik-values.yaml
@@ -1,16 +1,12 @@
-# Azure AKS — Standard Load Balancer
-# Note: Azure Standard LB does not support Proxy Protocol.
-# Use externalTrafficPolicy: Local on the Traefik service to preserve
-# client IPs, or deploy behind Azure Application Gateway.
+# AKS-specific: Azure Load Balancer for Traefik (prod)
 service:
  annotations:
-    service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: "/ping"
-  spec:
-    externalTrafficPolicy: Local
+    service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: /ping
+    service.beta.kubernetes.io/azure-load-balancer-internal: "false"
 ports:
  web:
    forwardedHeaders:
-      trustedIPs: "10.0.0.0/8,168.63.129.16/32"    # <- VNet CIDR + Azure health probe
+      trustedIPs: "10.0.0.0/8"
  websecure:
    forwardedHeaders:
-      trustedIPs: "10.0.0.0/8,168.63.129.16/32"
+      trustedIPs: "10.0.0.0/8"
--- a/infra/values/eks-dev/gitea-values.yaml
+++ b/infra/values/eks-dev/gitea-values.yaml
@@ -1,4 +1,4 @@
-# AWS EBS gp3 storage class (requires EBS CSI driver)
+# EKS-specific: gp3 storage class
 persistence:
  storageClass: gp3
 postgresql:
--- a/infra/values/eks-dev/grafana-values.yaml
+++ b/infra/values/eks-dev/grafana-values.yaml
@@ -0,0 +1,4 @@
+# EKS-specific: Grafana hostname
+ingress:
+  hosts:
+  - grafana.forteapps.net
--- a/infra/values/eks-dev/keycloak-values.yaml
+++ b/infra/values/eks-dev/keycloak-values.yaml
@@ -0,0 +1,3 @@
+# EKS-specific: Keycloak hostname
+ingress:
+  hostname: id.forteapps.net
--- a/infra/values/eks-dev/opencost-values.yaml
+++ b/infra/values/eks-dev/opencost-values.yaml
@@ -1,12 +1,10 @@
-# AWS native pricing via Cost and Usage Reports
+# EKS-specific: AWS pricing via Cost and Usage Report
 opencost:
  exporter:
+    cloudProviderApiKey: ""
    customPricing:
-      enabled: true
-      provider: aws
+      enabled: false
    aws:
-      service_key_name: ""      # <- populate or use IRSA
-      service_key_secret: ""
      spot_data_region: ""
      spot_data_bucket: ""
      spot_data_prefix: ""
--- a/infra/values/eks-dev/traefik-values.yaml
+++ b/infra/values/eks-dev/traefik-values.yaml
@@ -1,14 +1,13 @@
-# AWS EKS — NLB with Proxy Protocol v2 for real client IPs
+# EKS-specific: AWS NLB for Traefik
 service:
  annotations:
-    service.beta.kubernetes.io/aws-load-balancer-type: "external"
-    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
-    service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
+    service.beta.kubernetes.io/aws-load-balancer-type: nlb
+    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
 ports:
  web:
    proxyProtocol:
-      trustedIPs: "10.0.0.0/8"       # <- adjust to your VPC CIDR
+      trustedIPs: "10.0.0.0/8"
    forwardedHeaders:
      trustedIPs: "10.0.0.0/8"
  websecure:
--- a/infra/values/eks-prod/gitea-values.yaml
+++ b/infra/values/eks-prod/gitea-values.yaml
@@ -1,4 +1,4 @@
-# AWS EBS gp3 storage class (requires EBS CSI driver)
+# EKS-specific: gp3 storage class (prod)
 persistence:
  storageClass: gp3
 postgresql:
--- a/infra/values/eks-prod/grafana-values.yaml
+++ b/infra/values/eks-prod/grafana-values.yaml
@@ -0,0 +1,4 @@
+# EKS-specific: Grafana hostname (prod)
+ingress:
+  hosts:
+  - grafana.fortedigital.com
--- a/infra/values/eks-prod/keycloak-values.yaml
+++ b/infra/values/eks-prod/keycloak-values.yaml
@@ -0,0 +1,3 @@
+# EKS-specific: Keycloak hostname (prod)
+ingress:
+  hostname: id.fortedigital.com
--- a/infra/values/eks-prod/opencost-values.yaml
+++ b/infra/values/eks-prod/opencost-values.yaml
@@ -1,12 +1,10 @@
-# AWS native pricing via Cost and Usage Reports
+# EKS-specific: AWS pricing via Cost and Usage Report (prod)
 opencost:
  exporter:
+    cloudProviderApiKey: ""
    customPricing:
-      enabled: true
-      provider: aws
+      enabled: false
    aws:
-      service_key_name: ""      # <- populate or use IRSA
-      service_key_secret: ""
      spot_data_region: ""
      spot_data_bucket: ""
      spot_data_prefix: ""
--- a/infra/values/eks-prod/traefik-values.yaml
+++ b/infra/values/eks-prod/traefik-values.yaml
@@ -1,14 +1,14 @@
-# AWS EKS — NLB with Proxy Protocol v2 for real client IPs
+# EKS-specific: AWS NLB for Traefik (prod)
 service:
  annotations:
-    service.beta.kubernetes.io/aws-load-balancer-type: "external"
-    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
-    service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
+    service.beta.kubernetes.io/aws-load-balancer-type: nlb
+    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
+    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
 ports:
  web:
    proxyProtocol:
-      trustedIPs: "10.0.0.0/8"       # <- adjust to your VPC CIDR
+      trustedIPs: "10.0.0.0/8"
    forwardedHeaders:
      trustedIPs: "10.0.0.0/8"
  websecure:
--- a/infra/values/gke-dev/gitea-values.yaml
+++ b/infra/values/gke-dev/gitea-values.yaml
@@ -1,4 +1,4 @@
-# GCP Persistent Disk (SSD via CSI driver)
+# GKE-specific: SSD persistent disk storage class
 persistence:
  storageClass: premium-rwo
 postgresql:
--- a/infra/values/gke-dev/grafana-values.yaml
+++ b/infra/values/gke-dev/grafana-values.yaml
@@ -0,0 +1,4 @@
+# GKE-specific: Grafana hostname
+ingress:
+  hosts:
+  - grafana.forteapps.net
--- a/infra/values/gke-dev/keycloak-values.yaml
+++ b/infra/values/gke-dev/keycloak-values.yaml
@@ -0,0 +1,3 @@
+# GKE-specific: Keycloak hostname
+ingress:
+  hostname: id.forteapps.net
--- a/infra/values/gke-dev/opencost-values.yaml
+++ b/infra/values/gke-dev/opencost-values.yaml
@@ -1,9 +1,10 @@
-# GCP native pricing via Cloud Billing API
+# GKE-specific: GCP pricing via BigQuery billing export
 opencost:
  exporter:
+    cloudProviderApiKey: ""
    customPricing:
-      enabled: true
-      provider: gcp
-    gcp:
-      projectID: ""               # <- populate with your GCP project ID
-      key: ""                     # <- or use Workload Identity
+      enabled: false
+    google:
+      key: ""
+      project_id: ""
+      billing_account: ""
--- a/infra/values/gke-dev/traefik-values.yaml
+++ b/infra/values/gke-dev/traefik-values.yaml
@@ -1,15 +1,12 @@
-# GCP GKE — External passthrough Network Load Balancer
+# GKE-specific: Google Cloud Load Balancer for Traefik
 service:
  annotations:
-    cloud.google.com/l4-rbs: "enabled"
+    cloud.google.com/neg: '{"ingress":true}'
+    networking.gke.io/load-balancer-type: External
 ports:
  web:
-    proxyProtocol:
-      trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22"   # <- subnet CIDR + GCP health checks
    forwardedHeaders:
-      trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22"
+      trustedIPs: "10.0.0.0/8"
  websecure:
-    proxyProtocol:
-      trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22"
    forwardedHeaders:
-      trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22"
+      trustedIPs: "10.0.0.0/8"
--- a/infra/values/gke-prod/gitea-values.yaml
+++ b/infra/values/gke-prod/gitea-values.yaml
@@ -1,4 +1,4 @@
-# GCP Persistent Disk (SSD via CSI driver)
+# GKE-specific: SSD persistent disk storage class (prod)
 persistence:
  storageClass: premium-rwo
 postgresql:
--- a/infra/values/gke-prod/grafana-values.yaml
+++ b/infra/values/gke-prod/grafana-values.yaml
@@ -0,0 +1,4 @@
+# GKE-specific: Grafana hostname (prod)
+ingress:
+  hosts:
+  - grafana.fortedigital.com
--- a/infra/values/gke-prod/keycloak-values.yaml
+++ b/infra/values/gke-prod/keycloak-values.yaml
@@ -0,0 +1,3 @@
+# GKE-specific: Keycloak hostname (prod)
+ingress:
+  hostname: id.fortedigital.com
--- a/infra/values/gke-prod/opencost-values.yaml
+++ b/infra/values/gke-prod/opencost-values.yaml
@@ -1,9 +1,10 @@
-# GCP native pricing via Cloud Billing API
+# GKE-specific: GCP pricing via BigQuery billing export (prod)
 opencost:
  exporter:
+    cloudProviderApiKey: ""
    customPricing:
-      enabled: true
-      provider: gcp
-    gcp:
-      projectID: ""               # <- populate with your GCP project ID
-      key: ""                     # <- or use Workload Identity
+      enabled: false
+    google:
+      key: ""
+      project_id: ""
+      billing_account: ""
--- a/infra/values/gke-prod/traefik-values.yaml
+++ b/infra/values/gke-prod/traefik-values.yaml
@@ -1,15 +1,12 @@
-# GCP GKE — External passthrough Network Load Balancer
+# GKE-specific: Google Cloud Load Balancer for Traefik (prod)
 service:
  annotations:
-    cloud.google.com/l4-rbs: "enabled"
+    cloud.google.com/neg: '{"ingress":true}'
+    networking.gke.io/load-balancer-type: External
 ports:
  web:
-    proxyProtocol:
-      trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22"   # <- subnet CIDR + GCP health checks
    forwardedHeaders:
-      trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22"
+      trustedIPs: "10.0.0.0/8"
  websecure:
-    proxyProtocol:
-      trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22"
    forwardedHeaders:
-      trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22"
+      trustedIPs: "10.0.0.0/8"