# Fischer AgentKit — Helm values #政企生产级配置;所有密钥通过 Sealed Secrets 或 External Secrets Operator 注入, # 禁止明文 Kubernetes Secret + Git 提交(KTD-4 / R2a)。 # --------------------------------------------------------------------------- # 镜像配置 # --------------------------------------------------------------------------- image: repository: fischer-agentkit tag: 0.1.0 pullPolicy: IfNotPresent # DEPLOY-9: 可选 digest pinning(政企生产场景防篡改)。 # 设置后 image 引用变为 @sha256:,覆盖 tag。 # 获取 digest: crane digest : 或 skopeo inspect --format '{{.Digest}}' docker://: digest: "" # 私有镜像仓库时配置 pullSecret(secret 引用名,由外部创建) pullSecret: "" # --------------------------------------------------------------------------- # 副本与调度 # --------------------------------------------------------------------------- replicaCount: 1 # ponytail: 暂不支持 HPA,单副本起步;扩容由运维手动 rollout。 # 升级路径: values.replicaCount > 1 + PodDisruptionBudget(P1) # --------------------------------------------------------------------------- # ServiceAccount # --------------------------------------------------------------------------- serviceAccount: create: true name: "" # 留空则用 fullname annotations: {} # 云厂商 workload identity 注解(如 EKS/GKE) # --------------------------------------------------------------------------- # Service # --------------------------------------------------------------------------- service: type: ClusterIP apiPort: 8001 # API 服务(agentkit serve) guiPort: 8002 # Web GUI(agentkit gui) # --------------------------------------------------------------------------- # Ingress(TLS 终止) # --------------------------------------------------------------------------- ingress: enabled: true className: nginx annotations: {} host: agentkit.example.com tls: enabled: true # 引用 secrets.tlsServerCert 对应的 TLS Secret secretName: agentkit-tls # --------------------------------------------------------------------------- # 资源 # --------------------------------------------------------------------------- resources: requests: cpu: 250m memory: 512Mi limits: cpu: "1000m" memory: 2Gi # --------------------------------------------------------------------------- # Pod 安全上下文(非 root 用户,与 Dockerfile appuser 对齐) # --------------------------------------------------------------------------- podSecurityContext: runAsNonRoot: true runAsUser: 1000 runAsGroup: 1000 fsGroup: 1000 securityContext: readOnlyRootFilesystem: false # agentkit 需写临时文件(缓存/日志) allowPrivilegeEscalation: false capabilities: drop: [ALL] # --------------------------------------------------------------------------- # 探针 # --------------------------------------------------------------------------- probes: liveness: httpGet: path: /api/v1/health port: api initialDelaySeconds: 30 periodSeconds: 30 timeoutSeconds: 10 failureThreshold: 3 readiness: httpGet: path: /api/v1/health port: api initialDelaySeconds: 10 periodSeconds: 10 timeoutSeconds: 5 failureThreshold: 3 # --------------------------------------------------------------------------- # OTel 可观测性 # --------------------------------------------------------------------------- otel: enabled: true endpoint: http://otel-collector:4317 # OTLP gRPC serviceName: fischer-agentkit # exporter token 从 secrets.otelExporterToken 引用(OTel collector 启用鉴权时) headers: {} # --------------------------------------------------------------------------- # Redis / PostgreSQL 连接(密码从 secrets 引用) # --------------------------------------------------------------------------- redis: url: redis://redis:6379/0 # 实际密码通过 env REDIS_PASSWORD 注入(来自 secrets.redisPassword) postgres: # DATABASE_URL(不含密码,密码通过 ${POSTGRES_PASSWORD} 占位由 env 注入) url: postgresql+asyncpg://agentkit@postgres:5432/agentkit # --------------------------------------------------------------------------- # 认证 / IDP(引用 secrets) # --------------------------------------------------------------------------- auth: scimToken: "" # 从 secrets.apiKey 引用(SCIM bearer) idps: [] # IDP 配置列表(非密部分),密钥引用 secrets.idpSigningCerts # --------------------------------------------------------------------------- # 密钥清单 — 11 个 secret slot(KTD-4 / R2a) # --------------------------------------------------------------------------- # backend 选择: # sealed-secrets — 使用 Bitnami Sealed Secrets(模板 templates/sealed-secret.yaml) # external-secrets — 使用 External Secrets Operator(模板 templates/external-secret.yaml) # 客户按环境二选一;模板按 backend 条件渲染。禁止明文 Kubernetes Secret + Git 提交。 secrets: backend: sealed-secrets # External Secrets Operator 配置(仅当 backend: external-secrets 时生效) externalSecret: # SecretStore 名称(运维预创建,指向 Vault / AWS SM / GCP SM / Azure KV) secretStoreName: agentkit-vault-store # 后端类型:vault | aws | gcp | azure backend: vault # --- 11 个 secret slot --- # 每个 slot:name=Kubernetes Secret key;description=用途;rotation=轮换周期 # 1) JWT 签名密钥(HS256)— access(15m) + refresh(7d) token 签名 jwtSigningKey: key: jwt-signing-key description: "JWT access/refresh token HS256 签名密钥" rotation: 90d # 2) API Key — 服务间 / SCIM / 客户端鉴权(恒定时间比较) apiKey: key: api-key description: "服务间调用 / SCIM bearer / agentkit pair 生成的 API Key" rotation: 180d # 3) DB 凭据 — 应用层 DATABASE_URL(含用户名,密码占位由 env 注入) dbCredentials: key: database-url description: "应用层 DATABASE_URL DSN(postgresql+asyncpg://agentkit:***@postgres:5432/agentkit)" rotation: 90d # 4) IDP 签名证书 — OIDC/SAML IdP 签名证书 PEM(多 IDP 信任边界) idpSigningCerts: key: idp-signing-certs description: "OIDC/SAML IdP 签名证书 PEM(JSON map: {idp_name: pem},支持多 IDP 热轮换)" rotation: 365d # 5) 第三方 API Key(LLM providers)— DashScope / DeepSeek / OpenAI / Anthropic 等 thirdPartyApiKeys: key: third-party-api-keys description: "LLM provider API Key(JSON map: {provider: key},DashScope/DeepSeek/OpenAI/Anthropic)" rotation: 90d # 6) TLS 服务器证书私钥 — Ingress TLS 终止用的 cert + key tlsServerCert: key: tls-server-cert description: "Ingress TLS 服务器证书 + 私钥(PEM,tls.crt + tls.key)" rotation: 365d # 7) mTLS 客户端证书私钥 — 与下游服务(KMS/HSM、内部 API)双向 TLS mtlsClientCert: key: mtls-client-cert description: "mTLS 客户端证书 + 私钥(PEM,client.crt + client.key + ca.crt)" rotation: 180d # 8) KMS/HSM PKCS#11 PIN — 硬件安全模块访问 PIN kmsHsmPin: key: kms-hsm-pin description: "KMS/HSM PKCS#11 访问 PIN(用于密钥托管 / 签名 / 解密)" rotation: 365d # 9) OTel exporter token — OTLP collector 鉴权 token otelExporterToken: key: otel-exporter-token description: "OTLP exporter 鉴权 token(DEPLOY-5: 值格式必须为 'Authorization=Bearer ',符合 OTEL_EXPORTER_OTLP_HEADERS key=value 规范)" rotation: 90d # 10) Redis 密码 — Redis requirepass(基础设施层) redisPassword: key: redis-password description: "Redis requirepass(基础设施层,env REDIS_PASSWORD 注入应用)" rotation: 90d # 11) PostgreSQL 密码 — POSTGRES_PASSWORD(基础设施层,PG StatefulSet 初始化用) postgresPassword: key: postgres-password description: "PostgreSQL POSTGRES_PASSWORD(DEPLOY-4: 仅 PG StatefulSet 初始化消费,应用通过 DATABASE_URL Slot 3 内嵌密码连接,不读此 env)" rotation: 90d # --------------------------------------------------------------------------- # workload identity — KMS/HSM projected service account token # --------------------------------------------------------------------------- workloadIdentity: enabled: false # 启用后 serviceaccount.yaml 注入 projected SA token audience: sts.example.com # 受众(云厂商 STS / 内部 KMS) expirationSeconds: 3600 # --------------------------------------------------------------------------- # agentkit.yaml 非密配置(注入 ConfigMap) # --------------------------------------------------------------------------- config: server: host: 0.0.0.0 port: 8001 workers: 1 rate_limit: 60 session: backend: redis bus: backend: redis task_store: backend: redis skills: auto_discover: true paths: ["./configs/skills"] experts: paths: ["./configs/experts"] logging: level: INFO format: text # 注意:llm / auth / telemetry 等含密钥的段由 env 注入,不进 ConfigMap