248 lines
9.2 KiB
YAML
248 lines
9.2 KiB
YAML
# Fischer AgentKit — Helm values
|
||
#政企生产级配置;所有密钥通过 Sealed Secrets 或 External Secrets Operator 注入,
|
||
# 禁止明文 Kubernetes Secret + Git 提交(KTD-4 / R2a)。
|
||
|
||
# ---------------------------------------------------------------------------
|
||
# 镜像配置
|
||
# ---------------------------------------------------------------------------
|
||
image:
|
||
repository: fischer-agentkit
|
||
tag: 0.1.0
|
||
pullPolicy: IfNotPresent
|
||
# DEPLOY-9: 可选 digest pinning(政企生产场景防篡改)。
|
||
# 设置后 image 引用变为 <repository>@sha256:<digest>,覆盖 tag。
|
||
# 获取 digest: crane digest <repo>:<tag> 或 skopeo inspect --format '{{.Digest}}' docker://<repo>:<tag>
|
||
digest: ""
|
||
# 私有镜像仓库时配置 pullSecret(secret 引用名,由外部创建)
|
||
pullSecret: ""
|
||
|
||
# ---------------------------------------------------------------------------
|
||
# 副本与调度
|
||
# ---------------------------------------------------------------------------
|
||
replicaCount: 1
|
||
# ponytail: 暂不支持 HPA,单副本起步;扩容由运维手动 rollout。
|
||
# 升级路径: values.replicaCount > 1 + PodDisruptionBudget(P1)
|
||
|
||
# ---------------------------------------------------------------------------
|
||
# ServiceAccount
|
||
# ---------------------------------------------------------------------------
|
||
serviceAccount:
|
||
create: true
|
||
name: "" # 留空则用 fullname
|
||
annotations: {} # 云厂商 workload identity 注解(如 EKS/GKE)
|
||
|
||
# ---------------------------------------------------------------------------
|
||
# Service
|
||
# ---------------------------------------------------------------------------
|
||
service:
|
||
type: ClusterIP
|
||
apiPort: 8001 # API 服务(agentkit serve)
|
||
guiPort: 8002 # Web GUI(agentkit gui)
|
||
|
||
# ---------------------------------------------------------------------------
|
||
# Ingress(TLS 终止)
|
||
# ---------------------------------------------------------------------------
|
||
ingress:
|
||
enabled: true
|
||
className: nginx
|
||
annotations: {}
|
||
host: agentkit.example.com
|
||
tls:
|
||
enabled: true
|
||
# 引用 secrets.tlsServerCert 对应的 TLS Secret
|
||
secretName: agentkit-tls
|
||
|
||
# ---------------------------------------------------------------------------
|
||
# 资源
|
||
# ---------------------------------------------------------------------------
|
||
resources:
|
||
requests:
|
||
cpu: 250m
|
||
memory: 512Mi
|
||
limits:
|
||
cpu: "1000m"
|
||
memory: 2Gi
|
||
|
||
# ---------------------------------------------------------------------------
|
||
# Pod 安全上下文(非 root 用户,与 Dockerfile appuser 对齐)
|
||
# ---------------------------------------------------------------------------
|
||
podSecurityContext:
|
||
runAsNonRoot: true
|
||
runAsUser: 1000
|
||
runAsGroup: 1000
|
||
fsGroup: 1000
|
||
|
||
securityContext:
|
||
readOnlyRootFilesystem: false # agentkit 需写临时文件(缓存/日志)
|
||
allowPrivilegeEscalation: false
|
||
capabilities:
|
||
drop: [ALL]
|
||
|
||
# ---------------------------------------------------------------------------
|
||
# 探针
|
||
# ---------------------------------------------------------------------------
|
||
probes:
|
||
liveness:
|
||
httpGet:
|
||
path: /api/v1/health
|
||
port: api
|
||
initialDelaySeconds: 30
|
||
periodSeconds: 30
|
||
timeoutSeconds: 10
|
||
failureThreshold: 3
|
||
readiness:
|
||
httpGet:
|
||
path: /api/v1/health
|
||
port: api
|
||
initialDelaySeconds: 10
|
||
periodSeconds: 10
|
||
timeoutSeconds: 5
|
||
failureThreshold: 3
|
||
|
||
# ---------------------------------------------------------------------------
|
||
# OTel 可观测性
|
||
# ---------------------------------------------------------------------------
|
||
otel:
|
||
enabled: true
|
||
endpoint: http://otel-collector:4317 # OTLP gRPC
|
||
serviceName: fischer-agentkit
|
||
# exporter token 从 secrets.otelExporterToken 引用(OTel collector 启用鉴权时)
|
||
headers: {}
|
||
|
||
# ---------------------------------------------------------------------------
|
||
# Redis / PostgreSQL 连接(密码从 secrets 引用)
|
||
# ---------------------------------------------------------------------------
|
||
redis:
|
||
url: redis://redis:6379/0
|
||
# 实际密码通过 env REDIS_PASSWORD 注入(来自 secrets.redisPassword)
|
||
|
||
postgres:
|
||
# DATABASE_URL(不含密码,密码通过 ${POSTGRES_PASSWORD} 占位由 env 注入)
|
||
url: postgresql+asyncpg://agentkit@postgres:5432/agentkit
|
||
|
||
# ---------------------------------------------------------------------------
|
||
# 认证 / IDP(引用 secrets)
|
||
# ---------------------------------------------------------------------------
|
||
auth:
|
||
scimToken: "" # 从 secrets.apiKey 引用(SCIM bearer)
|
||
idps: [] # IDP 配置列表(非密部分),密钥引用 secrets.idpSigningCerts
|
||
|
||
# ---------------------------------------------------------------------------
|
||
# 密钥清单 — 11 个 secret slot(KTD-4 / R2a)
|
||
# ---------------------------------------------------------------------------
|
||
# backend 选择:
|
||
# sealed-secrets — 使用 Bitnami Sealed Secrets(模板 templates/sealed-secret.yaml)
|
||
# external-secrets — 使用 External Secrets Operator(模板 templates/external-secret.yaml)
|
||
# 客户按环境二选一;模板按 backend 条件渲染。禁止明文 Kubernetes Secret + Git 提交。
|
||
secrets:
|
||
backend: sealed-secrets
|
||
|
||
# External Secrets Operator 配置(仅当 backend: external-secrets 时生效)
|
||
externalSecret:
|
||
# SecretStore 名称(运维预创建,指向 Vault / AWS SM / GCP SM / Azure KV)
|
||
secretStoreName: agentkit-vault-store
|
||
# 后端类型:vault | aws | gcp | azure
|
||
backend: vault
|
||
|
||
# --- 11 个 secret slot ---
|
||
# 每个 slot:name=Kubernetes Secret key;description=用途;rotation=轮换周期
|
||
|
||
# 1) JWT 签名密钥(HS256)— access(15m) + refresh(7d) token 签名
|
||
jwtSigningKey:
|
||
key: jwt-signing-key
|
||
description: "JWT access/refresh token HS256 签名密钥"
|
||
rotation: 90d
|
||
|
||
# 2) API Key — 服务间 / SCIM / 客户端鉴权(恒定时间比较)
|
||
apiKey:
|
||
key: api-key
|
||
description: "服务间调用 / SCIM bearer / agentkit pair 生成的 API Key"
|
||
rotation: 180d
|
||
|
||
# 3) DB 凭据 — 应用层 DATABASE_URL(含用户名,密码占位由 env 注入)
|
||
dbCredentials:
|
||
key: database-url
|
||
description: "应用层 DATABASE_URL DSN(postgresql+asyncpg://agentkit:***@postgres:5432/agentkit)"
|
||
rotation: 90d
|
||
|
||
# 4) IDP 签名证书 — OIDC/SAML IdP 签名证书 PEM(多 IDP 信任边界)
|
||
idpSigningCerts:
|
||
key: idp-signing-certs
|
||
description: "OIDC/SAML IdP 签名证书 PEM(JSON map: {idp_name: pem},支持多 IDP 热轮换)"
|
||
rotation: 365d
|
||
|
||
# 5) 第三方 API Key(LLM providers)— DashScope / DeepSeek / OpenAI / Anthropic 等
|
||
thirdPartyApiKeys:
|
||
key: third-party-api-keys
|
||
description: "LLM provider API Key(JSON map: {provider: key},DashScope/DeepSeek/OpenAI/Anthropic)"
|
||
rotation: 90d
|
||
|
||
# 6) TLS 服务器证书私钥 — Ingress TLS 终止用的 cert + key
|
||
tlsServerCert:
|
||
key: tls-server-cert
|
||
description: "Ingress TLS 服务器证书 + 私钥(PEM,tls.crt + tls.key)"
|
||
rotation: 365d
|
||
|
||
# 7) mTLS 客户端证书私钥 — 与下游服务(KMS/HSM、内部 API)双向 TLS
|
||
mtlsClientCert:
|
||
key: mtls-client-cert
|
||
description: "mTLS 客户端证书 + 私钥(PEM,client.crt + client.key + ca.crt)"
|
||
rotation: 180d
|
||
|
||
# 8) KMS/HSM PKCS#11 PIN — 硬件安全模块访问 PIN
|
||
kmsHsmPin:
|
||
key: kms-hsm-pin
|
||
description: "KMS/HSM PKCS#11 访问 PIN(用于密钥托管 / 签名 / 解密)"
|
||
rotation: 365d
|
||
|
||
# 9) OTel exporter token — OTLP collector 鉴权 token
|
||
otelExporterToken:
|
||
key: otel-exporter-token
|
||
description: "OTLP exporter 鉴权 token(DEPLOY-5: 值格式必须为 'Authorization=Bearer <token>',符合 OTEL_EXPORTER_OTLP_HEADERS key=value 规范)"
|
||
rotation: 90d
|
||
|
||
# 10) Redis 密码 — Redis requirepass(基础设施层)
|
||
redisPassword:
|
||
key: redis-password
|
||
description: "Redis requirepass(基础设施层,env REDIS_PASSWORD 注入应用)"
|
||
rotation: 90d
|
||
|
||
# 11) PostgreSQL 密码 — POSTGRES_PASSWORD(基础设施层,PG StatefulSet 初始化用)
|
||
postgresPassword:
|
||
key: postgres-password
|
||
description: "PostgreSQL POSTGRES_PASSWORD(DEPLOY-4: 仅 PG StatefulSet 初始化消费,应用通过 DATABASE_URL Slot 3 内嵌密码连接,不读此 env)"
|
||
rotation: 90d
|
||
|
||
# ---------------------------------------------------------------------------
|
||
# workload identity — KMS/HSM projected service account token
|
||
# ---------------------------------------------------------------------------
|
||
workloadIdentity:
|
||
enabled: false # 启用后 serviceaccount.yaml 注入 projected SA token
|
||
audience: sts.example.com # 受众(云厂商 STS / 内部 KMS)
|
||
expirationSeconds: 3600
|
||
|
||
# ---------------------------------------------------------------------------
|
||
# agentkit.yaml 非密配置(注入 ConfigMap)
|
||
# ---------------------------------------------------------------------------
|
||
config:
|
||
server:
|
||
host: 0.0.0.0
|
||
port: 8001
|
||
workers: 1
|
||
rate_limit: 60
|
||
session:
|
||
backend: redis
|
||
bus:
|
||
backend: redis
|
||
task_store:
|
||
backend: redis
|
||
skills:
|
||
auto_discover: true
|
||
paths: ["./configs/skills"]
|
||
experts:
|
||
paths: ["./configs/experts"]
|
||
logging:
|
||
level: INFO
|
||
format: text
|
||
# 注意:llm / auth / telemetry 等含密钥的段由 env 注入,不进 ConfigMap
|