fischer-agentkit/deploy/helm/agentkit/values.yaml

244 lines
8.7 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Fischer AgentKit — Helm values
#政企生产级配置;所有密钥通过 Sealed Secrets 或 External Secrets Operator 注入,
# 禁止明文 Kubernetes Secret + Git 提交KTD-4 / R2a
# ---------------------------------------------------------------------------
# 镜像配置
# ---------------------------------------------------------------------------
image:
repository: fischer-agentkit
tag: 0.1.0
pullPolicy: IfNotPresent
# 私有镜像仓库时配置 pullSecretsecret 引用名,由外部创建)
pullSecret: ""
# ---------------------------------------------------------------------------
# 副本与调度
# ---------------------------------------------------------------------------
replicaCount: 1
# ponytail: 暂不支持 HPA单副本起步扩容由运维手动 rollout。
# 升级路径: values.replicaCount > 1 + PodDisruptionBudgetP1
# ---------------------------------------------------------------------------
# ServiceAccount
# ---------------------------------------------------------------------------
serviceAccount:
create: true
name: "" # 留空则用 fullname
annotations: {} # 云厂商 workload identity 注解(如 EKS/GKE
# ---------------------------------------------------------------------------
# Service
# ---------------------------------------------------------------------------
service:
type: ClusterIP
apiPort: 8001 # API 服务agentkit serve
guiPort: 8002 # Web GUIagentkit gui
# ---------------------------------------------------------------------------
# IngressTLS 终止)
# ---------------------------------------------------------------------------
ingress:
enabled: true
className: nginx
annotations: {}
host: agentkit.example.com
tls:
enabled: true
# 引用 secrets.tlsServerCert 对应的 TLS Secret
secretName: agentkit-tls
# ---------------------------------------------------------------------------
# 资源
# ---------------------------------------------------------------------------
resources:
requests:
cpu: 250m
memory: 512Mi
limits:
cpu: "1000m"
memory: 2Gi
# ---------------------------------------------------------------------------
# Pod 安全上下文(非 root 用户,与 Dockerfile appuser 对齐)
# ---------------------------------------------------------------------------
podSecurityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
securityContext:
readOnlyRootFilesystem: false # agentkit 需写临时文件(缓存/日志)
allowPrivilegeEscalation: false
capabilities:
drop: [ALL]
# ---------------------------------------------------------------------------
# 探针
# ---------------------------------------------------------------------------
probes:
liveness:
httpGet:
path: /api/v1/health
port: api
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 10
failureThreshold: 3
readiness:
httpGet:
path: /api/v1/health
port: api
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
# ---------------------------------------------------------------------------
# OTel 可观测性
# ---------------------------------------------------------------------------
otel:
enabled: true
endpoint: http://otel-collector:4317 # OTLP gRPC
serviceName: fischer-agentkit
# exporter token 从 secrets.otelExporterToken 引用OTel collector 启用鉴权时)
headers: {}
# ---------------------------------------------------------------------------
# Redis / PostgreSQL 连接(密码从 secrets 引用)
# ---------------------------------------------------------------------------
redis:
url: redis://redis:6379/0
# 实际密码通过 env REDIS_PASSWORD 注入(来自 secrets.redisPgPasswords
postgres:
# DATABASE_URL不含密码密码通过 ${POSTGRES_PASSWORD} 占位由 env 注入)
url: postgresql+asyncpg://agentkit@postgres:5432/agentkit
# ---------------------------------------------------------------------------
# 认证 / IDP引用 secrets
# ---------------------------------------------------------------------------
auth:
scimToken: "" # 从 secrets.apiKey 引用SCIM bearer
idps: [] # IDP 配置列表(非密部分),密钥引用 secrets.idpSigningCerts
# ---------------------------------------------------------------------------
# 密钥清单 — 10 个 secret slotKTD-4 / R2a
# ---------------------------------------------------------------------------
# backend 选择:
# sealed-secrets — 使用 Bitnami Sealed Secrets模板 templates/sealed-secret.yaml
# external-secrets — 使用 External Secrets Operator模板 templates/external-secret.yaml
# 客户按环境二选一;模板按 backend 条件渲染。禁止明文 Kubernetes Secret + Git 提交。
secrets:
backend: sealed-secrets
# External Secrets Operator 配置(仅当 backend: external-secrets 时生效)
externalSecret:
# SecretStore 名称(运维预创建,指向 Vault / AWS SM / GCP SM / Azure KV
secretStoreName: agentkit-vault-store
# 后端类型vault | aws | gcp | azure
backend: vault
# --- 10 个 secret slot ---
# 每个 slotname=Kubernetes Secret keydescription=用途rotation=轮换周期
# 1) JWT 签名密钥HS256— access(15m) + refresh(7d) token 签名
jwtSigningKey:
key: jwt-signing-key
description: "JWT access/refresh token HS256 签名密钥"
rotation: 90d
# 2) API Key — 服务间 / SCIM / 客户端鉴权(恒定时间比较)
apiKey:
key: api-key
description: "服务间调用 / SCIM bearer / agentkit pair 生成的 API Key"
rotation: 180d
# 3) DB 凭据 — 应用层 DATABASE_URL含用户名密码占位由 env 注入)
dbCredentials:
key: database-url
description: "应用层 DATABASE_URL DSNpostgresql+asyncpg://agentkit:***@postgres:5432/agentkit"
rotation: 90d
# 4) IDP 签名证书 — OIDC/SAML IdP 签名证书 PEM多 IDP 信任边界)
idpSigningCerts:
key: idp-signing-certs
description: "OIDC/SAML IdP 签名证书 PEMJSON map: {idp_name: pem},支持多 IDP 热轮换)"
rotation: 365d
# 5) 第三方 API KeyLLM providers— DashScope / DeepSeek / OpenAI / Anthropic 等
thirdPartyApiKeys:
key: third-party-api-keys
description: "LLM provider API KeyJSON map: {provider: key}DashScope/DeepSeek/OpenAI/Anthropic"
rotation: 90d
# 6) TLS 服务器证书私钥 — Ingress TLS 终止用的 cert + key
tlsServerCert:
key: tls-server-cert
description: "Ingress TLS 服务器证书 + 私钥PEMtls.crt + tls.key"
rotation: 365d
# 7) mTLS 客户端证书私钥 — 与下游服务KMS/HSM、内部 API双向 TLS
mtlsClientCert:
key: mtls-client-cert
description: "mTLS 客户端证书 + 私钥PEMclient.crt + client.key + ca.crt"
rotation: 180d
# 8) KMS/HSM PKCS#11 PIN — 硬件安全模块访问 PIN
kmsHsmPin:
key: kms-hsm-pin
description: "KMS/HSM PKCS#11 访问 PIN用于密钥托管 / 签名 / 解密)"
rotation: 365d
# 9) OTel exporter token — OTLP collector 鉴权 token
otelExporterToken:
key: otel-exporter-token
description: "OTLP exporter 鉴权 tokencollector 启用 bearer auth 时)"
rotation: 90d
# 10) Redis 密码 — Redis requirepass基础设施层
redisPassword:
key: redis-password
description: "Redis requirepass基础设施层"
rotation: 90d
# 11) PostgreSQL 密码 — POSTGRES_PASSWORD基础设施层
postgresPassword:
key: postgres-password
description: "PostgreSQL POSTGRES_PASSWORD基础设施层"
rotation: 90d
# ---------------------------------------------------------------------------
# workload identity — KMS/HSM projected service account token
# ---------------------------------------------------------------------------
workloadIdentity:
enabled: false # 启用后 serviceaccount.yaml 注入 projected SA token
audience: sts.example.com # 受众(云厂商 STS / 内部 KMS
expirationSeconds: 3600
# ---------------------------------------------------------------------------
# agentkit.yaml 非密配置(注入 ConfigMap
# ---------------------------------------------------------------------------
config:
server:
host: 0.0.0.0
port: 8001
workers: 1
rate_limit: 60
session:
backend: redis
bus:
backend: redis
task_store:
backend: redis
skills:
auto_discover: true
paths: ["./configs/skills"]
experts:
paths: ["./configs/experts"]
logging:
level: INFO
format: text
# 注意llm / auth / telemetry 等含密钥的段由 env 注入,不进 ConfigMap