OneLab Kubernetes GitOps (Argo CD)

- Helm charts: onelab app + observability (Loki/Promtail/Grafana)
- Values under gitops/values/ with public-safe placeholders
- Argo CD Application (spec.sources, 2.6+)

Made-with: Cursor

gitops/charts/onelab/values.yaml

@@ -0,0 +1,236 @@
+# Default values for onelab — override per environment (see gitops/values/).
+
+nameOverride: ""
+fullnameOverride: ""
+
+# If non-empty, workloads mount this Secret instead of chart-generated onelab-configurations.
+# Secret must contain key `configurations.yml`. Chart will NOT create onelab-configurations.
+configuration:
+  existingSecretName: ""
+
+images:
+  registry: hub.andrewalliance.com/releases
+  tag: "1.27.0"
+  nginx: nginx
+  nginxTag: "1.29.5-alpine"
+  postgres: postgres
+  postgresTag: "17.8"
+  redis: redis
+  redisTag: "7.4.7-alpine"
+  rabbitmq: rabbitmq
+  rabbitmqTag: "3.13.7"
+
+imagePullSecrets: []
+# - name: hub-andrewalliance
+
+# Override registry credentials in gitops/values/ (see gitops/values/secrets.example.yaml).
+registry:
+  createPullSecret: false
+  pullSecretName: hub-andrewalliance
+  server: hub.andrewalliance.com
+  username: public
+  password: "REPLACE_REGISTRY_PASSWORD"
+
+# hostPath: matches typical single-node Swarm-style install (shared /data and /logs).
+# Use persistence.mode: pvc + a ReadWriteMany class for multi-node shared storage.
+persistence:
+  mode: hostPath
+  storageClass: ""
+  hostPath:
+    data: /opt/onelab/data
+    logs: /opt/onelab/logs
+  postgres:
+    size: 20Gi
+  rabbitmq:
+    size: 5Gi
+
+postgresql:
+  auth:
+    password: "DBPasswordPlaceholder"
+  resources: {}
+
+redis:
+  resources: {}
+
+rabbitmq:
+  resources: {}
+  # TLS: create Secret `onelab-rabbit-tls` in the release namespace (see README), or set embed: true.
+  tls:
+    secretName: onelab-rabbit-tls
+    embed: false
+    crt: ""
+    key: ""
+    fullchain: ""
+
+syncWaves:
+  registry: "-5"
+  postgres: "-3"
+  statefulDeps: "-2"
+  apps: "0"
+
+onelab:
+  domain: "https://localhost"
+  mailer:
+    noreply: "no-reply@example.com"
+  secrets:
+    authTokenKey: "TokenAuthPlaceholder"
+    monitoringToken: "TokenMonitoringPlaceholder"
+    rabbitToken: "TokenRabbitPlaceholder"
+  # Mirrors legacy OneLab configurations.yml params.compliance (templated from charts/onelab/files/configurations.gotmpl).
+  compliance:
+    enabled: false
+    requireElectronicSignature: true
+    executionOperatorRestrictionPolicy: "reviewed"
+    executionAdminExpertRestrictionPolicy: "reviewed"
+    preventCsvImport: true
+    preventManualMetadataEdit: true
+    deviceRestart: true
+  # Set enabled: true to turn on LDAP in configurations.yml and deploy ldap-worker (or use features.ldapWorker).
+  ldap:
+    enabled: false
+    timeout: ""
+    encryption: ""
+    policy: ""
+    tlsCaPath: ""
+    tlsCertPath: ""
+    tlsKeyPath: ""
+    tlsCiphers: ""
+    tlsSslVersion: ""
+  intercom:
+    appid: "REPLACE_INTERCOM_APP_ID"
+    secret: "REPLACE_INTERCOM_SECRET"
+
+features:
+  # Deprecated for LDAP: prefer onelab.ldap.enabled (either enables ldap-worker + ldap.enabled in config).
+  ldapWorker: false
+  mailerWorker: false
+
+website:
+  ssr: true
+
+revproxy:
+  serviceType: NodePort
+  nodePort: 30080
+  ipv6Listen: true
+
+# HTTP routing to internal nginx (revproxy). On k3s, set className: traefik (default controller).
+ingress:
+  enabled: false
+  className: ""
+  host: onelab.local
+  path: /
+  pathType: Prefix
+  annotations: {}
+  tls: false
+  tlsSecretName: ""
+  certManager:
+    # When set, adds cert-manager.io/cluster-issuer annotation (TLS secret is created automatically).
+    clusterIssuer: ""
+
+# Replica counts (api.apidevice etc. override defaults in templates/workloads.yaml via this map)
+replicas:
+  api: 2
+  apidevice: 1
+  apirabbit: 1
+  devices: 1
+  experiments: 1
+  images: 1
+  manual: 1
+  ws: 1
+  ldap: 1
+  mailer: 1
+
+resources: {}
+
+workloads:
+  - name: supervisor
+    image: onelab-supervisor-worker
+    replicas: 1
+    port: 0
+    config: true
+    mounts: [logs, data]
+  - name: file-worker
+    image: onelab-file-worker
+    replicas: 1
+    port: 0
+    config: true
+    mounts: [logs, data, shared]
+  - name: api
+    image: onelab-api
+    replicaKey: api
+    port: 3000
+    config: true
+    mounts: [logs, data]
+  - name: api-device
+    image: onelab-api-device
+    replicaKey: apidevice
+    port: 3000
+    config: true
+    mounts: [logs, data]
+  - name: api-rabbit
+    image: onelab-api-rabbit
+    replicaKey: apirabbit
+    port: 3000
+    config: true
+    mounts: [logs, data]
+  - name: devices-worker
+    image: onelab-devices-worker
+    replicaKey: devices
+    port: 0
+    config: true
+    mounts: [logs, data]
+  - name: experiments-worker
+    image: onelab-experiments-worker
+    replicaKey: experiments
+    port: 0
+    config: true
+    mounts: [logs]
+  - name: images-worker
+    image: onelab-images-worker
+    replicaKey: images
+    port: 0
+    config: true
+    mounts: [logs, data]
+  - name: manual-worker
+    image: onelab-manual-worker
+    replicaKey: manual
+    port: 0
+    config: true
+    mounts: [logs]
+  - name: websocket-worker
+    image: onelab-websocket-worker
+    replicaKey: ws
+    port: 3030
+    config: true
+    mounts: [logs]
+  - name: static
+    image: onelab-static
+    replicas: 1
+    port: 80
+    config: false
+    mounts: []
+  - name: main
+    image: onelab-main
+    replicas: 1
+    port: 80
+    config: false
+    mounts: []
+  - name: designer
+    image: onelab-designer
+    replicas: 1
+    port: 80
+    config: false
+    mounts: []
+  - name: runner
+    image: onelab-runner
+    replicas: 1
+    port: 80
+    config: false
+    mounts: []
+  - name: website
+    image: onelab-website
+    replicas: 1
+    port: 4000
+    config: false
+    mounts: []
+    website: true