up

deploy/helm/stellaops/values-console.yaml

@@ -0,0 +1,84 @@
+# Console (Angular SPA) values overlay
+# Use: helm install stellaops . -f values-console.yaml
+
+console:
+  enabled: true
+  image: registry.stella-ops.org/stellaops/console:2025.10.0-edge
+  replicas: 1
+  port: 8080
+
+  # Backend API URL injected via config.json at startup
+  apiBaseUrl: ""
+  # Authority URL for OAuth/OIDC
+  authorityUrl: ""
+  # Tenant header name
+  tenantHeader: "X-StellaOps-Tenant"
+
+  # Resource limits (nginx is lightweight)
+  resources:
+    limits:
+      cpu: "200m"
+      memory: "128Mi"
+    requests:
+      cpu: "50m"
+      memory: "64Mi"
+
+  # Service configuration
+  service:
+    type: ClusterIP
+    port: 80
+    targetPort: 8080
+
+  # Ingress configuration (enable for external access)
+  ingress:
+    enabled: false
+    className: nginx
+    annotations:
+      nginx.ingress.kubernetes.io/proxy-body-size: "10m"
+    hosts:
+      - host: console.local
+        paths:
+          - path: /
+            pathType: Prefix
+    tls: []
+
+  # Health probes
+  livenessProbe:
+    httpGet:
+      path: /
+      port: 8080
+    initialDelaySeconds: 10
+    periodSeconds: 30
+  readinessProbe:
+    httpGet:
+      path: /
+      port: 8080
+    initialDelaySeconds: 5
+    periodSeconds: 10
+
+  # Pod security context (non-root per DOCKER-44-001)
+  securityContext:
+    runAsNonRoot: true
+    runAsUser: 101
+    runAsGroup: 101
+    fsGroup: 101
+
+  # Container security context
+  containerSecurityContext:
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    capabilities:
+      drop:
+        - ALL
+
+  # Volume mounts for nginx temp directories (RO rootfs)
+  volumeMounts:
+    - name: nginx-cache
+      mountPath: /var/cache/nginx
+    - name: nginx-run
+      mountPath: /var/run
+  volumes:
+    - name: nginx-cache
+      emptyDir: {}
+    - name: nginx-run
+      emptyDir: {}