microservice-helm/values-secrets.yaml

# Helm Values for Secret and ConfigMap Management
# Kubernetes Secret 和 ConfigMap 管理的 Helm Values 示例

# 全局配置
global:
  # 命名空间
  namespace: production
  
  # 是否启用 Secret 管理
  enableSecretManagement: true
  
  # 是否启用 ConfigMap 管理
  enableConfigMapManagement: true
  
  # Secret 加密配置
  secretEncryption:
    enabled: true
    algorithm: "aes-256-cbc"
  
  # 安全策略
  securityPolicy:
    # Secret 访问日志记录
    auditSecretAccess: true
    
    # Secret 轮换周期（天）
    secretRotationDays: 90
    
    # 是否启用 Pod Security Policy
    podSecurityPolicy: true

# Secret 配置
secrets:
  # 数据库 Secret（所有数据库服务共用）
  database:
    name: database-credentials
    type: Opaque
    data:
      # 从环境变量或 Vault 获取
      db-username: "${DB_USERNAME}"
      db-password: "${DB_PASSWORD}"
      db-host: "mysql-master.internal"
      db-port: "3306"
  
  # WeChat API Secret
  wechat:
    name: wechat-api-credentials
    type: Opaque
    data:
      payment-app-id: "${WECHAT_PAYMENT_APP_ID}"
      payment-app-secret: "${WECHAT_PAYMENT_APP_SECRET}"
      platform-app-id: "${WECHAT_PLATFORM_APP_ID}"
      platform-app-secret: "${WECHAT_PLATFORM_APP_SECRET}"
  
  # API Keys
  apiKeys:
    name: api-keys-secret
    type: Opaque
    data:
      import-secret-key: "${IMPORT_SECRET_KEY}"
      oss-secret-key: "${OSS_SECRET_KEY}"

# ConfigMap 配置
configMaps:
  # 服务通用配置
  common:
    name: app-common-config
    data:
      log.level: "INFO"
      app.timezone: "Asia/Shanghai"
      app.encoding: "UTF-8"
  
  # 数据库连接池配置
  databasePool:
    name: database-pool-config
    data:
      hikari.maximum-pool-size: "20"
      hikari.minimum-idle: "5"
      hikari.connection-timeout: "30000"
      hikari.idle-timeout: "600000"
      hikari.max-lifetime: "1800000"

# 服务特定配置（示例）
services:
  shop-recycle-payment-web:
    replicas: 3
    resources:
      requests:
        memory: "512Mi"
        cpu: "250m"
      limits:
        memory: "1Gi"
        cpu: "500m"
    
    # Secret 引用
    secrets:
      - name: shop-recycle-payment-web-secret
        keyMapping:
          - key: database-password
            env: SPRING_DATASOURCE_PASSWORD
          - key: wechat-app-id
            env: SPRING_WECHAT_APP_ID
    
    # ConfigMap 引用
    configMaps:
      - name: shop-recycle-payment-web-configmap
        env: SPRING_CONFIG_NAME
  
  shop-recycle-merchant-wechat-web:
    replicas: 2
    resources:
      requests:
        memory: "256Mi"
        cpu: "200m"
      limits:
        memory: "512Mi"
        cpu: "400m"
    
    secrets:
      - name: shop-recycle-merchant-wechat-web-secret
        keyMapping:
          - key: database-password
            env: SPRING_DATASOURCE_PASSWORD
          - key: wechat-app-secret
            env: SPRING_WECHAT_APP_SECRET

# RBAC 配置
rbac:
  enabled: true
  
  # Secret 阅读角色
  secretReaderRole:
    name: secret-reader
    rules:
      - apiGroups: [""]
        resources: ["secrets"]
        verbs: ["get", "list"]
  
  # ConfigMap 阅读角色
  configMapReaderRole:
    name: configmap-reader
    rules:
      - apiGroups: [""]
        resources: ["configmaps"]
        verbs: ["get", "list", "watch"]

# 监控和日志
monitoring:
  # Prometheus 指标
  prometheusMetrics:
    enabled: true
    port: 8080
    path: /metrics
  
  # 审计日志
  auditLog:
    enabled: true
    level: "DEBUG"
    secretAudit: true

# 备份和恢复
backup:
  # 启用 Secret 备份
  enabled: true
  
  # 备份频率
  schedule: "0 2 * * *"  # 每天凌晨 2 点
  
  # 备份位置
  location: "/backup/k8s-secrets"
  
  # 备份加密
  encryption: true
  
  # 保留天数
  retentionDays: 30

# 部署策略
deployment:
  # 灰度发布
  canary:
    enabled: true
    initialPercentage: 5
    incrementPercentage: 10
  
  # 金丝雀检查
  canaryChecks:
    - name: "health-check"
      interval: 30
      failureThreshold: 3
    - name: "secret-access-check"
      interval: 60
      failureThreshold: 1