Base Helm chart for HelpDev microservices with integrated support for:
- Istio Service Mesh (VirtualService, DestinationRule, RequestAuthentication, AuthorizationPolicy)
- KEDA Autoscaling (ScaledObject for event-driven scaling)
- Keycloak Authentication (JWT validation via Istio)
- External Secrets (AWS Secrets Manager integration)
- Observability (ServiceMonitor, metrics, tracing)
- Security (NetworkPolicy, PodSecurityContext, IRSA)
This chart implements the patterns defined in:
- PRD Section 5.2: platform-helm-charts
- PRD Section 5.4: Standard Labels and Annotations
Add the chart as a dependency of your service chart:

```yaml
# Chart.yaml
apiVersion: v2
name: my-service
version: 1.0.0
dependencies:
  - name: service-base
    version: "1.x.x"
    repository: "oci://123456789012.dkr.ecr.us-east-1.amazonaws.com/charts"
```

```yaml
# values.yaml
service-base:
  service:
    name: my-service
    domain: payments
    owner: payments-team
    tier: tier-1
    component: api
  image:
    repository: my-service
    digest: sha256:abc123...
  replicaCount: 3
  resources:
    limits:
      cpu: 1000m
      memory: 1Gi
    requests:
      cpu: 200m
      memory: 512Mi
```

Required values (no default):

| Parameter | Description |
|---|---|
| service.name | Service name (used for all resources) |
| image.repository | Container image repository |

Service metadata:

| Parameter | Default | Description |
|---|---|---|
| service.domain | "" | Business domain (e.g., payments, orders) |
| service.owner | "" | Owning team |
| service.tier | tier-2 | Criticality tier |
| service.component | api | Component type (api, worker, cronjob) |

Image:

| Parameter | Default | Description |
|---|---|---|
| image.repository | "" | Image repository |
| image.digest | "" | Image digest (recommended for production) |
| image.tag | latest | Image tag (fallback if no digest) |
| global.imageRegistry | "" | ECR registry URL |
CPU-based autoscaling (HorizontalPodAutoscaler):

```yaml
autoscaling:
  enabled: true
  minReplicas: 2
  maxReplicas: 10
  targetCPUUtilizationPercentage: 70
```

Event-driven autoscaling (KEDA):

```yaml
keda:
  enabled: true
  minReplicaCount: 0  # Scale to zero!
  maxReplicaCount: 10
  triggers:
    - type: aws-sqs-queue
      metadata:
        queueURL: https://sqs.us-east-1.amazonaws.com/123456789012/my-queue
        queueLength: "5"
        awsRegion: us-east-1
        identityOwner: operator
```

Istio service mesh traffic policy:

```yaml
serviceMesh:
  enabled: true
  timeout: 30s
  retries:
    enabled: true
    attempts: 3
  circuitBreaker:
    enabled: true
```

Keycloak JWT validation and Istio authorization:

```yaml
auth:
  enabled: true
  jwt:
    enabled: true
    issuer: https://auth.helpdev.io/realms/helpdev-services
    audiences:
      - my-service
  authorizationPolicy:
    enabled: true
    rules:
      - from:
          - source:
              principals: ["cluster.local/ns/apps-orders/sa/order-api"]
        to:
          - operation:
              methods: ["POST"]
              paths: ["/payments/*"]
```

External Secrets (AWS Secrets Manager):

```yaml
externalSecrets:
  enabled: true
  secretStoreRef:
    name: aws-secrets-manager
    kind: ClusterSecretStore
  data:
    - secretKey: DATABASE_URL
      remoteRef:
        key: helpdev/prod/us-east-1/payments/my-service/database
        property: url
```

ServiceAccount with IRSA:

```yaml
serviceAccount:
  create: true
  irsaRoleArn: arn:aws:iam::123456789012:role/my-service-role
```

Templates included in the chart:

| Template | Description |
|---|---|
| deployment.yaml | Main deployment with all security contexts |
| service.yaml | Kubernetes Service |
| serviceaccount.yaml | ServiceAccount with IRSA support |
| hpa.yaml | HorizontalPodAutoscaler |
| pdb.yaml | PodDisruptionBudget |
| networkpolicy.yaml | NetworkPolicy for network isolation |
| configmap.yaml | ConfigMap for application configuration |
| _helpers.tpl | Template helper functions |
All resources include standard labels per PRD Section 5.4:

```yaml
labels:
  app.kubernetes.io/name: my-service
  app.kubernetes.io/version: "1.0.0"
  app.kubernetes.io/component: api
  app.kubernetes.io/part-of: payments
  app.kubernetes.io/managed-by: helm
  helpdev.io/environment: prod
  helpdev.io/region: us-east-1
  helpdev.io/tier: tier-1
  helpdev.io/owner: payments-team
```

Services are deployed to namespaces following the pattern: apps-{domain}.

Example: A service with service.domain: payments will be deployed to apps-payments.
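Illustrative helper definitions of the kind the chart's _helpers.tpl would carry, added here as an example and not the chart's own code: the image reference prefers the immutable image.digest over the mutable image.tag, the namespace is derived as apps-{domain}, and the standard labels above are emitted from values. The helper names, the global.environment and global.region value keys, and the use of .Chart.AppVersion for the version label are assumptions not stated on this page.

```gotemplate
{{/*
Container image reference. An immutable digest (image.digest) takes
precedence over a mutable tag so that the image that was reviewed is the
image that runs; image.tag is only a fallback. global.imageRegistry is
prefixed when set.
*/}}
{{- define "service-base.image" -}}
{{- $repo := required "image.repository is required" .Values.image.repository -}}
{{- $registry := .Values.global.imageRegistry | default "" -}}
{{- $ref := ternary (printf "%s/%s" $registry $repo) $repo (ne $registry "") -}}
{{- if .Values.image.digest -}}
{{- printf "%s@%s" $ref .Values.image.digest -}}
{{- else -}}
{{- printf "%s:%s" $ref (.Values.image.tag | default "latest") -}}
{{- end -}}
{{- end -}}

{{/* Target namespace derived from the business domain: apps-{domain}. */}}
{{- define "service-base.namespace" -}}
{{- printf "apps-%s" (required "service.domain is required" .Values.service.domain) -}}
{{- end -}}

{{/*
Standard labels per PRD Section 5.4. global.environment and global.region
are assumed value keys; they are not part of the tables above.
*/}}
{{- define "service-base.labels" -}}
app.kubernetes.io/name: {{ required "service.name is required" .Values.service.name }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
app.kubernetes.io/component: {{ .Values.service.component | default "api" }}
app.kubernetes.io/part-of: {{ .Values.service.domain }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
helpdev.io/environment: {{ .Values.global.environment }}
helpdev.io/region: {{ .Values.global.region }}
helpdev.io/tier: {{ .Values.service.tier | default "tier-2" }}
helpdev.io/owner: {{ .Values.service.owner }}
{{- end -}}

{{/*
Usage from deployment.yaml (assumed layout):
  metadata:
    namespace: {{ include "service-base.namespace" . }}
    labels:
      {{- include "service-base.labels" . | nindent 4 }}
  ...
          image: {{ include "service-base.image" . }}
*/}}
```

With the values.yaml shown earlier, the image helper renders my-service@sha256:abc123... and the namespace helper renders apps-payments; a missing service.name, service.domain or image.repository fails the render instead of producing an unlabeled or unpinned workload.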
| Version | Changes |
|---|---|
| 1.0.0 | Initial release with full feature set |
- Platform Team (platform@helpdev.io)