Environment-specific configuration values for the service deployment across all environments and flavors.
This repository contains ONLY environment-specific Helm values. It does NOT contain:
- Helm chart templates (see the helm-charts-paved-road repository)
- ArgoCD/Kargo GitOps configuration (see the gitops-platform repository)
environments/
├── dev/
│   ├── dev.yaml       # Default dev environment
│   └── devprod.yaml   # Shadow production (follows prod)
├── lab/
│   ├── qa1.yaml       # QA environment 1
│   ├── qa2.yaml       # QA environment 2
│   ├── qa3.yaml       # QA environment 3
│   └── qaprod.yaml    # Shadow production (follows prod)
└── prod/
    ├── preview.yaml   # Pre-production (deploys before prod)
    ├── prod.yaml      # Production default
    ├── pp1.yaml       # Production variant 1
    ├── apptest1.yaml  # Application testing 1
    └── apptest2.yaml  # Application testing 2

- dev: Default development environment with auto-sync enabled
- devprod: Shadow production - mirrors production configuration for testing
- qa1-qa3: Three QA environments for parallel testing
- qaprod: Shadow production - mirrors production configuration
- preview: Pre-production validation (sync wave 0 - deploys first)
- prod: Production default (sync wave 1 - deploys after preview)
- pp1: Production variant for A/B testing
- apptest1-apptest2: Application-level testing in production
Kargo watches the container registry for new images and automatically updates the image.tag field:
# Before Kargo promotion
image:
  tag: ""
# After Kargo promotion
image:
  tag: "sha-abc123" # or "v1.2.3"

Important: Do NOT manually edit image.tag - Kargo manages this field.
ArgoCD ApplicationSet references this repository for environment-specific configuration:
sources:
  - chart: paved-road-service
    repoURL: oci://registry.cloudwalkersinc.com/helm-charts
    targetRevision: 0.1.0
    helm:
      valueFiles:
        - $values/environments/prod/prod.yaml # References this repo
  - repoURL: https://github.com/cloudwalkersinc/paved-road-service-config.git
    targetRevision: main
    ref: values

# Example: development values (paved-road-dev.cloudwalkersinc.com)
replicaCount: 1
image:
  repository: cloudwalkersinc/paved-road-service
  tag: "" # Kargo fills this
resources:
  requests:
    cpu: 100m
    memory: 128Mi
  limits:
    cpu: 500m
    memory: 512Mi
autoscaling:
  enabled: false
ingress:
  enabled: true
  className: nginx
  hosts:
    - host: paved-road-dev.cloudwalkersinc.com

# Example: production values (paved-road.cloudwalkersinc.com)
replicaCount: 3
image:
  repository: cloudwalkersinc/paved-road-service
  tag: "" # Kargo fills this
resources:
  requests:
    cpu: 500m
    memory: 512Mi
  limits:
    cpu: 2000m
    memory: 2Gi
autoscaling:
  enabled: true
  minReplicas: 3
  maxReplicas: 10
  targetCPUUtilizationPercentage: 70
ingress:
  enabled: true
  className: nginx
  hosts:
    - host: paved-road.cloudwalkersinc.com
  tls:
    - secretName: paved-road-tls
      hosts:
        - paved-road.cloudwalkersinc.com

- Edit environment values:
  git checkout -b config/update-resources
  vim environments/prod/prod.yaml
- Commit and push:
  git add environments/prod/prod.yaml
  git commit -m "Increase production memory limits"
  git push origin config/update-resources
- Create Pull Request for review
- Merge to main - ArgoCD auto-syncs changes

- New image pushed to container registry
- Kargo Warehouse detects new version
- Kargo updates image.tag in dev.yaml
- Kargo commits to this repository
- ArgoCD syncs and deploys to dev environment
- Manual promotion (or auto) to QA → preview → prod
- Override resource requests/limits per environment
- Configure environment-specific ingress hosts
- Set replica counts appropriate for environment
- Use ConfigMaps/Secrets for environment variables
- Include pod annotations for monitoring/logging
- Don't manually edit image.tag (Kargo manages this)
- Don't commit secrets in plain text (use SealedSecrets or ExternalSecrets)
- Don't create feature branches for image tag updates (Kargo writes to main)
- Don't duplicate values across environments (use defaults in chart)
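
A pre-merge check for the two DON'T rules on image.tag and plain-text secrets, as an added example (not part of this repository or of Kargo). The `kargo-bot` author name comes from the git log filter on this page; the credential patterns, the sample values and the function names are assumptions, and the small parser handles only simple block-style YAML.

```python
import re

KARGO_AUTHOR = "kargo-bot"  # author name taken from the page's git log filter
# Assumption: key names and value shapes that indicate a credential; tune per chart.
SECRET_KEY = re.compile(r"(password|passwd|secret|token|api[_-]?key|database_url)$", re.I)
SECRET_VALUE = re.compile(r"://[^/\s:@]+:[^/\s@]+@")  # URL with inline user:password


def flatten(text):
    """Flatten simple block-style YAML into (dotted.path, scalar) pairs."""
    pairs, stack = [], []  # stack: (indent, key) of enclosing mappings
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()  # drop trailing comments
        body = line.lstrip()
        if not body or body.startswith("#"):
            continue
        indent = len(line) - len(body)
        if body.startswith("- "):  # list item: its keys sit two columns deeper
            indent, body = indent + 2, body[2:].lstrip()
        key, sep, value = body.partition(":")
        if not sep:
            continue  # bare scalar list item, nothing to key on
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            pairs.append((path, value.strip().strip("\"'")))
        else:
            stack.append((indent, key.strip()))
    return pairs


def check_change(author, base_text, head_text):
    """Return policy violations for one values file changed by `author`."""
    base, head = flatten(base_text), flatten(head_text)
    problems = []
    if author != KARGO_AUTHOR and dict(base).get("image.tag") != dict(head).get("image.tag"):
        problems.append(f"image.tag changed by {author}; only {KARGO_AUTHOR} may set it")
    for path, value in head:
        leaf = path.rsplit(".", 1)[-1]
        if value and (SECRET_KEY.search(leaf) or SECRET_VALUE.search(value)):
            problems.append(f"plaintext credential at {path}; use a SealedSecret or ExternalSecret")
    return problems


# Constructed sample values files (not from the repository).
BASE = 'image:\n  repository: cloudwalkersinc/paved-road-service\n  tag: ""  # Kargo fills this\n'
PROMOTED = BASE.replace('tag: ""', 'tag: "sha-abc123"')
LEAKY = BASE + 'env:\n  DATABASE_URL: "postgres://app:example-pw@db.internal/app"\n'
```

Git author strings are self-asserted, so in CI pass the authenticated pusher identity as `author` rather than the commit's author field.
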
This repository should NOT contain secrets. Use one of these patterns:
# Reference sealed secret
envFrom:
  - secretRef:
      name: paved-road-secrets-sealed

Create sealed secret separately:
kubeseal -f secret.yaml -w sealed-secret.yaml
kubectl apply -f sealed-secret.yaml

# Reference external secret
envFrom:
  - secretRef:
      name: paved-road-secrets

Create ExternalSecret in cluster:
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: paved-road-secrets
spec:
  secretStoreRef:
    name: aws-secrets-manager
  target:
    name: paved-road-secrets
  data:
    - secretKey: DATABASE_URL
      remoteRef:
        key: paved-road/database-url

This repository requires Kargo bot write access via SSH deploy key:
# Generate SSH key
ssh-keygen -t ed25519 -C "kargo-bot@cloudwalkersinc.com" -f kargo-deploy-key
# Add public key to GitHub repository deploy keys (with write access)
# Add private key to Kargo as secret
kubectl create secret generic kargo-git-credentials \
  --namespace kargo-project-paved-road-service \
  --from-file=sshPrivateKey=kargo-deploy-key

Main Branch Only - Kargo commits directly to main.
- ✅ DO use feature branches for manual configuration changes
- ❌ DON'T use feature branches for image tag updates (Kargo writes to main)
- ✅ DO require PR reviews for human changes
- ❌ DON'T block Kargo commits (configure branch protection carefully)
Branch: main
- Require pull request reviews: ✅ (for human commits)
- Allow specific actors to bypass: ✅ kargo-bot
- Require status checks: ✅ (optional)
- Require signed commits: ❌ (Kargo may not support)
Track Kargo commits vs human commits:
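# Show recent commits
git log --oneline
# Filter Kargo commits
git log --author="kargo-bot"
# Filter human commits (--invert-grep only inverts --grep patterns, not --author,
# so exclude the author with a negative lookahead; needs Git built with PCRE)
git log --perl-regexp --author='^((?!kargo-bot).*)$'

- Helm Chart: https://github.com/cloudwalkersinc/helm-charts-paved-road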
- GitOps Platform: https://github.com/cloudwalkersinc/gitops-platform
- Container Registry: registry.cloudwalkersinc.com/cloudwalkersinc/paved-road-service
For configuration issues:
- Check ArgoCD Application status
- Verify Helm values syntax with helm template
- Review Kargo stage logs for image tag updates
- Ensure config changes are synced by ArgoCD