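# Modes CICD & Enterprise Defaults
# Default configurations for CICD and Enterprise deployment modes.
#
# Exports two deployment-mode records:
#   - `cicd_mode`       : every service is reached remotely, auth is a mounted
#                         short-lived JWT, the control center is disabled.
#   - `enterprise_mode` : services run in-cluster (k8s), auth/workspace/security/
#                         limits come from the shared base defaults.
#
# Review notes (security):
#   - Enterprise k8s images are all referenced by the mutable `:latest` tag; for a
#     production rollout pin them to a version or digest so deployments are
#     reproducible and auditable.
#   - The enterprise gitea image is an unqualified public image, unlike the
#     in-house images pulled from harbor.enterprise.local.
#   - The CICD coredns remote carries no transport-security fields; DNS to
#     dns.cicd.local is plain UDP/TCP 53 as configured here.
let base_defaults = import "../base/defaults.ncl" in
{
  cicd_mode = {
    mode_name = 'cicd,
    description = "CI/CD pipeline automated execution",

    authentication = {
      auth_type = 'token,
      token_config = {
        # Path where the pipeline runtime mounts the credential.
        token_path = "/var/run/secrets/provisioning/token",
        token_format = 'jwt,
        # One-hour, non-refreshing token: a stage running longer than this
        # loses its credential rather than silently extending it.
        expiry_seconds = 3600,
        refresh_enabled = false,
      },
      ssh_key_storage = 'kms,
    },

    services = {
      orchestrator = {
        deployment = 'remote,
        remote_config = {
          endpoint = "orchestrator.cicd.local",
          port = 8080,
          tls_enabled = true,
          verify_ssl = true,
          timeout = 60,
          retries = 5,
        },
      },

      # No interactive console in automated pipelines.
      control_center = {
        deployment = 'disabled,
      },

      coredns = {
        deployment = 'remote,
        remote_config = {
          endpoint = "dns.cicd.local",
          # Plain DNS; no tls_enabled/verify_ssl is set for this service, unlike
          # the other remotes in this mode.
          port = 53,
        },
      },

      gitea = {
        deployment = 'remote,
        remote_config = {
          endpoint = "git.cicd.local",
          port = 443,
          tls_enabled = true,
          # Set explicitly, mirroring orchestrator.remote_config above, so that
          # certificate verification does not depend on a schema default.
          verify_ssl = true,
        },
      },

      oci_registry = {
        deployment = 'remote,
        type = 'harbor,
        endpoint = "registry.cicd.local",
        tls_enabled = true,
        auth_required = true,
        remote = {
          timeout = 60,
          retries = 5,
          verify_ssl = true,
        },
        # Per-artifact-class namespaces on the CICD registry.
        namespaces = {
          extensions = "cicd-extensions",
          kcl_packages = "cicd-kcl",
          platform_images = "cicd-platform",
          test_images = "cicd-test",
        },
      },
    },

    extensions = {
      source = 'oci,
      oci_registry = {
        enabled = true,
        endpoint = "registry.cicd.local",
        namespace = "cicd-extensions",
        # Separate mounted credential for registry pulls (distinct from the
        # authentication token above).
        auth_token_path = "/var/run/secrets/provisioning/oci-token",
        tls_enabled = true,
        verify_ssl = true,
        # NOTE(review): cache lives under /tmp; acceptable for an ephemeral
        # runner, confirm the runner does not share /tmp across jobs/tenants.
        cache_dir = "/tmp/provisioning-oci-cache",
      },
    },

    workspaces = {
      # Locking is off because each pipeline identity is capped at one workspace.
      locking = 'disabled,
      git_integration = 'required,
      isolation = 'strict,
      max_workspaces_per_user = 1,
    },

    security = {
      encryption_at_rest = true,
      encryption_in_transit = true,
      secret_provider = {
        provider = "vault",
      },
      dns_modification = 'coredns,
      audit_logging = true,
      audit_log_path = "/var/log/provisioning/cicd-audit.log",
      network_isolation = true,
    },

    resource_limits = {
      max_servers_per_user = 5,
      max_cpu_cores_per_user = 16,
      max_memory_gb_per_user = 64,
      max_storage_gb_per_user = 200,
    },
  },

  enterprise_mode = {
    mode_name = 'enterprise,
    description = "Production enterprise deployment with full security",

    # mTLS settings are defined in ../base/defaults.ncl (not visible here).
    authentication = base_defaults.mtls_auth,

    services = {
      orchestrator = {
        deployment = 'k8s,
        k8s_config = {
          namespace = "provisioning-system",
          deployment_name = "orchestrator",
          service_name = "orchestrator-svc",
          replicas = 3,
          # NOTE(review): mutable ':latest' tag; pin to a version/digest for prod.
          image = "harbor.enterprise.local/provisioning/orchestrator:latest",
          resources = {
            cpu_request = "500m",
            cpu_limit = "2000m",
            memory_request = "1Gi",
            memory_limit = "4Gi",
          },
        },
      },

      control_center = {
        deployment = 'k8s,
        k8s_config = {
          namespace = "provisioning-system",
          deployment_name = "control-center",
          service_name = "control-center-svc",
          replicas = 2,
          # NOTE(review): mutable ':latest' tag; pin to a version/digest for prod.
          image = "harbor.enterprise.local/provisioning/control-center:latest",
        },
      },

      coredns = {
        deployment = 'k8s,
        k8s_config = {
          # These names match the cluster's own system DNS deployment and
          # service; confirm the intent is to manage cluster DNS itself rather
          # than a dedicated provisioning DNS instance.
          namespace = "kube-system",
          deployment_name = "coredns",
          service_name = "kube-dns",
          replicas = 2,
          # NOTE(review): mutable ':latest' tag on a cluster-critical component.
          image = "registry.k8s.io/coredns/coredns:latest",
        },
      },

      gitea = {
        deployment = 'k8s,
        k8s_config = {
          namespace = "provisioning-system",
          deployment_name = "gitea",
          service_name = "gitea-svc",
          replicas = 2,
          # NOTE(review): unqualified public image with a ':latest' tag, while
          # the other in-house images are pulled from harbor.enterprise.local.
          image = "gitea/gitea:latest",
        },
      },

      oci_registry = {
        deployment = 'remote,
        type = 'harbor,
        endpoint = "harbor.enterprise.local",
        tls_enabled = true,
        auth_required = true,
        remote = {
          timeout = 60,
          retries = 5,
          verify_ssl = true,
        },
        namespaces = {
          extensions = "prod-extensions",
          kcl_packages = "prod-kcl",
          platform_images = "prod-platform",
          test_images = "test-images",
        },
      },
    },

    extensions = {
      source = 'oci,
      oci_registry = {
        enabled = true,
        endpoint = "harbor.enterprise.local",
        namespace = "prod-extensions",
        auth_token_path = "/etc/provisioning/tokens/oci",
        tls_enabled = true,
        verify_ssl = true,
        cache_dir = "/var/cache/provisioning/oci",
      },
    },

    # Workspace locking, security posture and quotas are inherited from the
    # shared base defaults rather than restated here.
    workspaces = base_defaults.strict_locking,
    security = base_defaults.strict_security,
    resource_limits = base_defaults.prod_limits,
  },
}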