fix: optimize Helm chart for landing page

- Remove duplicate application-credentials.yaml template
- Fix Reflex environment: production -> prod, staging -> dev
- Switch from Nginx to Traefik ingress controller
- Optimize resources for simple landing page (1 replica, minimal CPU/RAM)
- Disable autoscaling and PDB for landing page
- Add registry credentials for hub.peikarband.ir
- Clean up secrets configuration

helm/peikarband/templates/application-credentials.yaml

@@ -1,14 +0,0 @@
-{{- if .Values.appSecrets.enabled }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Values.appSecrets.name }}
-  labels:
-    {{- include "peikarband.labels" . | nindent 4 }}
-type: Opaque
-stringData:
-  db-username: {{ .Values.appSecrets.dbUsername | quote }}
-  db-password: {{ .Values.appSecrets.dbPassword | quote }}
-  redis-password: {{ .Values.appSecrets.redisPassword | quote }}
-{{- end }}
-

helm/peikarband/values-production.yaml

@@ -11,19 +11,19 @@ registrySecret:
   enabled: true
   name: hub-registry-secret
   server: hub.peikarband.ir
-  username: "admin"  # Set via ArgoCD UI: Parameters → registrySecret.username
+  username: "admin"
-  password: "5459ed7590d37656410fae38bdf59eb7ee33b68cd4c"  # Set via ArgoCD UI: Parameters → registrySecret.password
+  password: "5459ed7590d37656410fae38bdf59eb7ee33b68cd4c"
 
 imagePullSecrets:
   - name: hub-registry-secret
 
 # Auto-create application secrets (database, redis, etc)
 appSecrets:
-  enabled: true
+  enabled: false  # Set to true if you need database/redis
   name: peikarband-prod-secrets
-  dbUsername: "REPLACE_ME"  # Set via ArgoCD UI: Parameters → appSecrets.dbUsername
+  dbUsername: ""
-  dbPassword: "REPLACE_ME"  # Set via ArgoCD UI: Parameters → appSecrets.dbPassword
+  dbPassword: ""
-  redisPassword: "REPLACE_ME"  # Set via ArgoCD UI: Parameters → appSecrets.redisPassword
+  redisPassword: ""
 
 # Reflex configuration for production
 reflex:
@@ -36,28 +36,28 @@ podAnnotations:
 
 resources:
   limits:
-    cpu: 500m
-    memory: 1Gi
-  requests:
     cpu: 200m
     memory: 256Mi
+  requests:
+    cpu: 50m
+    memory: 128Mi
 
 autoscaling:
   enabled: false
-  minReplicas: 3
+  minReplicas: 1
-  maxReplicas: 20
+  maxReplicas: 5
-  targetCPUUtilizationPercentage: 60
+  targetCPUUtilizationPercentage: 70
-  targetMemoryUtilizationPercentage: 70
+  targetMemoryUtilizationPercentage: 80
 
 ingress:
   enabled: true
-  className: "nginx"
+  className: "traefik"
   annotations:
     cert-manager.io/cluster-issuer: "letsencrypt-prod"
-    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
-    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    traefik.ingress.kubernetes.io/router.tls: "true"
-    nginx.ingress.kubernetes.io/rate-limit: "100"
+    # Rate limiting and body size should be configured via Traefik Middleware
-    nginx.ingress.kubernetes.io/proxy-body-size: "10m"
+    # Example: traefik.ingress.kubernetes.io/router.middlewares: default-ratelimit@kubernetescrd
   hosts:
     - host: peikarband.ir
       paths:
@@ -99,11 +99,11 @@ configMap:
   data:
     APP_NAME: "peikarband"
     LOG_LEVEL: "warning"
-    ENVIRONMENT: "production"
+    ENVIRONMENT: "prod"
 
 podDisruptionBudget:
-  enabled: true
+  enabled: false
-  minAvailable: 2
+  minAvailable: 1
 
 networkPolicy:
   enabled: true

helm/peikarband/values-staging.yaml

@@ -22,10 +22,11 @@ autoscaling:
 
 ingress:
   enabled: true
-  className: "nginx"
+  className: "traefik"
   annotations:
     cert-manager.io/cluster-issuer: "letsencrypt-staging"
-    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
+    traefik.ingress.kubernetes.io/router.tls: "true"
   hosts:
     - host: staging.peikarband.ir
       paths:
@@ -53,7 +54,7 @@ configMap:
   data:
     APP_NAME: "peikarband-staging"
     LOG_LEVEL: "debug"
-    ENVIRONMENT: "staging"
+    ENVIRONMENT: "dev"
 
 podDisruptionBudget:
   enabled: false

helm/peikarband/values.yaml

@@ -15,8 +15,8 @@ registrySecret:
   enabled: false  # Set to true in production values
   name: hub-registry-secret
   server: hub.peikarband.ir
-  username: "admin"  # Set via ArgoCD values or --set
+  username: ""  # MUST be set via ArgoCD values or --set (DO NOT commit passwords)
-  password: "5459ed7590d37656410fae38bdf59eb7ee33b68cd4c"  # Set via ArgoCD values or --set
+  password: ""  # MUST be set via ArgoCD values or --set (DO NOT commit passwords)
 
 # Application secrets (database, redis, etc)
 appSecrets:
@@ -62,11 +62,11 @@ service:
 
 ingress:
   enabled: true
-  className: "nginx"
+  className: "traefik"
   annotations:
     cert-manager.io/cluster-issuer: "letsencrypt-prod"
-    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
-    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    traefik.ingress.kubernetes.io/router.tls: "true"
   hosts:
     - host: peikarband.ir
       paths:
@@ -134,7 +134,7 @@ readinessProbe:
 
 env:
   - name: REFLEX_ENV
-    value: "production"
+    value: "prod"
   - name: PYTHONUNBUFFERED
     value: "1"
 
@@ -148,7 +148,7 @@ configMap:
   data:
     APP_NAME: "peikarband"
     LOG_LEVEL: "info"
-    ENVIRONMENT: "production"
+    ENVIRONMENT: "prod"
 
 secretRef:
   name: "peikarband-secrets"