Introduction

Magicorn’s Helm charts represent a comprehensive solution for deploying containerized applications on Kubernetes. Built through extensive production experience, these charts provide a structured approach that balances flexibility with operational best practices. This documentation covers architecture decisions, implementation patterns, and advanced configuration options for teams deploying business-critical applications.

Architecture Overview

This is a versatile Helm chart designed to deploy generic service applications on private Kubernetes platforms. While it was primarily developed for AWS, integrating seamlessly with AWS Elastic Kubernetes Service and the AWS ALB Ingress Controller, it also supports deployment on Huawei Cloud as well as on-premises or alternative cloud environments.

The deployment section is mandatory when using this Helm chart, as it defines how your application runs on Kubernetes. All other templates such as service, ingress, autoscaling, etc., are optional and can be enabled or disabled via values.yaml depending on your needs.

Configuration Hierarchy

The `values.yaml` file is the heart of the chart’s customization and defines the deployment configuration hierarchy for various components:

├── deployment       / Application containers
├── service          / Network exposure
├── ingress          / External access
├── autoscaling      / Dynamic scaling
├── configmap        / Mount external ConfigMaps
├── prehooks         / Pre‑deployment tasks
├── cronjobs         / Batch processing
├── security         / Access controls
└── pvc              / Persistent storage

Detailed Configuration Guide

 1. Deployment Specifications

destination: aws          # choose AWS | HCP | Azure | Datacenter

deployment:
  image:
    uri: __INSERTURIHERE__
    pullPolicy: IfNotPresent
    imagePullSecrets: []
  env:
    - name: foo
      value: bar
  replicaCount: 1
  resources:
    requests:
      cpu: 250m
      memory: 1Gi
    limits:
      memory: 1Gi
  readiness:
    httpGet:
      port: one
      path: /healthz
    initialDelaySeconds: 15
    periodSeconds: 15
    failureThreshold: 2
    successThreshold: 1
    timeoutSeconds: 5
  liveness:
    httpGet:
      port: one
      path: /healthz
    initialDelaySeconds: 30
    periodSeconds: 15
    failureThreshold: 2
    successThreshold: 1
    timeoutSeconds: 5
  podAnnotations:
    cluster-autoscaler.kubernetes.io/safe-to-evict: 'true'
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  lifecycle:
    preStop:
      exec:
        command: ["/bin/bash", "-c", "sleep 60"]
  deregistrationTime: 60
  failSeconds: 600
  revisionHistory: 25
  nodeSelector: {}
  tolerations: []
  affinity: {}

Key Features:

  • Image & pullPolicy

Use IfNotPresent locally and CI-friendly registries; switch to Always in dev/test if you push images on the same tag. imagePullSecrets lets you reference private‐registry credentials.

  • Environment variables

Define any API keys or feature flags here. If you have many, consider mounting them via ConfigMap or Secret instead.

  • Replica count vs. HPA

replicaCount is your static baseline; once autoscaling.enabled: true, HPA will control pod counts instead.

  • Resource requests/limits

Requests reserve capacity; limits prevent runaway memory use. We omit CPU limits by default to avoid pods being throttled.

  • Health checks

Readiness (/healthz) gates traffic until your app returns 200. Liveness (/healthz) restarts hung pods. We delay probes (~15 s for readiness, 30 s for liveness) to give the app time to boot, and retry a couple of times before declaring failure.

  • Pod annotations

Mark pods “safe to evict” for cluster autoscaler so they can be gracefully removed when scaling down and if one of the deployments are so crucial for you to not move around a lot (at least by cluster autoscaler) mark it safe-to-evict: false.

  • Rolling update

maxSurge: 1 ensures only one extra pod spins up while the old one is terminating, keeping availability at 100%.

  • Lifecycle hooks

preStop: sleep 60 gives any in‑flight requests time to finish before the container SIGTERM arrives.

 2. Service

service:
  enabled: true
  annotations: {}
  type: ClusterIP    # or NodePort | LoadBalancer
  ports:
    one:
      inner: 80
      outer: 80
    two:
      inner: 443
      outer: 443

Type choices

  • ClusterIP (default): internal only.
  • NodePort: exposes a port on each node; good for simple on‑prem load balancers.
  • LoadBalancer: provisions a cloud LB (e.g. AWS NLB/ELB).

Annotations
Usually used for third party ingress controllers, like nginx or HAProxy, etc. When the deployment destination is not datacenter, there usually built-in annotations integrated. You can add more annotations on your choice.

Ports map
Naming ports (onetwo) decouples code changes from service definitions—just point your app at port name one.

 3. Ingress

ingress:
- enabled: true
  annotations: {}
  className: null
  idleTimeout: 60
  scheme: internet-facing
  certificateId: arn:aws:acm:…  
  wafId: null
  sslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
  lbId: externalloadBalancerNameHere
  lbOrder: 100
  hosts:
    - host: hostname.example
      paths:
        - path: /
          pathType: Prefix

Multiple entries
You can define both public and private ingresses by toggling enabled and changing scheme.

Annotations
For AWS ALB: add alb.ingress.kubernetes.io/target-type: ip or cert-manager.io/cluster-issuer here.

LB settings

  • idleTimeout controls how long connections stay open.
  • lbOrder sets rule priority if multiple ingresses overlap.

Certificates
Use ACM ARNs for TLS; if you use cert-manager instead, set certificateId: null and configure annotations.

4. Autoscaling

autoscaling:
  enabled: false
  minReplicas: 2
  maxReplicas: 100
  targetCPUUtilizationPercentage: 40
  behavior:
    scaleUp:
      stabilizationWindowSeconds: 60
      selectPolicy: Max
      policies:
        - type: Pods
          value: 4
          periodSeconds: 60
    scaleDown:
      stabilizationWindowSeconds: 300
      selectPolicy: Min
      policies:
        - type: Percent
          value: 25
          periodSeconds: 60

HPA basics
Enables Kubernetes HorizontalPodAutoscaler; pods spin up when CPU > 40%, back down when below.

Scaling policies

  • scaleUp: at most 4 pods per minute.
  • scaleDown: at most 25% of pods per minute, with a 5‑minute cooldown to avoid flapping.

Metrics
Both CPU and Memory metrics are supported.

5. ConfigMap Mount

configMap:
  enabled: false
  name: configMapName
  fileName: .env.prod
  mountPath: /var/www/html

When to use
Ideal for environment‑specific settings, feature toggles, or secrets (though Secrets are preferred for sensitive data).

mountPath
Files from the ConfigMap appear under the given directory; fileName controls the filename in the pod.

6. Pre‑hooks

prehooks:
  dbMigrations:
    enabled: false
    command: ["/usr/local/bin/python"]
    args: ["manage.py", "migrate", "--noinput"]

  otherPrehooks:
    enabled: false
    command: ["/usr/local/bin/python"]
    args: ["manage.py", "some_action_here"]
  • Order
    dbMigrations always runs first if enabled, then otherPrehooks. It applies any pending Django (or similar) database migrations so your schema is up‑to‑date before new code lands.
  • Failure behavior
    If any hook fails, the deployment will abort, so please use with caution in CI/CD pipelines.

7. CronJobs

cronjobs:
- name: cron1
  enabled: false
  schedule: "* * * * *"
  command: ["/usr/local/bin/php"]
  args: ["artisan", "schedule:run"]
  resources:
    requests:
      cpu: 50m
      memory: 256Mi
    limits:
      memory: 256Mi
  failedJobsHistoryLimit: 3
  successfulJobsHistoryLimit: 5
  concurrencyPolicy: Forbid
  restartPolicy: OnFailure

 ConcurrencyPolicy

  • Forbid: skip new runs if prior job is still active.
  • Allow: let multiple overlap.
  • Replace: kill the old job and start a new one..

History limits

Control how many past jobs are retained for debugging

8. Security

security:
  serviceAccount:
    enabled: false
    annotations: {}
    clusterWideAccess: false
    rules:
      - resources: ["configmaps","events","pods","pods/exec","secrets","services"]
        verbs: ["get","list","watch","create","patch","update","delete"]

  sgPolicy:
    enabled: false
    securityGroupId: sg-0123456789abcdef

  podSecurityContext: {}
  securityContext: {}
  • ServiceAccount & RBAC
    Enable this to grant your pods specific API permissions (e.g. to read Secrets or exec into other pods).
  • AWS Security Groups
    If you use the AWS VPC CNI, you can attach ENIs to pods via SGPolicy—set up the SG externally, then reference it here.
  • Security contexts
    Use podSecurityContext or per‑container securityContext to enforce non‑root, read‑only root filesystem, capabilities drop, etc.

9. PVC

pvc:
  enabled: false
  mountPath: /efs/test
  subPath: test
  size: 100Gi
  accessModes:
    - ReadWriteMany
  storageClass: azurefile-csi
  • Use case
  • Stateful applications that need shared storage (e.g. CMS uploads, batch data processing).

Access Modes

  • ReadWriteOnce: single‑node attach.
  • ReadWriteMany: multi‑attach (Azure Files, EFS).
  • StorageClass

Points to the CSI driver (e.g. azurefile-csi for Azure Files, efs.csi.aws.com for EFS).

Environment-Specific Configuration

Use separate values files to tailor your deployment to each environment (e.g. development, staging, production). For example:

helm upgrade --install \
  --create-namespace \
<service_name> \
  oci://public.ecr.aws/magicorn/charts-deployment \
  -f "<values_path>/<values-name>" \
  -n "<name_space>" \
  --set deployment.image.uri=$(cat "$CODEBUILD_SRC_DIR_BuildArtifact/imagedefinitions.txt") \
  --version "$CHART_VERSION"

For production support inquiries, please contact su*****@******rn.co

Resources: