
payouts Helm Chart

Helm chart for deploying the payouts service to Kubernetes.

Prerequisites

  • Kubernetes 1.21+
  • Helm 3.2+

Installing the Chart

helm install payouts ./helm

To install into a specific namespace:

helm install payouts ./helm --namespace payouts --create-namespace

Uninstalling the Chart

helm uninstall payouts

Configuration

All parameters are set via values.yaml or --set flags.

Image

| Parameter | Description | Default |
| --- | --- | --- |
| image.repository | Container image repository | payouts |
| image.tag | Container image tag | latest |
| image.pullPolicy | Image pull policy | IfNotPresent |

Service

| Parameter | Description | Default |
| --- | --- | --- |
| service.type | Kubernetes service type | ClusterIP |
| service.port | Service port | 8080 |

Ingress

| Parameter | Description | Default |
| --- | --- | --- |
| ingress.enabled | Enable ingress | false |
| ingress.className | IngressClass name | "" |
| ingress.annotations | Ingress annotations | {} |
| ingress.host | Ingress hostname | payouts.example.com |
| ingress.path | Ingress path | / |
| ingress.pathType | Ingress path type | Prefix |
| ingress.tls | TLS configuration | [] |

TLS (application-level)

When config.Server.Tls.Enabled is true the chart mounts a TLS secret as files into the pod at the paths defined by config.Server.Tls.CertFile and config.Server.Tls.KeyFile.

Two modes are supported:

Option A — use an existing secret (type kubernetes.io/tls):

config:
  Server:
    Tls:
      Enabled: true
tls:
  existingSecret: "my-tls-secret"

Option B — let the chart create the secret (supply PEM values, do not commit to VCS):

config:
  Server:
    Tls:
      Enabled: true
tls:
  cert: |
    -----BEGIN CERTIFICATE-----
    ...
  key: |
    -----BEGIN PRIVATE KEY-----
    ...

| Parameter | Description | Default |
| --- | --- | --- |
| config.Server.Tls.Enabled | Enable TLS on the HTTP server | false |
| config.Server.Tls.CertFile | Path to the certificate file inside the pod | /etc/payouts/tls/tls.crt |
| config.Server.Tls.KeyFile | Path to the private key file inside the pod | /etc/payouts/tls/tls.key |
| tls.existingSecret | Name of an existing kubernetes.io/tls secret to use | "" |
| tls.cert | PEM-encoded certificate (used when existingSecret is empty) | "" |
| tls.key | PEM-encoded private key (used when existingSecret is empty) | "" |

When TLS is enabled, either tls.existingSecret or both tls.cert and tls.key must be provided — the chart will fail with a descriptive error otherwise.

Application Config

Non-secret application parameters are stored in a ConfigMap and mounted as /etc/payouts/config.yaml inside the pod. The path is passed to the application via the CONFIG_PATH environment variable.

All keys preserve the exact casing from config/payouts.properties.

| Parameter | Description | Default |
| --- | --- | --- |
| config.Server.Port | HTTP listen address | :8080 |
| config.Server.WriteTimeout | HTTP write timeout | 35s |
| config.Server.ReadTimeout | HTTP read timeout | 35s |
| config.Server.EnablePProfEndpoints | Expose pprof endpoints | false |
| config.Socket.MaxHttpBufferSize | Max HTTP buffer size for socket | 2097152 |
| config.Socket.PingInterval | Socket ping interval | 25s |
| config.Socket.PingTimeout | Socket ping timeout | 20s |
| config.Socket.Debug | Enable socket debug logging | false |
| config.Metrics.Endpoint | Prometheus metrics endpoint | /metrics |
| config.Metrics.HistogramBuckets | Global histogram buckets | 0.001,...,10 |
| config.Metrics.Http.HistogramEnabled | Enable HTTP latency histogram | true |
| config.Metrics.Http.Buckets | HTTP histogram buckets | 0.001,...,10 |
| config.Log.Level | Log level | DEBUG |
| config.Log.FilePath | Log file path | ./logs/payouts.log |
| config.Log.TextOutput | Use plain-text log format | false |
| config.Log.StdoutEnabled | Log to stdout | true |
| config.Log.FileEnabled | Log to file | false |
| config.Database.Type | Database type (sqlite or postgres) | "" |
| config.Database.LogLevel | Database query log level | Info |
| config.Database.TraceRequests | Trace all DB requests | false |
| config.Cache.TTL | Session cache TTL | 24h |
| config.YooKassa.BaseUrl | YooKassa API base URL | https://api.yookassa.ru/v3 |
| config.YooKassa.Timeout | YooKassa request timeout | 2s |
| config.YooKassa.Retry.Enabled | Enable request retries | false |
| config.YooKassa.Retry.Count | Retry count (incl. initial) | 3 |
| config.YooKassa.Retry.WaitTime | Wait time between retries | 200ms |
| config.YooKassa.Retry.MaxWaitTime | Max wait time (exponential backoff) | 5s |
| config.YooKassa.Test | Enable YooKassa test mode | false |
| config.YooKassa.CheckAllowedCallbackAddress | Validate callback source IP | true |
| config.YooKassa.AllowedCallbackSubnets | Allowed callback CIDR list | YooKassa subnets |
| config.YooKassa.CallbackProcessTimeout | Timeout to process callback | 1s |

Secrets

Secret values are stored in a Kubernetes Secret and injected as environment variables. Each variable name is the uppercased property key with . replaced by _.

These values are empty by default and must be supplied before deploying to production.

| Env variable | Original property |
| --- | --- |
| DATABASE_CONNECTION | Database.Connection |
| YOOKASSA_APIBASEKEY | YooKassa.ApiBaseKey |
| YOOKASSA_APIBASESECRET | YooKassa.ApiBaseSecret |
| YOOKASSA_APIPAYMENTKEY | YooKassa.ApiPaymentKey |
| YOOKASSA_APIPAYMENTSECRET | YooKassa.ApiPaymentSecret |

Provide secrets at install/upgrade time:

helm install payouts ./helm \
  --set secrets.DATABASE_CONNECTION="host=127.0.0.1 user=app password=s3cr3t dbname=payouts port=5432 sslmode=disable" \
  --set secrets.YOOKASSA_APIBASEKEY="<key>" \
  --set secrets.YOOKASSA_APIBASESECRET="<secret>" \
  --set secrets.YOOKASSA_APIPAYMENTKEY="<key>" \
  --set secrets.YOOKASSA_APIPAYMENTSECRET="<secret>"

Or keep them in a separate values file that is not committed to version control:

helm install payouts ./helm -f secrets.values.yaml

Example secrets.values.yaml:

secrets:
  DATABASE_CONNECTION: "host=127.0.0.1 user=app password=s3cr3t dbname=payouts port=5432 sslmode=disable"
  YOOKASSA_APIBASEKEY: "<key>"
  YOOKASSA_APIBASESECRET: "<secret>"
  YOOKASSA_APIPAYMENTKEY: "<key>"
  YOOKASSA_APIPAYMENTSECRET: "<secret>"
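
A preflight check for the values-file approach above, which keeps credentials out of shell history and the process list where --set arguments would appear. This is an added example, not part of the chart: the function names are hypothetical, and it assumes the flat `secrets:` layout shown above with double-quoted values.

```shell
#!/bin/sh
# Added example: preflight check for a secrets values file before `helm install -f`.
# The key list mirrors the env-variable table above; both function names are
# hypothetical helpers, not part of the chart.
REQUIRED_SECRETS="DATABASE_CONNECTION YOOKASSA_APIBASEKEY YOOKASSA_APIBASESECRET
YOOKASSA_APIPAYMENTKEY YOOKASSA_APIPAYMENTSECRET"

# Print the value of key $2 from the top-level `secrets:` mapping of file $1.
secret_value() {
  awk -v key="$2" '
    /^secrets:[ \t]*$/ { in_block = 1; next }  # enter the secrets mapping
    /^[^ \t#]/         { in_block = 0 }        # another top-level key ends it
    in_block && $1 == (key ":") {
      sub(/^[ \t]*[^:]+:[ \t]*/, "")           # drop the key and the colon
      gsub(/^"|"[ \t]*$/, "")                  # drop surrounding double quotes
      print; exit
    }' "$1"
}

# Return 0 when the file is fit to pass to `helm install -f`; otherwise print
# one finding per line and return 1. Secret values themselves are never printed.
check_secrets_file() {
  file=$1 rc=0
  [ -f "$file" ] || { echo "missing file: $file"; return 1; }
  # The file holds credentials: group and other must have no access (e.g. 0600).
  perms=$(ls -ld -- "$file" | cut -c5-10)
  [ "$perms" = "------" ] || { echo "permissions too open: $file"; rc=1; }
  for key in $REQUIRED_SECRETS; do
    value=$(secret_value "$file" "$key")
    case $value in
      "")      echo "empty or missing: $key"; rc=1 ;;
      "<"*">") echo "placeholder left in: $key"; rc=1 ;;
    esac
  done
  # Only meaningful inside a git work tree; skipped when git is unavailable.
  if command -v git >/dev/null 2>&1 &&
     git -C "$(dirname "$file")" ls-files --error-unmatch -- \
       "$(basename "$file")" >/dev/null 2>&1; then
    echo "tracked by git: $file"; rc=1
  fi
  return $rc
}

# Usage:
#   check_secrets_file secrets.values.yaml &&
#     helm install payouts ./helm -f secrets.values.yaml
```

Run against the example secrets.values.yaml exactly as printed above, the check reports the four `<key>`/`<secret>` placeholders and stops the install.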

Ingress example

ingress:
  enabled: true
  className: nginx
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  host: payouts.example.com
  tls:
    - secretName: payouts-tls
      hosts:
        - payouts.example.com