SocialGouv
diff --git a/‎.kontinuous/Chart.yaml‎
Lines changed: 4 additions & 0 deletions b/‎.kontinuous/Chart.yaml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎.kontinuous/env/dev/templates/valkey.configmap.yaml‎
Lines changed: 6 additions & 0 deletions b/‎.kontinuous/env/dev/templates/valkey.configmap.yaml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎.kontinuous/env/preprod/templates/valkey.configmap.yaml‎
Lines changed: 6 additions & 0 deletions b/‎.kontinuous/env/preprod/templates/valkey.configmap.yaml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎.kontinuous/env/prod/templates/valkey.configmap.yaml‎
Lines changed: 6 additions & 0 deletions b/‎.kontinuous/env/prod/templates/valkey.configmap.yaml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎.kontinuous/env/prod/values.yaml‎
Lines changed: 21 additions & 0 deletions b/‎.kontinuous/env/prod/values.yaml‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎.kontinuous/values.yaml‎
Lines changed: 31 additions & 0 deletions b/‎.kontinuous/values.yaml‎
Lines changed: 31 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 5 additions & 5 deletions b/‎README.md‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎docker-compose.yml‎
Lines changed: 13 additions & 0 deletions b/‎docker-compose.yml‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎packages/app/.env.example‎
Lines changed: 2 additions & 0 deletions b/‎packages/app/.env.example‎
Lines changed: 2 additions & 0 deletions
@@ -0,0 +1,4 @@
+dependencies:
+  - name: valkey
+    repository: https://valkey.io/valkey-helm
+    version: 0.9.4
@@ -0,0 +1,6 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: valkey
+data:
+  VALKEY_URL: "redis://valkey:6379"
@@ -0,0 +1,6 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: valkey
+data:
+  VALKEY_URL: "redis://valkey:6379"
@@ -0,0 +1,6 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: valkey
+data:
+  VALKEY_URL: "redis://valkey:6379"
@@ -16,3 +16,24 @@ app:
     limits:
       cpu: 1
       memory: 2G
+
+valkey:
+  replica:
+    enabled: true
+    # One replica pod per always-on app pod (= app.autoscale.minReplicas below).
+    # valkey-helm deploys 1 primary + N replicas, so this gives 3 total pods,
+    # matching the app HA floor. valkey has no HPA, so we pin to minReplicas
+    # rather than maxReplicas to avoid over-provisioning cache storage.
+    replicas: 2
+    persistence:
+      size: 1Gi
+  podDisruptionBudget:
+    enabled: true
+    maxUnavailable: 1
+  resources:
+    requests:
+      cpu: 100m
+      memory: 256Mi
+    limits:
+      cpu: 1
+      memory: 1Gi
@@ -5,6 +5,7 @@ app:
   ~chart: app
   ~needs:
     - pg
+    - valkey
   imagePackage: app
   probesPath: /api/healthz
   containerPort: 3000
@@ -46,6 +47,9 @@ app:
     - secretRef:
         name: "audit-cleanup"
         optional: true
+    - configMapRef:
+        name: "valkey"
+        optional: true
   env:
     - name: POSTGRES_HOST
       valueFrom:
@@ -84,5 +88,32 @@ app:
 pg:
   ~chart: pg
 
+# Valkey cache. Official valkey-io/valkey-helm chart pulled as a Helm dependency
+# from .kontinuous/Chart.yaml. Values below flow straight through to that chart.
+valkey:
+  # Pin service name so VALKEY_URL (redis://valkey:6379) resolves in every namespace.
+  fullnameOverride: valkey
+  image:
+    tag: "9.0.2"
+  service:
+    type: ClusterIP
+    port: 6379
+  # Dev and preprod run a single-pod standalone deployment — cache loss on
+  # restart is acceptable, and it keeps infra cost minimal. Prod overrides
+  # this to a master/replica topology sized against app.autoscale.
+  replica:
+    enabled: false
+  dataStorage:
+    enabled: false
+  auth:
+    enabled: false
+  resources:
+    requests:
+      cpu: 50m
+      memory: 128Mi
+    limits:
+      cpu: 500m
+      memory: 512Mi
+
 clamav:
   ~chart: clamav
@@ -193,12 +193,12 @@ Implémenté dans `packages/app/src/server/services/suitApiAuth.ts`.
 
 ```bash
 # Première génération
-./scripts/generate-suit-signing-keys.sh generate dev       # → ./suit-signing-keys/dev/
-./scripts/generate-suit-signing-keys.sh generate prod      # → ./suit-signing-keys/prod/
-./scripts/generate-suit-signing-keys.sh generate all       # → les deux
+./packages/app/scripts/generate-suit-signing-keys.sh generate dev       # → ./suit-signing-keys/dev/
+./packages/app/scripts/generate-suit-signing-keys.sh generate prod      # → ./suit-signing-keys/prod/
+./packages/app/scripts/generate-suit-signing-keys.sh generate all       # → les deux
 
 # Rotation (sauvegarde les anciennes clés, génère de nouvelles)
-./scripts/generate-suit-signing-keys.sh renew prod
+./packages/app/scripts/generate-suit-signing-keys.sh renew prod
 ```
 
 `generate` refuse d'écraser des clés existantes. `renew` les sauvegarde dans un dossier `backup-{date}` avant de regénérer.
@@ -237,7 +237,7 @@ Implémenté dans `packages/app/src/server/services/suitApiAuth.ts`.
 
 ### Procédure de rotation
 
-1. `./scripts/generate-suit-signing-keys.sh renew <env>` — génère une nouvelle paire, sauvegarde l'ancienne
+1. `./packages/app/scripts/generate-suit-signing-keys.sh renew <env>` — génère une nouvelle paire, sauvegarde l'ancienne
 2. Mettre à jour le sealed-secret K8s avec la nouvelle clé publique
 3. Déployer EgaPro
 4. Transmettre la nouvelle clé privée à SUIT — ils doivent basculer juste après le déploiement
 
@@ -81,7 +81,20 @@ services:
       retries: 10
       start_period: 300s
 
+  valkey:
+    image: valkey/valkey:8-alpine
+    ports:
+      - 6379:6379
+    volumes:
+      - valkeydata:/data
+    healthcheck:
+      test: ["CMD", "valkey-cli", "ping"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+
 volumes:
   pgdata:
   miniodata:
   clamdata:
+  valkeydata:
@@ -28,3 +28,5 @@ MAIL_ENABLED="true"
 SMTP_HOST="localhost"
 SMTP_PORT="1025"
 MAIL_FROM="no-reply@egapro.local"
+# Valkey cache — optional, app works without it (in-memory fallback)
+VALKEY_URL="redis://localhost:6379"