From c76f3fcc39cf2ef8712a227d485d7e2a979ed10b Mon Sep 17 00:00:00 2001
From: Antonio Cascais
Date: Thu, 16 Apr 2026 07:37:30 +0200
Subject: [PATCH] feat: add prod workspace-service (wave 12)
Last individual app before workbench AppSets. Copies dev config with env=prod and GUACAMOLE_HOSTNAME pointed at hdc.ebrains.eu. Adds secret/workspace to vault-secrets.md.
---
clusters/prod/apps/workspace/Chart.yaml | 7 ++
clusters/prod/apps/workspace/application.yaml | 28 +++++++
.../workspace/templates/external-secret.yaml | 21 ++++++
clusters/prod/apps/workspace/values.yaml | 75 +++++++++++++++++++
docs/vault-secrets.md | 8 ++
5 files changed, 139 insertions(+)
create mode 100644 clusters/prod/apps/workspace/Chart.yaml
create mode 100644 clusters/prod/apps/workspace/application.yaml
create mode 100644 clusters/prod/apps/workspace/templates/external-secret.yaml
create mode 100644 clusters/prod/apps/workspace/values.yaml
diff --git a/clusters/prod/apps/workspace/Chart.yaml b/clusters/prod/apps/workspace/Chart.yaml
new file mode 100644
index 0000000..2d701e2
--- /dev/null
+++ b/clusters/prod/apps/workspace/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v2
+name: workspace
+version: 0.1.0
+dependencies:
+ - name: workspace-service
+ version: "0.2.0"
+ repository: https://pilotdataplatform.github.io/helm-charts/
diff --git a/clusters/prod/apps/workspace/application.yaml b/clusters/prod/apps/workspace/application.yaml
new file mode 100644
index 0000000..cba3ea8
--- /dev/null
+++ b/clusters/prod/apps/workspace/application.yaml
@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: workspace
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "12"
+spec:
+ project: default
+ source:
+ repoURL: https://github.com/PilotDataPlatform/pilot-hdc-platform-gitops.git
+ targetRevision: main
+ path: clusters/prod/apps/workspace
+ helm:
+ valueFiles:
+ - ../../registry.yaml
+ - ../../versions.yaml
+ - values.yaml
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: utility
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
diff --git a/clusters/prod/apps/workspace/templates/external-secret.yaml b/clusters/prod/apps/workspace/templates/external-secret.yaml
new file mode 100644
index 0000000..4be34c2
--- /dev/null
+++ b/clusters/prod/apps/workspace/templates/external-secret.yaml
@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: workspace-credentials
+ namespace: utility
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ target:
+ name: workspace-credentials
+ data:
+ - secretKey: guacamole-username
+ remoteRef:
+ key: secret/data/workspace
+ property: guacamole-username
+ - secretKey: guacamole-password
+ remoteRef:
+ key: secret/data/workspace
+ property: guacamole-password
diff --git a/clusters/prod/apps/workspace/values.yaml b/clusters/prod/apps/workspace/values.yaml
new file mode 100644
index 0000000..a4625d1
--- /dev/null
+++ b/clusters/prod/apps/workspace/values.yaml
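Review bot: In application.yaml, `project: default` places this production Application in Argo CD's built-in project, which, unless it has been tightened elsewhere, accepts any source repository and any destination cluster or namespace. Combined with `targetRevision: main` and `automated` sync with `prune: true` and `selfHeal: true`, every commit that lands on `main` is applied to prod without a further gate, so the protections on that branch are the effective change control. Consider a dedicated AppProject whose `sourceRepos` and `destinations` are limited to this repository and the `utility` namespace, and reference it here as `project: <prod-project-name>` (placeholder name).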
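Review bot: In external-secret.yaml, the remote key `secret/data/workspace` carries no environment qualifier, and the commit message says the config is copied from dev, so if the dev and prod `vault` ClusterSecretStores resolve to the same Vault mount, prod would run with the same Guacamole credentials as dev; this cannot be confirmed from the patch and is worth checking. The docs hunk in this same patch populates `guacamole-username` with `guacadmin`, the name of Guacamole's built-in administrator account, so the service would hold full admin rights. A dedicated Guacamole account limited to what workspace-service needs, with a value unique to prod, would reduce the impact of a leak of `workspace-credentials`. A short comment above `data:` such as `# populate secret/workspace per docs/vault-secrets.md before first sync` would also document the ordering dependency.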
@@ -0,0 +1,75 @@
+workspace-service:
+ image:
+ repository: n47w5524.c1.de1.container-registry.ovh.net/hdc-services-image/workspace
+ pullPolicy: IfNotPresent
+ # chart prepends "workspace-" to tag automatically
+
+ fullnameOverride: workspace
+ replicaCount: 1
+
+ container:
+ port: 5068
+
+ service:
+ type: ClusterIP
+ port: 5068
+ targetPort: 5068
+
+ imagePullSecrets:
+ - name: docker-registry-secret
+
+ appConfig:
+ port: 5068
+ env: prod
+ config_center_enabled: "false"
+ config_center_base_url: "http://common.utility:5062/"
+ srv_namespace: service_workspace
+
+ extraEnv:
+ AUTH_SERVICE: "http://auth.utility:5061"
+ GUACAMOLE_HOSTNAME: "hdc.ebrains.eu"
+ GUACAMOLE_URL_PATH: "/workbench/{container_code}/guacamole"
+
+ extraEnvYaml:
+ - name: GUACAMOLE_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: workspace-credentials
+ key: guacamole-username
+ - name: GUACAMOLE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: workspace-credentials
+ key: guacamole-password
+
+ resources:
+ limits:
+ cpu: "1"
+ memory: 1000Mi
+ requests:
+ cpu: 10m
+ memory: 50Mi
+
+ readinessProbe:
+ failureThreshold: 3
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ tcpSocket:
+ port: 5068
+
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /v1/health
+ port: 5068
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 3
+
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 33%
diff --git a/docs/vault-secrets.md b/docs/vault-secrets.md
index 3fb4332..17c8937 100644
--- a/docs/vault-secrets.md
+++ b/docs/vault-secrets.md
@@ -123,6 +123,14 @@ vault kv put secret/kg-integration \ account-secret='' ``` +## Workspace (`secret/workspace`) + +```bash +vault kv put secret/workspace \ + guacamole-username='guacadmin' \ + guacamole-password='' +``` + ## BFF CLI (`secret/bff-cli`) ```bash
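Review bot: The prod values.yaml sets no pod or container security context, so the workload runs with whatever the `workspace-service` chart and the image default to, which may include root and a writable root filesystem. If the chart exposes a value for it (not visible in this patch), set the standard Kubernetes fields `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` here rather than inheriting the dev copy unchanged. Separately, the `readinessProbe` only checks `tcpSocket` on 5068 while the liveness probe calls `/v1/health`; using the same `httpGet` for readiness would keep traffic away from a pod that accepts connections but is not yet serving.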