bakery-ia/infrastructure/environments/prod/k8s-manifests/kustomization.yaml

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

metadata:
  name: bakery-ia-prod

# NOTE: Do NOT set a global namespace here.
# Each resource already has its namespace explicitly defined.
# A global namespace would incorrectly transform cluster-scoped resources
# like flux-system and cert-manager namespaces.

resources:
  - ../../../environments/common/configs
  - ../../../platform/infrastructure
  - ../../../platform/cert-manager
  - ../../../platform/networking/ingress/overlays/prod
  - ../../../platform/storage
  - ../../../services/databases
  - ../../../services/microservices
  - ../../../cicd
  - prod-certificate.yaml


  # SigNoz is managed via Helm deployment (see infrastructure/helm/deploy-signoz.sh)
  # Monitoring is handled by SigNoz (no separate monitoring components needed)
  # SigNoz paths are now included in the main ingress (ingress-https.yaml)

labels:
  - includeSelectors: true
    pairs:
      environment: production
      tier: production

# Production configuration patches
patches:
  # Override ConfigMap values for production
  - target:
      kind: ConfigMap
      name: bakery-config
    patch: |-
      - op: replace
        path: /data/ENVIRONMENT
        value: "production"
      - op: replace
        path: /data/DEBUG
        value: "false"
      - op: replace
        path: /data/LOG_LEVEL
        value: "INFO"
      - op: replace
        path: /data/PROFILING_ENABLED
        value: "false"
      - op: replace
        path: /data/MOCK_EXTERNAL_APIS
        value: "false"
      - op: add
        path: /data/REQUEST_TIMEOUT
        value: "30"
      - op: add
        path: /data/MAX_CONNECTIONS
        value: "100"
      - op: replace
        path: /data/ENABLE_TRACING
        value: "true"
      - op: replace
        path: /data/ENABLE_METRICS
        value: "true"
      - op: replace
        path: /data/ENABLE_LOGS
        value: "true"
      - op: add
        path: /data/OTEL_EXPORTER_OTLP_ENDPOINT
        value: "http://signoz-otel-collector.bakery-ia.svc.cluster.local:4317"
      - op: add
        path: /data/OTEL_EXPORTER_OTLP_PROTOCOL
        value: "grpc"
      - op: add
        path: /data/OTEL_SERVICE_NAME
        value: "bakery-ia"
      - op: add
        path: /data/OTEL_RESOURCE_ATTRIBUTES
        value: "deployment.environment=production,cluster.name=bakery-ia-prod"
      - op: add
        path: /data/SIGNOZ_ENDPOINT
        value: "http://signoz.signoz.svc.cluster.local:8080"
      - op: add
        path: /data/SIGNOZ_FRONTEND_URL
        value: "https://monitoring.bakewise.ai"
      - op: add
        path: /data/SIGNOZ_ROOT_URL
        value: "https://monitoring.bakewise.ai"
      - op: add
        path: /data/RATE_LIMIT_ENABLED
        value: "true"
      - op: add
        path: /data/RATE_LIMIT_PER_MINUTE
        value: "60"
      - op: add
        path: /data/CORS_ORIGINS
        value: "https://bakewise.ai"
      - op: add
        path: /data/CORS_ALLOW_CREDENTIALS
        value: "true"
      - op: add
        path: /data/VITE_API_URL
        value: "/api"
      - op: add
        path: /data/VITE_ENVIRONMENT
        value: "production"
  # SigNoz resource patches for production
  # SigNoz ClickHouse production configuration
  - target:
      group: apps
      version: v1
      kind: StatefulSet
      name: signoz-clickhouse
      namespace: bakery-ia
    patch: |-
      - op: replace
        path: /spec/replicas
        value: 2
      - op: replace
        path: /spec/template/spec/containers/0/resources
        value:
          requests:
            memory: "2Gi"
            cpu: "500m"
          limits:
            memory: "4Gi"
            cpu: "1000m"
  # SigNoz Main Service production configuration (v0.106.0+ unified service)
  - target:
      group: apps
      version: v1
      kind: StatefulSet
      name: signoz
      namespace: bakery-ia
    patch: |-
      - op: replace
        path: /spec/replicas
        value: 2
      - op: replace
        path: /spec/template/spec/containers/0/resources
        value:
          requests:
            memory: "2Gi"
            cpu: "1000m"
          limits:
            memory: "4Gi"
            cpu: "2000m"
  # SigNoz AlertManager production configuration
  - target:
      group: apps
      version: v1
      kind: Deployment
      name: signoz-alertmanager
      namespace: bakery-ia
    patch: |-
      - op: replace
        path: /spec/replicas
        value: 2
      - op: replace
        path: /spec/template/spec/containers/0/resources
        value:
          requests:
            memory: "512Mi"
            cpu: "250m"
          limits:
            memory: "1Gi"
            cpu: "500m"

images:
  # Application services
  - name: bakery/auth-service
    newTag: latest
  - name: bakery/tenant-service
    newTag: latest
  - name: bakery/training-service
    newTag: latest
  - name: bakery/forecasting-service
    newTag: latest
  - name: bakery/sales-service
    newTag: latest
  - name: bakery/external-service
    newTag: latest
  - name: bakery/notification-service
    newTag: latest
  - name: bakery/inventory-service
    newTag: latest
  - name: bakery/recipes-service
    newTag: latest
  - name: bakery/suppliers-service
    newTag: latest
  - name: bakery/pos-service
    newTag: latest
  - name: bakery/orders-service
    newTag: latest
  - name: bakery/production-service
    newTag: latest
  - name: bakery/alert-processor
    newTag: latest
  - name: bakery/gateway
    newTag: latest
  - name: bakery/dashboard
    newTag: latest
  # =============================================================================
  # Production Base Images - mapped to production registry
  # TODO: Update PROD_REGISTRY_URL to your production registry (e.g., ghcr.io/your-org)
  # =============================================================================
  # Database images (using canonical Docker Hub - no rate limits in prod with auth)
  - name: postgres
    newTag: 17-alpine
  - name: redis
    newTag: 7.4-alpine
  - name: rabbitmq
    newTag: 4.1-management-alpine
  # Utility images
  - name: busybox
    newTag: "1.36"
  - name: curlimages/curl
    newTag: latest
  - name: bitnami/kubectl
    newTag: latest
  # DNS resolver
  - name: mvance/unbound
    newTag: latest
  # Alpine variants
  - name: alpine
    newTag: "3.19"
  - name: alpine/git
    newTag: 2.43.0
  # CI/CD images (GCR/registry.k8s.io - no rate limits)
  - name: gcr.io/kaniko-project/executor
    newTag: v1.23.0
  - name: gcr.io/go-containerregistry/crane
    newTag: latest
  - name: registry.k8s.io/kustomize/kustomize
    newTag: v5.3.0
  # Storage images
  - name: minio/minio
    newTag: RELEASE.2024-11-07T00-52-20Z
  - name: minio/mc
    newTag: RELEASE.2024-11-17T19-35-25Z
  # Geocoding
  - name: mediagis/nominatim
    newTag: "4.4"
  # Python base image
  - name: python
    newTag: 3.11-slim

replicas:
  - name: auth-service
    count: 3
  - name: tenant-service
    count: 2
  - name: training-service
    count: 3  # Safe with MinIO storage - no PVC conflicts
  - name: forecasting-service
    count: 3
  - name: sales-service
    count: 2
  - name: external-service
    count: 2
  - name: notification-service
    count: 3
  - name: inventory-service
    count: 2
  - name: recipes-service
    count: 2
  - name: suppliers-service
    count: 2
  - name: pos-service
    count: 2
  - name: orders-service
    count: 3
  - name: production-service
    count: 2
  - name: alert-processor
    count: 3
  - name: procurement-service
    count: 2
  - name: orchestrator-service
    count: 2
  - name: ai-insights-service
    count: 2
  - name: gateway
    count: 3
  - name: frontend
    count: 2