bakery-ia/Tiltfile

# =============================================================================
# Bakery IA - Tiltfile for Secure Local Development
# =============================================================================
# Features:
#   - TLS encryption for PostgreSQL and Redis
#   - Strong 32-character passwords with PersistentVolumeClaims
#   - PostgreSQL pgcrypto extension and audit logging
#   - Organized resource dependencies and live-reload capabilities
#   - Local registry for faster image builds and deployments
# =============================================================================

# =============================================================================
# TILT CONFIGURATION
# =============================================================================

# Ensure we're running in the correct context
allow_k8s_contexts('kind-bakery-ia-local')

# Use local registry for faster builds and deployments
# This registry is created by kubernetes_restart.sh script
default_registry('localhost:5001')

# =============================================================================
# SECURITY & INITIAL SETUP
# =============================================================================

print("""
======================================
🔐 Bakery IA Secure Development Mode
======================================

Security Features:
  ✅ TLS encryption for PostgreSQL and Redis
  ✅ Strong 32-character passwords
  ✅ PersistentVolumeClaims (no data loss)
  ✅ pgcrypto extension for encryption
  ✅ PostgreSQL audit logging

Monitoring:
  📊 Service metrics available at /metrics endpoints
  🔍 Telemetry ready (traces, metrics, logs)
  ℹ️  SigNoz deployment optional for local dev (see signoz-info resource)

Applying security configurations...
""")

# Apply security configurations before loading main manifests
local_resource(
    'security-setup',
    cmd='''
        echo "📦 Applying security secrets and configurations..."
        kubectl apply -f infrastructure/kubernetes/base/secrets.yaml
        kubectl apply -f infrastructure/kubernetes/base/secrets/postgres-tls-secret.yaml
        kubectl apply -f infrastructure/kubernetes/base/secrets/redis-tls-secret.yaml
        kubectl apply -f infrastructure/kubernetes/base/configs/postgres-init-config.yaml
        kubectl apply -f infrastructure/kubernetes/base/configmaps/postgres-logging-config.yaml
        echo "✅ Security configurations applied"
    ''',
    labels=['00-security'],
    auto_init=True
)

# Verify TLS certificates are mounted correctly
local_resource(
    'verify-tls',
    cmd='''
        echo "🔍 Verifying TLS configuration..."
        sleep 5  # Wait for pods to be ready

        # Check if auth-db pod exists and has TLS certs
        AUTH_POD=$(kubectl get pods -n bakery-ia -l app.kubernetes.io/name=auth-db -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || echo "")

        if [ -n "$AUTH_POD" ]; then
            echo "  Checking PostgreSQL TLS certificates..."
            kubectl exec -n bakery-ia "$AUTH_POD" -- ls -la /tls/ 2>/dev/null && \
                echo "  ✅ PostgreSQL TLS certificates mounted" || \
                echo "  ⚠️  PostgreSQL TLS certificates not found (pods may still be starting)"
        fi

        # Check if redis pod exists and has TLS certs
        REDIS_POD=$(kubectl get pods -n bakery-ia -l app.kubernetes.io/name=redis -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || echo "")

        if [ -n "$REDIS_POD" ]; then
            echo "  Checking Redis TLS certificates..."
            kubectl exec -n bakery-ia "$REDIS_POD" -- ls -la /tls/ 2>/dev/null && \
                echo "  ✅ Redis TLS certificates mounted" || \
                echo "  ⚠️  Redis TLS certificates not found (pods may still be starting)"
        fi

        echo "✅ TLS verification complete"
    ''',
    resource_deps=['auth-db', 'redis'],
    auto_init=True,
    trigger_mode=TRIGGER_MODE_MANUAL,
    labels=['00-security']
)

# Verify PVCs are bound
local_resource(
    'verify-pvcs',
    cmd='''
        echo "🔍 Verifying PersistentVolumeClaims..."
        kubectl get pvc -n bakery-ia | grep -E "NAME|db-pvc" || echo "  ⚠️  PVCs not yet bound"
        PVC_COUNT=$(kubectl get pvc -n bakery-ia -o json | jq '.items | length')
        echo "  Found $PVC_COUNT PVCs"
        echo "✅ PVC verification complete"
    ''',
    resource_deps=['auth-db'],
    auto_init=True,
    trigger_mode=TRIGGER_MODE_MANUAL,
    labels=['00-security']
)

# Install and verify cert-manager
local_resource(
    'cert-manager-install',
    cmd='''
        echo "📦 Installing cert-manager..."

        # Check if cert-manager CRDs already exist
        if kubectl get crd certificates.cert-manager.io >/dev/null 2>&1; then
            echo "  ✅ cert-manager CRDs already installed"
        else
            echo "  Installing cert-manager v1.13.2..."
            kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.2/cert-manager.yaml

            echo "  Waiting for cert-manager to be ready..."
            kubectl wait --for=condition=available --timeout=120s deployment/cert-manager -n cert-manager
            kubectl wait --for=condition=available --timeout=120s deployment/cert-manager-webhook -n cert-manager

            echo "  ✅ cert-manager installed and ready"
        fi

        echo "✅ cert-manager verification complete"
    ''',
    labels=['00-security'],
    auto_init=True
)

# =============================================================================
# LOAD KUBERNETES MANIFESTS
# =============================================================================

k8s_yaml(kustomize('infrastructure/kubernetes/overlays/dev'))

# =============================================================================
# DOCKER BUILD HELPERS
# =============================================================================

# Helper function for Python services with live updates
def build_python_service(service_name, service_path):
    docker_build(
        'bakery/' + service_name,
        context='.',
        dockerfile='./services/' + service_path + '/Dockerfile',
        live_update=[
            # Fall back to full image build if Dockerfile or requirements change
            fall_back_on([
                './services/' + service_path + '/Dockerfile',
                './services/' + service_path + '/requirements.txt'
            ]),

            # Sync service code
            sync('./services/' + service_path, '/app'),

            # Sync shared libraries
            sync('./shared', '/app/shared'),

            # Sync scripts
            sync('./scripts', '/app/scripts'),

            # Install new dependencies if requirements.txt changes
            run(
                'pip install --no-cache-dir -r requirements.txt',
                trigger=['./services/' + service_path + '/requirements.txt']
            ),

            # Restart uvicorn on Python file changes (HUP signal triggers graceful reload)
            run(
                'kill -HUP 1',
                trigger=[
                    './services/' + service_path + '/**/*.py',
                    './shared/**/*.py'
                ]
            ),
        ],
        # Ignore common patterns that don't require rebuilds
        ignore=[
            '.git',
            '**/__pycache__',
            '**/*.pyc',
            '**/.pytest_cache',
            '**/node_modules',
            '**/.DS_Store'
        ]
    )

# =============================================================================
# INFRASTRUCTURE IMAGES
# =============================================================================

# Frontend (React + Vite)
frontend_debug_env = os.getenv('FRONTEND_DEBUG', 'false')
frontend_debug = frontend_debug_env.lower() == 'true'

if frontend_debug:
    print("""
    🐛 FRONTEND DEBUG MODE ENABLED
    Building frontend with NO minification for easier debugging.
    Full React error messages will be displayed.
    To disable: unset FRONTEND_DEBUG or set FRONTEND_DEBUG=false
    """)
else:
    print("""
    📦 FRONTEND PRODUCTION MODE
    Building frontend with minification for optimized performance.
    To enable debug mode: export FRONTEND_DEBUG=true
    """)

docker_build(
    'bakery/dashboard',
    context='./frontend',
    dockerfile='./frontend/Dockerfile.kubernetes.debug' if frontend_debug else './frontend/Dockerfile.kubernetes',
    live_update=[
        sync('./frontend/src', '/app/src'),
        sync('./frontend/public', '/app/public'),
    ],
    build_args={
        'NODE_OPTIONS': '--max-old-space-size=8192'
    },
    ignore=[
        'playwright-report/**',
        'test-results/**',
        'node_modules/**',
        '.DS_Store'
    ]
)

# Gateway
docker_build(
    'bakery/gateway',
    context='.',
    dockerfile='./gateway/Dockerfile',
    live_update=[
        fall_back_on(['./gateway/Dockerfile', './gateway/requirements.txt']),
        sync('./gateway', '/app'),
        sync('./shared', '/app/shared'),
        run('kill -HUP 1', trigger=['./gateway/**/*.py', './shared/**/*.py']),
    ],
    ignore=[
        '.git',
        '**/__pycache__',
        '**/*.pyc',
        '**/.pytest_cache',
        '**/node_modules',
        '**/.DS_Store'
    ]
)

# =============================================================================
# MICROSERVICE IMAGES
# =============================================================================

# Core Services
build_python_service('auth-service', 'auth')
build_python_service('tenant-service', 'tenant')

# Data & Analytics Services
build_python_service('training-service', 'training')
build_python_service('forecasting-service', 'forecasting')
build_python_service('ai-insights-service', 'ai_insights')

# Operations Services
build_python_service('sales-service', 'sales')
build_python_service('inventory-service', 'inventory')
build_python_service('production-service', 'production')
build_python_service('procurement-service', 'procurement')
build_python_service('distribution-service', 'distribution')

# Supporting Services
build_python_service('recipes-service', 'recipes')
build_python_service('suppliers-service', 'suppliers')
build_python_service('pos-service', 'pos')
build_python_service('orders-service', 'orders')
build_python_service('external-service', 'external')

# Platform Services
build_python_service('notification-service', 'notification')
build_python_service('alert-processor', 'alert_processor')
build_python_service('orchestrator-service', 'orchestrator')

# Demo Services
build_python_service('demo-session-service', 'demo_session')

# Tell Tilt that demo-cleanup-worker uses the demo-session-service image
k8s_image_json_path(
    'bakery/demo-session-service',
    '{.spec.template.spec.containers[?(@.name=="worker")].image}',
    name='demo-cleanup-worker'
)

# =============================================================================
# INFRASTRUCTURE RESOURCES
# =============================================================================

# Redis & RabbitMQ
k8s_resource('redis', resource_deps=['security-setup'], labels=['01-infrastructure'])
k8s_resource('rabbitmq', labels=['01-infrastructure'])
k8s_resource('nominatim', labels=['01-infrastructure'])

# =============================================================================
# MONITORING RESOURCES - SigNoz (Unified Observability)
# =============================================================================

# Note: SigNoz Helm chart is complex for local dev
# For development, access SigNoz manually or use production Helm deployment
# To deploy SigNoz manually: ./infrastructure/helm/deploy-signoz.sh dev
local_resource(
    'signoz-info',
    cmd='''
        echo "📊 SigNoz Monitoring Information"
        echo ""
        echo "SigNoz Helm deployment is disabled for local development due to complexity."
        echo ""
        echo "Options:"
        echo "1. Deploy manually: ./infrastructure/helm/deploy-signoz.sh dev"
        echo "2. Use production deployment: ./infrastructure/helm/deploy-signoz.sh prod"
        echo "3. Skip monitoring for local development (use application metrics only)"
        echo ""
        echo "For simpler local monitoring, consider using just Prometheus+Grafana"
        echo "or access metrics directly from services at /metrics endpoints."
    ''',
    labels=['05-monitoring'],
    auto_init=False,
    trigger_mode=TRIGGER_MODE_MANUAL
)

# SigNoz ingress (only if manually deployed)
# Uncomment and trigger manually if you deploy SigNoz
# local_resource(
#     'signoz-ingress',
#     cmd='''
#         echo "🌐 Applying SigNoz ingress..."
#         kubectl apply -f infrastructure/kubernetes/overlays/dev/signoz-ingress.yaml
#         echo "✅ SigNoz ingress configured"
#     ''',
#     labels=['05-monitoring'],
#     auto_init=False,
#     trigger_mode=TRIGGER_MODE_MANUAL
# )

# Note: SigNoz components are managed by Helm and deployed outside of kustomize
# They will appear automatically once deployed, but we don't track them explicitly in Tilt
# to avoid startup errors. View them with: kubectl get pods -n signoz

# Optional exporters (in monitoring namespace)
k8s_resource('node-exporter', labels=['05-monitoring'])
k8s_resource('postgres-exporter', resource_deps=['auth-db'], labels=['05-monitoring'])

# =============================================================================
# DATABASE RESOURCES
# =============================================================================

# Core Service Databases
k8s_resource('auth-db', resource_deps=['security-setup'], labels=['06-databases'])
k8s_resource('tenant-db', resource_deps=['security-setup'], labels=['06-databases'])

# Data & Analytics Databases
k8s_resource('training-db', resource_deps=['security-setup'], labels=['06-databases'])
k8s_resource('forecasting-db', resource_deps=['security-setup'], labels=['06-databases'])
k8s_resource('ai-insights-db', resource_deps=['security-setup'], labels=['06-databases'])

# Operations Databases
k8s_resource('sales-db', resource_deps=['security-setup'], labels=['06-databases'])
k8s_resource('inventory-db', resource_deps=['security-setup'], labels=['06-databases'])
k8s_resource('production-db', resource_deps=['security-setup'], labels=['06-databases'])
k8s_resource('procurement-db', resource_deps=['security-setup'], labels=['06-databases'])
k8s_resource('distribution-db', resource_deps=['security-setup'], labels=['06-databases'])

# Supporting Service Databases
k8s_resource('recipes-db', resource_deps=['security-setup'], labels=['06-databases'])
k8s_resource('suppliers-db', resource_deps=['security-setup'], labels=['06-databases'])
k8s_resource('pos-db', resource_deps=['security-setup'], labels=['06-databases'])
k8s_resource('orders-db', resource_deps=['security-setup'], labels=['06-databases'])
k8s_resource('external-db', resource_deps=['security-setup'], labels=['06-databases'])

# Platform Service Databases
k8s_resource('notification-db', resource_deps=['security-setup'], labels=['06-databases'])
k8s_resource('alert-processor-db', resource_deps=['security-setup'], labels=['06-databases'])
k8s_resource('orchestrator-db', resource_deps=['security-setup'], labels=['06-databases'])

# Demo Service Databases
k8s_resource('demo-session-db', resource_deps=['security-setup'], labels=['06-databases'])

# =============================================================================
# MIGRATION JOBS
# =============================================================================

# Core Service Migrations
k8s_resource('auth-migration', resource_deps=['auth-db'], labels=['07-migrations'])
k8s_resource('tenant-migration', resource_deps=['tenant-db'], labels=['07-migrations'])

# Data & Analytics Migrations
k8s_resource('training-migration', resource_deps=['training-db'], labels=['07-migrations'])
k8s_resource('forecasting-migration', resource_deps=['forecasting-db'], labels=['07-migrations'])
k8s_resource('ai-insights-migration', resource_deps=['ai-insights-db'], labels=['07-migrations'])

# Operations Migrations
k8s_resource('sales-migration', resource_deps=['sales-db'], labels=['07-migrations'])
k8s_resource('inventory-migration', resource_deps=['inventory-db'], labels=['07-migrations'])
k8s_resource('production-migration', resource_deps=['production-db'], labels=['07-migrations'])
k8s_resource('procurement-migration', resource_deps=['procurement-db'], labels=['07-migrations'])
k8s_resource('distribution-migration', resource_deps=['distribution-db'], labels=['07-migrations'])

# Supporting Service Migrations
k8s_resource('recipes-migration', resource_deps=['recipes-db'], labels=['07-migrations'])
k8s_resource('suppliers-migration', resource_deps=['suppliers-db'], labels=['07-migrations'])
k8s_resource('pos-migration', resource_deps=['pos-db'], labels=['07-migrations'])
k8s_resource('orders-migration', resource_deps=['orders-db'], labels=['07-migrations'])
k8s_resource('external-migration', resource_deps=['external-db'], labels=['07-migrations'])

# Platform Service Migrations
k8s_resource('notification-migration', resource_deps=['notification-db'], labels=['07-migrations'])
k8s_resource('alert-processor-migration', resource_deps=['alert-processor-db'], labels=['07-migrations'])
k8s_resource('orchestrator-migration', resource_deps=['orchestrator-db'], labels=['07-migrations'])

# Demo Service Migrations
k8s_resource('demo-session-migration', resource_deps=['demo-session-db'], labels=['07-migrations'])

# =============================================================================
# DATA INITIALIZATION JOBS
# =============================================================================

k8s_resource('external-data-init', resource_deps=['external-migration', 'redis'], labels=['08-data-init'])
k8s_resource('nominatim-init', labels=['08-data-init'])

# =============================================================================
# =============================================================================
# APPLICATION SERVICES
# =============================================================================

# Core Services
k8s_resource('auth-service', resource_deps=['auth-migration', 'redis'], labels=['09-services-core'])
k8s_resource('tenant-service', resource_deps=['tenant-migration', 'redis'], labels=['09-services-core'])

# Data & Analytics Services
k8s_resource('training-service', resource_deps=['training-migration', 'redis'], labels=['10-services-analytics'])
k8s_resource('forecasting-service', resource_deps=['forecasting-migration', 'redis'], labels=['10-services-analytics'])
k8s_resource('ai-insights-service', resource_deps=['ai-insights-migration', 'redis', 'forecasting-service', 'production-service', 'procurement-service'], labels=['10-services-analytics'])

# Operations Services
k8s_resource('sales-service', resource_deps=['sales-migration', 'redis'], labels=['11-services-operations'])
k8s_resource('inventory-service', resource_deps=['inventory-migration', 'redis'], labels=['11-services-operations'])
k8s_resource('production-service', resource_deps=['production-migration', 'redis'], labels=['11-services-operations'])
k8s_resource('procurement-service', resource_deps=['procurement-migration', 'redis'], labels=['11-services-operations'])
k8s_resource('distribution-service', resource_deps=['distribution-migration', 'redis', 'rabbitmq'], labels=['11-services-operations'])

# Supporting Services
k8s_resource('recipes-service', resource_deps=['recipes-migration', 'redis'], labels=['12-services-supporting'])
k8s_resource('suppliers-service', resource_deps=['suppliers-migration', 'redis'], labels=['12-services-supporting'])
k8s_resource('pos-service', resource_deps=['pos-migration', 'redis'], labels=['12-services-supporting'])
k8s_resource('orders-service', resource_deps=['orders-migration', 'redis'], labels=['12-services-supporting'])
k8s_resource('external-service', resource_deps=['external-migration', 'external-data-init', 'redis'], labels=['12-services-supporting'])

# Platform Services
k8s_resource('notification-service', resource_deps=['notification-migration', 'redis', 'rabbitmq'], labels=['13-services-platform'])
k8s_resource('alert-processor', resource_deps=['alert-processor-migration', 'redis', 'rabbitmq'], labels=['13-services-platform'])
k8s_resource('orchestrator-service', resource_deps=['orchestrator-migration', 'redis'], labels=['13-services-platform'])

# Demo Services
k8s_resource('demo-session-service', resource_deps=['demo-session-migration', 'redis'], labels=['14-services-demo'])
k8s_resource('demo-cleanup-worker', resource_deps=['demo-session-service', 'redis'], labels=['14-services-demo'])

# =============================================================================
# FRONTEND & GATEWAY
# =============================================================================

k8s_resource('gateway', resource_deps=['auth-service'], labels=['15-frontend'])
k8s_resource('frontend', resource_deps=['gateway'], labels=['15-frontend'])

# =============================================================================
# CRONJOBS (Remaining K8s CronJobs)
# =============================================================================

k8s_resource('demo-session-cleanup', resource_deps=['demo-session-service'], labels=['16-cronjobs'])
k8s_resource('external-data-rotation', resource_deps=['external-service'], labels=['16-cronjobs'])

# =============================================================================
# CONFIGURATION & PATCHES
# =============================================================================

# Apply environment variable patch to demo-session-service with the inventory image
local_resource(
    'patch-demo-session-env',
    cmd='''
        # Wait a moment for deployments to stabilize
        sleep 2

        # Get current inventory-service image tag
        INVENTORY_IMAGE=$(kubectl get deployment inventory-service -n bakery-ia -o jsonpath="{.spec.template.spec.containers[0].image}" 2>/dev/null || echo "bakery/inventory-service:latest")

        # Update demo-session-service environment variable
        kubectl set env deployment/demo-session-service -n bakery-ia CLONE_JOB_IMAGE=$INVENTORY_IMAGE

        echo "✅ Set CLONE_JOB_IMAGE to: $INVENTORY_IMAGE"
    ''',
    resource_deps=['demo-session-service', 'inventory-service'],
    auto_init=True,
    labels=['17-config']
)

# =============================================================================
# TILT CONFIGURATION
# =============================================================================

# Update settings
update_settings(
    max_parallel_updates=2,  # Reduce parallel updates to avoid resource exhaustion
    k8s_upsert_timeout_secs=120  # Increase timeout for slower local builds
)

# Watch settings
watch_settings(
    ignore=[
        '.git/**',
        '**/__pycache__/**',
        '**/*.pyc',
        '**/.pytest_cache/**',
        '**/node_modules/**',
        '**/.DS_Store',
        '**/*.swp',
        '**/*.swo',
        '**/.venv/**',
        '**/venv/**',
        '**/.mypy_cache/**',
        '**/.ruff_cache/**',
        '**/.tox/**',
        '**/htmlcov/**',
        '**/.coverage',
        '**/dist/**',
        '**/build/**',
        '**/*.egg-info/**',
        '**/infrastructure/tls/**/*.pem',
        '**/infrastructure/tls/**/*.cnf',
        '**/infrastructure/tls/**/*.csr',
        '**/infrastructure/tls/**/*.srl',
        '**/*.tmp',
        '**/*.tmp.*',
        '**/migrations/versions/*.tmp.*',
        '**/playwright-report/**',
        '**/test-results/**',
    ]
)

# =============================================================================
# STARTUP SUMMARY
# =============================================================================

print("""
✅ Security setup complete!

Database Security Features Active:
  🔐 TLS encryption: PostgreSQL and Redis
  🔑 Strong passwords: 32-character cryptographic
  💾 Persistent storage: PVCs for all databases
  🔒 Column encryption: pgcrypto extension
  📋 Audit logging: PostgreSQL query logging

Internal Schedulers Active:
  ⏰ Alert Priority Recalculation: Hourly @ :15 (alert-processor)
  ⏰ Usage Tracking: Daily @ 2:00 AM UTC (tenant-service)

Access your application:
  Main Application:      https://localhost
  API Endpoints:         https://localhost/api/v1/...

  Service Metrics:
  Gateway:               http://localhost:8000/metrics
  Any Service:           kubectl port-forward <service> 8000:8000

  SigNoz (Optional - see SIGNOZ_DEPLOYMENT_RECOMMENDATIONS.md):
  Deploy manually:       ./infrastructure/helm/deploy-signoz.sh dev
  Access (if deployed):  https://localhost/signoz

Verify security:
  kubectl get pvc -n bakery-ia
  kubectl get secrets -n bakery-ia | grep tls
  kubectl logs -n bakery-ia <db-pod> | grep SSL

Verify schedulers:
  kubectl exec -it -n bakery-ia deployment/alert-processor -- curl localhost:8000/scheduler/status
  kubectl logs -f -n bakery-ia -l app=tenant-service | grep "usage tracking"

Documentation:
  docs/SECURITY_IMPLEMENTATION_COMPLETE.md
  docs/DATABASE_SECURITY_ANALYSIS_REPORT.md

Useful Commands:
  # Work on specific services only
  tilt up <service-name> <service-name>

  # View logs by label
  tilt logs 09-services-core
  tilt logs 13-services-platform

======================================
""")