Improve teh securty of teh DB

infrastructure/tls/ca/ca-cert.pem

@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFyzCCA7OgAwIBAgIUPgOqNY+ZoKByQ1MfO8lkiGhOmxIwDQYJKoZIhvcNAQEL
+BQAwdTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFTATBgNVBAcM
+DFNhbkZyYW5jaXNjbzERMA8GA1UECgwIQmFrZXJ5SUExETAPBgNVBAsMCFNlY3Vy
+aXR5MRQwEgYDVQQDDAtCYWtlcnlJQS1DQTAeFw0yNTEwMTgxNDIyMTRaFw0zNTEw
+MTYxNDIyMTRaMHUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRUw
+EwYDVQQHDAxTYW5GcmFuY2lzY28xETAPBgNVBAoMCEJha2VyeUlBMREwDwYDVQQL
+DAhTZWN1cml0eTEUMBIGA1UEAwwLQmFrZXJ5SUEtQ0EwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQDRD5O2egkYg9HNRR5SU0bLnGHjpv/RagrM7dhusaWn
+rfDF5VpTZ4s9/9sOEJ0NyjuoKXamouTwR1nw19FdH8f1eomcQ4eKw2HkxoxqR34t
+RDaAGz3bWO+raTQ4SyMK7XFMovUUiLl+GO23l1BNPfhzkcDkZ97m434f1QVo99tb
+hV4bILaoFIqf09M0E1/faB+JCR8Ykl7LoXguz3VR/BUnd0vMsTMWueD/2nVuUZO0
+0pUmTUBQ2Qd7657k/HWd/1wcEAL9dXNRbxhDNfGgc3WtQhggcpYLQafLa81tlxyc
+wDgN6PdElUlxgX/OuoZ1ylMZE7xpsMtpn1AweodVbm3Qp5A1ydybE61u1urYz1Lt
+WNZ9eOfAqewiYQHVZWMC4a4Sa+2yM6q5PX/4g+TbITh8hZJwXPK5EDig7vF14JPl
+lERNpwia3n6a0P703HPN6rkQO5kVTdiUsfibMtcUJHLyWWQARBmyeVfkICaaeYEl
+ELkswa9NVESKvQaHKSiHZFhEI0aAvcpAjm1EOhEa+hSRhOoFyUOvG+cMOfcBSmL0
+UmlD/lfanTT0zk5aqspEkXGeBw31rmZ/0AZOjV2ppRxWWekzo9Bf7g6eLTY4UCC5
+MyPtzmx9TbXrNAnXhiF6Lg5h28R42GTe5Ad6THkF9S/Khq8u0dY5SA2GUF1EbQO8
+KwIDAQABo1MwUTAdBgNVHQ4EFgQUA+6q/kc8fTQU1EDqzGRfKQpq6m0wHwYDVR0j
+BBgwFoAUA+6q/kc8fTQU1EDqzGRfKQpq6m0wDwYDVR0TAQH/BAUwAwEB/zANBgkq
+hkiG9w0BAQsFAAOCAgEAQuvFh2+HQFy8VTcUgalEViayt1zQGv4rISmiq3G6IeXP
+XS4gwqHkFzTwZvmohTwmOCwW/xF4KgxmFbyWNrEJJEqcbedqUWV/0BCaFmJvUddI
++ex/iD3Febu8AFI+J8lBH/CenDiSLHhgyseY8uwRnXsshX5RnDirF1uKr1J635an
+GlyFINUrnQlguEvtr0enGUlzT5rWj4y0AWUdbXi8vRsjWoQ8Ja0BxTrYYh/kO/FI
+PtqX7wsxoJMDEQ71zhwa7WLQc2dfb2rAr1uBh3qNwiVBINB+t3JFv72xqsWgurIB
+If2soRTI2nMe5gTG1Dfd+V24jfa/yIgAsMjCzmGQK20vobX4sAVnmPVbZg9SLFZi
+Midkn9O9U68MEOe3Iascld7fp5Jk+HrbJU6/s16EER/AgD3Ooj3wRgjTCS+ADD+j
+xo2O8VX2kPo03AN+iYa3nJmlMFzCrzT+8ZxSnP5FqGg2ECEbqqA0B/5naVpmdYaV
+41oFLswcFm2iqGawbsLN9x3tvICuE93HYk1j72PzXaiSLtpvamH1dRYC+HUM1L0O
+49CNMYJeL/NlyQuZJm2X0qDNSXmRML8HU9sOwWX6pPPJOzuqtgdx/+lkGAd2wZJU
+IVbmL6Qvzdbta/cSVwsLtBzG48a1b4KBc7WLHTwbrdBRTg0TkLY4kvCZe5nNl4E=
+-----END CERTIFICATE-----

infrastructure/tls/ca/ca-cert.srl

@@ -0,0 +1 @@
+1BE074336AF19EA8C676D7E8D0185EBCA0B1D1FF

infrastructure/tls/ca/ca-key.pem

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDRD5O2egkYg9HN
+RR5SU0bLnGHjpv/RagrM7dhusaWnrfDF5VpTZ4s9/9sOEJ0NyjuoKXamouTwR1nw
+19FdH8f1eomcQ4eKw2HkxoxqR34tRDaAGz3bWO+raTQ4SyMK7XFMovUUiLl+GO23
+l1BNPfhzkcDkZ97m434f1QVo99tbhV4bILaoFIqf09M0E1/faB+JCR8Ykl7LoXgu
+z3VR/BUnd0vMsTMWueD/2nVuUZO00pUmTUBQ2Qd7657k/HWd/1wcEAL9dXNRbxhD
+NfGgc3WtQhggcpYLQafLa81tlxycwDgN6PdElUlxgX/OuoZ1ylMZE7xpsMtpn1Aw
+eodVbm3Qp5A1ydybE61u1urYz1LtWNZ9eOfAqewiYQHVZWMC4a4Sa+2yM6q5PX/4
+g+TbITh8hZJwXPK5EDig7vF14JPllERNpwia3n6a0P703HPN6rkQO5kVTdiUsfib
+MtcUJHLyWWQARBmyeVfkICaaeYElELkswa9NVESKvQaHKSiHZFhEI0aAvcpAjm1E
+OhEa+hSRhOoFyUOvG+cMOfcBSmL0UmlD/lfanTT0zk5aqspEkXGeBw31rmZ/0AZO
+jV2ppRxWWekzo9Bf7g6eLTY4UCC5MyPtzmx9TbXrNAnXhiF6Lg5h28R42GTe5Ad6
+THkF9S/Khq8u0dY5SA2GUF1EbQO8KwIDAQABAoICABaHUt1U1KAYrHDYuZtuL/CH
+H0wKAK1Pe8R4/lwctq5AIfR2x79kfBkn9jIo0NPd7tnV8LGlAijGd5xq6rvZ+JFX
+2CEdFyvOluuxXbZM5/2hc9dlmB/dZfkXHYfSHlTyIMXSaw4AbITN05LM3TFwXn1j
+FTdH3jm2sC5mpUOaL2rzD0tlwL6SIBzNwIfEbWNvdAkvZh4ev9UPxxoRmcybmVKn
+GhBVKXKR1fucTg/0/dwm3pMXELmQTwHSnU0ty3rwPBEmGecNqL9QynuLrPMjyL2X
++W5IYCpBs/70KgSyRmS57hB0V25uQVDYVK6GuTCo/JV05AE7tQqNHstqmM+Nq+BL
+ZufWkjBYI2dYH0/3e+Bm9yRypQljiDsmzuvfFgXWTXG8H1erITOZCv+9leT5OwHE
+qIWRmWtgDJ5bggUC/nUVHsIxIx6chCJ8Shuxv/X+Oj5qhmL3QvXZvykDUvhiRJ33
+goS127MfYjJoPbXeGEHMACS5z0qRuRKR474DsDljQW6QGlKDPNJjm5lh0FwV0d7P
+Kg+J9HqX1p0blCULOZMQWddCRSIqD7W9BpDW9aUsjF4XftH9DonM8lXbV0h0edkQ
+HDYL/Cf+TaCBHjw/PLtnGdLpx4Em8WTaYM9KohTNCr6DUDQ0Lwjhr0pUrDRs4urD
+786SDeXL5G3b3PVYFj8xAoIBAQDzafuco8i2J1DZtr9M1denb3YtLgpAPKIPDyux
+0sjJ7KJI8nkq1anZLWH8Bb+gtk9sFpLxD8mGgHemjjsbrhlmIOeIRnwWyqYXCNQV
+sr6P/h5Jg7F/fK2fwV3z0QyFT88Pl/WxaYEk1tExiibAN2hg0ad5CRVKpvJLy11U
+uX5iO8wSSigHyNH7i6wvNISDUjrRzLta5dyLmTup4wVtcWIeksswixWIICgnosZi
+xQ15SiVwnYNl3Or3GkTLVZ6xPRyf/nrsiwsAvbkpv56VUq3DKP+ZotI+TfpZ5n9v
+R/iLrYRdGqvCvQJdZRyUkASWqkbs44MIeERHVKO6WfznptMZAoIBAQDb3t5/poBJ
+WshTmLLQB7c8GBzAKaWrZNpDfn9jDAG5+F2OilPzO5ffCfQdmo2Vgl6aaOYOaeob
+m7pCuzLB9/rDUbzOd+RieD4Hq0mJfo2T00r+JkB59nZ4JYW51aX+0lGre0umWz0Y
+hnhy2qBp0H1BNxvA6/KSk3KD+PDLi05uYV9G7Yjmv3X6IT80yVr/XqsY6tsAkZcB
++/qzb301gDYMj05HvPlPQLdDCS2YE3faAR72OTKyEwqdG1mHXSyQWKzXY6EWNfN2
+QMJCpFtzEc5y9/INBRs7x1rKfancusON1G4QekjY+ppGCG37uVvnJ4ixZZnDkw38
+WiPiJD79IZXjAoIBAD/rovFdaUW8SVUC0nWg6kLD2GrA3lxED+KYf0bxLV0pUOyL
+EBqZhULM0iBWeh4AAhdGTkwTcz5o2gLY8tiv/Wd+WI7Gw6tQiBEgdmFEURqLBvUT
+KjdqTEXZh4yRZxJTBPL5WsG+DPXZm5HAz7BGXJigNbRpGDhEYvhYbSfkljXBsjNT
+WfPBXrMJ2KuExQ+fNmcFtmWGW0YldS+FuFUnIzcYIVecDolyuFjAPAyP5pvlRrOu
+CWVkgCdntI0Y7NVqUOwK7cjUMo19RPSbp09bKNpJF+YGheNqosWc6/YTFkfHxyyT
+5mr7K3XPKZQxxaKzEHEAxdYhjvyUU3KKUwmaG3ECggEBAJPcYFMF/NXX6EpXsUC3
+P6F5MbSFDXWiwCmNo0tPosWW4gveuLAlTm/e+L0D191IrCg5DSV6Usa4Rl1kGLFa
++9doW4maFQung0eTCEQfyEQ2XwNlZAzhEzCfQzwDEru4YtXod6prRz38CHpszl36
+qJE350EpK5so72US/5RSna8baoB/c4aCEWvh+eic1MZRusxp/Fd4kU3zT9hlzJUz
+IKX3pZQW4K5MfjHltTTFOt9vy4uYUaBxr7yRzPZ8UWDNUYcT6BvQsma/DCTW9O0A
+d47XcX8SBQuBeGwecCIRszrpNg98vQq2FROtzZDwSX69Fm7+PZbJiSlA0UreR0Hh
+2TMCggEAREXvWcBV0NR1hRigoh3WAokM34XskBfrEv+U3/VmJF63CN/YPSgXu+Fc
+qRWhPS1tv4cD2X2ePWm4UCiArI25tlNpHacFmLYbhg4Dvug8stoIEyssGzXSparO
+cRpis0xtStBN4vJ9zIIHyRvbCqbOPlZ39EjKuLunvmvVOvr7ytg7GlwFwQr2/i6x
+DEyP+1VwRkpiJIsEblEwZhJSboObp0OCCND/Zr8tvO/y0oenN7DVWJQ9ZpBMxCqG
+B9wtdGt6LGZXKobZXrFKHty7BeaqcdbS9DCs7pM2Lraoqg73PFfqjqZ9FrVpLO22
+bIhGuCSGodEUpQSPEziZ2cyPSczDrw==
+-----END PRIVATE KEY-----

infrastructure/tls/generate-certificates.sh

@@ -0,0 +1,204 @@
+#!/usr/bin/env bash
+
+# Generate TLS certificates for PostgreSQL and Redis
+# Self-signed certificates for internal cluster use
+
+set -e
+
+TLS_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+CA_DIR="$TLS_DIR/ca"
+POSTGRES_DIR="$TLS_DIR/postgres"
+REDIS_DIR="$TLS_DIR/redis"
+
+echo "Generating TLS certificates for Bakery IA..."
+echo "Directory: $TLS_DIR"
+echo ""
+
+# Clean up old certificates
+echo "Cleaning up old certificates..."
+rm -rf "$CA_DIR"/* "$POSTGRES_DIR"/* "$REDIS_DIR"/* 2>/dev/null || true
+
+# =====================================
+# 1. Generate Certificate Authority (CA)
+# =====================================
+
+echo "Step 1: Generating Certificate Authority (CA)..."
+
+# Generate CA private key
+openssl genrsa -out "$CA_DIR/ca-key.pem" 4096
+
+# Generate CA certificate (valid for 10 years)
+openssl req -new -x509 -days 3650 -key "$CA_DIR/ca-key.pem" -out "$CA_DIR/ca-cert.pem" \
+  -subj "/C=US/ST=California/L=SanFrancisco/O=BakeryIA/OU=Security/CN=BakeryIA-CA"
+
+echo "✓ CA certificate generated"
+echo ""
+
+# =====================================
+# 2. Generate PostgreSQL Server Certificates
+# =====================================
+
+echo "Step 2: Generating PostgreSQL server certificates..."
+
+# Generate PostgreSQL server private key
+openssl genrsa -out "$POSTGRES_DIR/server-key.pem" 4096
+
+# Create certificate signing request (CSR)
+openssl req -new -key "$POSTGRES_DIR/server-key.pem" -out "$POSTGRES_DIR/server.csr" \
+  -subj "/C=US/ST=California/L=SanFrancisco/O=BakeryIA/OU=Database/CN=*.bakery-ia.svc.cluster.local"
+
+# Create SAN (Subject Alternative Names) configuration
+cat > "$POSTGRES_DIR/san.cnf" <<EOF
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+C = US
+ST = California
+L = SanFrancisco
+O = BakeryIA
+OU = Database
+CN = *.bakery-ia.svc.cluster.local
+
+[v3_req]
+keyUsage = keyEncipherment, dataEncipherment
+extendedKeyUsage = serverAuth, clientAuth
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = *.bakery-ia.svc.cluster.local
+DNS.2 = *.bakery-ia
+DNS.3 = auth-db-service
+DNS.4 = tenant-db-service
+DNS.5 = training-db-service
+DNS.6 = forecasting-db-service
+DNS.7 = sales-db-service
+DNS.8 = external-db-service
+DNS.9 = notification-db-service
+DNS.10 = inventory-db-service
+DNS.11 = recipes-db-service
+DNS.12 = suppliers-db-service
+DNS.13 = pos-db-service
+DNS.14 = orders-db-service
+DNS.15 = production-db-service
+DNS.16 = alert-processor-db-service
+DNS.17 = localhost
+IP.1 = 127.0.0.1
+EOF
+
+# Sign the certificate with CA (valid for 3 years)
+openssl x509 -req -in "$POSTGRES_DIR/server.csr" \
+  -CA "$CA_DIR/ca-cert.pem" -CAkey "$CA_DIR/ca-key.pem" -CAcreateserial \
+  -out "$POSTGRES_DIR/server-cert.pem" -days 1095 \
+  -extensions v3_req -extfile "$POSTGRES_DIR/san.cnf"
+
+# PostgreSQL requires specific permissions on key file
+chmod 600 "$POSTGRES_DIR/server-key.pem"
+chmod 644 "$POSTGRES_DIR/server-cert.pem"
+
+# Copy CA cert for PostgreSQL clients
+cp "$CA_DIR/ca-cert.pem" "$POSTGRES_DIR/ca-cert.pem"
+
+echo "✓ PostgreSQL certificates generated"
+echo ""
+
+# =====================================
+# 3. Generate Redis Server Certificates
+# =====================================
+
+echo "Step 3: Generating Redis server certificates..."
+
+# Generate Redis server private key
+openssl genrsa -out "$REDIS_DIR/redis-key.pem" 4096
+
+# Create certificate signing request (CSR)
+openssl req -new -key "$REDIS_DIR/redis-key.pem" -out "$REDIS_DIR/redis.csr" \
+  -subj "/C=US/ST=California/L=SanFrancisco/O=BakeryIA/OU=Cache/CN=redis-service.bakery-ia.svc.cluster.local"
+
+# Create SAN configuration for Redis
+cat > "$REDIS_DIR/san.cnf" <<EOF
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+C = US
+ST = California
+L = SanFrancisco
+O = BakeryIA
+OU = Cache
+CN = redis-service.bakery-ia.svc.cluster.local
+
+[v3_req]
+keyUsage = keyEncipherment, dataEncipherment
+extendedKeyUsage = serverAuth, clientAuth
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = redis-service.bakery-ia.svc.cluster.local
+DNS.2 = redis-service.bakery-ia
+DNS.3 = redis-service
+DNS.4 = localhost
+IP.1 = 127.0.0.1
+EOF
+
+# Sign the certificate with CA (valid for 3 years)
+openssl x509 -req -in "$REDIS_DIR/redis.csr" \
+  -CA "$CA_DIR/ca-cert.pem" -CAkey "$CA_DIR/ca-key.pem" -CAcreateserial \
+  -out "$REDIS_DIR/redis-cert.pem" -days 1095 \
+  -extensions v3_req -extfile "$REDIS_DIR/san.cnf"
+
+# Redis requires specific permissions
+chmod 600 "$REDIS_DIR/redis-key.pem"
+chmod 644 "$REDIS_DIR/redis-cert.pem"
+
+# Copy CA cert for Redis clients
+cp "$CA_DIR/ca-cert.pem" "$REDIS_DIR/ca-cert.pem"
+
+echo "✓ Redis certificates generated"
+echo ""
+
+# =====================================
+# 4. Verify Certificates
+# =====================================
+
+echo "Step 4: Verifying certificates..."
+
+# Verify PostgreSQL certificate
+echo "PostgreSQL certificate details:"
+openssl x509 -in "$POSTGRES_DIR/server-cert.pem" -noout -subject -issuer -dates
+openssl verify -CAfile "$CA_DIR/ca-cert.pem" "$POSTGRES_DIR/server-cert.pem"
+
+echo ""
+echo "Redis certificate details:"
+openssl x509 -in "$REDIS_DIR/redis-cert.pem" -noout -subject -issuer -dates
+openssl verify -CAfile "$CA_DIR/ca-cert.pem" "$REDIS_DIR/redis-cert.pem"
+
+echo ""
+echo "===================="
+echo "✓ All certificates generated successfully!"
+echo ""
+echo "Generated files:"
+echo "  CA:"
+echo "    - $CA_DIR/ca-cert.pem (Certificate Authority certificate)"
+echo "    - $CA_DIR/ca-key.pem (CA private key - keep secure!)"
+echo ""
+echo "  PostgreSQL:"
+echo "    - $POSTGRES_DIR/server-cert.pem (Server certificate)"
+echo "    - $POSTGRES_DIR/server-key.pem (Server private key)"
+echo "    - $POSTGRES_DIR/ca-cert.pem (CA certificate for clients)"
+echo ""
+echo "  Redis:"
+echo "    - $REDIS_DIR/redis-cert.pem (Server certificate)"
+echo "    - $REDIS_DIR/redis-key.pem (Server private key)"
+echo "    - $REDIS_DIR/ca-cert.pem (CA certificate for clients)"
+echo ""
+echo "Certificate validity: 3 years"
+echo "Next steps:"
+echo "  1. Create Kubernetes secrets from these certificates"
+echo "  2. Mount secrets in database pods"
+echo "  3. Configure PostgreSQL and Redis to use TLS"
+echo "  4. Update client connection strings to require SSL"

infrastructure/tls/postgres/ca-cert.pem

@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFyzCCA7OgAwIBAgIUPgOqNY+ZoKByQ1MfO8lkiGhOmxIwDQYJKoZIhvcNAQEL
+BQAwdTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFTATBgNVBAcM
+DFNhbkZyYW5jaXNjbzERMA8GA1UECgwIQmFrZXJ5SUExETAPBgNVBAsMCFNlY3Vy
+aXR5MRQwEgYDVQQDDAtCYWtlcnlJQS1DQTAeFw0yNTEwMTgxNDIyMTRaFw0zNTEw
+MTYxNDIyMTRaMHUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRUw
+EwYDVQQHDAxTYW5GcmFuY2lzY28xETAPBgNVBAoMCEJha2VyeUlBMREwDwYDVQQL
+DAhTZWN1cml0eTEUMBIGA1UEAwwLQmFrZXJ5SUEtQ0EwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQDRD5O2egkYg9HNRR5SU0bLnGHjpv/RagrM7dhusaWn
+rfDF5VpTZ4s9/9sOEJ0NyjuoKXamouTwR1nw19FdH8f1eomcQ4eKw2HkxoxqR34t
+RDaAGz3bWO+raTQ4SyMK7XFMovUUiLl+GO23l1BNPfhzkcDkZ97m434f1QVo99tb
+hV4bILaoFIqf09M0E1/faB+JCR8Ykl7LoXguz3VR/BUnd0vMsTMWueD/2nVuUZO0
+0pUmTUBQ2Qd7657k/HWd/1wcEAL9dXNRbxhDNfGgc3WtQhggcpYLQafLa81tlxyc
+wDgN6PdElUlxgX/OuoZ1ylMZE7xpsMtpn1AweodVbm3Qp5A1ydybE61u1urYz1Lt
+WNZ9eOfAqewiYQHVZWMC4a4Sa+2yM6q5PX/4g+TbITh8hZJwXPK5EDig7vF14JPl
+lERNpwia3n6a0P703HPN6rkQO5kVTdiUsfibMtcUJHLyWWQARBmyeVfkICaaeYEl
+ELkswa9NVESKvQaHKSiHZFhEI0aAvcpAjm1EOhEa+hSRhOoFyUOvG+cMOfcBSmL0
+UmlD/lfanTT0zk5aqspEkXGeBw31rmZ/0AZOjV2ppRxWWekzo9Bf7g6eLTY4UCC5
+MyPtzmx9TbXrNAnXhiF6Lg5h28R42GTe5Ad6THkF9S/Khq8u0dY5SA2GUF1EbQO8
+KwIDAQABo1MwUTAdBgNVHQ4EFgQUA+6q/kc8fTQU1EDqzGRfKQpq6m0wHwYDVR0j
+BBgwFoAUA+6q/kc8fTQU1EDqzGRfKQpq6m0wDwYDVR0TAQH/BAUwAwEB/zANBgkq
+hkiG9w0BAQsFAAOCAgEAQuvFh2+HQFy8VTcUgalEViayt1zQGv4rISmiq3G6IeXP
+XS4gwqHkFzTwZvmohTwmOCwW/xF4KgxmFbyWNrEJJEqcbedqUWV/0BCaFmJvUddI
++ex/iD3Febu8AFI+J8lBH/CenDiSLHhgyseY8uwRnXsshX5RnDirF1uKr1J635an
+GlyFINUrnQlguEvtr0enGUlzT5rWj4y0AWUdbXi8vRsjWoQ8Ja0BxTrYYh/kO/FI
+PtqX7wsxoJMDEQ71zhwa7WLQc2dfb2rAr1uBh3qNwiVBINB+t3JFv72xqsWgurIB
+If2soRTI2nMe5gTG1Dfd+V24jfa/yIgAsMjCzmGQK20vobX4sAVnmPVbZg9SLFZi
+Midkn9O9U68MEOe3Iascld7fp5Jk+HrbJU6/s16EER/AgD3Ooj3wRgjTCS+ADD+j
+xo2O8VX2kPo03AN+iYa3nJmlMFzCrzT+8ZxSnP5FqGg2ECEbqqA0B/5naVpmdYaV
+41oFLswcFm2iqGawbsLN9x3tvICuE93HYk1j72PzXaiSLtpvamH1dRYC+HUM1L0O
+49CNMYJeL/NlyQuZJm2X0qDNSXmRML8HU9sOwWX6pPPJOzuqtgdx/+lkGAd2wZJU
+IVbmL6Qvzdbta/cSVwsLtBzG48a1b4KBc7WLHTwbrdBRTg0TkLY4kvCZe5nNl4E=
+-----END CERTIFICATE-----

infrastructure/tls/postgres/san.cnf

@@ -0,0 +1,37 @@
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+C = US
+ST = California
+L = SanFrancisco
+O = BakeryIA
+OU = Database
+CN = *.bakery-ia.svc.cluster.local
+
+[v3_req]
+keyUsage = keyEncipherment, dataEncipherment
+extendedKeyUsage = serverAuth, clientAuth
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = *.bakery-ia.svc.cluster.local
+DNS.2 = *.bakery-ia
+DNS.3 = auth-db-service
+DNS.4 = tenant-db-service
+DNS.5 = training-db-service
+DNS.6 = forecasting-db-service
+DNS.7 = sales-db-service
+DNS.8 = external-db-service
+DNS.9 = notification-db-service
+DNS.10 = inventory-db-service
+DNS.11 = recipes-db-service
+DNS.12 = suppliers-db-service
+DNS.13 = pos-db-service
+DNS.14 = orders-db-service
+DNS.15 = production-db-service
+DNS.16 = alert-processor-db-service
+DNS.17 = localhost
+IP.1 = 127.0.0.1

infrastructure/tls/postgres/server-cert.pem

@@ -0,0 +1,42 @@
+-----BEGIN CERTIFICATE-----
+MIIHcjCCBVqgAwIBAgIUG+B0M2rxnqjGdtfo0BhevKCx0f4wDQYJKoZIhvcNAQEL
+BQAwdTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFTATBgNVBAcM
+DFNhbkZyYW5jaXNjbzERMA8GA1UECgwIQmFrZXJ5SUExETAPBgNVBAsMCFNlY3Vy
+aXR5MRQwEgYDVQQDDAtCYWtlcnlJQS1DQTAeFw0yNTEwMTgxNDIyMTRaFw0yODEw
+MTcxNDIyMTRaMIGHMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEV
+MBMGA1UEBwwMU2FuRnJhbmNpc2NvMREwDwYDVQQKDAhCYWtlcnlJQTERMA8GA1UE
+CwwIRGF0YWJhc2UxJjAkBgNVBAMMHSouYmFrZXJ5LWlhLnN2Yy5jbHVzdGVyLmxv
+Y2FsMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1b/VSfu/PMvYorbL
+295V2ZAGRRNWupHH3K9xDAPm45TudgPWLxnyA9HVz5jmKgWHQKVrSI046uLuEYA+
+Rmth7FEVCLt9i5ifhaXmAfSouG91nC2NCshmEhXtZBJX0omaNhiDDotx78kjKaLR
+A22mQoCcPvkzEqOECpiVFU9UHB3C5unmtHSC48bB+ARyiE2z7RraG1YEKkiljilF
+mJTS6N36BqabF6AxqSpIanoEgFgWC6aIXtA+fo3Ez1mJEFwfzQBWcKt/ON3nx3xD
+bRNsmorxHpsPinOA4hHVw7TcU4LqqURYddNocmbkKiVXJZEFgLengB1lm/lAYWqZ
+QdPbT1UcCfQLvSt6lVk+VB06eZ4ZKfi/koflFP0f+2SB2hQ6aj97G/RbrkCGaIFX
+Cx5d69AoqSwuExtX/Qm1UK0O2xpLv35KdScy+Z1IFOcYzcXq28fxmu+TDDNySScK
+lsbjwfu4EGKGLsktGvTAGH1EyKvKksqx0Ex9s/8vAi/2T4+FC1Bl25B5fzDED5Dp
+KHtJatxwjWiiDlayrk8Wg03RyFSf5n4F7Rbp3+oFmsSSnEEZ+RCOnCgqCZY1Ms9r
+FT9fz7hAs2+XPepu0vwFKBUwlxiWdDzH6sDIQCeS3xS243vyiatEu6K8C7x0eWls
+59IBQqv5x2TbFtTwDXgb+SJ0k2UCAwEAAaOCAeUwggHhMAsGA1UdDwQEAwIEMDAd
+BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwggFxBgNVHREEggFoMIIBZIId
+Ki5iYWtlcnktaWEuc3ZjLmNsdXN0ZXIubG9jYWyCCyouYmFrZXJ5LWlhgg9hdXRo
+LWRiLXNlcnZpY2WCEXRlbmFudC1kYi1zZXJ2aWNlghN0cmFpbmluZy1kYi1zZXJ2
+aWNlghZmb3JlY2FzdGluZy1kYi1zZXJ2aWNlghBzYWxlcy1kYi1zZXJ2aWNlghNl
+eHRlcm5hbC1kYi1zZXJ2aWNlghdub3RpZmljYXRpb24tZGItc2VydmljZYIUaW52
+ZW50b3J5LWRiLXNlcnZpY2WCEnJlY2lwZXMtZGItc2VydmljZYIUc3VwcGxpZXJz
+LWRiLXNlcnZpY2WCDnBvcy1kYi1zZXJ2aWNlghFvcmRlcnMtZGItc2VydmljZYIV
+cHJvZHVjdGlvbi1kYi1zZXJ2aWNlghphbGVydC1wcm9jZXNzb3ItZGItc2Vydmlj
+ZYIJbG9jYWxob3N0hwR/AAABMB0GA1UdDgQWBBR+ZyMAMCMyCv50MJTcHSw13VV9
+3TAfBgNVHSMEGDAWgBQD7qr+Rzx9NBTUQOrMZF8pCmrqbTANBgkqhkiG9w0BAQsF
+AAOCAgEAC7WCN3aJw4vT3Nr5fWqjkzxcl+spTRyBDEbJZYp3HdK3QOixhTd0B3bF
+FzWSIX79Gvvs/rj8SZDXP3BdsSpoIxTJf+inzPm8hPRo2cuSNjO9yhf1u1AByb2g
+eWm2L58dLLIYngcsl/AaThifOuKfVc7kX5F5+ppHlWE4INGaOKl2ZqBLpOm+4nXp
+78iBAtfHKVLmMBkIDsYgX9EDU4gYYerSEuY3Tac94ea9nEcGpvHDhGRbNRS46Fl/
+O3Vj18OS+KddMerAueNjvop5vsK0T6MCelLOhlrtoMeNHEcwzkBLwjvDo2GWaHmO
+SyJNwSEAjlyU1rra0TXtpyMg6/cnWbr9gKhrnf+O0CMGLuV08FiPCwa6/qmPaiKA
+i0+6TbusbFLGkeWCPK3jyZFalSZnWPH5dLJEwuSYe9SFxZVZSHSMWn0ytv5HuZNj
+ZInxvbjj6S+a5SeRc5pvjJ5VMDkkQJ34mBl22noyBip8cruQgA7yzHn9sycbAyTk
+YgNXJHnb4QmutrbM7zbqkGPNFXEByyVaY/m7ZrlE3oG4GRlNssmKyUgvLPxUmgYK
+p4X5xDhRQl4MV49//A5F6+qS6ur+B+p9xHoLJfoBRTSW+S6Pubb4wQH49zp3Nmm9
+94aThjKHK8TiMbJA+bQ/kF2OnJYunkucYjYzNvjWwf1S/reBg2E=
+-----END CERTIFICATE-----

infrastructure/tls/postgres/server-key.pem

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQDVv9VJ+788y9ii
+tsvb3lXZkAZFE1a6kcfcr3EMA+bjlO52A9YvGfID0dXPmOYqBYdApWtIjTjq4u4R
+gD5Ga2HsURUIu32LmJ+FpeYB9Ki4b3WcLY0KyGYSFe1kElfSiZo2GIMOi3HvySMp
+otEDbaZCgJw++TMSo4QKmJUVT1QcHcLm6ea0dILjxsH4BHKITbPtGtobVgQqSKWO
+KUWYlNLo3foGppsXoDGpKkhqegSAWBYLpohe0D5+jcTPWYkQXB/NAFZwq3843efH
+fENtE2yaivEemw+Kc4DiEdXDtNxTguqpRFh102hyZuQqJVclkQWAt6eAHWWb+UBh
+aplB09tPVRwJ9Au9K3qVWT5UHTp5nhkp+L+Sh+UU/R/7ZIHaFDpqP3sb9FuuQIZo
+gVcLHl3r0CipLC4TG1f9CbVQrQ7bGku/fkp1JzL5nUgU5xjNxerbx/Ga75MMM3JJ
+JwqWxuPB+7gQYoYuyS0a9MAYfUTIq8qSyrHQTH2z/y8CL/ZPj4ULUGXbkHl/MMQP
+kOkoe0lq3HCNaKIOVrKuTxaDTdHIVJ/mfgXtFunf6gWaxJKcQRn5EI6cKCoJljUy
+z2sVP1/PuECzb5c96m7S/AUoFTCXGJZ0PMfqwMhAJ5LfFLbje/KJq0S7orwLvHR5
+aWzn0gFCq/nHZNsW1PANeBv5InSTZQIDAQABAoICAAXpngfuCklaEX6CvvCF3cBn
+Dv1XKRrVEH8RbUzvSLI6kD68dsQWcXmF6DurV5E0VkbwAcqKeYIUepBfs0P1vB+H
+ffpKsWYsonEAeJ8iOjk2gBLXYbjkIoqqh5wGiTOzhwwAW+kJlhe+Fmu+62LZuXPK
+efKgqGHXcGjDSrsXAX/GRPoSi0VU7w/yPghTGytGYaKT5RJE1q2oFR2calFBAJ/c
+urSiDtU1owSyZ467xvxuiKw+1DPcinYBYZR4vhAGnwHn2fxDiiveW4cgRVSIPoSn
+MOnvURvme7Cv3JwNbdtzhMk025uQGFSzID7tidO/XLRwSsECTylkLic5Bc8/1yeg
+JrlrEMa5o/kxoDkRZ3P0xYwofKx11eeEp7Jchhtfj4saCVxL7hyfO5PE1RY5vPuf
+9jpEFQ3Il0l24QQ58Mka7H3d+Rw3cnMLbJSHA71GR9aje/VQUOray0mWftdV6+Ta
+ZP/t0k/jjqlqRiqzOY08k0f8tjmjhstx1CYZiRPAXruiEoSwS4FAUvTwRyo087I2
+kgsXm9FwcEZDUmzl0lTG/1bNlHElulyqRLwZeQwLpAte3EvjMC17NuBnFT8Wxltc
+8sTdTs3MHFMvvb3r/irczY0Nw/w7ws8NZFuUlW2n1LObZCkMCHiW6FWOEAaJcsmy
+1yPlAZ1ptpbwor1w0/17AoIBAQD8AI2Zo6KL94Q0jObimrnrBTWQnZHZxSn4/VPM
+SChNgn9lttBRq2F2aveSLG2TaF4BQdcGKRA5u86Ovzw7eEYJdtK/BpPF6EkHDFTv
+/DUpSha/gbBkqmRaDJfFjg9pMPZdvgEVxyLYmsRYb//E8R7uLel04iypCU0ISl2c
+fUNLfWkCA4i4cmdHMqtGtnoKnsWqV3Uk2mEQJJYI66PDmr3KVwoRMoqZMP4pr175
+RHnkA6f9lEW8tkUXnutVi41ns8JhFZfnQZDKfXduT417GCHeGkkWnXizt5z6MuWm
+hLlQ+P69S6iVSQQNnKrZZuEuFNTMnnTSgVOufnRLVX1cd4ELAoIBAQDZI+ziaqzp
+FKjvlZRyBkp7iF+JjdP79BdfeK0SJVOt+G4NUNQOPLUxcuB1yeXwvv5XVikd8txJ
+FmVLqCM69a81RnHG6uNNSU1moE1VAX0wjwj1hi+nAGcegIpditzJrBiP8ldkV5+r
+ZHiC5/QvH7+QZaAuQ6s0fghPI7qsfXSnqNS5W14AsabMqPYPxGr4P0BOhEcgdxtR
+F65HPz9v9rQd9LmObIY318CkM7mcfsG+6ckAwtQUgFvefgtS8n/0dtFmBkDTfAxp
+ASfD5i66L5cx6BnUO1gsgMPpLjksh5D1qZ+gyNWkwlQlDRLs6IuBEW4vEnIc1aSl
+/APOy2pM1eNPAoIBABEHxIoGifyljJS0lQHpbPkaEAWm8G1kKrL+A8TBd5/NWui3
+0xpB18NV9Uc2o20b14aEOZDcA5GzRIFXIS3vseP/2Lw6KJBuY0kLp03UoI8ax7DH
+hfE3prKDOVqLgDUervek2JPtMkirJOvJHeLkXK/CAI36nwQJceBGjk7+FCcs4YTW
+Uk4MxTgFj5emy1aeZkNdx7fm3jpmDpGpwxZ8Bal/+lkxLjauHe8ZP/TekNI9AQRd
+Gd1oAAFZpxPP641/k3pWKD7jqnJUylZ1H92awucspZXWrIqQtRYfjG+VdqSnPyfx
+zgHQvmphFRa+IieoFr2BU+nJ/arENv3EWEWAegMCggEAT1UYzwA6fE3YCvCTc7Vo
+sQl6Hj97G6pqf68PTHnmwMDrNGI7l5gGezKFX4OMRxEAy9fm3dJFOU69Y47ikEAC
+62v5VburoCkP5lba6hvJKVyY4VtNPa6f/jzoUJTTZbtCnhTkaPy6kVv7y5gDVtQ6
+oP8ALub6Pgtt7bwYD70mSbsdPTtsdMRzNILmo4wXqOszC3y4n9vkVxRX0CADhVyV
+IfyvbqGnx+9DqrpbLhoBn0a68VQ9N+BNsFRMvtlqdl6S0rumI55GynZpmOEYYV3R
+16H9DdVAucGx0hfZO7Or+pUmhQ/bPn7hT0gfif7MOTOtFfWfS3mi1iHlIkCfbcMX
+cQKCAQBcnl0TCUMIdXbMnIG10CoL9myHWl1JjHV+L7I9TQ/OkvuxuIoJPRbpPUDK
+dnBCW3NY86zsgL++I5b2LWhXzSjlAgZSD5rJIBzv5/8yzGh5EZK519wg/bCbJLDE
+LQlQ7+j/BKUllmrIKD4vokir9ronGJnTNJ9aSOdtD5d7u3VBfJdDimKRt3uUpwZm
+BnLrLYZKmRUnZ+I7HgrwCO5+815W6Xut9Phdz6pp9rT+fyoUhy1V+uiu2aT1PlrS
+HSuAotWAkIYKb5eiPwSAytomgfbp7GbAE4mcP6wIuxXLnBgyZHo0a3qBcwkFyWb6
+1+AGw20W2hvgcwJ44cLH2IE28dy4
+-----END PRIVATE KEY-----

infrastructure/tls/postgres/server.csr

@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIEzTCCArUCAQAwgYcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh
+MRUwEwYDVQQHDAxTYW5GcmFuY2lzY28xETAPBgNVBAoMCEJha2VyeUlBMREwDwYD
+VQQLDAhEYXRhYmFzZTEmMCQGA1UEAwwdKi5iYWtlcnktaWEuc3ZjLmNsdXN0ZXIu
+bG9jYWwwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDVv9VJ+788y9ii
+tsvb3lXZkAZFE1a6kcfcr3EMA+bjlO52A9YvGfID0dXPmOYqBYdApWtIjTjq4u4R
+gD5Ga2HsURUIu32LmJ+FpeYB9Ki4b3WcLY0KyGYSFe1kElfSiZo2GIMOi3HvySMp
+otEDbaZCgJw++TMSo4QKmJUVT1QcHcLm6ea0dILjxsH4BHKITbPtGtobVgQqSKWO
+KUWYlNLo3foGppsXoDGpKkhqegSAWBYLpohe0D5+jcTPWYkQXB/NAFZwq3843efH
+fENtE2yaivEemw+Kc4DiEdXDtNxTguqpRFh102hyZuQqJVclkQWAt6eAHWWb+UBh
+aplB09tPVRwJ9Au9K3qVWT5UHTp5nhkp+L+Sh+UU/R/7ZIHaFDpqP3sb9FuuQIZo
+gVcLHl3r0CipLC4TG1f9CbVQrQ7bGku/fkp1JzL5nUgU5xjNxerbx/Ga75MMM3JJ
+JwqWxuPB+7gQYoYuyS0a9MAYfUTIq8qSyrHQTH2z/y8CL/ZPj4ULUGXbkHl/MMQP
+kOkoe0lq3HCNaKIOVrKuTxaDTdHIVJ/mfgXtFunf6gWaxJKcQRn5EI6cKCoJljUy
+z2sVP1/PuECzb5c96m7S/AUoFTCXGJZ0PMfqwMhAJ5LfFLbje/KJq0S7orwLvHR5
+aWzn0gFCq/nHZNsW1PANeBv5InSTZQIDAQABoAAwDQYJKoZIhvcNAQELBQADggIB
+AE4N38FRrzeIodjCM3ymJAkGI7cnm1vB/1aHwbq5OlCUQ0EGFzzeGIEZi1ve2tsW
+1exPvGZRBUosl+12vwq2oJURlPPKAieKAkrvXo/vR1Fb1QnZY5hDEdJuG5Uwd0rE
+QacjuFaQ/yv1TVKkvnjKhYXCmZ7w/mB36mWEOk3nBqK12xdwydRwFfgZtsVK6mq9
+OiDRskecaSshMyuprFAsS3eWAbRtP6alz66g7ZdaKpReaNCc3ARWjT9Lv19dA2JS
+PV7CFF0M/Ta6mE/1wct4h+GDbykwfAkzIeT4CcbXDjA0O2GaWuusZBwZrcttRycY
+akxUTlXq8kQt/dK1/hcqL8EqwHrknwA0kYcFZZ4q/VhVcbZKKH974FH8hjeCo2P+
+2gpK0iumg0EpTZQnViJ1cn4me8k/4U72ek6ToVUfA9i8179gvef5V/45aBqjI2CN
+S0fDtWyqqJv20dRQ2omqXUsLOyCjBSuoWlmBkVe2clnixkbCPDojxm5ngHF0TI9/
+4h47V26LHS1wXiqmpHFXjtVKRCtE3YxVI5sAK+KWE966m3JGngeqpjJebfHCR6dB
+0FSi4kaq3t8/eRWPmY209xJzKvG0ppbKUsxOZvVnZEP8DFmDpTecS+7pehzpWvvk
+rD1ROkG4d53Rj4cGwTWF+k39fIrr7ohFlDdY3LKNdNsD
+-----END CERTIFICATE REQUEST-----

infrastructure/tls/redis/ca-cert.pem

@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFyzCCA7OgAwIBAgIUPgOqNY+ZoKByQ1MfO8lkiGhOmxIwDQYJKoZIhvcNAQEL
+BQAwdTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFTATBgNVBAcM
+DFNhbkZyYW5jaXNjbzERMA8GA1UECgwIQmFrZXJ5SUExETAPBgNVBAsMCFNlY3Vy
+aXR5MRQwEgYDVQQDDAtCYWtlcnlJQS1DQTAeFw0yNTEwMTgxNDIyMTRaFw0zNTEw
+MTYxNDIyMTRaMHUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRUw
+EwYDVQQHDAxTYW5GcmFuY2lzY28xETAPBgNVBAoMCEJha2VyeUlBMREwDwYDVQQL
+DAhTZWN1cml0eTEUMBIGA1UEAwwLQmFrZXJ5SUEtQ0EwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQDRD5O2egkYg9HNRR5SU0bLnGHjpv/RagrM7dhusaWn
+rfDF5VpTZ4s9/9sOEJ0NyjuoKXamouTwR1nw19FdH8f1eomcQ4eKw2HkxoxqR34t
+RDaAGz3bWO+raTQ4SyMK7XFMovUUiLl+GO23l1BNPfhzkcDkZ97m434f1QVo99tb
+hV4bILaoFIqf09M0E1/faB+JCR8Ykl7LoXguz3VR/BUnd0vMsTMWueD/2nVuUZO0
+0pUmTUBQ2Qd7657k/HWd/1wcEAL9dXNRbxhDNfGgc3WtQhggcpYLQafLa81tlxyc
+wDgN6PdElUlxgX/OuoZ1ylMZE7xpsMtpn1AweodVbm3Qp5A1ydybE61u1urYz1Lt
+WNZ9eOfAqewiYQHVZWMC4a4Sa+2yM6q5PX/4g+TbITh8hZJwXPK5EDig7vF14JPl
+lERNpwia3n6a0P703HPN6rkQO5kVTdiUsfibMtcUJHLyWWQARBmyeVfkICaaeYEl
+ELkswa9NVESKvQaHKSiHZFhEI0aAvcpAjm1EOhEa+hSRhOoFyUOvG+cMOfcBSmL0
+UmlD/lfanTT0zk5aqspEkXGeBw31rmZ/0AZOjV2ppRxWWekzo9Bf7g6eLTY4UCC5
+MyPtzmx9TbXrNAnXhiF6Lg5h28R42GTe5Ad6THkF9S/Khq8u0dY5SA2GUF1EbQO8
+KwIDAQABo1MwUTAdBgNVHQ4EFgQUA+6q/kc8fTQU1EDqzGRfKQpq6m0wHwYDVR0j
+BBgwFoAUA+6q/kc8fTQU1EDqzGRfKQpq6m0wDwYDVR0TAQH/BAUwAwEB/zANBgkq
+hkiG9w0BAQsFAAOCAgEAQuvFh2+HQFy8VTcUgalEViayt1zQGv4rISmiq3G6IeXP
+XS4gwqHkFzTwZvmohTwmOCwW/xF4KgxmFbyWNrEJJEqcbedqUWV/0BCaFmJvUddI
++ex/iD3Febu8AFI+J8lBH/CenDiSLHhgyseY8uwRnXsshX5RnDirF1uKr1J635an
+GlyFINUrnQlguEvtr0enGUlzT5rWj4y0AWUdbXi8vRsjWoQ8Ja0BxTrYYh/kO/FI
+PtqX7wsxoJMDEQ71zhwa7WLQc2dfb2rAr1uBh3qNwiVBINB+t3JFv72xqsWgurIB
+If2soRTI2nMe5gTG1Dfd+V24jfa/yIgAsMjCzmGQK20vobX4sAVnmPVbZg9SLFZi
+Midkn9O9U68MEOe3Iascld7fp5Jk+HrbJU6/s16EER/AgD3Ooj3wRgjTCS+ADD+j
+xo2O8VX2kPo03AN+iYa3nJmlMFzCrzT+8ZxSnP5FqGg2ECEbqqA0B/5naVpmdYaV
+41oFLswcFm2iqGawbsLN9x3tvICuE93HYk1j72PzXaiSLtpvamH1dRYC+HUM1L0O
+49CNMYJeL/NlyQuZJm2X0qDNSXmRML8HU9sOwWX6pPPJOzuqtgdx/+lkGAd2wZJU
+IVbmL6Qvzdbta/cSVwsLtBzG48a1b4KBc7WLHTwbrdBRTg0TkLY4kvCZe5nNl4E=
+-----END CERTIFICATE-----

infrastructure/tls/redis/redis-cert.pem

@@ -0,0 +1,37 @@
+-----BEGIN CERTIFICATE-----
+MIIGczCCBFugAwIBAgIUG+B0M2rxnqjGdtfo0BhevKCx0f8wDQYJKoZIhvcNAQEL
+BQAwdTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFTATBgNVBAcM
+DFNhbkZyYW5jaXNjbzERMA8GA1UECgwIQmFrZXJ5SUExETAPBgNVBAsMCFNlY3Vy
+aXR5MRQwEgYDVQQDDAtCYWtlcnlJQS1DQTAeFw0yNTEwMTgxNDIyMTRaFw0yODEw
+MTcxNDIyMTRaMIGQMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEV
+MBMGA1UEBwwMU2FuRnJhbmNpc2NvMREwDwYDVQQKDAhCYWtlcnlJQTEOMAwGA1UE
+CwwFQ2FjaGUxMjAwBgNVBAMMKXJlZGlzLXNlcnZpY2UuYmFrZXJ5LWlhLnN2Yy5j
+bHVzdGVyLmxvY2FsMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvsa2
+51GEGEnio54u1tkMxSBLd82oL/ulab1awqDBjqBdUAig2l1jRpQr5LG5XwS5h739
+Y+vyPlZVemzuTb6k3n8OrLMru/PPRG+iQg7qyTGZ+bawaf6aXEeCK8A1YnqK/N4K
+A1HRLWEsWG0JCeYjFOfqszjVLKrtRaH7zKiADFqDBBmxRqk/P2oJ6f+XWijp4NJu
+OiWhBchbjcF/fM6v0elBS/8k5pui8kEudMea1IQK5qSJYwN6Y5tMOpJrmHu1E7No
+BQegnjBo1bZRAd1h+/cq8p0Ykwja9u2gJNcs31qf81Am6+q6IW0LjLqT2yH5U5io
+KhSkAns3pqAO4VkIdn3ytckd+M0BcMq4JBnbbM/gVOWr5Ez+HDJ9k2rARo0VXPyq
+gORq2sWSctyQbWJOtLNQeUmCtuvxwDrUShAiXdha3zmz7X9bb4+VQp6zRZ3xvmpg
+qExmOsNs00LjOl0pljUfGFAGdfomIIzRZlgVCzMUlZD4pcPVsaHbnGZ/6/YmxMde
+9Lcn4kbik65fdAInxfTP2IMMdDwMFdbFis/Rl20ej7ABta3KuXodYn1y0n+XLR2L
+7abTqoqItgQmAciHNPUacgDC/lPQJOyrDZU9hCsLt2IUVJMCzSd3GrCC08wgRoe5
+6Q5Ht4E2XndWseYfqVtQ3g8ZKCiU+QMIBkxK7G8CAwEAAaOB3jCB2zALBgNVHQ8E
+BAMCBDAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMG0GA1UdEQRmMGSC
+KXJlZGlzLXNlcnZpY2UuYmFrZXJ5LWlhLnN2Yy5jbHVzdGVyLmxvY2FsghdyZWRp
+cy1zZXJ2aWNlLmJha2VyeS1pYYINcmVkaXMtc2VydmljZYIJbG9jYWxob3N0hwR/
+AAABMB0GA1UdDgQWBBSdIWUzCh/4ORfbKGbXMRvyxWLWrzAfBgNVHSMEGDAWgBQD
+7qr+Rzx9NBTUQOrMZF8pCmrqbTANBgkqhkiG9w0BAQsFAAOCAgEAhGvpPRJZjBFi
+pZ43UhUFLaHx+Q0vgs/zyyqW5jK+7efpcvtJOBmukEKLiu0Xakf+yT8VFZxGksfF
+qVr/Uoolwm5DjiG8OEOoOa2Be9joGSvb7sBsgn0a/itIFRzDQwZtbPfgi0agvBfM
+qs1B6oHzjA2GR6iLP1Wc88UtMXRpWW4VvRrVHjYsXun3fGtf1GRwfwAXQI7+9bWi
+SOChD9eI6MquCXBdBAX/Cqnxk8hubkwWcsHySFBDLqQhPs5uM8li3+MPgpLXCfaY
+X6/ZzH3NgJ3D+PIH59ZYphG3zvlFpGD4oG3Q2AolxqwMR3+P6c9If1DfMMoSgV3+
+mfvgRjN5tngB+/oBiumbM4+EF8aMRk1GOyWpf3eRfG55+OTJlLsDXOSBW+K1NCz4
+yNYTyshwxjVSPXqfateAZzC5SjFMRdrdHD10M0gl5/dXcp+x5hpQSY3M+gM2wWdI
+zo7JBOt9Q1FQDgT3jIVWQ5PtNhd9oT9Wdc0EdJizyNl3vi9m2/bJKVpHO2ymdnHY
+hPmvQYVtfsMlNvksvDLpXemG7s4vjHf12YEP8TT5DJgD46NVoe39Ka47IfaTWugN
+FWoV/PajRIx/IO/kOp4NBpeB69O+nuYUUNcCw0filA+mFgWQjqFGP+fqWNaJj+pP
+50rzPNsxp+qiw6FVoZ55ccxE27knveY=
+-----END CERTIFICATE-----

infrastructure/tls/redis/redis-key.pem

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQC+xrbnUYQYSeKj
+ni7W2QzFIEt3zagv+6VpvVrCoMGOoF1QCKDaXWNGlCvksblfBLmHvf1j6/I+VlV6
+bO5NvqTefw6ssyu7889Eb6JCDurJMZn5trBp/ppcR4IrwDVieor83goDUdEtYSxY
+bQkJ5iMU5+qzONUsqu1FofvMqIAMWoMEGbFGqT8/agnp/5daKOng0m46JaEFyFuN
+wX98zq/R6UFL/yTmm6LyQS50x5rUhArmpIljA3pjm0w6kmuYe7UTs2gFB6CeMGjV
+tlEB3WH79yrynRiTCNr27aAk1yzfWp/zUCbr6rohbQuMupPbIflTmKgqFKQCezem
+oA7hWQh2ffK1yR34zQFwyrgkGdtsz+BU5avkTP4cMn2TasBGjRVc/KqA5GraxZJy
+3JBtYk60s1B5SYK26/HAOtRKECJd2FrfObPtf1tvj5VCnrNFnfG+amCoTGY6w2zT
+QuM6XSmWNR8YUAZ1+iYgjNFmWBULMxSVkPilw9WxoducZn/r9ibEx170tyfiRuKT
+rl90AifF9M/Ygwx0PAwV1sWKz9GXbR6PsAG1rcq5eh1ifXLSf5ctHYvtptOqioi2
+BCYByIc09RpyAML+U9Ak7KsNlT2EKwu3YhRUkwLNJ3casILTzCBGh7npDke3gTZe
+d1ax5h+pW1DeDxkoKJT5AwgGTErsbwIDAQABAoICAAFv4m19pLQWImSUdXUy2gYb
+cdYWMNUjsnbzG92UHmvM83Gojvr2HHWp+hFVRriGLZZDLRx1PjQ6rEF+0+YMBevo
+eHDT7K6+wxSYjq1WtW1h4poJ8UGVzw3bkAnKVIdIYFxP7ogLNBCBHIy8otvLOv/A
++3icI1GcfABmnEyfXE+Q2E8jQ72XhXLHLAnyM0P/mOYTpQw/v6XD1kS2whdrldF2
+o1ec4BHzTC1CURpEwqV6f9EwSMSmgGPYW0ukUgvVAA6E7xyn67glVIoqPxP3hJxu
+8TOLUWW8zwFwgCCm6knzFySwZDVUuvreJRR191UoPVuO2SgaqF2dwKk6/WxfIlGB
+hFwdncuCU0uUyAzwUHvliDZwVPQqiPLmqXXJwZ69F530FeTs8/hTSF5Q00iAjNhe
+XQo8IB04SSvT7LBz59X8cs42HyTo4afzmhK+Nu8K/CFq8DLOZ+E1mbxXDOC3VVTp
+h1EiwukFtzJqG5QHBcM9M5YS+q3iL8av67Nv3opNm/PnXZGXzqmV4s+Qp07mIHbU
+ljaBqes4cxE6YEKdKSNJrzcODTSEOhNaBW7dMHTfk/3mpi8224CAtEIreeg/TkeA
+2KYPfO2DwxXdvIwSoj0R3BCnGU9eQ+9v/g9YU7ItrKe1B9Ee0163T8/mnqeg/Pzq
+8SCHP7bMYoX1iIfn971xAoIBAQDea6bV9nT5uRG/mE+aKwJELwdO1BA7psdHruxP
+cInGr7jkx5KmJWx/Sw8EwQf4uu8Dr61p/PP6KI6hK5mBRa9JVyWUmHShQCoH9LhO
+Nf2Lm0ENjVUfGNobG38lnhKwO6BsJKrqO76Inksxk7HmhfzziAlUmL1ytXEoK6Bn
+3pGdsQg13b9gX+z5vUpiD8r9GE5Fnzp8MkPlMhjqk/VjwUsJpinH8LcPwhC2fS9g
+ZsgXvkz1TyGaYTu9/+Ak0Lg2j1Nd4V4Jb2GAosSCEKFBrkeSU15K+f+8KHtQm1UA
+0jhLVAjTNLuSwxzPuUJDhax+y/DZQFbODmdBkQYqAXZC/JJ5AoIBAQDblApLh7sT
+r8mn7EqLDSFrT9PJ+lBxj/mtmgtAQ428A5ua0Uslbx4cbwJsrKez5evHcXgf/V8s
+Ai1m6rKraA9iLhQWJMpFAh8FoFyH+JE7Yz7AwzV6YtakXteYk5R3JX4RdYCLRxzC
+JAcnY1FCIdkG8VpVOJFEVpgZCE0dPNWDts9q4riDw5shueGwdeuwhK+pzxP6iCRk
+4GDGxsOHgPDd7/oULsboDhBBOyNoEr/i/Z5P8zssZlGm+cagM2DLmh6LN5IUi53Z
+m4GGN/54CyfNi1AER+Vk9L93s9cd82nfyD2FwAsYvFQpAQ/g5zDNgslPvXyDz8j5
+sKBdsqwgTnwnAoIBAAy1uB3n7H1Mrw/0wy+7H3EIAvHlOlw+Ror5GvXbJ3RcHEOu
+h9nIr6+CeYQ7B5qWDAx44H76/nIgGS5qkGYLtl2JhlM8dwWz5fL4cAPAIBH3ODtv
+BRs2z1fXNWfP5Z9+eMdVPRMPgO7LpN5bY0IaC/9ambXk2IaSibnS7GKjHE0XjbGO
+T15RfPg0ceiyoFXgKrDdzXjFYo3ZVAUrmU0vAXu2rBKJ1dwnqc7Tzn5CwVJiBIHM
+GM56mfBci9Fuv+gWPpxRwY7md3rjUjlge+aF7/8TloLQUGXPJmTPy4a1fJQJZEu1
+araTQbU5D+lN3TKNsuCnRY6W0h20DNcfqENhrXkCggEAWH7Qq2I3vpZxcpEj9ejD
+2Eki9VtCApLhMNtNv4e6XtUhaIMDg0HGY/VFh+EJ8dIvdYFAxbvLGKSEAd+DRNu6
+n3ostEP9lVRmhlD8GfzPI507FFtYeUvOcA6dW6vXATIGHik6Nmfhqkj07SX1AO89
+VbP+ESysN1ujDyuuUKNM9jm+XLilXs19/1i4IfNUmx7O4WRJDAbEjDd2KYbAFSOd
+cAUgx/OWTL4mRPP9sBsmZOiMXnKMHbfbHq26JKSwVT53IuqxoEAozSQETsDQeTcd
+wpRsGl2TkV2msSq0/yg0OnGsgfRFRKHaVXBNIvpqS9lzIwUeYs1ilWdfKoQxJRAc
+rwKCAQBzgVxVqa5tOFnw8QmfUYMe7DHCU4r3RS1ONwmGoXI1RLzz3I8SRGIbNpV1
+yIs4gFWWwIuXn4zLo0+YdLpOjkFh5Kak0Erkh7B5/Zm59fdGMwujA2viQGYjRrzO
+kTSCXPgrGwK9BljYfelS9qWui9vDuRhAWQZOOCCyPtxEcOvr9qf9KhOc0xEENtUj
+z/MBH786rprBEAXnOAFFJbmftLXYy9RhAau2SMDX0g9udHDMQNOBoWO7dh/5A5va
+LLkpVgvoYkcSScDaJIKsodPLcLjqXXd51XNWpC9cOZBZQS8EuN1VfGrjODY9mR8b
+jComH1P0FzyPVmLSboWmjDbs0SFe
+-----END PRIVATE KEY-----

infrastructure/tls/redis/redis.csr

@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIE1jCCAr4CAQAwgZAxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh
+MRUwEwYDVQQHDAxTYW5GcmFuY2lzY28xETAPBgNVBAoMCEJha2VyeUlBMQ4wDAYD
+VQQLDAVDYWNoZTEyMDAGA1UEAwwpcmVkaXMtc2VydmljZS5iYWtlcnktaWEuc3Zj
+LmNsdXN0ZXIubG9jYWwwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC+
+xrbnUYQYSeKjni7W2QzFIEt3zagv+6VpvVrCoMGOoF1QCKDaXWNGlCvksblfBLmH
+vf1j6/I+VlV6bO5NvqTefw6ssyu7889Eb6JCDurJMZn5trBp/ppcR4IrwDVieor8
+3goDUdEtYSxYbQkJ5iMU5+qzONUsqu1FofvMqIAMWoMEGbFGqT8/agnp/5daKOng
+0m46JaEFyFuNwX98zq/R6UFL/yTmm6LyQS50x5rUhArmpIljA3pjm0w6kmuYe7UT
+s2gFB6CeMGjVtlEB3WH79yrynRiTCNr27aAk1yzfWp/zUCbr6rohbQuMupPbIflT
+mKgqFKQCezemoA7hWQh2ffK1yR34zQFwyrgkGdtsz+BU5avkTP4cMn2TasBGjRVc
+/KqA5GraxZJy3JBtYk60s1B5SYK26/HAOtRKECJd2FrfObPtf1tvj5VCnrNFnfG+
+amCoTGY6w2zTQuM6XSmWNR8YUAZ1+iYgjNFmWBULMxSVkPilw9WxoducZn/r9ibE
+x170tyfiRuKTrl90AifF9M/Ygwx0PAwV1sWKz9GXbR6PsAG1rcq5eh1ifXLSf5ct
+HYvtptOqioi2BCYByIc09RpyAML+U9Ak7KsNlT2EKwu3YhRUkwLNJ3casILTzCBG
+h7npDke3gTZed1ax5h+pW1DeDxkoKJT5AwgGTErsbwIDAQABoAAwDQYJKoZIhvcN
+AQELBQADggIBABkUVJDRfMxYDqzkZGNjytWblvZXFQK8aZDN4aR9YqYQfBwliH3d
+ZcEFqI5HVjbypeLMfF6hs/5njOJ31hhH1gK4f3qNsKH2cjf0xSzRDeSCDGF/Fx5E
+uuwdMTAm8NnsXv15AA5ceqJmQ//E8Whu9R+ar3qfOdzw75US5IMamoRRJMlFjyHZ
+BwZHzOwctYhXq+A26HGLhQoWUs7ogdlxBqJq1Bpkls9o2RwJwQ6o1Pe5ytuK99U9
+vbQ75oBinJ+vX2hUR1dn9ym0CS+7HUhZ8jcF5VKMEZXcBw/RDvAsAG9GLjTnjdDf
+LMK1Eqi91rCeWK7RYd7ABolxr5Av9iGCYCSYC6EpwcbGKJc8laJouKEnG9jkzr27
+NB3c+yHagGJplBcxXuednVibBzNSHQNYoVJlDOv7LtFQy8yYCPptXqUaz/U9oB2i
+fdGMkwPNOQV58c1SzRis2kpHVZvD6fxxFWX9BLA1rD6Pk/a7gaU64WOPdlWZqYeV
+l5JZ1Dpd+W0hYfueGIWyyq5dF85XDW/gtyz8Tb8qktxhiNNdoTJaIC17cjB3qAd2
+w6X1RhUKIEO2hpQNhpYtWUvtxeOMzSYd2JykxuvWbcdZYPL1dlhIyWa5yyDph0cH
+/99xxUWKZ5vP5vkxzsyLbtddBuFGURmgE3JasGbq3ic6X00lSmrglnMy
+-----END CERTIFICATE REQUEST-----

infrastructure/tls/redis/san.cnf

@@ -0,0 +1,24 @@
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+C = US
+ST = California
+L = SanFrancisco
+O = BakeryIA
+OU = Cache
+CN = redis-service.bakery-ia.svc.cluster.local
+
+[v3_req]
+keyUsage = keyEncipherment, dataEncipherment
+extendedKeyUsage = serverAuth, clientAuth
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = redis-service.bakery-ia.svc.cluster.local
+DNS.2 = redis-service.bakery-ia
+DNS.3 = redis-service
+DNS.4 = localhost
+IP.1 = 127.0.0.1