bakery-admin/bakery-ia
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add new infra architecture

Browse Source
This commit is contained in:
Urtzi Alfaro
2026-01-19 11:55:17 +01:00
parent 21d35ea92b
commit 35f164f0cd
311 changed files with 13241 additions and 3700 deletions
Download Patch File Download Diff File Expand all files Collapse all files

491
infrastructure/environments/common/configs/configmap.yaml Normal file
View File

@@ -0,0 +1,491 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: bakery-config
namespace: bakery-ia
labels:
app.kubernetes.io/name: bakery-ia
app.kubernetes.io/component: config
data:
# ENVIRONMENT & BUILD SETTINGS
# ================================================================
ENVIRONMENT: "development"
DEBUG: "false"
LOG_LEVEL: "INFO"
# Observability Settings - SigNoz enabled
# Note: Detailed OTEL configuration is in the OBSERVABILITY section below
ENABLE_TRACING: "true"
ENABLE_METRICS: "true"
ENABLE_LOGS: "true"
ENABLE_OTEL_METRICS: "true"
ENABLE_SYSTEM_METRICS: "true"
OTEL_LOGS_EXPORTER: "otlp"
# Database initialization settings
# IMPORTANT: Services NEVER run migrations - they only verify DB is ready
# Migrations are handled by dedicated migration jobs
# DB_FORCE_RECREATE only affects migration jobs, not services
DB_FORCE_RECREATE: "false"
BUILD_DATE: "2024-01-20T10:00:00Z"
VCS_REF: "latest"
IMAGE_TAG: "latest"
DOMAIN: "bakewise.ai"
AUTO_RELOAD: "false"
PROFILING_ENABLED: "false"
MOCK_EXTERNAL_APIS: "false"
TESTING: "false"
# ================================================================
# SERVICE DISCOVERY (KUBERNETES INTERNAL)
# ================================================================
REDIS_HOST: "redis-service"
REDIS_PORT: "6379"
RABBITMQ_HOST: "rabbitmq-service"
RABBITMQ_PORT: "5672"
RABBITMQ_MANAGEMENT_PORT: "15672"
RABBITMQ_VHOST: "/"
# Database Hosts (Kubernetes Services)
AUTH_DB_HOST: "auth-db-service"
TENANT_DB_HOST: "tenant-db-service"
TRAINING_DB_HOST: "training-db-service"
FORECASTING_DB_HOST: "forecasting-db-service"
SALES_DB_HOST: "sales-db-service"
EXTERNAL_DB_HOST: "external-db-service"
NOTIFICATION_DB_HOST: "notification-db-service"
INVENTORY_DB_HOST: "inventory-db-service"
RECIPES_DB_HOST: "recipes-db-service"
SUPPLIERS_DB_HOST: "suppliers-db-service"
POS_DB_HOST: "pos-db-service"
ORDERS_DB_HOST: "orders-db-service"
PRODUCTION_DB_HOST: "production-db-service"
PROCUREMENT_DB_HOST: "procurement-db-service"
ORCHESTRATOR_DB_HOST: "orchestrator-db-service"
ALERT_PROCESSOR_DB_HOST: "alert-processor-db-service"
AI_INSIGHTS_DB_HOST: "ai-insights-db-service"
DISTRIBUTION_DB_HOST: "distribution-db-service"
DEMO_SESSION_DB_HOST: "demo-session-db-service"
# MinIO Configuration
MINIO_ENDPOINT: "minio.bakery-ia.svc.cluster.local:9000"
MINIO_USE_SSL: "true"
MINIO_MODEL_BUCKET: "training-models"
MINIO_CONSOLE_PORT: "9001"
MINIO_API_PORT: "9000"
MINIO_REGION: "us-east-1"
MINIO_MODEL_LIFECYCLE_DAYS: "90"
MINIO_CACHE_TTL_SECONDS: "3600"
# Database Configuration
DB_PORT: "5432"
AUTH_DB_NAME: "auth_db"
TENANT_DB_NAME: "tenant_db"
TRAINING_DB_NAME: "training_db"
FORECASTING_DB_NAME: "forecasting_db"
SALES_DB_NAME: "sales_db"
EXTERNAL_DB_NAME: "external_db"
NOTIFICATION_DB_NAME: "notification_db"
INVENTORY_DB_NAME: "inventory_db"
RECIPES_DB_NAME: "recipes_db"
SUPPLIERS_DB_NAME: "suppliers_db"
POS_DB_NAME: "pos_db"
ORDERS_DB_NAME: "orders_db"
PRODUCTION_DB_NAME: "production_db"
PROCUREMENT_DB_NAME: "procurement_db"
ORCHESTRATOR_DB_NAME: "orchestrator_db"
ALERT_PROCESSOR_DB_NAME: "alert_processor_db"
AI_INSIGHTS_DB_NAME: "ai_insights_db"
DISTRIBUTION_DB_NAME: "distribution_db"
POSTGRES_INITDB_ARGS: "--encoding=UTF-8 --lc-collate=C --lc-ctype=C"
# ================================================================
# SERVICE URLS (KUBERNETES INTERNAL)
# ================================================================
GATEWAY_URL: "http://gateway-service:8000"
AUTH_SERVICE_URL: "http://auth-service:8000"
TENANT_SERVICE_URL: "http://tenant-service:8000"
TRAINING_SERVICE_URL: "http://training-service:8000"
FORECASTING_SERVICE_URL: "http://forecasting-service:8000"
SALES_SERVICE_URL: "http://sales-service:8000"
EXTERNAL_SERVICE_URL: "http://external-service:8000"
NOTIFICATION_SERVICE_URL: "http://notification-service:8000"
INVENTORY_SERVICE_URL: "http://inventory-service:8000"
RECIPES_SERVICE_URL: "http://recipes-service:8000"
SUPPLIERS_SERVICE_URL: "http://suppliers-service:8000"
POS_SERVICE_URL: "http://pos-service:8000"
ORDERS_SERVICE_URL: "http://orders-service:8000"
PRODUCTION_SERVICE_URL: "http://production-service:8000"
ALERT_PROCESSOR_SERVICE_URL: "http://alert-processor:8000"
ORCHESTRATOR_SERVICE_URL: "http://orchestrator-service:8000"
AI_INSIGHTS_SERVICE_URL: "http://ai-insights-service:8000"
DISTRIBUTION_SERVICE_URL: "http://distribution-service:8000"
# ================================================================
# AUTHENTICATION & SECURITY SETTINGS
# ================================================================
JWT_ALGORITHM: "HS256"
JWT_ACCESS_TOKEN_EXPIRE_MINUTES: "240"
JWT_REFRESH_TOKEN_EXPIRE_DAYS: "7"
ENABLE_SERVICE_AUTH: "false"
PASSWORD_MIN_LENGTH: "8"
PASSWORD_REQUIRE_UPPERCASE: "true"
PASSWORD_REQUIRE_LOWERCASE: "true"
PASSWORD_REQUIRE_NUMBERS: "true"
PASSWORD_REQUIRE_SYMBOLS: "false"
BCRYPT_ROUNDS: "12"
MAX_LOGIN_ATTEMPTS: "5"
LOCKOUT_DURATION_MINUTES: "30"
# ================================================================
# CORS & API CONFIGURATION
# ================================================================
CORS_ORIGINS: "https://bakery.yourdomain.com,http://frontend-service:3000"
CORS_ALLOW_CREDENTIALS: "true"
RATE_LIMIT_ENABLED: "true"
RATE_LIMIT_REQUESTS: "100"
RATE_LIMIT_WINDOW: "60"
RATE_LIMIT_BURST: "10"
API_DOCS_ENABLED: "true"
# ================================================================
# HTTP CLIENT SETTINGS
# ================================================================
HTTP_TIMEOUT: "30000"
HTTP_RETRIES: "3"
HTTP_RETRY_DELAY: "1.0"
# ================================================================
# EXTERNAL API CONFIGURATION
# ================================================================
AEMET_BASE_URL: "https://opendata.aemet.es/opendata"
AEMET_TIMEOUT: "90"
AEMET_RETRY_ATTEMPTS: "5"
MADRID_OPENDATA_BASE_URL: "https://datos.madrid.es"
MADRID_OPENDATA_TIMEOUT: "30"
# ================================================================
# PAYMENT CONFIGURATION
# ================================================================
STRIPE_PUBLISHABLE_KEY: "pk_live_your_stripe_publishable_key_here"
SQUARE_APPLICATION_ID: "your-square-application-id"
SQUARE_ENVIRONMENT: "production"
TOAST_ENVIRONMENT: "production"
LIGHTSPEED_ENVIRONMENT: "production"
# ================================================================
# EMAIL CONFIGURATION
# ================================================================
SMTP_HOST: "email-smtp.bakery-ia.svc.cluster.local"
SMTP_PORT: "587"
SMTP_TLS: "true"
SMTP_SSL: "false"
DEFAULT_FROM_EMAIL: "noreply@bakewise.ai"
DEFAULT_FROM_NAME: "Bakery-Forecast"
EMAIL_FROM_ADDRESS: "alerts@bakewise.ai"
EMAIL_FROM_NAME: "Bakery Alert System"
# ================================================================
# WHATSAPP CONFIGURATION
# ================================================================
WHATSAPP_BASE_URL: "https://api.twilio.com"
WHATSAPP_FROM_NUMBER: "whatsapp:+14155238886"
# ================================================================
# ALERT SYSTEM CONFIGURATION
# ================================================================
ALERT_PROCESSOR_INSTANCES: "2"
ALERT_PROCESSOR_MAX_MEMORY: "512M"
ALERT_BATCH_SIZE: "10"
ALERT_PROCESSING_TIMEOUT: "30"
EMAIL_ENABLED: "true"
WHATSAPP_ENABLED: "true"
SSE_ENABLED: "true"
PUSH_NOTIFICATIONS_ENABLED: "false"
ALERT_DEDUPLICATION_WINDOW_MINUTES: "15"
RECOMMENDATION_DEDUPLICATION_WINDOW_MINUTES: "60"
# Alert Enrichment Configuration (Unified Alert Service)
# Priority scoring weights (must sum to 1.0)
BUSINESS_IMPACT_WEIGHT: "0.4"
URGENCY_WEIGHT: "0.3"
USER_AGENCY_WEIGHT: "0.2"
CONFIDENCE_WEIGHT: "0.1"
# Priority thresholds (0-100 scale)
CRITICAL_THRESHOLD: "90"
IMPORTANT_THRESHOLD: "70"
STANDARD_THRESHOLD: "50"
# Timing intelligence
BUSINESS_HOURS_START: "6"
BUSINESS_HOURS_END: "22"
PEAK_HOURS_START: "7"
PEAK_HOURS_END: "11"
PEAK_HOURS_EVENING_START: "17"
PEAK_HOURS_EVENING_END: "19"
# Alert grouping
GROUPING_TIME_WINDOW_MINUTES: "15"
MAX_ALERTS_PER_GROUP: "5"
# Email digest
DIGEST_SEND_TIME: "18:00"
# ================================================================
# CHECK FREQUENCIES (CRON EXPRESSIONS)
# ================================================================
STOCK_CHECK_FREQUENCY: "*/5"
EXPIRY_CHECK_FREQUENCY: "*/2"
TEMPERATURE_CHECK_FREQUENCY: "*/2"
PRODUCTION_DELAY_CHECK_FREQUENCY: "*/5"
CAPACITY_CHECK_FREQUENCY: "*/10"
INVENTORY_OPTIMIZATION_FREQUENCY: "*/30"
EFFICIENCY_RECOMMENDATIONS_FREQUENCY: "*/30"
ENERGY_RECOMMENDATIONS_FREQUENCY: "0"
WASTE_REDUCTION_FREQUENCY: "0"
# ================================================================
# MODEL STORAGE & TRAINING
# ================================================================
# Model storage is handled by MinIO (see MinIO Configuration section)
MODEL_STORAGE_BACKEND: "minio"
MODEL_BACKUP_ENABLED: "true"
MODEL_VERSIONING_ENABLED: "true"
MAX_TRAINING_TIME_MINUTES: "30"
MAX_CONCURRENT_TRAINING_JOBS: "3"
MIN_TRAINING_DATA_DAYS: "30"
TRAINING_BATCH_SIZE: "1000"
# ================================================================
# OPTIMIZATION SETTINGS
# ================================================================
ENABLE_HYPERPARAMETER_OPTIMIZATION: "true"
ENABLE_PRODUCT_SPECIFIC_PARAMS: "true"
ENABLE_DYNAMIC_PARAM_SELECTION: "true"
OPTUNA_N_TRIALS: "50"
OPTUNA_CV_FOLDS: "3"
OPTUNA_TIMEOUT_MINUTES: "10"
HIGH_VOLUME_THRESHOLD: "1.0"
INTERMITTENT_THRESHOLD: "0.6"
# ================================================================
# PROPHET PARAMETERS
# ================================================================
PROPHET_SEASONALITY_MODE: "additive"
PROPHET_CHANGEPOINT_PRIOR_SCALE: "0.05"
PROPHET_SEASONALITY_PRIOR_SCALE: "10.0"
PROPHET_HOLIDAYS_PRIOR_SCALE: "10.0"
PROPHET_DAILY_SEASONALITY: "true"
PROPHET_WEEKLY_SEASONALITY: "true"
PROPHET_YEARLY_SEASONALITY: "true"
# ================================================================
# BUSINESS CONFIGURATION
# ================================================================
SERVICE_VERSION: "1.0.0"
TIMEZONE: "Europe/Madrid"
LOCALE: "es_ES.UTF-8"
CURRENCY: "EUR"
BUSINESS_HOUR_START: "7"
BUSINESS_HOUR_END: "20"
ENABLE_SPANISH_HOLIDAYS: "true"
ENABLE_MADRID_HOLIDAYS: "true"
SCHOOL_CALENDAR_ENABLED: "true"
WEATHER_IMPACT_ENABLED: "true"
# ================================================================
# MONITORING & LOGGING
# ================================================================
LOG_FORMAT: "json"
LOG_FILE_ENABLED: "false"
LOG_FILE_PATH: "/app/logs"
LOG_ROTATION_SIZE: "100MB"
LOG_RETENTION_DAYS: "30"
HEALTH_CHECK_TIMEOUT: "30"
HEALTH_CHECK_INTERVAL: "30"
# Monitoring Configuration - SigNoz
SIGNOZ_ROOT_URL: "https://monitoring.bakery-ia.local"
# ================================================================
# DATA COLLECTION SETTINGS
# ================================================================
WEATHER_COLLECTION_INTERVAL_HOURS: "1"
TRAFFIC_COLLECTION_INTERVAL_HOURS: "1"
EVENTS_COLLECTION_INTERVAL_HOURS: "6"
DATA_VALIDATION_ENABLED: "true"
OUTLIER_DETECTION_ENABLED: "true"
DATA_COMPLETENESS_THRESHOLD: "0.8"
DEFAULT_LATITUDE: "40.4168"
DEFAULT_LONGITUDE: "-3.7038"
LOCATION_RADIUS_KM: "50.0"
# ================================================================
# NOTIFICATION SETTINGS
# ================================================================
ENABLE_EMAIL_NOTIFICATIONS: "true"
ENABLE_WHATSAPP_NOTIFICATIONS: "true"
ENABLE_PUSH_NOTIFICATIONS: "false"
MAX_RETRY_ATTEMPTS: "3"
RETRY_DELAY_SECONDS: "60"
NOTIFICATION_BATCH_SIZE: "100"
EMAIL_RATE_LIMIT_PER_HOUR: "1000"
WHATSAPP_RATE_LIMIT_PER_HOUR: "100"
DEFAULT_LANGUAGE: "es"
DATE_FORMAT: "%d/%m/%Y"
TIME_FORMAT: "%H:%M"
EMAIL_TEMPLATES_PATH: "/app/templates/email"
WHATSAPP_TEMPLATES_PATH: "/app/templates/whatsapp"
IMMEDIATE_DELIVERY: "true"
SCHEDULED_DELIVERY_ENABLED: "true"
DELIVERY_TRACKING_ENABLED: "true"
OPEN_TRACKING_ENABLED: "true"
CLICK_TRACKING_ENABLED: "true"
# ================================================================
# FORECASTING SETTINGS
# ================================================================
MAX_FORECAST_DAYS: "30"
MIN_HISTORICAL_DAYS: "60"
PREDICTION_CONFIDENCE_THRESHOLD: "0.8"
PREDICTION_CACHE_TTL_HOURS: "6"
FORECAST_BATCH_SIZE: "100"
# ================================================================
# BUSINESS RULES
# ================================================================
WEEKEND_ADJUSTMENT_FACTOR: "0.8"
HOLIDAY_ADJUSTMENT_FACTOR: "0.5"
TEMPERATURE_THRESHOLD_COLD: "10.0"
TEMPERATURE_THRESHOLD_HOT: "30.0"
RAIN_IMPACT_FACTOR: "0.7"
HIGH_DEMAND_THRESHOLD: "1.5"
LOW_DEMAND_THRESHOLD: "0.5"
STOCKOUT_RISK_THRESHOLD: "0.9"
# ================================================================
# CACHE SETTINGS
# ================================================================
REDIS_TLS_ENABLED: "true"
REDIS_MAX_MEMORY: "512mb"
REDIS_MAX_CONNECTIONS: "50"
REDIS_DB: "1"
WEATHER_CACHE_TTL_HOURS: "1"
TRAFFIC_CACHE_TTL_HOURS: "1"
# ================================================================
# FRONTEND CONFIGURATION
# ================================================================
VITE_APP_TITLE: "PanIA Dashboard"
VITE_APP_VERSION: "1.0.0"
VITE_API_URL: "/api"
VITE_ENVIRONMENT: "production"
# Pilot Program Configuration
VITE_PILOT_MODE_ENABLED: "true"
VITE_PILOT_COUPON_CODE: "PILOT2025"
VITE_PILOT_TRIAL_MONTHS: "3"
VITE_STRIPE_PUBLISHABLE_KEY: "pk_test_51QuxKyIzCdnBmAVTGM8fvXYkItrBUILz6lHYwhAva6ZAH1HRi0e8zDRgZ4X3faN0zEABp5RHjCVBmMJL3aKXbaC200fFrSNnPl"
# ================================================================
# LOCATION SETTINGS (Nominatim Geocoding)
# ================================================================
NOMINATIM_SERVICE_URL: "http://nominatim-service:8080"
NOMINATIM_PBF_URL: "http://download.geofabrik.de/europe/spain-latest.osm.pbf"
NOMINATIM_MEMORY_LIMIT: "8G"
NOMINATIM_CPU_LIMIT: "4"
# ================================================================
# OBSERVABILITY - SigNoz (Unified Monitoring)
# ================================================================
# OpenTelemetry Configuration - Direct to SigNoz OTel Collector
#
# ENDPOINT CONFIGURATION:
# - OTEL_EXPORTER_OTLP_ENDPOINT: Base gRPC endpoint (host:port format, NO http:// prefix)
# Used by traces and metrics (gRPC) by default
# Format: "host:4317" (gRPC port)
#
# PROTOCOL USAGE:
# - Traces: gRPC (port 4317) - High performance, low latency
# - Metrics: gRPC (port 4317) - Efficient batch export
# - Logs: HTTP (port 4318) - Required for OTLP log protocol
#
# The monitoring library automatically handles:
# - Converting gRPC endpoint (4317) to HTTP endpoint (4318) for logs
# - Adding proper paths (/v1/traces, /v1/metrics, /v1/logs)
# - Protocol prefixes (http:// for HTTP, none for gRPC)
#
# Base OTLP endpoint (gRPC format - used by traces and metrics)
OTEL_EXPORTER_OTLP_ENDPOINT: "signoz-otel-collector.bakery-ia.svc.cluster.local:4317"
# Protocol configuration (gRPC is recommended for better performance)
OTEL_EXPORTER_OTLP_PROTOCOL: "grpc"
# Optional: Signal-specific endpoint overrides (if different from base)
# OTEL_EXPORTER_OTLP_TRACES_ENDPOINT: "signoz-otel-collector.bakery-ia.svc.cluster.local:4317"
# OTEL_EXPORTER_OTLP_METRICS_ENDPOINT: "signoz-otel-collector.bakery-ia.svc.cluster.local:4317"
# OTEL_EXPORTER_OTLP_LOGS_ENDPOINT: "http://signoz-otel-collector.bakery-ia.svc.cluster.local:4318"
# Gateway telemetry proxy configuration
SIGNOZ_OTEL_COLLECTOR_URL: "http://signoz-otel-collector.bakery-ia.svc.cluster.local:4318"
# Optional: Protocol overrides per signal
# OTEL_EXPORTER_OTLP_TRACES_PROTOCOL: "grpc"
# OTEL_EXPORTER_OTLP_METRICS_PROTOCOL: "grpc"
# Note: Logs always use HTTP protocol regardless of this setting
# Resource attributes (added to all telemetry signals)
OTEL_SERVICE_NAME: "bakery-ia"
OTEL_RESOURCE_ATTRIBUTES: "deployment.environment=development"
# SigNoz service endpoints (for UI and API access)
SIGNOZ_ENDPOINT: "http://signoz.bakery-ia.svc.cluster.local:8080"
SIGNOZ_FRONTEND_URL: "https://monitoring.bakery-ia.local"
# ================================================================
# DISTRIBUTION & ROUTING OPTIMIZATION SETTINGS
# ================================================================
VRP_TIME_LIMIT_SECONDS: "30"
VRP_DEFAULT_VEHICLE_CAPACITY_KG: "1000"
VRP_AVERAGE_SPEED_KMH: "30"
# ================================================================
# REPLENISHMENT PLANNING SETTINGS
# ================================================================
REPLENISHMENT_PROJECTION_HORIZON_DAYS: "7"
REPLENISHMENT_SERVICE_LEVEL: "0.95"
REPLENISHMENT_BUFFER_DAYS: "1"
# Safety Stock
SAFETY_STOCK_SERVICE_LEVEL: "0.95"
SAFETY_STOCK_METHOD: "statistical"
# MOQ
MOQ_CONSOLIDATION_WINDOW_DAYS: "7"
MOQ_ALLOW_EARLY_ORDERING: "true"
# Supplier Selection
SUPPLIER_PRICE_WEIGHT: "0.40"
SUPPLIER_LEAD_TIME_WEIGHT: "0.20"
SUPPLIER_QUALITY_WEIGHT: "0.20"
SUPPLIER_RELIABILITY_WEIGHT: "0.20"
SUPPLIER_DIVERSIFICATION_THRESHOLD: "1000"
SUPPLIER_MAX_SINGLE_PERCENTAGE: "0.70"
# Circuit Breakers
CIRCUIT_BREAKER_FAILURE_THRESHOLD: "5"
CIRCUIT_BREAKER_TIMEOUT_DURATION: "60"
CIRCUIT_BREAKER_SUCCESS_THRESHOLD: "2"
# Saga
SAGA_TIMEOUT_SECONDS: "600"
SAGA_ENABLE_COMPENSATION: "true"
# ================================================================
# EXTERNAL DATA SERVICE V2 SETTINGS
# ================================================================
EXTERNAL_ENABLED_CITIES: "madrid"
EXTERNAL_RETENTION_MONTHS: "6" # Reduced from 24 to avoid memory issues during init
EXTERNAL_CACHE_TTL_DAYS: "7"
EXTERNAL_REDIS_URL: "rediss://redis-service:6379/0?ssl_cert_reqs=none"

6
infrastructure/environments/common/configs/kustomization.yaml Normal file
View File

@@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- configmap.yaml
- secrets.yaml

220
infrastructure/environments/common/configs/secrets.yaml Normal file
View File

@@ -0,0 +1,220 @@
apiVersion: v1
kind: Secret
metadata:
name: database-secrets
namespace: bakery-ia
labels:
app.kubernetes.io/name: bakery-ia
app.kubernetes.io/component: database
type: Opaque
data:
# Database Users (base64 encoded from .env)
AUTH_DB_USER: YXV0aF91c2Vy # auth_user
TENANT_DB_USER: dGVuYW50X3VzZXI= # tenant_user
TRAINING_DB_USER: dHJhaW5pbmdfdXNlcg== # training_user
FORECASTING_DB_USER: Zm9yZWNhc3RpbmdfdXNlcg== # forecasting_user
SALES_DB_USER: c2FsZXNfdXNlcg== # sales_user
EXTERNAL_DB_USER: ZXh0ZXJuYWxfdXNlcg== # external_user
NOTIFICATION_DB_USER: bm90aWZpY2F0aW9uX3VzZXI= # notification_user
INVENTORY_DB_USER: aW52ZW50b3J5X3VzZXI= # inventory_user
RECIPES_DB_USER: cmVjaXBlc191c2Vy # recipes_user
SUPPLIERS_DB_USER: c3VwcGxpZXJzX3VzZXI= # suppliers_user
POS_DB_USER: cG9zX3VzZXI= # pos_user
ORDERS_DB_USER: b3JkZXJzX3VzZXI= # orders_user
PRODUCTION_DB_USER: cHJvZHVjdGlvbl91c2Vy # production_user
ALERT_PROCESSOR_DB_USER: YWxlcnRfcHJvY2Vzc29yX3VzZXI= # alert_processor_user
DEMO_SESSION_DB_USER: ZGVtb19zZXNzaW9uX3VzZXI= # demo_session_user
ORCHESTRATOR_DB_USER: b3JjaGVzdHJhdG9yX3VzZXI= # orchestrator_user
PROCUREMENT_DB_USER: cHJvY3VyZW1lbnRfdXNlcg== # procurement_user
AI_INSIGHTS_DB_USER: YWlfaW5zaWdodHNfdXNlcg== # ai_insights_user
DISTRIBUTION_DB_USER: ZGlzdHJpYnV0aW9uX3VzZXI= # distribution_user
# Database Passwords (base64 encoded - URL-SAFE PRODUCTION PASSWORDS)
AUTH_DB_PASSWORD: RThLejQ3WW1WekRsSEdzMU05d0FiSnp4Y0tuR09OQ1Q= # E8Kz47YmVzDlHGs1M9wAbJzxcKnGONCT
TENANT_DB_PASSWORD: VW5tV0VBNlJkaWZncGdoV2N4Zkh2ME1veVVnbUY0ekg= # UnmWEA6RdifgpghWcxfHv0MoyUgmF4zH
TRAINING_DB_PASSWORD: WnZhMzNoaVBJc2ZtV3RxUlBWV29taTRYZ2xLTlZPcHY= # Zva33hiPIsfmWtqRPVWomi4XglKNVOpv
FORECASTING_DB_PASSWORD: QU9CN0Z1SkczVFFSWXptdFJXZHZja3JuQzdsSGtJSHQ= # AOB7FuJG3TQRYzmtRWdvckrnC7lHkIHt
SALES_DB_PASSWORD: NlN1R1lETFRiZjdjWGJZb1RETGlGU2ZSZDBmU2FpMXA= # 6SuGYDLTbf7cXbYoTDLiFSfRd0fSai1p
EXTERNAL_DB_PASSWORD: anlOZE1YRWVBdnhLZWxHOElqMVptRjk4c3l2R3JicTc= # jyNdMXEeAvxKelG8Ij1ZmF98syvGrbq7
NOTIFICATION_DB_PASSWORD: NWJ0YzVZWExjUnZBaGE3dzFaNExNNnNoSmRxU21oVGQ= # 5btc5YXLcRvAha7w1Z4LM6shJdqSmhTd
INVENTORY_DB_PASSWORD: NU5hc09uR1M1RTlXbkV0cDNDcFBvUEVpUWxGQXdlWEQ= # 5NasOnGS5E9WnEtp3CpPoPEiQlFAweXD
RECIPES_DB_PASSWORD: QlRvc2IzMDlpc05DeHFmV25WZFhQZ0xMTUI5VmM5RXQ= # BTosb309isNCxqfWnVdXPgLLMB9Vc9Et
SUPPLIERS_DB_PASSWORD: ZjVUQzd1ekVUblI0ZkowWWdPNFRoMDQ1QkN4Mk9CcWs= # f5TC7uzETnR4fJ0YgO4Th045BCx2OBqk
POS_DB_PASSWORD: Q1hIdE5nTTFEYmRiR2VGYTdRWE5lTkttbVAxVWRsc08= # CXHtNgM1DbdbGeFa7QXNeNKmmP1UdlsO
ORDERS_DB_PASSWORD: emU1aVJncVpVTm1DaHNRbjV3MGFDWFBqb3h1MXdNSDk= # ze5iRgqZUNmChsQn5w0aCXPjoxu1wMH9
PRODUCTION_DB_PASSWORD: SVpaUjZ5dzFqUmFPM29iVUtBQWJaODNLMEdmeTNqbWI= # IZZR6yw1jRaO3obUKAAbZ83K0Gfy3jmb
ALERT_PROCESSOR_DB_PASSWORD: WklyWjBNQnFsRHZsTXJtcndndnZ2UUwzNm5yWFFqdDU= # ZIrZ0MBqlDvlMrmrwgvvvQL36nrXQjt5
DEMO_SESSION_DB_PASSWORD: R291ZWlkcWFSNDhJejJFMDdmT0tyd3BSeXBtMjV1cW4= # GoueidqaR48Iz2E07fOKrwpRypm25uqn
ORCHESTRATOR_DB_PASSWORD: cndCZTdZck5GMVRCMkE3N3U5cUVVTGtWdEJlbU1xdm8= # rwBe7YrNF1TB2A77u9qEULkVtBemMqvo
PROCUREMENT_DB_PASSWORD: dUNhRHllZm5aMXhpd21TcDRNMnQ3QzQ1bkJieGltT1g= # uCaDyefnZ1xiwmSp4M2t7C45nBbximOX
AI_INSIGHTS_DB_PASSWORD: ZGp6M2M1T09KYkJOT28yd2VTY0l0dmlra0pyV2l5dUw= # djz3c5OOJbBNOo2weScItvikkJrWiyuL
DISTRIBUTION_DB_PASSWORD: ZGp6M2M1T09KYkJOT28yd2VTY0l0dmlra0pyV2l5dUw= # djz3c5OOJbBNOo2weScItvikkJrWiyuL
# Database URLs (base64 encoded - with strong passwords)
AUTH_DATABASE_URL: cG9zdGdyZXNxbCthc3luY3BnOi8vYXV0aF91c2VyOkU4S3o0N1ltVnpEbEhHczFNOXdBYkp6eGNLbkdPTkNUQGF1dGgtZGItc2VydmljZTo1NDMyL2F1dGhfZGI=
TENANT_DATABASE_URL: cG9zdGdyZXNxbCthc3luY3BnOi8vdGVuYW50X3VzZXI6VW5tV0VBNlJkaWZncGdoV2N4Zkh2ME1veVVnbUY0ekhAdGVuYW50LWRiLXNlcnZpY2U6NTQzMi90ZW5hbnRfZGI=
TRAINING_DATABASE_URL: cG9zdGdyZXNxbCthc3luY3BnOi8vdHJhaW5pbmdfdXNlcjpadmEzM2hpUElzZm1XdHFSUFZXb21pNFhnbEtOVk9wdkB0cmFpbmluZy1kYi1zZXJ2aWNlOjU0MzIvdHJhaW5pbmdfZGI=
FORECASTING_DATABASE_URL: cG9zdGdyZXNxbCthc3luY3BnOi8vZm9yZWNhc3RpbmdfdXNlcjpBT0I3RnVKRzNUUVJZem10UldkdmNrcm5DN2xIa0lIdEBmb3JlY2FzdGluZy1kYi1zZXJ2aWNlOjU0MzIvZm9yZWNhc3RpbmdfZGI=
SALES_DATABASE_URL: cG9zdGdyZXNxbCthc3luY3BnOi8vc2FsZXNfdXNlcjo2U3VHWURMVGJmN2NYYllvVERMaUZTZlJkMGZTYWkxcEBzYWxlcy1kYi1zZXJ2aWNlOjU0MzIvc2FsZXNfZGI=
EXTERNAL_DATABASE_URL: cG9zdGdyZXNxbCthc3luY3BnOi8vZXh0ZXJuYWxfdXNlcjpqeU5kTVhFZUF2eEtlbEc4SWoxWm1GOThzeXZHcmJxN0BleHRlcm5hbC1kYi1zZXJ2aWNlOjU0MzIvZXh0ZXJuYWxfZGI=
NOTIFICATION_DATABASE_URL: cG9zdGdyZXNxbCthc3luY3BnOi8vbm90aWZpY2F0aW9uX3VzZXI6NWJ0YzVZWExjUnZBaGE3dzFaNExNNnNoSmRxU21oVGRAbm90aWZpY2F0aW9uLWRiLXNlcnZpY2U6NTQzMi9ub3RpZmljYXRpb25fZGI=
INVENTORY_DATABASE_URL: cG9zdGdyZXNxbCthc3luY3BnOi8vaW52ZW50b3J5X3VzZXI6NU5hc09uR1M1RTlXbkV0cDNDcFBvUEVpUWxGQXdlWERAaW52ZW50b3J5LWRiLXNlcnZpY2U6NTQzMi9pbnZlbnRvcnlfZGI=
RECIPES_DATABASE_URL: cG9zdGdyZXNxbCthc3luY3BnOi8vcmVjaXBlc191c2VyOkJUb3NiMzA5aXNOQ3hxZlduVmRYUGdMTE1COVZjOUV0QHJlY2lwZXMtZGItc2VydmljZTo1NDMyL3JlY2lwZXNfZGI=
SUPPLIERS_DATABASE_URL: cG9zdGdyZXNxbCthc3luY3BnOi8vc3VwcGxpZXJzX3VzZXI6ZjVUQzd1ekVUblI0ZkowWWdPNFRoMDQ1QkN4Mk9CcWtAc3VwcGxpZXJzLWRiLXNlcnZpY2U6NTQzMi9zdXBwbGllcnNfZGI=
POS_DATABASE_URL: cG9zdGdyZXNxbCthc3luY3BnOi8vcG9zX3VzZXI6Q1hIdE5nTTFEYmRiR2VGYTdRWE5lTkttbVAxVWRsc09AcG9zLWRiLXNlcnZpY2U6NTQzMi9wb3NfZGI=
ORDERS_DATABASE_URL: cG9zdGdyZXNxbCthc3luY3BnOi8vb3JkZXJzX3VzZXI6emU1aVJncVpVTm1DaHNRbjV3MGFDWFBqb3h1MXdNSDlAb3JkZXJzLWRiLXNlcnZpY2U6NTQzMi9vcmRlcnNfZGI=
PRODUCTION_DATABASE_URL: cG9zdGdyZXNxbCthc3luY3BnOi8vcHJvZHVjdGlvbl91c2VyOklaWlI2eXcxalJhTzNvYlVLQUFiWjgzSzBHZnkzam1iQHByb2R1Y3Rpb24tZGItc2VydmljZTo1NDMyL3Byb2R1Y3Rpb25fZGI=
ALERT_PROCESSOR_DATABASE_URL: cG9zdGdyZXNxbCthc3luY3BnOi8vYWxlcnRfcHJvY2Vzc29yX3VzZXI6WklyWjBNQnFsRHZsTXJtcndndnZ2UUwzNm5yWFFqdDVAYWxlcnQtcHJvY2Vzc29yLWRiLXNlcnZpY2U6NTQzMi9hbGVydF9wcm9jZXNzb3JfZGI=
DEMO_SESSION_DATABASE_URL: cG9zdGdyZXNxbCthc3luY3BnOi8vZGVtb19zZXNzaW9uX3VzZXI6R291ZWlkcWFSNDhJejJFMDdmT0tyd3BSeXBtMjV1cW5AZGVtby1zZXNzaW9uLWRiLXNlcnZpY2U6NTQzMi9kZW1vX3Nlc3Npb25fZGI=
ORCHESTRATOR_DATABASE_URL: cG9zdGdyZXNxbCthc3luY3BnOi8vb3JjaGVzdHJhdG9yX3VzZXI6cndCZTdZck5GMVRCMkE3N3U5cUVVTGtWdEJlbU1xdm9Ab3JjaGVzdHJhdG9yLWRiLXNlcnZpY2U6NTQzMi9vcmNoZXN0cmF0b3JfZGI=
PROCUREMENT_DATABASE_URL: cG9zdGdyZXNxbCthc3luY3BnOi8vcHJvY3VyZW1lbnRfdXNlcjp1Q2FEeWVmbloxeGl3bVNwNE0ydDdDNDVuQmJ4aW1PWEBwcm9jdXJlbWVudC1kYi1zZXJ2aWNlOjU0MzIvcHJvY3VyZW1lbnRfZGI=
AI_INSIGHTS_DATABASE_URL: cG9zdGdyZXNxbCthc3luY3BnOi8vYWlfaW5zaWdodHNfdXNlcjpkanozYzVPT0piQk5PbzJ3ZVNjSXR2aWtrSnJXaXl1TEBhaS1pbnNpZ2h0cy1kYi1zZXJ2aWNlOjU0MzIvYWlfaW5zaWdodHNfZGI=
DISTRIBUTION_DATABASE_URL: cG9zdGdyZXNxbCthc3luY3BnOi8vZGlzdHJpYnV0aW9uX3VzZXI6ZGp6M2M1T09KYkJOT28yd2VTY0l0dmlra0pyV2l5dUxAZGlzdHJpYnV0aW9uLWRiLXNlcnZpY2U6NTQzMi9kaXN0cmlidXRpb25fZGI=
# PostgreSQL Monitoring User (for SigNoz metrics collection)
POSTGRES_MONITOR_USER: bW9uaXRvcmluZw== # monitoring
POSTGRES_MONITOR_PASSWORD: bW9uaXRvcmluZ18zNjlmOWMwMDFmMjQyYjA3ZWY5ZTI4MjZlMTcxNjljYQ== # monitoring_369f9c001f242b07ef9e2826e17169ca
# Redis URL (URL-safe password)
REDIS_URL: cmVkaXM6Ly86SjNsa2x4cHU5QzlPTElLdkJteFVIT2h0czFnc0lvM0FAcmVkaXMtc2VydmljZTo2Mzc5LzA= # redis://:J3lklxpu9C9OLIKvBmxUHOhts1gsIo3A@redis-service:6379/0
---
apiVersion: v1
kind: Secret
metadata:
name: redis-secrets
namespace: bakery-ia
labels:
app.kubernetes.io/name: bakery-ia
app.kubernetes.io/component: redis
type: Opaque
data:
REDIS_PASSWORD: SjNsa2x4cHU5QzlPTElLdkJteFVIT2h0czFnc0lvM0E= # J3lklxpu9C9OLIKvBmxUHOhts1gsIo3A
---
apiVersion: v1
kind: Secret
metadata:
name: rabbitmq-secrets
namespace: bakery-ia
labels:
app.kubernetes.io/name: bakery-ia
app.kubernetes.io/component: rabbitmq
type: Opaque
data:
RABBITMQ_USER: YmFrZXJ5 # bakery
RABBITMQ_PASSWORD: VzJYS2tSdUxpT25ZS2RCWVFTQXJvbjFpeWtFU1M1b2I= # W2XKkRuLiOnYKdBYQSAron1iykESS5ob
RABBITMQ_ERLANG_COOKIE: YzU4MzQ2NzBhYjU1OTA1MTUzZTM1Yjg3ZmVhOTZkNWMxNGM4ODExZjIwM2E3YWI3NmE5MWRjMGE5MWQ4ZDBiNA== # c5834670ab55905153e35b87fea96d5c14c8811f203a7ab76a91dc0a91d8d0b4
---
apiVersion: v1
kind: Secret
metadata:
name: jwt-secrets
namespace: bakery-ia
labels:
app.kubernetes.io/name: bakery-ia
app.kubernetes.io/component: auth
type: Opaque
data:
JWT_SECRET_KEY: dXNNSHc5a1FDUW95cmM3d1BtTWkzYkNscjBsVFk5d3Z6Wm1jVGJBRHZMMD0= # usMHw9kQCQoyrc7wPmMi3bClr0lTY9wvzZmcTbADvL0=
JWT_REFRESH_SECRET_KEY: b2ZPRUlUWHBEUXM0a0pGcERTVWt4bDUwSmkxWUJKUmd3T0V5bStGRWNIST0= # ofOEITXpDQs4kJFpDSUkxl50Ji1YBJRgwOEym+FEcHI=
SERVICE_API_KEY: Y2IyNjFiOTM0ZDQ3MDI5YTY0MTE3YzBlNDExMGM5M2Y2NmJiY2Y1ZWFhMTVjODRjNDI3MjdmYWQ3OGY3MTk2Yw== # cb261b934d47029a64117c0e4110c93f66bbcf5eaa15c84c42727fad78f7196c
---
apiVersion: v1
kind: Secret
metadata:
name: external-api-secrets
namespace: bakery-ia
labels:
app.kubernetes.io/name: bakery-ia
app.kubernetes.io/component: external-apis
type: Opaque
data:
AEMET_API_KEY: ZXlKaGJHY2lPaUpJVXpJMU5pSjkuZXlKemRXSWlPaUoxWVd4bVlYSnZRR2R0WVdsc0xtTnZiU0lzSW1wMGFTSTZJakV3TjJObE9XVmlMVGxoTm1ZdE5EQmpZeTA1WWpoaUxUTTFOV05pWkRZNU5EazJOeUlzSW1semN5STZJa0ZGVFVWVUlpd2lhV0YwSWpveE56VTVPREkwT0RNekxDSjFjMlZ5U1dRaU9pSXhNRGRqWlRsbFlpMDVZVFptTFRRd1kyTXRPV0k0WWkwek5UVmpZbVEyT1RRNU5qY2lMQ0p5YjJ4bElqb2lJbjAuamtjX3hCc0pDc204ZmRVVnhESW1mb2x5UE5pazF4MTd6c1UxZEZKR09iWQ==
MADRID_OPENDATA_API_KEY: eW91ci1tYWRyaWQtb3BlbmRhdGEta2V5LWhlcmU= # your-madrid-opendata-key-here
---
apiVersion: v1
kind: Secret
metadata:
name: payment-secrets
namespace: bakery-ia
labels:
app.kubernetes.io/name: bakery-ia
app.kubernetes.io/component: payments
type: Opaque
data:
STRIPE_SECRET_KEY: c2tfdGVzdF81MVF1eEt5SXpDZG5CbUFWVG5QYzhVWThZTW1qdUJjaTk0RzRqc2lzMVQzMFU1anV5ZmxhQkJxYThGb2xEdTBFMlNnOUZFcVNUakFxenUwa0R6eTROUUN3ejAwOGtQUFF6WGM= # sk_test_51QuxKyIzCdnBmAVTnPc8UY8YMmjuBci94G4jsis1T30U5juyflaBBqa8FolDu0E2Sg9FEqSTjAqzu0kDzy4NQCwz008kPPQzXc
STRIPE_WEBHOOK_SECRET: d2hzZWNfOWI1NGM2ZDQ2ZjhlN2E4NWQzZWZmNmI5MWQyMzg3NGQ3N2Q5NjBlZGUyYWQzNTBkOWY3MWY5ZjBmYTlkM2VjNQ== # whsec_9b54c6d46f8e7a85d3eff6b91d23874d77d960ede2ad350d9f71f9f0fa9d3ec5
---
apiVersion: v1
kind: Secret
metadata:
name: email-secrets
namespace: bakery-ia
labels:
app.kubernetes.io/name: bakery-ia
app.kubernetes.io/component: notifications
type: Opaque
data:
# SMTP credentials for internal Mailu server
# These are used by notification-service to send emails via mailu-smtp
SMTP_USER: cG9zdG1hc3RlckBiYWtld2lzZS5haQ== # postmaster@bakewise.ai
SMTP_PASSWORD: VzJYS2tSdUxpT25ZS2RCWVFTQXJvbjFpeWtFU1M1b2I= # W2XKkRuLiOnYKdBYQSAron1iykESS5ob
# Dovecot admin password for IMAP management
DOVEADM_PASSWORD: WnZhMzNoaVBJc2ZtV3RxUlBWV29taTRYZ2xLTlZPcHY= # Zva33hiPIsfmWtqRPVWomi4XglKNVOpv
---
apiVersion: v1
kind: Secret
metadata:
name: monitoring-secrets
namespace: bakery-ia
labels:
app.kubernetes.io/name: bakery-ia
app.kubernetes.io/component: monitoring
type: Opaque
data:
GRAFANA_ADMIN_USER: YWRtaW4= # admin
GRAFANA_ADMIN_PASSWORD: YWRtaW4xMjM= # admin123
GRAFANA_SECRET_KEY: Z3JhZmFuYS1zZWNyZXQta2V5LWNoYW5nZS1pbi1wcm9kdWN0aW9u # grafana-secret-key-change-in-production
PGADMIN_EMAIL: YWRtaW5AYmFrZXJ5LmxvY2Fs # admin@bakery.local
PGADMIN_PASSWORD: YWRtaW4xMjM= # admin123
REDIS_COMMANDER_USER: YWRtaW4= # admin
REDIS_COMMANDER_PASSWORD: YWRtaW4xMjM= # admin123
---
apiVersion: v1
kind: Secret
metadata:
name: pos-integration-secrets
namespace: bakery-ia
labels:
app.kubernetes.io/name: bakery-ia
app.kubernetes.io/component: pos
type: Opaque
data:
SQUARE_ACCESS_TOKEN: eW91ci1zcXVhcmUtYWNjZXNzLXRva2Vu # your-square-access-token
SQUARE_WEBHOOK_SECRET: eW91ci1zcXVhcmUtd2ViaG9vay1zZWNyZXQ= # your-square-webhook-secret
TOAST_API_KEY: eW91ci10b2FzdC1hcGkta2V5 # your-toast-api-key
TOAST_API_SECRET: eW91ci10b2FzdC1hcGktc2VjcmV0 # your-toast-api-secret
TOAST_WEBHOOK_SECRET: eW91ci10b2FzdC13ZWJob29rLXNlY3JldA== # your-toast-webhook-secret
LIGHTSPEED_API_KEY: eW91ci1saWdodHNwZWVkLWFwaS1rZXk= # your-lightspeed-api-key
LIGHTSPEED_API_SECRET: eW91ci1saWdodHNwZWVkLWFwaS1zZWNyZXQ= # your-lightspeed-api-secret
LIGHTSPEED_WEBHOOK_SECRET: eW91ci1saWdodHNwZWVkLXdlYmhvb2stc2VjcmV0 # your-lightspeed-webhook-secret
---
apiVersion: v1
kind: Secret
metadata:
name: whatsapp-secrets
namespace: bakery-ia
labels:
app.kubernetes.io/name: bakery-ia
app.kubernetes.io/component: notifications
type: Opaque
data:
WHATSAPP_API_KEY: eW91ci13aGF0c2FwcC1hcGkta2V5LWhlcmU= # your-whatsapp-api-key-here

52
infrastructure/environments/dev/k8s-manifests/dev-certificate.yaml Normal file
View File

@@ -0,0 +1,52 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: bakery-dev-tls-cert
namespace: bakery-ia
spec:
# Self-signed certificate for local development
secretName: bakery-dev-tls-cert
# Certificate duration
duration: 2160h # 90 days
renewBefore: 360h # 15 days
# Subject configuration
subject:
organizations:
- Bakery IA Development
# Common name
commonName: localhost
# DNS names this certificate is valid for
dnsNames:
- localhost
- bakery-ia.local
- api.bakery-ia.local
- monitoring.bakery-ia.local
- "*.bakery-ia.local"
# IP addresses (for localhost)
ipAddresses:
- 127.0.0.1
- ::1
# Use self-signed issuer for development
issuerRef:
name: selfsigned-issuer
kind: ClusterIssuer
group: cert-manager.io
# Private key configuration
privateKey:
algorithm: RSA
encoding: PKCS1
size: 2048
# Usages
usages:
- server auth
- client auth
- digital signature
- key encipherment

159
infrastructure/environments/dev/k8s-manifests/kustomization.yaml Normal file
View File

@@ -0,0 +1,159 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
metadata:
name: bakery-ia-dev
# NOTE: Do NOT set a global namespace here.
# Each resource already has its namespace explicitly defined.
# A global namespace would incorrectly transform cluster-scoped resources
# like cert-manager namespaces.
resources:
- ../../../environments/common/configs
- ../../../platform/infrastructure
- ../../../platform/cert-manager
- ../../../platform/networking/ingress/overlays/dev
- ../../../platform/storage
- ../../../platform/mail/mailu
- ../../../services/databases
- ../../../services/microservices
# NOTE: cicd is NOT included here - it's deployed manually via Tilt triggers
# Run 'tilt trigger tekton-install' followed by 'tilt trigger tekton-pipelines-deploy'
# - ../../../cicd
- dev-certificate.yaml
# Dev-specific patches
patches:
- target:
kind: ConfigMap
name: bakery-config
patch: |-
- op: replace
path: /data/ENVIRONMENT
value: "development"
- op: replace
path: /data/DEBUG
value: "true"
# Suspend nominatim in dev to save resources
- target:
kind: StatefulSet
name: nominatim
patch: |-
- op: replace
path: /spec/replicas
value: 0
# Suspend nominatim-init job in dev (not needed when nominatim is scaled to 0)
- target:
kind: Job
name: nominatim-init
patch: |-
- op: replace
path: /spec/suspend
value: true
# Mailu TLS: Use self-signed dev certificate
- target:
kind: Deployment
name: mailu-front
patch: |-
- op: replace
path: /spec/template/spec/volumes/1/secret/secretName
value: "bakery-dev-tls-cert"
# Mailu Config: Update for dev environment
- target:
kind: ConfigMap
name: mailu-config
patch: |-
- op: replace
path: /data/DOMAIN
value: "bakery-ia.local"
- op: replace
path: /data/HOSTNAMES
value: "mail.bakery-ia.local"
- op: replace
path: /data/RELAY_LOGIN
value: "postmaster@bakery-ia.local"
- op: replace
path: /data/WEBMAIL_ADMIN
value: "admin@bakery-ia.local"
labels:
- includeSelectors: true
pairs:
environment: development
tier: local
# Dev image overrides - use local registry to avoid Docker Hub rate limits
# IMPORTANT: All image names must be lowercase (Docker requirement)
# The prepull-base-images.sh script converts names to lowercase when pushing to local registry
images:
# Database images
- name: postgres
newName: localhost:5000/postgres_17-alpine
newTag: latest
- name: redis
newName: localhost:5000/redis_7.4-alpine
newTag: latest
- name: rabbitmq
newName: localhost:5000/rabbitmq_4.1-management-alpine
newTag: latest
# Utility images
- name: busybox
newName: localhost:5000/busybox_1.36
newTag: latest
- name: curlimages/curl
newName: localhost:5000/curlimages_curl_latest
newTag: latest
- name: bitnami/kubectl
newName: localhost:5000/bitnami_kubectl_latest
newTag: latest
# Alpine variants
- name: alpine
newName: localhost:5000/alpine_3.19
newTag: latest
- name: alpine/git
newName: localhost:5000/alpine_git_2.43.0
newTag: latest
# CI/CD images (cached locally for consistency)
- name: gcr.io/kaniko-project/executor
newName: localhost:5000/gcr.io_kaniko-project_executor_v1.23.0
newTag: latest
- name: gcr.io/go-containerregistry/crane
newName: localhost:5000/gcr.io_go-containerregistry_crane_latest
newTag: latest
- name: registry.k8s.io/kustomize/kustomize
newName: localhost:5000/registry.k8s.io_kustomize_kustomize_v5.3.0
newTag: latest
# Storage images (lowercase - RELEASE becomes release)
- name: minio/minio
newName: localhost:5000/minio_minio_release.2024-11-07t00-52-20z
newTag: latest
- name: minio/mc
newName: localhost:5000/minio_mc_release.2024-11-17t19-35-25z
newTag: latest
# Geocoding
- name: mediagis/nominatim
newName: localhost:5000/mediagis_nominatim_4.4
newTag: latest
# Python base image
- name: python
newName: localhost:5000/python_3.11-slim
newTag: latest
# Mail server (Mailu)
- name: ghcr.io/mailu/nginx
newName: localhost:5000/ghcr.io_mailu_nginx_2024.06
newTag: latest
- name: ghcr.io/mailu/admin
newName: localhost:5000/ghcr.io_mailu_admin_2024.06
newTag: latest
- name: ghcr.io/mailu/postfix
newName: localhost:5000/ghcr.io_mailu_postfix_2024.06
newTag: latest
- name: ghcr.io/mailu/dovecot
newName: localhost:5000/ghcr.io_mailu_dovecot_2024.06
newTag: latest
- name: ghcr.io/mailu/rspamd
newName: localhost:5000/ghcr.io_mailu_rspamd_2024.06
newTag: latest

306
infrastructure/environments/prod/k8s-manifests/kustomization.yaml Normal file
View File

@@ -0,0 +1,306 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
metadata:
name: bakery-ia-prod
# NOTE: Do NOT set a global namespace here.
# Each resource already has its namespace explicitly defined.
# A global namespace would incorrectly transform cluster-scoped resources
# like flux-system and cert-manager namespaces.
resources:
- ../../../environments/common/configs
- ../../../platform/infrastructure
- ../../../platform/cert-manager
- ../../../platform/networking/ingress/overlays/prod
- ../../../platform/storage
- ../../../platform/mail/mailu
- ../../../services/databases
- ../../../services/microservices
- ../../../cicd
- prod-certificate.yaml
# SigNoz is managed via Helm deployment (see infrastructure/helm/deploy-signoz.sh)
# Monitoring is handled by SigNoz (no separate monitoring components needed)
# SigNoz paths are now included in the main ingress (ingress-https.yaml)
labels:
- includeSelectors: true
pairs:
environment: production
tier: production
# Production configuration patches
patches:
# Override ConfigMap values for production
- target:
kind: ConfigMap
name: bakery-config
patch: |-
- op: replace
path: /data/ENVIRONMENT
value: "production"
- op: replace
path: /data/DEBUG
value: "false"
- op: replace
path: /data/LOG_LEVEL
value: "INFO"
- op: replace
path: /data/PROFILING_ENABLED
value: "false"
- op: replace
path: /data/MOCK_EXTERNAL_APIS
value: "false"
- op: add
path: /data/REQUEST_TIMEOUT
value: "30"
- op: add
path: /data/MAX_CONNECTIONS
value: "100"
- op: replace
path: /data/ENABLE_TRACING
value: "true"
- op: replace
path: /data/ENABLE_METRICS
value: "true"
- op: replace
path: /data/ENABLE_LOGS
value: "true"
- op: add
path: /data/OTEL_EXPORTER_OTLP_ENDPOINT
value: "http://signoz-otel-collector.bakery-ia.svc.cluster.local:4317"
- op: add
path: /data/OTEL_EXPORTER_OTLP_PROTOCOL
value: "grpc"
- op: add
path: /data/OTEL_SERVICE_NAME
value: "bakery-ia"
- op: add
path: /data/OTEL_RESOURCE_ATTRIBUTES
value: "deployment.environment=production,cluster.name=bakery-ia-prod"
- op: add
path: /data/SIGNOZ_ENDPOINT
value: "http://signoz.signoz.svc.cluster.local:8080"
- op: add
path: /data/SIGNOZ_FRONTEND_URL
value: "https://monitoring.bakewise.ai"
- op: add
path: /data/SIGNOZ_ROOT_URL
value: "https://monitoring.bakewise.ai"
- op: add
path: /data/RATE_LIMIT_ENABLED
value: "true"
- op: add
path: /data/RATE_LIMIT_PER_MINUTE
value: "60"
- op: add
path: /data/CORS_ORIGINS
value: "https://bakewise.ai"
- op: add
path: /data/CORS_ALLOW_CREDENTIALS
value: "true"
- op: add
path: /data/VITE_API_URL
value: "/api"
- op: add
path: /data/VITE_ENVIRONMENT
value: "production"
# SigNoz resource patches for production
# SigNoz ClickHouse production configuration
- target:
group: apps
version: v1
kind: StatefulSet
name: signoz-clickhouse
namespace: bakery-ia
patch: |-
- op: replace
path: /spec/replicas
value: 2
- op: replace
path: /spec/template/spec/containers/0/resources
value:
requests:
memory: "2Gi"
cpu: "500m"
limits:
memory: "4Gi"
cpu: "1000m"
# SigNoz Main Service production configuration (v0.106.0+ unified service)
- target:
group: apps
version: v1
kind: StatefulSet
name: signoz
namespace: bakery-ia
patch: |-
- op: replace
path: /spec/replicas
value: 2
- op: replace
path: /spec/template/spec/containers/0/resources
value:
requests:
memory: "2Gi"
cpu: "1000m"
limits:
memory: "4Gi"
cpu: "2000m"
# SigNoz AlertManager production configuration
- target:
group: apps
version: v1
kind: Deployment
name: signoz-alertmanager
namespace: bakery-ia
patch: |-
- op: replace
path: /spec/replicas
value: 2
- op: replace
path: /spec/template/spec/containers/0/resources
value:
requests:
memory: "512Mi"
cpu: "250m"
limits:
memory: "1Gi"
cpu: "500m"
# Mailu TLS: Use Let's Encrypt production certificate
- target:
kind: Deployment
name: mailu-front
patch: |-
- op: replace
path: /spec/template/spec/volumes/1/secret/secretName
value: "bakery-ia-prod-tls-cert"
images:
# Application services
- name: bakery/auth-service
newTag: latest
- name: bakery/tenant-service
newTag: latest
- name: bakery/training-service
newTag: latest
- name: bakery/forecasting-service
newTag: latest
- name: bakery/sales-service
newTag: latest
- name: bakery/external-service
newTag: latest
- name: bakery/notification-service
newTag: latest
- name: bakery/inventory-service
newTag: latest
- name: bakery/recipes-service
newTag: latest
- name: bakery/suppliers-service
newTag: latest
- name: bakery/pos-service
newTag: latest
- name: bakery/orders-service
newTag: latest
- name: bakery/production-service
newTag: latest
- name: bakery/alert-processor
newTag: latest
- name: bakery/gateway
newTag: latest
- name: bakery/dashboard
newTag: latest
# =============================================================================
# Production Base Images - mapped to production registry
# TODO: Update PROD_REGISTRY_URL to your production registry (e.g., ghcr.io/your-org)
# =============================================================================
# Database images (using canonical Docker Hub - no rate limits in prod with auth)
- name: postgres
newTag: 17-alpine
- name: redis
newTag: 7.4-alpine
- name: rabbitmq
newTag: 4.1-management-alpine
# Utility images
- name: busybox
newTag: "1.36"
- name: curlimages/curl
newTag: latest
- name: bitnami/kubectl
newTag: latest
# Alpine variants
- name: alpine
newTag: "3.19"
- name: alpine/git
newTag: 2.43.0
# CI/CD images (GCR/registry.k8s.io - no rate limits)
- name: gcr.io/kaniko-project/executor
newTag: v1.23.0
- name: gcr.io/go-containerregistry/crane
newTag: latest
- name: registry.k8s.io/kustomize/kustomize
newTag: v5.3.0
# Storage images
- name: minio/minio
newTag: RELEASE.2024-11-07T00-52-20Z
- name: minio/mc
newTag: RELEASE.2024-11-17T19-35-25Z
# Geocoding
- name: mediagis/nominatim
newTag: "4.4"
# Python base image
- name: python
newTag: 3.11-slim
# Mail server (Mailu) - using canonical GHCR names
- name: ghcr.io/mailu/nginx
newTag: "2024.06"
- name: ghcr.io/mailu/admin
newTag: "2024.06"
- name: ghcr.io/mailu/postfix
newTag: "2024.06"
- name: ghcr.io/mailu/dovecot
newTag: "2024.06"
- name: ghcr.io/mailu/rspamd
newTag: "2024.06"
replicas:
- name: auth-service
count: 3
- name: tenant-service
count: 2
- name: training-service
count: 3 # Safe with MinIO storage - no PVC conflicts
- name: forecasting-service
count: 3
- name: sales-service
count: 2
- name: external-service
count: 2
- name: notification-service
count: 3
- name: inventory-service
count: 2
- name: recipes-service
count: 2
- name: suppliers-service
count: 2
- name: pos-service
count: 2
- name: orders-service
count: 3
- name: production-service
count: 2
- name: alert-processor
count: 3
- name: procurement-service
count: 2
- name: orchestrator-service
count: 2
- name: ai-insights-service
count: 2
- name: gateway
count: 3
- name: frontend
count: 2

48
infrastructure/environments/prod/k8s-manifests/prod-certificate.yaml Normal file
View File

@@ -0,0 +1,48 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: bakery-ia-prod-tls-cert
namespace: bakery-ia
spec:
# Let's Encrypt certificate for production
secretName: bakery-ia-prod-tls-cert
# Certificate duration and renewal
duration: 2160h # 90 days (Let's Encrypt default)
renewBefore: 360h # 15 days before expiry
# Subject configuration
subject:
organizations:
- Bakery IA
# Common name
commonName: bakewise.ai
# DNS names this certificate is valid for
dnsNames:
- bakewise.ai
- www.bakewise.ai
- mail.bakewise.ai
- monitoring.bakewise.ai
- gitea.bakewise.ai
- api.bakewise.ai
# Use Let's Encrypt production issuer
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
group: cert-manager.io
# Private key configuration
privateKey:
algorithm: RSA
encoding: PKCS1
size: 2048
# Usages
usages:
- server auth
- client auth
- digital signature
- key encipherment

47
infrastructure/environments/prod/k8s-manifests/prod-configmap.yaml Normal file
View File

@@ -0,0 +1,47 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: bakery-config
namespace: bakery-ia
data:
# Environment
ENVIRONMENT: "production"
DEBUG: "false"
LOG_LEVEL: "INFO"
# Profiling and Development Features (disabled in production)
PROFILING_ENABLED: "false"
MOCK_EXTERNAL_APIS: "false"
# Performance and Security
REQUEST_TIMEOUT: "30"
MAX_CONNECTIONS: "100"
# Monitoring - SigNoz (Unified Observability)
ENABLE_TRACING: "true"
ENABLE_METRICS: "true"
ENABLE_LOGS: "true"
# OpenTelemetry Configuration - Direct to SigNoz
# IMPORTANT: gRPC endpoints should NOT include http:// prefix
OTEL_EXPORTER_OTLP_ENDPOINT: "signoz-otel-collector.bakery-ia.svc.cluster.local:4317"
OTEL_EXPORTER_OTLP_PROTOCOL: "grpc"
OTEL_SERVICE_NAME: "bakery-ia"
OTEL_RESOURCE_ATTRIBUTES: "deployment.environment=production,cluster.name=bakery-ia-prod"
# SigNoz Endpoints (v0.106.0+ unified service)
SIGNOZ_ENDPOINT: "http://signoz.bakery-ia.svc.cluster.local:8080"
SIGNOZ_FRONTEND_URL: "https://monitoring.bakewise.ai"
SIGNOZ_ROOT_URL: "https://monitoring.bakewise.ai"
# Rate Limiting (stricter in production)
RATE_LIMIT_ENABLED: "true"
RATE_LIMIT_PER_MINUTE: "60"
# CORS Configuration for Production
CORS_ORIGINS: "https://bakewise.ai"
CORS_ALLOW_CREDENTIALS: "true"
# Frontend Configuration
VITE_API_URL: "/api"
VITE_ENVIRONMENT: "production"