bakery-admin/bakery-ia
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add new infra architecture

Browse Source
This commit is contained in:
Urtzi Alfaro
2026-01-19 11:55:17 +01:00
parent 21d35ea92b
commit 35f164f0cd
311 changed files with 13241 additions and 3700 deletions
Download Patch File Download Diff File Expand all files Collapse all files

306
infrastructure/environments/prod/k8s-manifests/kustomization.yaml Normal file
View File

@@ -0,0 +1,306 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
metadata:
name: bakery-ia-prod
# NOTE: Do NOT set a global namespace here.
# Each resource already has its namespace explicitly defined.
# A global namespace would incorrectly transform cluster-scoped resources
# like flux-system and cert-manager namespaces.
resources:
- ../../../environments/common/configs
- ../../../platform/infrastructure
- ../../../platform/cert-manager
- ../../../platform/networking/ingress/overlays/prod
- ../../../platform/storage
- ../../../platform/mail/mailu
- ../../../services/databases
- ../../../services/microservices
- ../../../cicd
- prod-certificate.yaml
# SigNoz is managed via Helm deployment (see infrastructure/helm/deploy-signoz.sh)
# Monitoring is handled by SigNoz (no separate monitoring components needed)
# SigNoz paths are now included in the main ingress (ingress-https.yaml)
labels:
- includeSelectors: true
pairs:
environment: production
tier: production
# Production configuration patches
patches:
# Override ConfigMap values for production
- target:
kind: ConfigMap
name: bakery-config
patch: |-
- op: replace
path: /data/ENVIRONMENT
value: "production"
- op: replace
path: /data/DEBUG
value: "false"
- op: replace
path: /data/LOG_LEVEL
value: "INFO"
- op: replace
path: /data/PROFILING_ENABLED
value: "false"
- op: replace
path: /data/MOCK_EXTERNAL_APIS
value: "false"
- op: add
path: /data/REQUEST_TIMEOUT
value: "30"
- op: add
path: /data/MAX_CONNECTIONS
value: "100"
- op: replace
path: /data/ENABLE_TRACING
value: "true"
- op: replace
path: /data/ENABLE_METRICS
value: "true"
- op: replace
path: /data/ENABLE_LOGS
value: "true"
- op: add
path: /data/OTEL_EXPORTER_OTLP_ENDPOINT
value: "http://signoz-otel-collector.bakery-ia.svc.cluster.local:4317"
- op: add
path: /data/OTEL_EXPORTER_OTLP_PROTOCOL
value: "grpc"
- op: add
path: /data/OTEL_SERVICE_NAME
value: "bakery-ia"
- op: add
path: /data/OTEL_RESOURCE_ATTRIBUTES
value: "deployment.environment=production,cluster.name=bakery-ia-prod"
- op: add
path: /data/SIGNOZ_ENDPOINT
value: "http://signoz.signoz.svc.cluster.local:8080"
- op: add
path: /data/SIGNOZ_FRONTEND_URL
value: "https://monitoring.bakewise.ai"
- op: add
path: /data/SIGNOZ_ROOT_URL
value: "https://monitoring.bakewise.ai"
- op: add
path: /data/RATE_LIMIT_ENABLED
value: "true"
- op: add
path: /data/RATE_LIMIT_PER_MINUTE
value: "60"
- op: add
path: /data/CORS_ORIGINS
value: "https://bakewise.ai"
- op: add
path: /data/CORS_ALLOW_CREDENTIALS
value: "true"
- op: add
path: /data/VITE_API_URL
value: "/api"
- op: add
path: /data/VITE_ENVIRONMENT
value: "production"
# SigNoz resource patches for production
# SigNoz ClickHouse production configuration
- target:
group: apps
version: v1
kind: StatefulSet
name: signoz-clickhouse
namespace: bakery-ia
patch: |-
- op: replace
path: /spec/replicas
value: 2
- op: replace
path: /spec/template/spec/containers/0/resources
value:
requests:
memory: "2Gi"
cpu: "500m"
limits:
memory: "4Gi"
cpu: "1000m"
# SigNoz Main Service production configuration (v0.106.0+ unified service)
- target:
group: apps
version: v1
kind: StatefulSet
name: signoz
namespace: bakery-ia
patch: |-
- op: replace
path: /spec/replicas
value: 2
- op: replace
path: /spec/template/spec/containers/0/resources
value:
requests:
memory: "2Gi"
cpu: "1000m"
limits:
memory: "4Gi"
cpu: "2000m"
# SigNoz AlertManager production configuration
- target:
group: apps
version: v1
kind: Deployment
name: signoz-alertmanager
namespace: bakery-ia
patch: |-
- op: replace
path: /spec/replicas
value: 2
- op: replace
path: /spec/template/spec/containers/0/resources
value:
requests:
memory: "512Mi"
cpu: "250m"
limits:
memory: "1Gi"
cpu: "500m"
# Mailu TLS: Use Let's Encrypt production certificate
- target:
kind: Deployment
name: mailu-front
patch: |-
- op: replace
path: /spec/template/spec/volumes/1/secret/secretName
value: "bakery-ia-prod-tls-cert"
images:
# Application services
- name: bakery/auth-service
newTag: latest
- name: bakery/tenant-service
newTag: latest
- name: bakery/training-service
newTag: latest
- name: bakery/forecasting-service
newTag: latest
- name: bakery/sales-service
newTag: latest
- name: bakery/external-service
newTag: latest
- name: bakery/notification-service
newTag: latest
- name: bakery/inventory-service
newTag: latest
- name: bakery/recipes-service
newTag: latest
- name: bakery/suppliers-service
newTag: latest
- name: bakery/pos-service
newTag: latest
- name: bakery/orders-service
newTag: latest
- name: bakery/production-service
newTag: latest
- name: bakery/alert-processor
newTag: latest
- name: bakery/gateway
newTag: latest
- name: bakery/dashboard
newTag: latest
# =============================================================================
# Production Base Images - mapped to production registry
# TODO: Update PROD_REGISTRY_URL to your production registry (e.g., ghcr.io/your-org)
# =============================================================================
# Database images (using canonical Docker Hub - no rate limits in prod with auth)
- name: postgres
newTag: 17-alpine
- name: redis
newTag: 7.4-alpine
- name: rabbitmq
newTag: 4.1-management-alpine
# Utility images
- name: busybox
newTag: "1.36"
- name: curlimages/curl
newTag: latest
- name: bitnami/kubectl
newTag: latest
# Alpine variants
- name: alpine
newTag: "3.19"
- name: alpine/git
newTag: 2.43.0
# CI/CD images (GCR/registry.k8s.io - no rate limits)
- name: gcr.io/kaniko-project/executor
newTag: v1.23.0
- name: gcr.io/go-containerregistry/crane
newTag: latest
- name: registry.k8s.io/kustomize/kustomize
newTag: v5.3.0
# Storage images
- name: minio/minio
newTag: RELEASE.2024-11-07T00-52-20Z
- name: minio/mc
newTag: RELEASE.2024-11-17T19-35-25Z
# Geocoding
- name: mediagis/nominatim
newTag: "4.4"
# Python base image
- name: python
newTag: 3.11-slim
# Mail server (Mailu) - using canonical GHCR names
- name: ghcr.io/mailu/nginx
newTag: "2024.06"
- name: ghcr.io/mailu/admin
newTag: "2024.06"
- name: ghcr.io/mailu/postfix
newTag: "2024.06"
- name: ghcr.io/mailu/dovecot
newTag: "2024.06"
- name: ghcr.io/mailu/rspamd
newTag: "2024.06"
replicas:
- name: auth-service
count: 3
- name: tenant-service
count: 2
- name: training-service
count: 3 # Safe with MinIO storage - no PVC conflicts
- name: forecasting-service
count: 3
- name: sales-service
count: 2
- name: external-service
count: 2
- name: notification-service
count: 3
- name: inventory-service
count: 2
- name: recipes-service
count: 2
- name: suppliers-service
count: 2
- name: pos-service
count: 2
- name: orders-service
count: 3
- name: production-service
count: 2
- name: alert-processor
count: 3
- name: procurement-service
count: 2
- name: orchestrator-service
count: 2
- name: ai-insights-service
count: 2
- name: gateway
count: 3
- name: frontend
count: 2

48
infrastructure/environments/prod/k8s-manifests/prod-certificate.yaml Normal file
View File

@@ -0,0 +1,48 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: bakery-ia-prod-tls-cert
namespace: bakery-ia
spec:
# Let's Encrypt certificate for production
secretName: bakery-ia-prod-tls-cert
# Certificate duration and renewal
duration: 2160h # 90 days (Let's Encrypt default)
renewBefore: 360h # 15 days before expiry
# Subject configuration
subject:
organizations:
- Bakery IA
# Common name
commonName: bakewise.ai
# DNS names this certificate is valid for
dnsNames:
- bakewise.ai
- www.bakewise.ai
- mail.bakewise.ai
- monitoring.bakewise.ai
- gitea.bakewise.ai
- api.bakewise.ai
# Use Let's Encrypt production issuer
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
group: cert-manager.io
# Private key configuration
privateKey:
algorithm: RSA
encoding: PKCS1
size: 2048
# Usages
usages:
- server auth
- client auth
- digital signature
- key encipherment

47
infrastructure/environments/prod/k8s-manifests/prod-configmap.yaml Normal file
View File

@@ -0,0 +1,47 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: bakery-config
namespace: bakery-ia
data:
# Environment
ENVIRONMENT: "production"
DEBUG: "false"
LOG_LEVEL: "INFO"
# Profiling and Development Features (disabled in production)
PROFILING_ENABLED: "false"
MOCK_EXTERNAL_APIS: "false"
# Performance and Security
REQUEST_TIMEOUT: "30"
MAX_CONNECTIONS: "100"
# Monitoring - SigNoz (Unified Observability)
ENABLE_TRACING: "true"
ENABLE_METRICS: "true"
ENABLE_LOGS: "true"
# OpenTelemetry Configuration - Direct to SigNoz
# IMPORTANT: gRPC endpoints should NOT include http:// prefix
OTEL_EXPORTER_OTLP_ENDPOINT: "signoz-otel-collector.bakery-ia.svc.cluster.local:4317"
OTEL_EXPORTER_OTLP_PROTOCOL: "grpc"
OTEL_SERVICE_NAME: "bakery-ia"
OTEL_RESOURCE_ATTRIBUTES: "deployment.environment=production,cluster.name=bakery-ia-prod"
# SigNoz Endpoints (v0.106.0+ unified service)
SIGNOZ_ENDPOINT: "http://signoz.bakery-ia.svc.cluster.local:8080"
SIGNOZ_FRONTEND_URL: "https://monitoring.bakewise.ai"
SIGNOZ_ROOT_URL: "https://monitoring.bakewise.ai"
# Rate Limiting (stricter in production)
RATE_LIMIT_ENABLED: "true"
RATE_LIMIT_PER_MINUTE: "60"
# CORS Configuration for Production
CORS_ORIGINS: "https://bakewise.ai"
CORS_ALLOW_CREDENTIALS: "true"
# Frontend Configuration
VITE_API_URL: "/api"
VITE_ENVIRONMENT: "production"