bakery-admin/bakery-ia
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add base kubernetes support final

Browse Source
This commit is contained in:
Urtzi Alfaro
2025-09-28 13:54:28 +02:00
parent b95ecf1c53
commit 3816383760
25 changed files with 2271 additions and 99 deletions
Download Patch File Download Diff File Expand all files Collapse all files

569
infrastructure/kubernetes/README.md
View File

@@ -1,38 +1,125 @@
# Bakery IA Kubernetes Configuration
This directory contains Kubernetes manifests for deploying the Bakery IA forecasting platform in a local development environment.
This directory contains Kubernetes manifests for deploying the Bakery IA forecasting platform in a local development environment with **permanent localhost access** and **FREE HTTPS support** using cert-manager and NGINX ingress.
## Prerequisites
1. **Kubernetes Cluster**: Ensure you have a local Kubernetes cluster running (minikube, kind, Docker Desktop, etc.)
2. **kubectl**: Install and configure kubectl to communicate with your cluster
3. **Kustomize**: Built into kubectl v1.14+, or install separately
4. **NGINX Ingress Controller**: Required for ingress functionality
### Install NGINX Ingress Controller
## ⚡ Quick Start (5 Commands)
```bash
# For minikube
minikube addons enable ingress
# 1. Start Colima
colima start --cpu 4 --memory 8 --disk 50 --runtime docker --profile k8s-local
# For kind
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
# 2. Create Kind cluster with permanent localhost access
kind create cluster --config kind-config.yaml
# For Docker Desktop
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/cloud/deploy.yaml
# 3. Install NGINX Ingress Controller
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml && kubectl wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=300s
# 4. Configure permanent localhost access
kubectl patch svc ingress-nginx-controller -n ingress-nginx -p '{"spec":{"type":"NodePort","ports":[{"name":"http","port":80,"targetPort":"http","nodePort":30080},{"name":"https","port":443,"targetPort":"https","nodePort":30443}]}}'
# 5. Deploy your application
skaffold dev --profile=dev
# 🎉 Done! Access at: http://localhost
```
## Prerequisites (macOS Local Development)
1. **Colima**: Docker runtime for macOS
2. **Kind**: Kubernetes in Docker for local clusters
3. **kubectl**: Kubernetes command-line tool
4. **Skaffold**: For building and deploying applications
5. **NGINX Ingress Controller**: For routing traffic (installed automatically)
6. **cert-manager**: For automatic TLS certificate management (installed automatically)
### Install Prerequisites (macOS)
```bash
# Install Homebrew (if not already installed)
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
# Install required tools
brew install colima kind kubectl skaffold
# Verify installations
colima version
kind version
kubectl version --client
skaffold version
```
## 🔒 HTTPS Setup Options
### Option 1: Automated HTTPS Setup (Recommended)
```bash
# Run the automated HTTPS setup script
./setup-https.sh
```
### Option 2: HTTP Only (Basic Setup)
```bash
# Deploy without HTTPS
kubectl apply -k infrastructure/kubernetes/overlays/dev/
```
## Kind Configuration for Permanent Localhost Access
The `kind-config.yaml` file in the root directory provides permanent localhost access without port forwarding:
```yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
name: bakery-ia-local
nodes:
- role: control-plane
kubeadmConfigPatches:
- |
kind: InitConfiguration
nodeRegistration:
kubeletExtraArgs:
node-labels: "ingress-ready=true"
extraPortMappings:
# HTTP ingress
- containerPort: 30080
hostPort: 80
protocol: TCP
# HTTPS ingress
- containerPort: 30443
hostPort: 443
protocol: TCP
# Direct frontend access (backup)
- containerPort: 30300
hostPort: 3000
protocol: TCP
# Direct gateway access (backup)
- containerPort: 30800
hostPort: 8000
protocol: TCP
```
This configuration maps:
- Port 80 → localhost:80 (HTTP)
- Port 443 → localhost:443 (HTTPS)
- Port 3000 → localhost:3000 (Direct frontend)
- Port 8000 → localhost:8000 (Direct gateway)
## Directory Structure
```
infrastructure/kubernetes/
├── kind-config.yaml # Kind cluster configuration with port mapping
├── base/ # Base Kubernetes resources
│ ├── namespace.yaml # Namespace definition
│ ├── configmap.yaml # Shared configuration
│ ├── secrets.yaml # Secrets (base64 encoded)
│ ├── ingress.yaml # Ingress rules
│ ├── ingress.yaml # HTTP ingress rules
│ ├── ingress-https.yaml # HTTPS ingress rules
│ └── kustomization.yaml # Base kustomization
├── components/ # Individual component manifests
│ ├── cert-manager/ # Certificate management
│ │ ├── cluster-issuer-staging.yaml # Let's Encrypt staging
│ │ ├── cluster-issuer-production.yaml # Let's Encrypt production
│ │ └── local-ca-issuer.yaml # Local CA for development
│ ├── auth/ # Auth service
│ ├── tenant/ # Tenant service
│ ├── training/ # Training service
@@ -53,34 +140,56 @@ infrastructure/kubernetes/
└── overlays/
└── dev/ # Development environment overlay
├── kustomization.yaml # Dev-specific kustomization
── dev-patches.yaml # Development patches
── https-kustomization.yaml # HTTPS-specific kustomization
├── dev-patches.yaml # Development patches
└── ingress-https-patch.yaml # HTTPS ingress patch
```
## Quick Start
## 🚀 Quick Start (macOS with Kind + Colima)
### 1. Build and Deploy Images (if needed)
First, ensure your Docker images are built and available to your Kubernetes cluster:
### 1. Start Colima and Create Kind Cluster with Permanent Localhost Access
```bash
# Build all services
docker-compose build
# Start Colima with proper resources for development
colima start --cpu 4 --memory 8 --disk 100 --runtime docker --profile k8s-local
# For minikube, use minikube's Docker daemon
eval $(minikube docker-env)
docker-compose build
# Create Kind cluster with permanent port mapping for localhost access
kind create cluster --config kind-config.yaml
# For kind, load images into the cluster
kind load docker-image bakery/auth-service:latest
kind load docker-image bakery/tenant-service:latest
# ... repeat for all services
# Verify cluster is running and port mappings
kubectl cluster-info
docker port bakery-ia-local-control-plane
```
### 2. Deploy to Kubernetes
The `kind-config.yaml` configuration provides permanent localhost access on ports 80 and 443 without requiring port forwarding!
### 2. Install NGINX Ingress Controller for Kind
```bash
# Deploy the development environment
kubectl apply -k infrastructure/kubernetes/overlays/dev/
# Install NGINX Ingress Controller (Kind-specific with permanent localhost access)
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
# Wait for ingress controller to be ready
kubectl wait --namespace ingress-nginx \
--for=condition=ready pod \
--selector=app.kubernetes.io/component=controller \
--timeout=300s
# Configure ingress controller for permanent localhost access
kubectl patch svc ingress-nginx-controller -n ingress-nginx -p '{"spec":{"type":"NodePort","ports":[{"name":"http","port":80,"targetPort":"http","nodePort":30080},{"name":"https","port":443,"targetPort":"https","nodePort":30443}]}}'
```
### 3. Deploy with Skaffold (No Port Forwarding Required!)
```bash
# Option A: Development mode with auto-rebuild (Recommended)
skaffold dev --profile=dev
# Option B: One-time deployment
skaffold run --profile=dev
# Option C: Debug mode (still includes port forwarding for individual services)
skaffold debug --profile=debug
# Check deployment status
kubectl get pods -n bakery-ia
@@ -88,26 +197,142 @@ kubectl get services -n bakery-ia
kubectl get ingress -n bakery-ia
```
### 3. Access the Application
**Note**: With the new configuration, skaffold no longer needs port forwarding for frontend access since localhost:80 and localhost:443 are permanently mapped!
Add the following to your `/etc/hosts` file (or Windows equivalent):
### 4. Access the Application - Permanent Localhost Access! 🎉
```
127.0.0.1 bakery-ia.local
127.0.0.1 api.bakery-ia.local
127.0.0.1 monitoring.bakery-ia.local
```
**No /etc/hosts modification needed!** The application is now accessible directly via standard localhost URLs:
For minikube, get the ingress IP:
**Primary Access (Recommended):**
- **Frontend**: http://localhost or https://localhost
- **API Gateway**: http://localhost/api or https://localhost/api
**Named Host Access (Optional):**
If you prefer named hosts, add to your `/etc/hosts` file:
```bash
minikube ip
# Use this IP instead of 127.0.0.1 in your hosts file
echo "127.0.0.1 bakery-ia.local" | sudo tee -a /etc/hosts
echo "127.0.0.1 api.bakery-ia.local" | sudo tee -a /etc/hosts
echo "127.0.0.1 monitoring.bakery-ia.local" | sudo tee -a /etc/hosts
```
Access the application:
- Frontend: http://bakery-ia.local or http://localhost:3000
- API Gateway: http://api.bakery-ia.local or http://localhost:8000/api
- Individual services: Check service NodePorts or use port-forwarding
Then access via:
- Frontend: http://bakery-ia.local or https://bakery-ia.local
- API Gateway: http://api.bakery-ia.local or https://api.bakery-ia.local
- Monitoring: http://monitoring.bakery-ia.local or https://monitoring.bakery-ia.local
## 🔒 HTTPS Configuration (FREE with Let's Encrypt)
### Automated HTTPS Setup
The quickest way to enable HTTPS is using the automated setup script:
```bash
# Run the automated HTTPS setup script
./setup-https.sh
```
This script will:
- ✅ Install cert-manager (FREE Let's Encrypt client)
- ✅ Install NGINX Ingress Controller
- ✅ Set up cluster issuers (staging, production, and local CA)
- ✅ Deploy your application with HTTPS support
- ✅ Generate and configure TLS certificates
- ✅ Export CA certificate for browser trust
### Manual HTTPS Setup
If you prefer manual setup:
#### 1. Install cert-manager
```bash
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.2/cert-manager.yaml
kubectl wait --for=condition=ready pod -l app.kubernetes.io/instance=cert-manager -n cert-manager --timeout=300s
```
#### 2. Install NGINX Ingress Controller for Kind
```bash
kubectl apply -f https://kind.sigs.k8s.io/examples/ingress/deploy-ingress-nginx.yaml
kubectl wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=300s
```
#### 3. Apply Certificate Issuers
```bash
kubectl apply -f infrastructure/kubernetes/base/components/cert-manager/cluster-issuer-staging.yaml
kubectl apply -f infrastructure/kubernetes/base/components/cert-manager/local-ca-issuer.yaml
kubectl apply -f infrastructure/kubernetes/base/components/cert-manager/cluster-issuer-production.yaml
```
#### 4. Deploy with HTTPS
```bash
kubectl apply -k infrastructure/kubernetes/overlays/dev/
kubectl patch ingress bakery-ingress -n bakery-ia --patch-file infrastructure/kubernetes/overlays/dev/ingress-https-patch.yaml
```
#### 5. Export CA Certificate for Browser Trust
```bash
kubectl get secret local-ca-key-pair -n cert-manager -o jsonpath='{.data.tls\.crt}' | base64 -d > bakery-ia-ca.crt
```
### Access HTTPS Application
After HTTPS setup:
- **🔐 Frontend:** https://bakery-ia.local
- **🔐 API Gateway:** https://api.bakery-ia.local
- **🔐 Monitoring:** https://monitoring.bakery-ia.local
### Trust the CA Certificate
**For macOS:**
```bash
open bakery-ia-ca.crt
# In Keychain Access, find "bakery-ia-local-ca" and set to "Always Trust"
```
**For Linux:**
```bash
sudo cp bakery-ia-ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
```
### Certificate Management Commands
```bash
# Check certificate status
kubectl get certificates -n bakery-ia
# Check certificate details
kubectl describe certificate bakery-ia-tls-cert -n bakery-ia
# Check cluster issuers
kubectl get clusterissuers
# Check TLS secret
kubectl get secret bakery-ia-tls-cert -n bakery-ia
```
### Switching to Production Let's Encrypt
To use real Let's Encrypt certificates (requires public domain):
1. Update the cluster issuer in `ingress-https-patch.yaml`:
```yaml
cert-manager.io/cluster-issuer: "letsencrypt-production" # Change from local-ca-issuer
```
2. Update email in cluster issuers to your real email
3. Ensure your domain points to your cluster's external IP
### Cleanup HTTPS Setup
```bash
# Run cleanup script
./cleanup-https.sh
# Or manually clean up
kubectl delete -k infrastructure/kubernetes/overlays/dev/
kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.2/cert-manager.yaml
rm -f bakery-ia-ca.crt
```
## Port Forwarding for Direct Access
@@ -171,16 +396,26 @@ kubectl scale -n bakery-ia deployment/auth-service --replicas=3
# Or edit the kustomization.yaml replicas section and reapply
```
### Clean Up
### Clean Up (macOS + Kind + Colima + Skaffold)
```bash
# Delete everything
kubectl delete -k infrastructure/kubernetes/overlays/dev/
# Option 1: Quick cleanup (development session)
skaffold delete --profile=dev
# Or delete just the namespace (removes everything in it)
# Option 2: Clean up HTTPS setup
./cleanup-https.sh
# Option 3: Complete cleanup (everything)
./complete-cleanup.sh
# Option 4: Manual cleanup steps
kubectl delete namespace bakery-ia
kind delete cluster --name bakery-ia-local
colima stop --profile k8s-local
```
**📖 For detailed cleanup options, see [CLEANUP-GUIDE.md](../../CLEANUP-GUIDE.md)**
## Configuration
### Secrets
@@ -219,7 +454,29 @@ Modify the `overlays/dev/` files to customize the development environment:
1. **Images not found**: Ensure images are built and available to the cluster
2. **Pending pods**: Check resource requests and cluster capacity
3. **CrashLoopBackOff**: Check logs and environment variables
4. **Service not accessible**: Verify ingress controller is running and hosts file is configured
4. **Service not accessible**: Verify ingress controller is running and localhost ports are mapped
5. **Database corruption**: If PostgreSQL databases show "could not locate a valid checkpoint record", delete the PVC and restart the pod to get fresh storage
6. **Port conflicts**: If localhost:80 or localhost:443 are already in use, stop other services or change the Kind configuration
7. **HTTPS certificate not issued**: Check cert-manager logs and cluster issuer status
8. **Browser security warnings**: Import and trust the CA certificate (`bakery-ia-ca.crt`)
9. **Certificate pending**: Wait for cert-manager to issue the certificate (usually takes 30-60 seconds)
10. **Kustomize deprecation warnings**: Fixed - using modern `patches` syntax instead of deprecated `patchesStrategicMerge` and `patchesJson6902`
### Database Recovery Commands
If you encounter database corruption (common after improper cluster shutdown):
```bash
# Check which databases are failing
kubectl get pods -n bakery-ia | grep -E "(db|CrashLoopBackOff)"
# For each corrupted database (example with inventory-db):
kubectl delete pod -n bakery-ia -l app.kubernetes.io/name=inventory-db
kubectl delete pvc -n bakery-ia inventory-db-pvc
# The deployment will automatically recreate with fresh storage
# Repeat for pos-db-pvc and training-db-pvc if needed
```
### Debugging Commands
@@ -238,6 +495,13 @@ kubectl exec -n bakery-ia -it <pod-name> -- env
# Check resource usage
kubectl top pods -n bakery-ia
kubectl top nodes
# HTTPS/Certificate debugging
kubectl logs -n cert-manager deployment/cert-manager
kubectl describe clusterissuer letsencrypt-staging
kubectl describe certificate bakery-ia-tls-cert -n bakery-ia
kubectl get challenges -n bakery-ia
kubectl get certificaterequests -n bakery-ia
```
## Production Considerations
@@ -251,7 +515,8 @@ For production deployment, consider:
5. **Backup**: Implement database backup strategies
6. **High Availability**: Use multiple replicas and anti-affinity rules
7. **Security**: Network policies, RBAC, pod security policies
8. **CI/CD**: Integrate with your deployment pipeline
8. **TLS/HTTPS**: Use production Let's Encrypt certificates for public domains
9. **CI/CD**: Integrate with your deployment pipeline
## Next Steps
@@ -259,4 +524,200 @@ For production deployment, consider:
2. Implement proper logging with ELK stack or similar
3. Add health checks and metrics endpoints
4. Implement automated testing
5. Set up CI/CD pipelines for automated deployments
5. Set up CI/CD pipelines for automated deployments
## 🚀 Complete Setup Guide (macOS + Kind + Colima) - New Permanent Solution!
### Method 1: Permanent Localhost Access (Recommended - No Port Forwarding!)
```bash
# 1. Start Colima
colima start --cpu 4 --memory 8 --disk 50 --runtime docker --profile k8s-local
# 2. Create Kind cluster with permanent port mapping
kind create cluster --config kind-config.yaml
# 3. Install NGINX Ingress Controller with NodePort configuration
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
kubectl wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=300s
# 4. Configure ingress for permanent localhost access
kubectl patch svc ingress-nginx-controller -n ingress-nginx -p '{"spec":{"type":"NodePort","ports":[{"name":"http","port":80,"targetPort":"http","nodePort":30080},{"name":"https","port":443,"targetPort":"https","nodePort":30443}]}}'
# 5. Deploy with Skaffold
skaffold dev --profile=dev
# 6. Access your application - NO /etc/hosts needed!
# Frontend: http://localhost
# API: http://localhost/api
# HTTPS: https://localhost (with browser security warnings)
```
### Method 2: Legacy Setup with HTTPS and Named Hosts
```bash
# 1. Start Colima
colima start --cpu 4 --memory 8 --disk 50 --runtime docker --profile k8s-local
# 2. Create standard Kind cluster
kind create cluster --name bakery-ia-local
# 3. Run automated HTTPS setup (includes cert-manager and ingress)
./setup-https.sh
# 4. Deploy with Skaffold
skaffold dev --profile=dev
# 5. Add hosts entries for named hosts
sudo tee -a /etc/hosts << EOF
127.0.0.1 bakery-ia.local
127.0.0.1 api.bakery-ia.local
127.0.0.1 monitoring.bakery-ia.local
EOF
# 6. Trust CA certificate (for HTTPS)
open bakery-ia-ca.crt
# In Keychain Access, set "bakery-ia-local-ca" to "Always Trust"
```
## 🚀 Skaffold Development Workflow
### Development Mode (Recommended)
```bash
# Start continuous development mode
skaffold dev --profile=dev
```
This will:
-**Build all Docker images** automatically
-**Deploy to your Kind cluster**
-**Watch for file changes** in real-time
-**Automatically rebuild and redeploy** when you save files
-**Stream logs** from all services in one terminal
### Other Skaffold Commands
```bash
# One-time deployment (no file watching)
skaffold run --profile=dev
# Debug mode with port forwarding
skaffold debug --profile=debug
# Force rebuild and deploy
skaffold build --file-output=build.json
skaffold deploy --build-artifacts=build.json
# Clean up deployed resources
skaffold delete
```
### Stopping Skaffold
```bash
# Stop Skaffold (press Ctrl+C in the terminal running skaffold dev)
# Or run:
skaffold delete
# Complete cleanup
kind delete cluster --name bakery-ia-local
colima stop --profile k8s-local
```
### 🎯 Key Skaffold Benefits
1. **🔄 Automated builds**: No manual Docker image building
2. **👀 File watching**: Instant rebuilds on code changes
3. **📊 Log streaming**: All service logs in one place
4. **🔗 Port forwarding**: Easy access to services during development
5. **⚡ One command deployment**: `skaffold dev` does everything
### 💡 Pro Tips
- Use `skaffold dev --profile=dev` for daily development
- Code changes trigger automatic rebuilds and deployments
- Logs are automatically streamed to your terminal
- Press `Ctrl+C` to stop and clean up everything
## 🎉 Summary: What You Get
### 🚀 NEW: Permanent Localhost Access (No Port Forwarding!)
-**Direct localhost access** at http://localhost and https://localhost
-**Standard web ports** 80 and 443 work directly
-**No /etc/hosts modifications** required for basic access
-**No port forwarding commands** needed during development
-**Bookmark-friendly URLs** like any standard web application
-**Kind cluster configuration** with permanent port mapping
### Development Environment
-**One-command deployment** with `skaffold dev --profile=dev`
-**Hot-reload development** with automatic rebuilds
-**Complete observability** with streaming logs and metrics
-**Easy cleanup** with `skaffold delete` or cleanup scripts
-**Database corruption protection** with proper PVC management
### FREE HTTPS with Let's Encrypt (Optional)
-**Automated certificate management** with cert-manager
-**Local development certificates** for offline work
-**Production-ready** Let's Encrypt integration
-**Auto-renewal** of certificates before expiration
-**Browser-trusted certificates** with CA import
### Security Features
-**TLS 1.3 encryption** for all traffic (when HTTPS is configured)
-**HTTPS redirects** from HTTP (configurable)
-**Secure headers** via NGINX Ingress
-**Certificate transparency** compliance
### Access URLs - Choose Your Style!
**🌟 Primary Access (New Permanent Solution):**
- **Frontend:** http://localhost or https://localhost
- **API Gateway:** http://localhost/api or https://localhost/api
**🏷️ Named Host Access (Optional with /etc/hosts):**
- **Frontend:** http://bakery-ia.local or https://bakery-ia.local
- **API:** http://api.bakery-ia.local or https://api.bakery-ia.local
- **Monitoring:** http://monitoring.bakery-ia.local or https://monitoring.bakery-ia.local
**🔧 Direct Service Access (Backup):**
- **Frontend Direct:** http://localhost:3000
- **Gateway Direct:** http://localhost:8000
This setup provides production-like development experience with the convenience of standard localhost URLs! 🚀
Pre-Restart Shutdown Sequence:
1. Stop Skaffold:
# If running interactively: Ctrl+C
# If running in background:
pkill -f skaffold
2. Delete Kind cluster:
kind delete cluster --name bakery-ia-local
3. Stop Colima:
colima stop
Post-Restart Startup Sequence:
1. Start Colima:
colima start
2. Create Kind cluster:
kind create cluster --config kind-config.yaml --name bakery-ia-local
3. Start Skaffold with dev profile:
skaffold dev -p dev
What Skaffold Will Do:
- Check existing Docker images (tagged as :dev)
- Skip rebuilds if source code unchanged
- Load images to new Kind cluster
- Deploy using infrastructure/kubernetes/overlays/dev
- Watch for changes and hot-reload
The -p dev profile ensures consistent tagging and deployment configuration
as defined in your skaffold.yaml profiles section.

23
infrastructure/kubernetes/base/components/alert-processor/alert-processor-service.yaml
View File

@@ -20,6 +20,29 @@ spec:
app.kubernetes.io/component: worker
spec:
initContainers:
- name: wait-for-database
image: busybox:1.36
command:
- sh
- -c
- |
echo "Waiting for alert processor database to be ready..."
until nc -z $ALERT_PROCESSOR_DB_HOST $ALERT_PROCESSOR_DB_PORT; do
echo "Database not ready yet, waiting..."
sleep 2
done
echo "Database is ready!"
env:
- name: ALERT_PROCESSOR_DB_HOST
valueFrom:
configMapKeyRef:
name: bakery-config
key: ALERT_PROCESSOR_DB_HOST
- name: ALERT_PROCESSOR_DB_PORT
valueFrom:
configMapKeyRef:
name: bakery-config
key: DB_PORT
- name: wait-for-rabbitmq
image: busybox:1.36
command:

14
infrastructure/kubernetes/base/components/cert-manager/cert-manager.yaml Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: v1
kind: Namespace
metadata:
name: cert-manager
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: cert-manager-webhook
namespace: cert-manager
---
# Cert-manager installation using Helm repository
# This will be installed via kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.2/cert-manager.yaml
# The actual installation will be done via command line, this file documents the resources

23
infrastructure/kubernetes/base/components/cert-manager/cluster-issuer-production.yaml Normal file
View File

@@ -0,0 +1,23 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-production
namespace: cert-manager
spec:
acme:
# The ACME server URL (Let's Encrypt production)
server: https://acme-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: admin@bakery-ia.local # Change this to your email
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-production
# Enable the HTTP-01 challenge provider
solvers:
- http01:
ingress:
class: nginx
podTemplate:
spec:
nodeSelector:
"kubernetes.io/os": linux

29
infrastructure/kubernetes/base/components/cert-manager/cluster-issuer-staging.yaml Normal file
View File

@@ -0,0 +1,29 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: selfsigned-issuer
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
# The ACME server URL (Let's Encrypt staging)
server: https://acme-staging-v02.api.letsencrypt.org/directory
# Email address used for ACME registration
email: admin@bakery-ia.local # Change this to your email
# Name of a secret used to store the ACME account private key
privateKeySecretRef:
name: letsencrypt-staging
# Enable the HTTP-01 challenge provider
solvers:
- http01:
ingress:
class: nginx
podTemplate:
spec:
nodeSelector:
"kubernetes.io/os": linux

34
infrastructure/kubernetes/base/components/cert-manager/local-ca-issuer.yaml Normal file
View File

@@ -0,0 +1,34 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: local-ca-issuer
spec:
ca:
secretName: local-ca-key-pair
---
# Create a root CA certificate for local development
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: local-ca-cert
namespace: cert-manager
spec:
isCA: true
commonName: bakery-ia-local-ca
subject:
organizationalUnits:
- "Bakery IA Local CA"
organizations:
- "Bakery IA"
countries:
- "US"
secretName: local-ca-key-pair
privateKey:
algorithm: ECDSA
size: 256
issuerRef:
name: selfsigned-issuer
kind: ClusterIssuer
group: cert-manager.io
duration: 8760h # 1 year
renewBefore: 720h # 30 days

5
infrastructure/kubernetes/base/components/sales/sales-service.yaml
View File

@@ -106,6 +106,11 @@ spec:
configMapKeyRef:
name: bakery-config
key: AUTH_SERVICE_URL
- name: GATEWAY_URL
valueFrom:
configMapKeyRef:
name: bakery-config
key: GATEWAY_URL
resources:
requests:
memory: "256Mi"

7
infrastructure/kubernetes/base/components/training/training-service.yaml
View File

@@ -21,7 +21,7 @@ spec:
spec:
containers:
- name: training-service
image: bakery/training-service:latest
image: bakery/training-service:79c869aaa529b2aaf2bbe77d2a2506e3ebdaf2abac3c83505ddfad29f3dbf99e
ports:
- containerPort: 8000
name: http
@@ -106,6 +106,11 @@ spec:
configMapKeyRef:
name: bakery-config
key: AUTH_SERVICE_URL
- name: GATEWAY_URL
valueFrom:
configMapKeyRef:
name: bakery-config
key: GATEWAY_URL
resources:
requests:
memory: "256Mi"

85
infrastructure/kubernetes/base/ingress-https.yaml Normal file
View File

@@ -0,0 +1,85 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: bakery-ingress-https
namespace: bakery-ia
labels:
app.kubernetes.io/name: bakery-ia
app.kubernetes.io/component: ingress
annotations:
# Nginx ingress controller annotations
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: "10m"
nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
# CORS configuration for HTTPS
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-origin: "https://bakery-ia.local,https://api.bakery-ia.local,https://monitoring.bakery-ia.local"
nginx.ingress.kubernetes.io/cors-allow-methods: "GET, POST, PUT, DELETE, OPTIONS, PATCH"
nginx.ingress.kubernetes.io/cors-allow-headers: "Content-Type, Authorization, X-Requested-With, Accept, Origin"
nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
# Cert-manager annotations for automatic certificate issuance
cert-manager.io/cluster-issuer: "letsencrypt-staging" # Change to letsencrypt-production for production
cert-manager.io/acme-challenge-type: http01
spec:
ingressClassName: nginx
tls:
- hosts:
- bakery-ia.local
- api.bakery-ia.local
- monitoring.bakery-ia.local
secretName: bakery-ia-tls-cert
rules:
- host: bakery-ia.local
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: frontend-service
port:
number: 3000
- path: /api
pathType: Prefix
backend:
service:
name: gateway-service
port:
number: 8000
- path: /auth
pathType: Prefix
backend:
service:
name: auth-service
port:
number: 8000
- host: api.bakery-ia.local
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: gateway-service
port:
number: 8000
- host: monitoring.bakery-ia.local
http:
paths:
- path: /grafana
pathType: Prefix
backend:
service:
name: grafana-service
port:
number: 3000
- path: /prometheus
pathType: Prefix
backend:
service:
name: prometheus-service
port:
number: 9090

5
infrastructure/kubernetes/overlays/dev/dev-patches.yaml
View File

@@ -27,15 +27,18 @@ metadata:
name: bakery-ingress
namespace: bakery-ia
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
nginx.ingress.kubernetes.io/cors-allow-origin: "*"
nginx.ingress.kubernetes.io/cors-allow-methods: "GET, POST, PUT, DELETE, OPTIONS"
nginx.ingress.kubernetes.io/cors-allow-headers: "Content-Type, Authorization"
nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
nginx.ingress.kubernetes.io/enable-cors: "true"
# Development specific annotations
nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"
nginx.ingress.kubernetes.io/proxy-body-size: "10m"
nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
spec:
ingressClassName: nginx
rules:

62
infrastructure/kubernetes/overlays/dev/https-kustomization.yaml Normal file
View File

@@ -0,0 +1,62 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
metadata:
name: bakery-ia-https-dev
# Base configuration
resources:
- ../../base
- ../../base/components/cert-manager/cluster-issuer-staging.yaml
- ../../base/components/cert-manager/cluster-issuer-production.yaml
- ../../base/components/cert-manager/local-ca-issuer.yaml
# Patches
patches:
- path: dev-patches.yaml
- target:
kind: Ingress
name: bakery-ingress
path: ingress-https-patch.yaml
labels:
- includeSelectors: true
pairs:
app.kubernetes.io/part-of: bakery-ia
app.kubernetes.io/managed-by: kustomize
app.kubernetes.io/environment: dev-https
# Set image tags for development
images:
- name: bakery/auth-service
newTag: latest
- name: bakery/tenant-service
newTag: latest
- name: bakery/training-service
newTag: latest
- name: bakery/forecasting-service
newTag: latest
- name: bakery/sales-service
newTag: latest
- name: bakery/external-service
newTag: latest
- name: bakery/notification-service
newTag: latest
- name: bakery/inventory-service
newTag: latest
- name: bakery/recipes-service
newTag: latest
- name: bakery/suppliers-service
newTag: latest
- name: bakery/pos-service
newTag: latest
- name: bakery/orders-service
newTag: latest
- name: bakery/production-service
newTag: latest
- name: bakery/alert-processor
newTag: latest
- name: bakery/gateway
newTag: latest
- name: bakery/dashboard
newTag: latest

20
infrastructure/kubernetes/overlays/dev/ingress-https-patch.yaml Normal file
View File

@@ -0,0 +1,20 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: bakery-ingress
namespace: bakery-ia
annotations:
# Enable HTTPS redirect
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
# Update CORS for HTTPS
nginx.ingress.kubernetes.io/cors-allow-origin: "https://bakery-ia.local,https://api.bakery-ia.local,https://monitoring.bakery-ia.local"
# Cert-manager annotations - using local CA for development
cert-manager.io/cluster-issuer: "local-ca-issuer"
spec:
tls:
- hosts:
- bakery-ia.local
- api.bakery-ia.local
- monitoring.bakery-ia.local
secretName: bakery-ia-tls-cert

459
infrastructure/kubernetes/overlays/dev/kustomization.yaml
View File

@@ -9,10 +9,8 @@ namespace: bakery-ia
resources:
- ../../base
patchesStrategicMerge:
- dev-patches.yaml
patchesJson6902:
patches:
- path: dev-patches.yaml
- target:
group: apps
version: v1
@@ -24,9 +22,9 @@ patchesJson6902:
value:
requests:
memory: "64Mi"
cpu: "50m"
cpu: "25m"
limits:
memory: "128Mi"
memory: "256Mi"
cpu: "200m"
- target:
group: apps
@@ -39,9 +37,9 @@ patchesJson6902:
value:
requests:
memory: "64Mi"
cpu: "50m"
cpu: "25m"
limits:
memory: "128Mi"
memory: "256Mi"
cpu: "200m"
- target:
group: apps
@@ -119,11 +117,452 @@ patchesJson6902:
path: /spec/template/spec/containers/0/resources
value:
requests:
memory: "128Mi"
cpu: "50m"
memory: "64Mi"
cpu: "25m"
limits:
memory: "256Mi"
cpu: "200m"
# Database patches
- target:
group: apps
version: v1
kind: Deployment
name: external-db
patch: |-
- op: replace
path: /spec/template/spec/containers/0/resources
value:
requests:
memory: "64Mi"
cpu: "25m"
limits:
memory: "256Mi"
cpu: "200m"
- target:
group: apps
version: v1
kind: Deployment
name: forecasting-db
patch: |-
- op: replace
path: /spec/template/spec/containers/0/resources
value:
requests:
memory: "64Mi"
cpu: "25m"
limits:
memory: "256Mi"
cpu: "200m"
- target:
group: apps
version: v1
kind: Deployment
name: inventory-db
patch: |-
- op: replace
path: /spec/template/spec/containers/0/resources
value:
requests:
memory: "64Mi"
cpu: "25m"
limits:
memory: "256Mi"
cpu: "200m"
- target:
group: apps
version: v1
kind: Deployment
name: notification-db
patch: |-
- op: replace
path: /spec/template/spec/containers/0/resources
value:
requests:
memory: "64Mi"
cpu: "25m"
limits:
memory: "256Mi"
cpu: "200m"
- target:
group: apps
version: v1
kind: Deployment
name: orders-db
patch: |-
- op: replace
path: /spec/template/spec/containers/0/resources
value:
requests:
memory: "64Mi"
cpu: "25m"
limits:
memory: "256Mi"
cpu: "200m"
- target:
group: apps
version: v1
kind: Deployment
name: pos-db
patch: |-
- op: replace
path: /spec/template/spec/containers/0/resources
value:
requests:
memory: "64Mi"
cpu: "25m"
limits:
memory: "256Mi"
cpu: "200m"
- target:
group: apps
version: v1
kind: Deployment
name: production-db
patch: |-
- op: replace
path: /spec/template/spec/containers/0/resources
value:
requests:
memory: "64Mi"
cpu: "25m"
limits:
memory: "256Mi"
cpu: "200m"
- target:
group: apps
version: v1
kind: Deployment
name: recipes-db
patch: |-
- op: replace
path: /spec/template/spec/containers/0/resources
value:
requests:
memory: "64Mi"
cpu: "25m"
limits:
memory: "256Mi"
cpu: "200m"
- target:
group: apps
version: v1
kind: Deployment
name: sales-db
patch: |-
- op: replace
path: /spec/template/spec/containers/0/resources
value:
requests:
memory: "64Mi"
cpu: "25m"
limits:
memory: "256Mi"
cpu: "200m"
- target:
group: apps
version: v1
kind: Deployment
name: suppliers-db
patch: |-
- op: replace
path: /spec/template/spec/containers/0/resources
value:
requests:
memory: "64Mi"
cpu: "25m"
limits:
memory: "256Mi"
cpu: "200m"
- target:
group: apps
version: v1
kind: Deployment
name: tenant-db
patch: |-
- op: replace
path: /spec/template/spec/containers/0/resources
value:
requests:
memory: "64Mi"
cpu: "25m"
limits:
memory: "256Mi"
cpu: "200m"
- target:
group: apps
version: v1
kind: Deployment
name: training-db
patch: |-
- op: replace
path: /spec/template/spec/containers/0/resources
value:
requests:
memory: "64Mi"
cpu: "25m"
limits:
memory: "256Mi"
cpu: "200m"
# Service patches
- target:
group: apps
version: v1
kind: Deployment
name: external-service
patch: |-
- op: add
path: /spec/template/spec/initContainers
value:
- name: wait-for-external-db
image: postgres:13-alpine
command:
- sh
- -c
- |
until pg_isready -h $EXTERNAL_DB_HOST -p $EXTERNAL_DB_PORT -U $EXTERNAL_DB_USER; do
echo "Waiting for external database..."
sleep 2
done
echo "External database is ready!"
env:
- name: EXTERNAL_DB_HOST
valueFrom:
configMapKeyRef:
name: bakery-config
key: EXTERNAL_DB_HOST
- name: EXTERNAL_DB_PORT
valueFrom:
configMapKeyRef:
name: bakery-config
key: DB_PORT
- name: EXTERNAL_DB_USER
valueFrom:
secretKeyRef:
name: database-secrets
key: EXTERNAL_DB_USER
- name: PGPASSWORD
valueFrom:
secretKeyRef:
name: database-secrets
key: EXTERNAL_DB_PASSWORD
- name: wait-for-rabbitmq
image: busybox:1.35
command:
- sh
- -c
- |
until nc -z $RABBITMQ_HOST $RABBITMQ_PORT; do
echo "Waiting for RabbitMQ..."
sleep 2
done
echo "RabbitMQ is ready!"
env:
- name: RABBITMQ_HOST
valueFrom:
configMapKeyRef:
name: bakery-config
key: RABBITMQ_HOST
- name: RABBITMQ_PORT
valueFrom:
configMapKeyRef:
name: bakery-config
key: RABBITMQ_PORT
- name: wait-for-redis
image: redis:7-alpine
command:
- sh
- -c
- |
until redis-cli -h $REDIS_HOST -p $REDIS_PORT ping; do
echo "Waiting for Redis..."
sleep 2
done
echo "Redis is ready!"
env:
- name: REDIS_HOST
valueFrom:
configMapKeyRef:
name: bakery-config
key: REDIS_HOST
- name: REDIS_PORT
valueFrom:
configMapKeyRef:
name: bakery-config
key: REDIS_PORT
- op: replace
path: /spec/template/spec/containers/0/resources
value:
requests:
memory: "64Mi"
cpu: "25m"
limits:
memory: "256Mi"
cpu: "200m"
- target:
group: apps
version: v1
kind: Deployment
name: forecasting-service
patch: |-
- op: replace
path: /spec/template/spec/containers/0/resources
value:
requests:
memory: "64Mi"
cpu: "25m"
limits:
memory: "256Mi"
cpu: "200m"
- target:
group: apps
version: v1
kind: Deployment
name: inventory-service
patch: |-
- op: replace
path: /spec/template/spec/containers/0/resources
value:
requests:
memory: "64Mi"
cpu: "25m"
limits:
memory: "256Mi"
cpu: "200m"
- target:
group: apps
version: v1
kind: Deployment
name: notification-service
patch: |-
- op: replace
path: /spec/template/spec/containers/0/resources
value:
requests:
memory: "64Mi"
cpu: "25m"
limits:
memory: "256Mi"
cpu: "200m"
- target:
group: apps
version: v1
kind: Deployment
name: orders-service
patch: |-
- op: replace
path: /spec/template/spec/containers/0/resources
value:
requests:
memory: "64Mi"
cpu: "25m"
limits:
memory: "256Mi"
cpu: "200m"
- target:
group: apps
version: v1
kind: Deployment
name: pos-service
patch: |-
- op: replace
path: /spec/template/spec/containers/0/resources
value:
requests:
memory: "64Mi"
cpu: "25m"
limits:
memory: "256Mi"
cpu: "200m"
- target:
group: apps
version: v1
kind: Deployment
name: production-service
patch: |-
- op: replace
path: /spec/template/spec/containers/0/resources
value:
requests:
memory: "64Mi"
cpu: "25m"
limits:
memory: "256Mi"
cpu: "200m"
- target:
group: apps
version: v1
kind: Deployment
name: recipes-service
patch: |-
- op: replace
path: /spec/template/spec/containers/0/resources
value:
requests:
memory: "64Mi"
cpu: "25m"
limits:
memory: "256Mi"
cpu: "200m"
- target:
group: apps
version: v1
kind: Deployment
name: sales-service
patch: |-
- op: replace
path: /spec/template/spec/containers/0/resources
value:
requests:
memory: "64Mi"
cpu: "25m"
limits:
memory: "256Mi"
cpu: "200m"
- target:
group: apps
version: v1
kind: Deployment
name: suppliers-service
patch: |-
- op: replace
path: /spec/template/spec/containers/0/resources
value:
requests:
memory: "64Mi"
cpu: "25m"
limits:
memory: "256Mi"
cpu: "200m"
- target:
group: apps
version: v1
kind: Deployment
name: tenant-service
patch: |-
- op: replace
path: /spec/template/spec/containers/0/resources
value:
requests:
memory: "64Mi"
cpu: "25m"
limits:
memory: "256Mi"
cpu: "200m"
- target:
group: apps
version: v1
kind: Deployment
name: training-service
patch: |-
- op: replace
path: /spec/template/spec/containers/0/resources
value:
requests:
memory: "256Mi"
cpu: "100m"
limits:
memory: "1Gi"
cpu: "500m"
configMapGenerator:
- name: bakery-dev-config

2
infrastructure/monitoring/prometheus/prometheus.yml
View File

@@ -21,7 +21,7 @@ scrape_configs:
# Service discovery for microservices
- job_name: 'gateway'
static_configs:
- targets: ['gateway:8000']
- targets: ['gateway-service:8000']
metrics_path: '/metrics'
scrape_interval: 30s
scrape_timeout: 10s