Add base kubernetes support final

infrastructure/kubernetes/base/components/alert-processor/alert-processor-service.yaml

@@ -20,6 +20,29 @@ spec:
         app.kubernetes.io/component: worker
     spec:
       initContainers:
+      - name: wait-for-database
+        image: busybox:1.36
+        command:
+        - sh
+        - -c
+        - |
+          echo "Waiting for alert processor database to be ready..."
+          until nc -z $ALERT_PROCESSOR_DB_HOST $ALERT_PROCESSOR_DB_PORT; do
+            echo "Database not ready yet, waiting..."
+            sleep 2
+          done
+          echo "Database is ready!"
+        env:
+        - name: ALERT_PROCESSOR_DB_HOST
+          valueFrom:
+            configMapKeyRef:
+              name: bakery-config
+              key: ALERT_PROCESSOR_DB_HOST
+        - name: ALERT_PROCESSOR_DB_PORT
+          valueFrom:
+            configMapKeyRef:
+              name: bakery-config
+              key: DB_PORT
       - name: wait-for-rabbitmq
         image: busybox:1.36
         command:

infrastructure/kubernetes/base/components/cert-manager/cert-manager.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cert-manager-webhook
+  namespace: cert-manager
+---
+# Cert-manager installation using Helm repository
+# This will be installed via kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.2/cert-manager.yaml
+# The actual installation will be done via command line, this file documents the resources

infrastructure/kubernetes/base/components/cert-manager/cluster-issuer-production.yaml

@@ -0,0 +1,23 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-production
+  namespace: cert-manager
+spec:
+  acme:
+    # The ACME server URL (Let's Encrypt production)
+    server: https://acme-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: admin@bakery-ia.local  # Change this to your email
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-production
+    # Enable the HTTP-01 challenge provider
+    solvers:
+    - http01:
+        ingress:
+          class: nginx
+          podTemplate:
+            spec:
+              nodeSelector:
+                "kubernetes.io/os": linux

infrastructure/kubernetes/base/components/cert-manager/cluster-issuer-staging.yaml

@@ -0,0 +1,29 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned-issuer
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    # The ACME server URL (Let's Encrypt staging)
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: admin@bakery-ia.local  # Change this to your email
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    # Enable the HTTP-01 challenge provider
+    solvers:
+    - http01:
+        ingress:
+          class: nginx
+          podTemplate:
+            spec:
+              nodeSelector:
+                "kubernetes.io/os": linux

infrastructure/kubernetes/base/components/cert-manager/local-ca-issuer.yaml

@@ -0,0 +1,34 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: local-ca-issuer
+spec:
+  ca:
+    secretName: local-ca-key-pair
+---
+# Create a root CA certificate for local development
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: local-ca-cert
+  namespace: cert-manager
+spec:
+  isCA: true
+  commonName: bakery-ia-local-ca
+  subject:
+    organizationalUnits:
+      - "Bakery IA Local CA"
+    organizations:
+      - "Bakery IA"
+    countries:
+      - "US"
+  secretName: local-ca-key-pair
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: selfsigned-issuer
+    kind: ClusterIssuer
+    group: cert-manager.io
+  duration: 8760h # 1 year
+  renewBefore: 720h # 30 days

infrastructure/kubernetes/base/components/sales/sales-service.yaml

@@ -106,6 +106,11 @@ spec:
             configMapKeyRef:
               name: bakery-config
               key: AUTH_SERVICE_URL
+        - name: GATEWAY_URL
+          valueFrom:
+            configMapKeyRef:
+              name: bakery-config
+              key: GATEWAY_URL
         resources:
           requests:
             memory: "256Mi"

infrastructure/kubernetes/base/components/training/training-service.yaml

@@ -21,7 +21,7 @@ spec:
     spec:
       containers:
       - name: training-service
-        image: bakery/training-service:latest
+        image: bakery/training-service:79c869aaa529b2aaf2bbe77d2a2506e3ebdaf2abac3c83505ddfad29f3dbf99e
         ports:
         - containerPort: 8000
           name: http
@@ -106,6 +106,11 @@ spec:
             configMapKeyRef:
               name: bakery-config
               key: AUTH_SERVICE_URL
+        - name: GATEWAY_URL
+          valueFrom:
+            configMapKeyRef:
+              name: bakery-config
+              key: GATEWAY_URL
         resources:
           requests:
             memory: "256Mi"

infrastructure/kubernetes/base/ingress-https.yaml

@@ -0,0 +1,85 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: bakery-ingress-https
+  namespace: bakery-ia
+  labels:
+    app.kubernetes.io/name: bakery-ia
+    app.kubernetes.io/component: ingress
+  annotations:
+    # Nginx ingress controller annotations
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/proxy-body-size: "10m"
+    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+    # CORS configuration for HTTPS
+    nginx.ingress.kubernetes.io/enable-cors: "true"
+    nginx.ingress.kubernetes.io/cors-allow-origin: "https://bakery-ia.local,https://api.bakery-ia.local,https://monitoring.bakery-ia.local"
+    nginx.ingress.kubernetes.io/cors-allow-methods: "GET, POST, PUT, DELETE, OPTIONS, PATCH"
+    nginx.ingress.kubernetes.io/cors-allow-headers: "Content-Type, Authorization, X-Requested-With, Accept, Origin"
+    nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
+    # Cert-manager annotations for automatic certificate issuance
+    cert-manager.io/cluster-issuer: "letsencrypt-staging"  # Change to letsencrypt-production for production
+    cert-manager.io/acme-challenge-type: http01
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - bakery-ia.local
+    - api.bakery-ia.local
+    - monitoring.bakery-ia.local
+    secretName: bakery-ia-tls-cert
+  rules:
+  - host: bakery-ia.local
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: frontend-service
+            port:
+              number: 3000
+      - path: /api
+        pathType: Prefix
+        backend:
+          service:
+            name: gateway-service
+            port:
+              number: 8000
+      - path: /auth
+        pathType: Prefix
+        backend:
+          service:
+            name: auth-service
+            port:
+              number: 8000
+  - host: api.bakery-ia.local
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: gateway-service
+            port:
+              number: 8000
+  - host: monitoring.bakery-ia.local
+    http:
+      paths:
+      - path: /grafana
+        pathType: Prefix
+        backend:
+          service:
+            name: grafana-service
+            port:
+              number: 3000
+      - path: /prometheus
+        pathType: Prefix
+        backend:
+          service:
+            name: prometheus-service
+            port:
+              number: 9090