Fix some issues

2026-01-25 20:07:37 +01:00
parent e0be1b22f9
commit 6c6a9fc58c
32 changed files with 1719 additions and 226 deletions


@@ -1388,50 +1388,40 @@ kubectl get pods -n bakery-ia -l app.kubernetes.io/instance=signoz
### Step 7.5: Deploy Kubernetes Infrastructure Monitoring (Required for SigNoz Infrastructure View)
> **Purpose:** Deploy kube-state-metrics and node-exporter to enable Kubernetes infrastructure metrics in SigNoz. Without these components, the SigNoz Infrastructure section will be empty.
> **Purpose:** Deploy the official SigNoz k8s-infra chart to enable comprehensive Kubernetes infrastructure metrics in SigNoz. This replaces the need for separate kube-state-metrics and node-exporter deployments. ❌ Removed legacy components: kube-state-metrics and node-exporter.
**Components Deployed:**
| Component | Purpose | Metrics |
|-----------|---------|---------|
| **kube-state-metrics** | Kubernetes object metrics | Pods, Deployments, Nodes, PVCs, etc. |
| **node-exporter** | Host-level metrics | CPU, Memory, Disk, Network |
| **SigNoz k8s-infra** | Unified Kubernetes infrastructure monitoring | Host metrics (CPU, Memory, Disk, Network), Kubelet metrics (Pod/container usage), Cluster metrics (Deployments, Pods, Nodes), Kubernetes events |
**Deploy using the automated script:**
**Deploy using the official SigNoz k8s-infra chart:**
```bash
# Navigate to the k8s-infra monitoring directory
cd /root/bakery-ia
# Add SigNoz Helm repository (if not already added)
helm repo add signoz https://charts.signoz.io
helm repo update
# Make the script executable (if not already)
chmod +x infrastructure/monitoring/k8s-infra/deploy-k8s-infra-monitoring.sh
# Deploy kube-state-metrics and node-exporter
./infrastructure/monitoring/k8s-infra/deploy-k8s-infra-monitoring.sh --microk8s install
```
**Upgrade SigNoz to scrape the new metrics:**
```bash
# The signoz-values-prod.yaml already includes the Prometheus receiver configuration
# Upgrade SigNoz to apply the scraping configuration
microk8s helm3 upgrade signoz signoz/signoz \
# Install the k8s-infra chart
helm upgrade --install k8s-infra signoz/k8s-infra \
-n bakery-ia \
-f infrastructure/monitoring/signoz/signoz-values-prod.yaml
-f infrastructure/monitoring/signoz/k8s-infra-values-prod.yaml \
--timeout 10m
# Wait for the DaemonSet to be ready
kubectl wait --for=condition=ready pod -l app.kubernetes.io/name=signoz-agent -n bakery-ia --timeout=300s
```
**Verify deployment:**
**Verify k8s-infra deployment:**
```bash
# Check pods are running
microk8s kubectl get pods -n bakery-ia | grep -E "(kube-state|node-exporter)"
# Check if the k8s-infra agent is running (should see one pod per node)
kubectl get pods -n bakery-ia -l app.kubernetes.io/name=signoz-agent
# Expected output:
# kube-state-metrics-xxxxxxxxxx-xxxxx 1/1 Running 0 1m
# node-exporter-prometheus-node-exporter-xxxxx 1/1 Running 0 1m
# Check status
./infrastructure/monitoring/k8s-infra/deploy-k8s-infra-monitoring.sh --microk8s status
# Expected output (one pod per cluster node):
# signoz-agent-xxxxx 1/1 Running 0 1m
# signoz-agent-yyyyy 1/1 Running 0 1m
```
**Verify metrics in SigNoz:**
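Review bot: the added install and verify commands (`helm upgrade --install k8s-infra signoz/k8s-infra ...`, `kubectl wait ...`, `kubectl get pods -n bakery-ia -l app.kubernetes.io/name=signoz-agent`) drop the `microk8s helm3` / `microk8s kubectl` prefixes that the removed lines and the surrounding step still use, so on a MicroK8s host without those aliases the new block fails with "command not found". Pick one convention for the whole step. Also, `kubectl wait --for=condition=ready pod -l ...` exits immediately with "no matching resources found" if the DaemonSet has not scheduled any pod yet, so a `kubectl rollout status` on the agent DaemonSet is the more robust check at that point.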
@@ -1440,22 +1430,34 @@ After a few minutes, you should see:
- **Infrastructure → Kubernetes**: Pod status, deployments, nodes, PVCs
- **Infrastructure → Hosts**: CPU, memory, disk, network usage
**Important Notes:**
1. **Legacy Components Removal:** If you previously had kube-state-metrics or node-exporter deployed, you should remove them to avoid duplicate metrics:
```bash
# Remove legacy components if they exist
helm uninstall kube-state-metrics -n bakery-ia 2>/dev/null || true
helm uninstall node-exporter-prometheus-node-exporter -n bakery-ia 2>/dev/null || true
```
2. **Configuration:** The k8s-infra chart is configured via `k8s-infra-values-prod.yaml` which specifies:
- Connection to your SigNoz OTel collector endpoint
- Collection intervals and presets for different metric types
- Resource limits for the monitoring agents
**Troubleshooting:**
```bash
# Check if metrics are being scraped
microk8s kubectl port-forward svc/kube-state-metrics 8080:8080 -n bakery-ia &
curl localhost:8080/metrics | head -20
# Check k8s-infra agent logs
kubectl logs -l app.kubernetes.io/name=signoz-agent -n bakery-ia --tail=50
# Check OTel Collector logs for scraping errors
microk8s kubectl logs -l app.kubernetes.io/name=signoz-otel-collector -n bakery-ia --tail=50
# Verify the agent can connect to SigNoz collector
kubectl logs -l app.kubernetes.io/name=signoz-agent -n bakery-ia | grep -i error
```
> **Files Location:**
> - Helm values: `infrastructure/monitoring/k8s-infra/kube-state-metrics-values.yaml`
> - Helm values: `infrastructure/monitoring/k8s-infra/node-exporter-values.yaml`
> - Deploy script: `infrastructure/monitoring/k8s-infra/deploy-k8s-infra-monitoring.sh`
> - Documentation: `infrastructure/monitoring/k8s-infra/README.md`
> - Helm values: `infrastructure/monitoring/signoz/k8s-infra-values-prod.yaml`
> - Helm values: `infrastructure/monitoring/signoz/k8s-infra-values-dev.yaml`
> - Documentation: `infrastructure/monitoring/signoz/README.md`
---
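Review bot: the legacy-cleanup release names in the new Important Notes block look wrong, and the `2>/dev/null || true` guard will hide that. The removed expected output shows the old pod as `node-exporter-prometheus-node-exporter-xxxxx`, which is the `<release>-prometheus-node-exporter` naming of that chart, so the release is most likely `node-exporter`, not `node-exporter-prometheus-node-exporter`; with errors suppressed, `helm uninstall` of a non-existent release silently "succeeds" and the duplicate metrics the note warns about stay. Suggest running `helm list -n bakery-ia` first and dropping the error suppression. In the troubleshooting block, `kubectl logs -l app.kubernetes.io/name=signoz-agent ... | grep -i error` aggregates one pod per node without saying which pod a line came from; add `--prefix` so an error can be traced back to a node.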
@@ -1528,30 +1530,119 @@ kubectl exec -n bakery-ia deployment/redis -- redis-cli ping
### Configure Stripe Keys (Required Before Going Live)
Before accepting payments, configure your Stripe credentials:
**IMPORTANT**: Before going live, you MUST replace test keys with live Stripe keys.
#### Step 1: Get Your Live Stripe Keys
1. Go to [Stripe Dashboard](https://dashboard.stripe.com/apikeys)
2. Make sure you're in **Live mode** (toggle in top right)
3. Copy your **Publishable key** (starts with `pk_live_`)
4. Copy your **Secret key** (starts with `sk_live_`)
5. Get your **Webhook signing secret** from Stripe webhook settings
#### Step 2: Update Configuration Files
```bash
# Edit ConfigMap for publishable key
# 1. Update the common configmap with your live publishable key
nano infrastructure/environments/common/configs/configmap.yaml
# Add: VITE_STRIPE_PUBLISHABLE_KEY: "pk_live_XXXXXXXXXXXX"
# Encode your secret keys
echo -n "sk_live_XXXXXXXXXX" | base64 # Your secret key
echo -n "whsec_XXXXXXXXXX" | base64 # Your webhook secret
# Find and replace these lines:
VITE_STRIPE_PUBLISHABLE_KEY: "pk_test_51QuxKyIzCdnBmAVTGM8fvXYkItrBUILz6lHYwhAva6ZAH1HRi0e8zDRgZ4X3faN0zEABp5RHjCVBmMJL3aKXbaC200fFrSNnPl"
VITE_STRIPE_ACCOUNT_ID: "acct_1QuxKsIucMC6K1cg"
# Edit Secrets
# Replace with your live key and account ID:
VITE_STRIPE_PUBLISHABLE_KEY: "pk_live_your_publishable_key_here"
VITE_STRIPE_ACCOUNT_ID: "acct_1QuxKsIucMC6K1cg" # Keep your account ID, just remove "test_" prefix if needed
# 2. Encode your live secret keys (required for Kubernetes secrets)
echo -n "sk_live_your_secret_key_here" | base64
# Example output: c2tfbGl2ZV95b3VyX3NlY3JldF9rZXlfaGVyZQ==
echo -n "whsec_your_webhook_secret_here" | base64
# Example output: d2hzZWNfeW91cl93ZWJob29rX3NlY3JldF9oZXJl
# 3. Update the secrets file
nano infrastructure/environments/common/configs/secrets.yaml
# Add to payment-secrets section:
# STRIPE_SECRET_KEY: <base64-encoded>
# STRIPE_WEBHOOK_SECRET: <base64-encoded>
# Apply the updated configuration
kubectl apply -k infrastructure/environments/prod/k8s-manifests
# Find the payment-secrets section and update:
STRIPE_SECRET_KEY: c2tfbGl2ZV95b3VyX3NlY3JldF9rZXlfaGVyZQ== # Replace with your encoded live secret key
STRIPE_WEBHOOK_SECRET: d2hzZWNfeW91cl93ZWJob29rX3NlY3JldF9oZXJl # Replace with your encoded webhook secret
# Restart services that use Stripe
kubectl rollout restart deployment/payment-service -n bakery-ia
# 4. Update production kustomization
nano infrastructure/environments/prod/k8s-manifests/kustomization.yaml
# Find and update the Stripe configuration patch:
- op: replace
path: /data/VITE_STRIPE_PUBLISHABLE_KEY
value: "pk_live_your_publishable_key_here"
- op: add
path: /data/VITE_STRIPE_ACCOUNT_ID
value: "acct_1QuxKsIucMC6K1cg"
```
#### Step 3: Apply Configuration and Restart Services
```bash
# Apply the updated configuration
kubectl apply -k infrastructure/environments/prod/k8s-manifests/
# Restart services that use Stripe (order matters)
kubectl rollout restart deployment/tenant-service -n bakery-ia
kubectl rollout restart deployment/gateway -n bakery-ia
kubectl rollout restart deployment/frontend -n bakery-ia
# Monitor the restart process
kubectl get pods -n bakery-ia -w
```
#### Step 4: Verify Stripe Configuration
```bash
# Check that the configmap was updated correctly
kubectl get configmap bakery-config -n bakery-ia -o yaml | grep STRIPE
# Check that secrets are properly encoded
kubectl get secret payment-secrets -n bakery-ia -o yaml | grep STRIPE
# Test a small payment (€1.00) with a real card
# Use Stripe test cards first: 4242 4242 4242 4242
```
#### Step 5: Update Stripe Webhooks (Critical)
```bash
# 1. Update your Stripe webhook endpoint to use the live URL:
# https://bakewise.ai/api/webhooks/stripe
# 2. Update the webhook signing secret in Stripe dashboard
# to match what you configured in secrets.yaml
# 3. Test webhooks:
stripe trigger payment_intent.succeeded
stripe trigger invoice.paid
```
#### Step 6: PCI Compliance Checklist
Before going live, ensure:
- [ ] All payment pages use HTTPS (check your ingress TLS configuration)
- [ ] No card data is logged or stored in your databases
- [ ] Your server meets PCI DSS requirements
- [ ] You have a vulnerability management process
- [ ] Regular security audits are scheduled
#### Step 7: Go Live Checklist
- [ ] Stripe live keys configured in all services
- [ ] Webhooks tested and working
- [ ] PCI compliance verified
- [ ] Test payments successful in live mode
- [ ] Refund process tested
- [ ] Customer support ready for payment issues
- [ ] Monitoring set up for payment failures
**WARNING**: Once you switch to live keys, real money will be processed. Start with small test transactions and monitor closely.
### Backup Strategy
```bash
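Review bot: Step 2 item 3 has the operator paste the base64 of `sk_live_...` and `whsec_...` into `infrastructure/environments/common/configs/secrets.yaml`, a file under the repository; base64 is an encoding, not encryption, so the live Stripe secret key and webhook secret end up readable in git history. The doc should point to an out-of-repo source for those two values (for example `kubectl create secret generic payment-secrets --from-literal=... --dry-run=client -o yaml | kubectl apply -f -`, or a sealed/external secret) and state that the checked-in file must not hold live values. Smaller issues in the same hunk: Step 4 says to test with a real card and then with `4242 4242 4242 4242`, but Stripe test cards are rejected once live keys are in use; Step 5 item 2 has the direction reversed, since the signing secret is generated by Stripe for the live endpoint and copied into `secrets.yaml`, not set in the dashboard to match the file; `stripe trigger` only fires test-mode events, so it does not exercise the live webhook; and the comment "remove `test_` prefix if needed" on `VITE_STRIPE_ACCOUNT_ID` is misleading, as `acct_` IDs carry no mode prefix.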
@@ -1730,3 +1821,79 @@ This guide provides a complete, step-by-step process for deploying Bakery-IA to
4. **Scalable:** Designed for 10-100+ tenants with clear scaling path
For questions or issues, refer to the troubleshooting guide or consult the support resources listed above.
### Email System Configuration
#### Setting Up email-secrets Properly
**Important:** The `email-secrets` must be configured to use the Mailu admin account credentials for proper email functionality.
**Recommended Approach:**
1. **Use Mailu Admin Account** (instead of creating separate postmaster account):
```bash
# Get the admin password from mailu-admin-credentials
ADMIN_PASSWORD=$(kubectl get secret mailu-admin-credentials -n bakery-ia -o jsonpath='{.data.password}' | base64 -d)
# Update email-secrets to use admin account
kubectl edit secret email-secrets -n bakery-ia
# Change the values to:
# SMTP_USER: admin@bakewise.ai
# SMTP_PASSWORD: [the admin password you retrieved]
```
2. **Alternative: Create Postmaster Account** (if you prefer separate accounts):
```bash
# Log in to Mailu admin panel
# URL: https://mail.bakewise.ai/admin
# Username: admin@bakewise.ai
# Password: [from mailu-admin-credentials]
# Navigate to Users -> Create New User
# Email: postmaster@bakewise.ai
# Password: [generate secure password]
# Role: Admin (or create custom role with email sending permissions)
# Update email-secrets with the postmaster credentials
kubectl edit secret email-secrets -n bakery-ia
```
**Verifying Email Configuration:**
```bash
# Test email sending via notification service
kubectl exec -n bakery-ia deployment/notification-service -it -- bash
# Inside the container:
python -c "
from app.services.email_service import EmailService
from app.core.config import settings
es = EmailService()
print('Testing email service...')
result = await es.health_check()
print(f'Email service healthy: {result}')
"
```
**Troubleshooting Email Issues:**
```bash
# Check Mailu logs
kubectl logs -n bakery-ia deployment/mailu-postfix | tail -50
# Check notification service logs
kubectl logs -n bakery-ia deployment/notification-service | grep -i email | tail -20
# Test SMTP connection manually
kubectl run -it --rm smtp-test --image=alpine --
apk add openssl &&
openssl s_client -connect mailu-postfix:587 -starttls smtp
```
**DOVEADM_PASSWORD Note:**
- This is for IMAP administration (rarely used)
- Only needed if you require advanced mailbox management
- Can be safely removed if not using IMAP admin features
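Review bot: the "Recommended Approach" wires the Mailu admin account (`admin@bakewise.ai`, password read from `mailu-admin-credentials`) into `email-secrets` for the notification service; that gives a send-only workload full mail-server administration, so a compromise of notification-service becomes a compromise of Mailu. The "Alternative" with a dedicated `postmaster@bakewise.ai` user should be the recommended path, with an ordinary user role rather than Admin. Also, `kubectl edit secret email-secrets` presents base64 under `data`, so the plaintext the comments tell the reader to enter (`SMTP_USER: admin@bakewise.ai`) is rejected as illegal base64; use `stringData` or `kubectl create secret generic ... --dry-run=client -o yaml | kubectl apply -f -`. The verification snippet uses `await es.health_check()` at module level inside `python -c`, which is a SyntaxError; wrap it in `asyncio.run(...)`. And the `kubectl run -it --rm smtp-test --image=alpine --` line has no continuation backslash, so `apk add openssl && openssl s_client ...` runs on the operator's host after the pod's shell exits rather than inside the pod.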