Fix resources isues 8

PRODUCTION_DEPLOYMENT_GUIDE.md

@@ -49,7 +49,7 @@ A complete multi-tenant SaaS platform consisting of:
 | **Cache** | Redis with TLS |
 | **Message Broker** | RabbitMQ |
 | **Object Storage** | MinIO (S3-compatible) |
-| **Email** | Mailu (self-hosted) with Mailgun relay |
+| **Email** | Mailu (self-hosted) with MailerSend relay |
 | **Monitoring** | SigNoz (unified observability) |
 | **CI/CD** | Gitea + Tekton + Flux CD |
 | **Security** | TLS everywhere, RBAC, Network Policies |
@@ -113,7 +113,7 @@ Phase 8: Verification & Validation
 |---------|----------|-------------|
 | VPS (20GB RAM, 8 vCPU, 200GB SSD) | clouding.io | €40-80 |
 | Domain | Namecheap/Cloudflare | ~€1.25 (€15/year) |
-| Email Relay | Mailgun (free tier) | €0 |
+| Email Relay | MailerSend (free tier: 3K emails/month) | €0 |
 | SSL Certificates | Let's Encrypt | €0 |
 | DNS | Cloudflare | €0 |
 | **Total** | | **€41-81/month** |
@@ -137,7 +137,7 @@ Phase 8: Verification & Validation
 - [ ] **VPS Provider** (clouding.io, Hetzner, DigitalOcean, etc.)
 - [ ] **Domain Registrar** (Namecheap, Cloudflare, etc.)
 - [ ] **Cloudflare Account** (recommended for DNS)
-- [ ] **Mailgun Account** (for email relay, optional)
+- [ ] **MailerSend Account** (for email relay - https://mailersend.com, optional)
 - [ ] **Stripe Account** (for payments)
 
 ### Local Machine Requirements
@@ -379,7 +379,7 @@ Add these DNS records pointing to your VPS IP (`200.234.233.87`):
 | A | registry | 200.234.233.87 | Auto |
 | A | api | 200.234.233.87 | Auto |
 | MX | @ | mail.bakewise.ai | 10 |
-| TXT | @ | v=spf1 mx a -all | Auto |
+| TXT | @ | v=spf1 include:mailersend.net mx a ~all | Auto |
 | TXT | _dmarc | v=DMARC1; p=reject; rua=mailto:admin@bakewise.ai | Auto |
 
 ### Step 2.2: Verify DNS Propagation
@@ -1187,7 +1187,7 @@ kubectl logs -n bakery-ia deployment/mailu-front --tail=10
 >   - Username: `admin@bakewise.ai`
 >   - Password: (from secret above)
 >
-> 6. **Mailgun Relay:** Configure credentials in `mailu-mailgun-credentials-secret.yaml` before deployment.
+> 6. **MailerSend Relay:** Configure credentials in `mailersend-credentials-secret.yaml` before deployment.
 
 ### Step 7.3.1: Mailu Configuration Notes
 
@@ -1201,19 +1201,33 @@ kubectl logs -n bakery-ia deployment/mailu-front --tail=10
 > - **Internal:** Uses self-signed certificates for inter-service communication
 > - **No replacement needed:** This dual-certificate architecture is intentional and secure
 
-**Configure Mailgun Relay (for outbound email):**
+**Configure MailerSend Relay (for outbound email):**
 
 ```bash
-# Edit the Mailgun credentials secret
-nano infrastructure/platform/mail/mailu-helm/configs/mailu-mailgun-credentials-secret.yaml
+# 1. Sign up at https://accounts.mailersend.com/signup
+# 2. Add your domain (bakewise.ai) and verify DNS records
+# 3. Generate SMTP credentials: Email -> Domains -> SMTP -> Generate new user
+
+# Edit the MailerSend credentials secret
+nano infrastructure/platform/mail/mailu-helm/configs/mailersend-credentials-secret.yaml
 
 # Apply the secret
-kubectl apply -f infrastructure/platform/mail/mailu-helm/configs/mailu-mailgun-credentials-secret.yaml -n bakery-ia
+kubectl apply -f infrastructure/platform/mail/mailu-helm/configs/mailersend-credentials-secret.yaml -n bakery-ia
 
 # Restart Mailu to pick up the new relay configuration
 kubectl rollout restart deployment -n bakery-ia -l app.kubernetes.io/instance=mailu
 ```
 
+**MailerSend DNS Records (add to Cloudflare):**
+
+| Type | Name | Value |
+|------|------|-------|
+| TXT (SPF) | @ | v=spf1 include:mailersend.net mx a ~all |
+| TXT (DKIM) | mlsend._domainkey | (from MailerSend dashboard) |
+| TXT (DKIM) | mlsend2._domainkey | (from MailerSend dashboard) |
+
+> **Note:** MailerSend free tier includes 3,000 emails/month (12,000 with verified domain).
+
 ### Step 7.4: Deploy SigNoz Monitoring
 
 ```bash

infrastructure/environments/prod/k8s-manifests/kustomization.yaml

@@ -21,9 +21,9 @@ resources:
   - prod-certificate.yaml
 
 
-  # SigNoz is managed via Helm deployment (see infrastructure/helm/deploy-signoz.sh)
-  # Monitoring is handled by SigNoz (no separate monitoring components needed)
-  # SigNoz paths are now included in the main ingress (ingress-https.yaml)
+  # SigNoz is managed via Helm deployment (see infrastructure/monitoring/signoz/deploy-signoz.sh)
+  # Monitoring is handled by SigNoz with its own dedicated ingress
+  # SigNoz creates its own ingress resource for monitoring.bakewise.ai
 
 labels:
   - includeSelectors: false

infrastructure/monitoring/signoz/signoz-values-dev.yaml

@@ -1,6 +1,6 @@
 # SigNoz Helm Chart Values - Development Environment
 # Optimized for local development with minimal resource usage
-# DEPLOYED IN bakery-ia NAMESPACE - Ingress managed by bakery-ingress
+# DEPLOYED IN bakery-ia NAMESPACE - Ingress managed by SigNoz Helm chart
 #
 # Official Chart: https://github.com/SigNoz/charts
 # Install Command: helm install signoz signoz/signoz -n bakery-ia -f signoz-values-dev.yaml
@@ -10,3 +10,60 @@ global:
   clusterName: "bakery-ia-dev"
   domain: "monitoring.bakery-ia.local"
   # Docker Hub credentials - applied to all sub-charts (including Zookeeper, ClickHouse, etc)
+
+# Ingress configuration for SigNoz development
+frontend:
+  ingress:
+    enabled: true
+    className: "nginx"
+    annotations:
+      nginx.ingress.kubernetes.io/ssl-redirect: "false"  # Disable for local development
+      nginx.ingress.kubernetes.io/proxy-body-size: "100m"
+      nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
+      nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
+    hosts:
+      - host: monitoring.bakery-ia.local
+        paths:
+          - path: /
+            pathType: Prefix
+    tls: []  # No TLS for local development
+
+# Resource configuration for development
+# Minimal resources for local testing
+clickhouse:
+  persistence:
+    size: 5Gi
+  resources:
+    requests:
+      memory: "512Mi"
+      cpu: "250m"
+    limits:
+      memory: "1Gi"
+      cpu: "500m"
+
+otelCollector:
+  resources:
+    requests:
+      memory: "256Mi"
+      cpu: "100m"
+    limits:
+      memory: "512Mi"
+      cpu: "250m"
+
+queryService:
+  resources:
+    requests:
+      memory: "256Mi"
+      cpu: "100m"
+    limits:
+      memory: "512Mi"
+      cpu: "250m"
+
+alertmanager:
+  resources:
+    requests:
+      memory: "128Mi"
+      cpu: "50m"
+    limits:
+      memory: "256Mi"
+      cpu: "100m"

infrastructure/monitoring/signoz/signoz-values-prod.yaml

@@ -1,6 +1,6 @@
 # SigNoz Helm Chart Values - Production Environment
 # High-availability configuration with resource optimization
-# DEPLOYED IN bakery-ia NAMESPACE - Ingress managed by bakery-ingress-prod
+# DEPLOYED IN bakery-ia NAMESPACE - Ingress managed by SigNoz Helm chart
 #
 # Official Chart: https://github.com/SigNoz/charts
 # Install Command: helm install signoz signoz/signoz -n bakery-ia -f signoz-values-prod.yaml
@@ -10,3 +10,69 @@ global:
   clusterName: "bakery-ia-prod"
   domain: "monitoring.bakewise.ai"
   # Docker Hub credentials - applied to all sub-charts (including Zookeeper, ClickHouse, etc)
+
+# Ingress configuration for SigNoz
+# Configured to use HTTPS with TLS termination at ingress controller
+# Similar to gitea and mailu configurations
+frontend:
+  ingress:
+    enabled: true
+    className: "nginx"
+    annotations:
+      nginx.ingress.kubernetes.io/ssl-redirect: "true"
+      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+      nginx.ingress.kubernetes.io/proxy-body-size: "100m"
+      nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
+      nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
+      cert-manager.io/cluster-issuer: "letsencrypt-production"
+      nginx.ingress.kubernetes.io/limit-rps: "50"
+      nginx.ingress.kubernetes.io/limit-connections: "25"
+    hosts:
+      - host: monitoring.bakewise.ai
+        paths:
+          - path: /
+            pathType: Prefix
+    tls:
+      - hosts:
+          - monitoring.bakewise.ai
+        secretName: bakery-ia-prod-tls-cert
+
+# Resource configuration for production
+# Optimized for 8 CPU core VPS deployment
+clickhouse:
+  persistence:
+    size: 20Gi
+  resources:
+    requests:
+      memory: "2Gi"
+      cpu: "500m"
+    limits:
+      memory: "4Gi"
+      cpu: "1000m"
+
+otelCollector:
+  resources:
+    requests:
+      memory: "1Gi"
+      cpu: "500m"
+    limits:
+      memory: "2Gi"
+      cpu: "1000m"
+
+queryService:
+  resources:
+    requests:
+      memory: "1Gi"
+      cpu: "500m"
+    limits:
+      memory: "2Gi"
+      cpu: "1000m"
+
+alertmanager:
+  resources:
+    requests:
+      memory: "512Mi"
+      cpu: "250m"
+    limits:
+      memory: "1Gi"
+      cpu: "500m"

infrastructure/platform/mail/mailu-helm/README.md

@@ -23,7 +23,7 @@ mailu-helm/
 The following critical configurations from the original Kustomize setup have been preserved:
 
 - **Domain settings**: Domain and hostnames for both dev and prod
-- **External relay**: Mailgun SMTP relay configuration
+- **External relay**: MailerSend SMTP relay configuration
 - **Redis integration**: Connection to shared Redis cluster (database 15)
 - **Database settings**: PostgreSQL connection details
 - **Resource limits**: CPU and memory requests/limits matching original setup
@@ -39,7 +39,7 @@ The following critical configurations from the original Kustomize setup have bee
 2. Kubernetes cluster with storage provisioner
 3. Ingress controller (NGINX) - already deployed in your cluster
 4. Cert-manager for TLS certificates (optional, depends on your ingress setup)
-5. External SMTP relay account (Mailgun)
+5. External SMTP relay account (MailerSend - https://mailersend.com)
 
 ### Deployment Commands
 

infrastructure/platform/mail/mailu-helm/configs/mailersend-credentials-secret.yaml

@@ -0,0 +1,104 @@
+# MailerSend SMTP Credentials Secret for Mailu
+#
+# This secret stores MailerSend credentials for outbound email relay.
+# Mailu uses MailerSend as an external SMTP relay to send all outbound emails.
+#
+# ============================================================================
+# HOW TO CONFIGURE:
+# ============================================================================
+#
+# 1. Go to https://accounts.mailersend.com/signup and create an account
+#
+# 2. Add and verify your domain:
+#    - For dev: bakery-ia.dev
+#    - For prod: bakewise.ai
+#    - Go to Email -> Domains -> Add domain
+#    - Follow the DNS verification steps (add TXT records)
+#
+# 3. Generate SMTP credentials:
+#    - Go to Email -> Domains -> Click on your domain
+#    - Go to SMTP section
+#    - Click "Generate new user"
+#    - Save the generated username and password
+#
+# 4. Note your SMTP credentials:
+#    - SMTP hostname: smtp.mailersend.net
+#    - Port: 587 (TLS/STARTTLS)
+#    - Username: generated by MailerSend (e.g., MS_xxxxxx@trial-xxxxx.mlsender.net)
+#    - Password: generated SMTP password
+#
+# 5. Replace the placeholder values below with your credentials
+#
+# 6. Apply this secret:
+#    kubectl apply -f mailersend-credentials-secret.yaml -n bakery-ia
+#
+# ============================================================================
+# IMPORTANT NOTES:
+# ============================================================================
+#
+# - MailerSend requires TLS 1.2 or higher (supported by default)
+# - SMTP credentials are account-wide (work for any verified domain)
+# - Free tier: 3,000 emails/month (12,000 with verified domain)
+# - Rate limit: 120 requests/minute
+#
+# ============================================================================
+# DNS RECORDS REQUIRED FOR MAILERSEND:
+# ============================================================================
+#
+# Add these DNS records to your domain (Cloudflare) for proper email delivery:
+#
+# 1. SPF Record (TXT):
+#    Name: @
+#    Value: v=spf1 include:mailersend.net ~all
+#
+# 2. DKIM Records (TXT):
+#    MailerSend will provide DKIM keys after domain verification
+#    Typically: mlsend._domainkey and mlsend2._domainkey
+#    (check your MailerSend domain settings for exact values)
+#
+# 3. DMARC Record (TXT):
+#    Name: _dmarc
+#    Value: v=DMARC1; p=quarantine; rua=mailto:admin@bakewise.ai
+#
+# 4. MX Records (for receiving mail via Mailu):
+#    Priority 10: mail.bakewise.ai
+#
+# 5. A Record:
+#    Name: mail
+#    Value: <your-server-public-IP>
+#
+# ============================================================================
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mailu-mailersend-credentials
+  namespace: bakery-ia
+  labels:
+    app: mailu
+    component: external-relay
+  annotations:
+    description: "MailerSend SMTP credentials for Mailu external relay"
+type: Opaque
+stringData:
+  # ============================================================================
+  # REPLACE THESE VALUES WITH YOUR MAILERSEND CREDENTIALS
+  # ============================================================================
+  #
+  # Option 1: Use stringData (plain text - Kubernetes will encode automatically)
+  # This is easier for initial setup but shows credentials in the file
+  #
+  RELAY_USERNAME: "MS_d34ZtW@bakewise.ai"
+  RELAY_PASSWORD: "mssp.Z6GRHQ8.zr6ke4nvq6egon12.IDyvEi7"
+  #
+  # ============================================================================
+  # ALTERNATIVE: Use pre-encoded values (more secure for version control)
+  # ============================================================================
+  # Comment out stringData above and uncomment data below:
+  #
+  # data:
+  #   # Base64 encoded values
+  #   # echo -n 'your-mailersend-username' | base64
+  #   RELAY_USERNAME: WU9VUl9NQUlMRVJTRU5EX1NNVFBfVVNFUk5BTUU=
+  #   # echo -n 'your-mailersend-password' | base64
+  #   RELAY_PASSWORD: WU9VUl9NQUlMRVJTRU5EX1NNVFBfUEFTU1dPUkQ=

infrastructure/platform/mail/mailu-helm/configs/mailgun-credentials-secret.yaml

@@ -1,94 +0,0 @@
-# Mailgun SMTP Credentials Secret for Mailu
-#
-# This secret stores Mailgun credentials for outbound email relay.
-# Mailu uses Mailgun as an external SMTP relay to send all outbound emails.
-#
-# ============================================================================
-# HOW TO CONFIGURE:
-# ============================================================================
-#
-# 1. Go to https://www.mailgun.com and create an account
-#
-# 2. Add and verify your domain:
-#    - For dev: bakery-ia.dev
-#    - For prod: bakewise.ai
-#
-# 3. Go to Domain Settings > SMTP credentials in Mailgun dashboard
-#
-# 4. Note your SMTP credentials:
-#    - SMTP hostname: smtp.mailgun.org
-#    - Port: 587 (TLS/STARTTLS)
-#    - Username: typically postmaster@yourdomain.com
-#    - Password: your Mailgun SMTP password (NOT the API key)
-#
-# 5. Base64 encode your credentials:
-#    echo -n 'postmaster@bakewise.ai' | base64
-#    echo -n 'your-mailgun-smtp-password' | base64
-#
-# 6. Replace the placeholder values below with your encoded credentials
-#
-# 7. Apply this secret:
-#    kubectl apply -f mailgun-credentials-secret.yaml -n bakery-ia
-#
-# ============================================================================
-# IMPORTANT NOTES:
-# ============================================================================
-#
-# - Use the SMTP password from Mailgun, NOT the API key
-# - The username format is: postmaster@yourdomain.com
-# - For sandbox domains, Mailgun requires adding authorized recipients
-# - Production domains need DNS verification (SPF, DKIM records)
-#
-# ============================================================================
-# DNS RECORDS REQUIRED FOR MAILGUN:
-# ============================================================================
-#
-# Add these DNS records to your domain for proper email delivery:
-#
-# 1. SPF Record (TXT):
-#    Name: @
-#    Value: v=spf1 include:mailgun.org ~all
-#
-# 2. DKIM Records (TXT):
-#    Mailgun will provide two DKIM keys to add as TXT records
-#    (check your Mailgun domain settings for exact values)
-#
-# 3. MX Records (optional, only if receiving via Mailgun):
-#    Priority 10: mxa.mailgun.org
-#    Priority 10: mxb.mailgun.org
-#
-# ============================================================================
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: mailu-mailgun-credentials
-  namespace: bakery-ia
-  labels:
-    app: mailu
-    component: external-relay
-  annotations:
-    description: "Mailgun SMTP credentials for Mailu external relay"
-type: Opaque
-stringData:
-  # ============================================================================
-  # REPLACE THESE VALUES WITH YOUR MAILGUN CREDENTIALS
-  # ============================================================================
-  #
-  # Option 1: Use stringData (plain text - Kubernetes will encode automatically)
-  # This is easier for initial setup but shows credentials in the file
-  #
-  RELAY_USERNAME: "postmaster@sandboxc1bff891532b4f0c83056a68ae080b4c.mailgun.org"
-  RELAY_PASSWORD: "2e47104abadad8eb820d00042ea6d5eb-77c6c375-89c7ea55"
-  #
-  # ============================================================================
-  # ALTERNATIVE: Use pre-encoded values (more secure for version control)
-  # ============================================================================
-  # Comment out stringData above and uncomment data below:
-  #
-  # data:
-  #   # Base64 encoded values
-  #   # echo -n 'postmaster@bakewise.ai' | base64
-  #   RELAY_USERNAME: cG9zdG1hc3RlckBiYWtld2lzZS5haQ==
-  #   # echo -n 'your-password' | base64
-  #   RELAY_PASSWORD: WU9VUl9NQUlMR1VOX1NNVFBfUEFTU1dPUkQ=

infrastructure/platform/mail/mailu-helm/scripts/deploy-mailu-prod.sh

@@ -274,9 +274,22 @@ echo "  CoreDNS is configured with DNS-over-TLS (Cloudflare) for DNSSEC validati
 echo "  CoreDNS IP: $COREDNS_IP"
 echo ""
 echo "Next Steps:"
-echo "  1. Configure DNS records (A, MX, SPF, DMARC)"
-echo "  2. Get DKIM key: kubectl exec -n $NAMESPACE deployment/mailu-admin -- cat /dkim/$DOMAIN.dkim.pub"
-echo "  3. Add DKIM TXT record to DNS"
+echo "  1. Configure MailerSend:"
+echo "     - Sign up at https://accounts.mailersend.com/signup"
+echo "     - Add domain '$DOMAIN' and verify DNS records"
+echo "     - Generate SMTP credentials (Email -> Domains -> SMTP)"
+echo "     - Update secret: kubectl edit secret mailu-mailersend-credentials -n $NAMESPACE"
+echo ""
+echo "  2. Configure DNS records in Cloudflare for '$DOMAIN':"
+echo "     - A record: mail -> <your-server-IP>"
+echo "     - MX record: @ -> mail.$DOMAIN (priority 10)"
+echo "     - TXT (SPF): @ -> v=spf1 include:mailersend.net ~all"
+echo "     - TXT (DKIM): mlsend._domainkey -> <from MailerSend dashboard>"
+echo "     - TXT (DMARC): _dmarc -> v=DMARC1; p=quarantine; rua=mailto:admin@$DOMAIN"
+echo ""
+echo "  3. Get Mailu DKIM key (for direct sending):"
+echo "     kubectl exec -n $NAMESPACE deployment/mailu-admin -- cat /dkim/$DOMAIN.dkim.pub"
+echo ""
 echo "  4. Configure Ingress for mail.$DOMAIN"
 echo ""
 echo "To check pod status:"

infrastructure/platform/mail/mailu-helm/values.yaml

@@ -50,13 +50,14 @@ limits:
   messageRatelimit:
     value: "200/day"
 
-# External relay configuration (Mailgun)
-# Mailu will relay all outbound emails through Mailgun SMTP
+# External relay configuration (MailerSend)
+# Mailu will relay all outbound emails through MailerSend SMTP
 # Credentials are loaded from Kubernetes secret for security
+# MailerSend requires TLS 1.2+ (supported by default on port 587)
 externalRelay:
-  host: "[smtp.mailgun.org]:587"
+  host: "[smtp.mailersend.net]:587"
   # Use existing secret for credentials (recommended for security)
-  secretName: "mailu-mailgun-credentials"
+  secretName: "mailu-mailersend-credentials"
   usernameKey: "RELAY_USERNAME"
   passwordKey: "RELAY_PASSWORD"
 

infrastructure/platform/networking/ingress/base/ingress.yaml

@@ -56,3 +56,5 @@ spec:
   # See infrastructure/cicd/gitea/values.yaml for ingress configuration
   # NOTE: Mail ingress is deployed separately via mailu-helm resource
   # to avoid 503 errors when Mailu is not running
+  # NOTE: Monitoring ingress is deployed separately via SigNoz Helm chart
+  # See infrastructure/monitoring/signoz/signoz-values-prod.yaml for monitoring configuration

infrastructure/platform/networking/ingress/overlays/dev/kustomization.yaml

@@ -25,3 +25,5 @@ patches:
         value: "https://localhost,https://localhost:3000,https://localhost:3001,https://127.0.0.1,https://127.0.0.1:3000,https://127.0.0.1:3001,https://bakery-ia.local,https://registry.bakery-ia.local,https://gitea.bakery-ia.local,http://localhost,http://localhost:3000,http://localhost:3001,http://127.0.0.1,http://127.0.0.1:3000"
 # NOTE: Gitea and Registry ingresses are managed by Gitea Helm chart (infrastructure/cicd/gitea/values.yaml)
 # NOTE: Mail ingress (mail.bakery-ia.dev) is deployed separately via mailu-helm Tilt resource
+# NOTE: Monitoring ingress (monitoring.bakery-ia.local) is deployed separately via SigNoz Helm chart
+# See infrastructure/monitoring/signoz/signoz-values-dev.yaml for monitoring configuration

infrastructure/platform/networking/ingress/overlays/prod/kustomization.yaml

@@ -37,4 +37,6 @@ patches:
         value: "http01"
 # NOTE: Gitea and Registry ingresses are managed by Gitea Helm chart
 # See infrastructure/cicd/gitea/values-prod.yaml for production ingress configuration
-# NOTE: mail.bakewise.ai is handled by separate mailu ingress
+# NOTE: mail.bakewise.ai is handled by separate mailu ingress
+# NOTE: monitoring.bakewise.ai is handled by separate SigNoz ingress
+# See infrastructure/monitoring/signoz/signoz-values-prod.yaml for monitoring ingress configuration