Add signoz

infrastructure/kubernetes/overlays/prod/kustomization.yaml

@@ -14,6 +14,7 @@ resources:
 
 patchesStrategicMerge:
   - storage-patch.yaml
+  - monitoring-ingress-patch.yaml
 
 labels:
   - includeSelectors: true
@@ -21,6 +22,89 @@ labels:
       environment: production
       tier: production
 
+# SigNoz resource patches for production
+patches:
+  # SigNoz ClickHouse production configuration
+  - target:
+      group: apps
+      version: v1
+      kind: StatefulSet
+      name: signoz-clickhouse
+      namespace: signoz
+    patch: |-
+      - op: replace
+        path: /spec/replicas
+        value: 2
+      - op: replace
+        path: /spec/template/spec/containers/0/resources
+        value:
+          requests:
+            memory: "2Gi"
+            cpu: "500m"
+          limits:
+            memory: "4Gi"
+            cpu: "1000m"
+  # SigNoz Query Service production configuration
+  - target:
+      group: apps
+      version: v1
+      kind: Deployment
+      name: signoz-query-service
+      namespace: signoz
+    patch: |-
+      - op: replace
+        path: /spec/replicas
+        value: 2
+      - op: replace
+        path: /spec/template/spec/containers/0/resources
+        value:
+          requests:
+            memory: "1Gi"
+            cpu: "500m"
+          limits:
+            memory: "2Gi"
+            cpu: "1000m"
+  # SigNoz AlertManager production configuration
+  - target:
+      group: apps
+      version: v1
+      kind: Deployment
+      name: signoz-alertmanager
+      namespace: signoz
+    patch: |-
+      - op: replace
+        path: /spec/replicas
+        value: 2
+      - op: replace
+        path: /spec/template/spec/containers/0/resources
+        value:
+          requests:
+            memory: "512Mi"
+            cpu: "250m"
+          limits:
+            memory: "1Gi"
+            cpu: "500m"
+  # SigNoz Frontend production configuration
+  - target:
+      group: apps
+      version: v1
+      kind: Deployment
+      name: signoz-frontend
+      namespace: signoz
+    patch: |-
+      - op: replace
+        path: /spec/replicas
+        value: 2
+      - op: replace
+        path: /spec/template/spec/containers/0/resources
+        value:
+          requests:
+            memory: "512Mi"
+            cpu: "250m"
+          limits:
+            memory: "1Gi"
+            cpu: "500m"
+
 images:
   - name: bakery/auth-service
     newTag: latest

infrastructure/kubernetes/overlays/prod/prod-configmap.yaml

@@ -17,14 +17,30 @@ data:
   REQUEST_TIMEOUT: "30"
   MAX_CONNECTIONS: "100"
 
-  # Monitoring
-  PROMETHEUS_ENABLED: "true"
+  # Monitoring - SigNoz (Unified Observability)
   ENABLE_TRACING: "true"
   ENABLE_METRICS: "true"
-  JAEGER_ENABLED: "true"
-  JAEGER_AGENT_HOST: "jaeger-agent.monitoring.svc.cluster.local"
-  JAEGER_AGENT_PORT: "6831"
+  ENABLE_LOGS: "true"
+
+  # OpenTelemetry Configuration - Direct to SigNoz
+  OTEL_EXPORTER_OTLP_ENDPOINT: "http://signoz-otel-collector.signoz.svc.cluster.local:4317"
+  OTEL_EXPORTER_OTLP_PROTOCOL: "grpc"
+  OTEL_SERVICE_NAME: "bakery-ia"
+  OTEL_RESOURCE_ATTRIBUTES: "deployment.environment=production,cluster.name=bakery-ia-prod"
+
+  # SigNoz Endpoints
+  SIGNOZ_ENDPOINT: "http://signoz-query-service.signoz.svc.cluster.local:8080"
+  SIGNOZ_FRONTEND_URL: "https://monitoring.bakewise.ai/signoz"
+  SIGNOZ_ROOT_URL: "https://monitoring.bakewise.ai/signoz"
 
   # Rate Limiting (stricter in production)
   RATE_LIMIT_ENABLED: "true"
   RATE_LIMIT_PER_MINUTE: "60"
+
+  # CORS Configuration for Production
+  CORS_ORIGINS: "https://bakewise.ai"
+  CORS_ALLOW_CREDENTIALS: "true"
+
+  # Frontend Configuration
+  VITE_API_URL: "/api"
+  VITE_ENVIRONMENT: "production"

infrastructure/kubernetes/overlays/prod/prod-ingress.yaml

@@ -16,7 +16,7 @@ metadata:
 
     # CORS configuration for production
     nginx.ingress.kubernetes.io/enable-cors: "true"
-    nginx.ingress.kubernetes.io/cors-allow-origin: "https://bakery.yourdomain.com,https://api.yourdomain.com"
+    nginx.ingress.kubernetes.io/cors-allow-origin: "https://bakewise.ai"
     nginx.ingress.kubernetes.io/cors-allow-methods: "GET, POST, PUT, DELETE, OPTIONS, PATCH"
     nginx.ingress.kubernetes.io/cors-allow-headers: "Content-Type, Authorization, X-Requested-With, Accept, Origin"
     nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
@@ -40,12 +40,10 @@ spec:
   ingressClassName: nginx
   tls:
   - hosts:
-    - bakery.yourdomain.com
-    - api.yourdomain.com
-    - monitoring.yourdomain.com
+    - bakewise.ai
     secretName: bakery-ia-prod-tls-cert
   rules:
-  - host: bakery.yourdomain.com
+  - host: bakewise.ai
     http:
       paths:
       - path: /
@@ -55,7 +53,7 @@ spec:
             name: frontend-service
             port:
               number: 3000
-      - path: /api
+      - path: /api/v1
         pathType: Prefix
         backend:
           service:
@@ -63,31 +61,4 @@ spec:
             port:
               number: 8000
 
-  - host: api.yourdomain.com
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: gateway-service
-            port:
-              number: 8000
-
-  - host: monitoring.yourdomain.com
-    http:
-      paths:
-      - path: /grafana
-        pathType: Prefix
-        backend:
-          service:
-            name: grafana-service
-            port:
-              number: 3000
-      - path: /prometheus
-        pathType: Prefix
-        backend:
-          service:
-            name: prometheus-service
-            port:
-              number: 9090
+  # Monitoring (monitoring.bakewise.ai) is now handled by signoz-ingress.yaml in the signoz namespace

infrastructure/kubernetes/overlays/prod/signoz-ingress.yaml

@@ -0,0 +1,78 @@
+---
+# SigNoz Ingress for Production
+# SigNoz is deployed via Helm in the 'signoz' namespace
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: signoz-ingress-prod
+  namespace: signoz
+  labels:
+    app.kubernetes.io/name: signoz
+    app.kubernetes.io/component: ingress
+  annotations:
+    # Nginx ingress controller annotations
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
+    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+    nginx.ingress.kubernetes.io/rewrite-target: /$2
+    nginx.ingress.kubernetes.io/use-regex: "true"
+
+    # CORS configuration
+    nginx.ingress.kubernetes.io/enable-cors: "true"
+    nginx.ingress.kubernetes.io/cors-allow-origin: "https://bakewise.ai,https://monitoring.bakewise.ai"
+    nginx.ingress.kubernetes.io/cors-allow-methods: "GET, POST, PUT, DELETE, OPTIONS, PATCH"
+    nginx.ingress.kubernetes.io/cors-allow-headers: "Content-Type, Authorization, X-Requested-With, Accept, Origin"
+    nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
+
+    # Security headers
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      more_set_headers "X-Frame-Options: SAMEORIGIN";
+      more_set_headers "X-Content-Type-Options: nosniff";
+      more_set_headers "X-XSS-Protection: 1; mode=block";
+      more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";
+
+    # Rate limiting
+    nginx.ingress.kubernetes.io/limit-rps: "100"
+    nginx.ingress.kubernetes.io/limit-connections: "50"
+
+    # Cert-manager annotations for automatic certificate issuance
+    cert-manager.io/cluster-issuer: "letsencrypt-production"
+    cert-manager.io/acme-challenge-type: http01
+
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - monitoring.bakewise.ai
+    secretName: signoz-prod-tls-cert
+  rules:
+  - host: monitoring.bakewise.ai
+    http:
+      paths:
+      # SigNoz Frontend UI
+      - path: /signoz(/|$)(.*)
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: signoz-frontend
+            port:
+              number: 3301
+      # SigNoz Query Service API
+      - path: /signoz-api(/|$)(.*)
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: signoz-query-service
+            port:
+              number: 8080
+      # SigNoz AlertManager
+      - path: /signoz-alerts(/|$)(.*)
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: signoz-alertmanager
+            port:
+              number: 9093