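---
# Production overlay for the bakery-ia platform.
# Composes the shared bases, applies production ConfigMap values, injects the
# gitea registry pull secret into every workload, redirects all images to the
# in-cluster gitea registry and sets production replica counts.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

metadata:
  name: bakery-ia-prod

# NOTE: Do NOT set a global namespace here.
# Each resource already has its namespace explicitly defined.
# A global namespace would incorrectly transform cluster-scoped resources
# like flux-system and cert-manager namespaces.

resources:
  - ../../../environments/common/configs
  - ../../../platform/cert-manager
  - ../../../platform/networking/ingress/overlays/prod
  - ../../../platform/gateway
  - ../../../platform/storage
  - ../../../services/databases
  - ../../../services/microservices
  # NOTE: CI/CD (gitea, tekton, flux) deployed via Helm, not kustomize
  - prod-certificate.yaml
  # SigNoz is managed via Helm deployment (see infrastructure/helm/deploy-signoz.sh)
  # Monitoring is handled by SigNoz (no separate monitoring components needed)
  # SigNoz paths are now included in the main ingress (ingress-https.yaml)

labels:
  - includeSelectors: false
    pairs:
      environment: production
      tier: production

# Production configuration patches
patches:
  # Override ConfigMap values for production.
  # `replace` ops fail the build if the key is absent in the base ConfigMap;
  # `add` ops create-or-overwrite. Keep that distinction when adding keys.
  # NOTE(review): OTEL_EXPORTER_OTLP_ENDPOINT points at namespace `bakery-ia`
  # while SIGNOZ_ENDPOINT points at namespace `signoz` — presumably only one of
  # these is where the Helm-managed SigNoz actually lives; confirm.
  # CORS_ALLOW_CREDENTIALS=true is only safe because CORS_ORIGINS is a single
  # explicit origin — never widen it to a wildcard while credentials are on.
  - target:
      kind: ConfigMap
      name: bakery-config
    patch: |-
      - op: replace
        path: /data/ENVIRONMENT
        value: "production"
      - op: replace
        path: /data/DEBUG
        value: "false"
      - op: replace
        path: /data/LOG_LEVEL
        value: "INFO"
      - op: replace
        path: /data/PROFILING_ENABLED
        value: "false"
      - op: replace
        path: /data/MOCK_EXTERNAL_APIS
        value: "false"
      - op: add
        path: /data/REQUEST_TIMEOUT
        value: "30"
      - op: add
        path: /data/MAX_CONNECTIONS
        value: "100"
      - op: replace
        path: /data/ENABLE_TRACING
        value: "true"
      - op: replace
        path: /data/ENABLE_METRICS
        value: "true"
      - op: replace
        path: /data/ENABLE_LOGS
        value: "true"
      - op: add
        path: /data/OTEL_EXPORTER_OTLP_ENDPOINT
        value: "http://signoz-otel-collector.bakery-ia.svc.cluster.local:4317"
      - op: add
        path: /data/OTEL_EXPORTER_OTLP_PROTOCOL
        value: "grpc"
      - op: add
        path: /data/OTEL_SERVICE_NAME
        value: "bakery-ia"
      - op: add
        path: /data/OTEL_RESOURCE_ATTRIBUTES
        value: "deployment.environment=production,cluster.name=bakery-ia-prod"
      - op: add
        path: /data/SIGNOZ_ENDPOINT
        value: "http://signoz.signoz.svc.cluster.local:8080"
      - op: add
        path: /data/SIGNOZ_FRONTEND_URL
        value: "https://monitoring.bakewise.ai"
      - op: add
        path: /data/SIGNOZ_ROOT_URL
        value: "https://monitoring.bakewise.ai"
      - op: add
        path: /data/RATE_LIMIT_ENABLED
        value: "true"
      - op: add
        path: /data/RATE_LIMIT_PER_MINUTE
        value: "60"
      - op: add
        path: /data/CORS_ORIGINS
        value: "https://bakewise.ai"
      - op: add
        path: /data/CORS_ALLOW_CREDENTIALS
        value: "true"
      - op: add
        path: /data/VITE_API_URL
        value: "/api"
      - op: add
        path: /data/VITE_ENVIRONMENT
        value: "production"

  # Add imagePullSecrets to all Deployments for gitea registry authentication.
  # The four workload patches below select by `kind` only, so they hit every
  # matching object in the build, including ones pulled in from the platform/*
  # bases (cert-manager, gateway, storage). A JSON Patch `add` on an existing
  # member replaces it (RFC 6902), so any imagePullSecrets a base already
  # declares are overwritten rather than appended to.
  - target:
      kind: Deployment
    patch: |-
      - op: add
        path: /spec/template/spec/imagePullSecrets
        value:
          - name: gitea-registry-secret

  # Add imagePullSecrets to all StatefulSets for gitea registry authentication
  - target:
      kind: StatefulSet
    patch: |-
      - op: add
        path: /spec/template/spec/imagePullSecrets
        value:
          - name: gitea-registry-secret

  # Add imagePullSecrets to all Jobs for gitea registry authentication
  - target:
      kind: Job
    patch: |-
      - op: add
        path: /spec/template/spec/imagePullSecrets
        value:
          - name: gitea-registry-secret

  # Add imagePullSecrets to all CronJobs for gitea registry authentication
  - target:
      kind: CronJob
    patch: |-
      - op: add
        path: /spec/jobTemplate/spec/template/spec/imagePullSecrets
        value:
          - name: gitea-registry-secret

  # SigNoz resource patches for production
  # NOTE(review): the resources section above says SigNoz is deployed via Helm,
  # not kustomize. If these StatefulSets/Deployments are not part of this build,
  # these targeted patches either fail the build or do nothing, depending on the
  # kustomize version — confirm they are still needed.

  # SigNoz ClickHouse production configuration
  - target:
      group: apps
      version: v1
      kind: StatefulSet
      name: signoz-clickhouse
      namespace: bakery-ia
    patch: |-
      - op: replace
        path: /spec/replicas
        value: 2
      - op: replace
        path: /spec/template/spec/containers/0/resources
        value:
          requests:
            memory: "2Gi"
            cpu: "500m"
          limits:
            memory: "4Gi"
            cpu: "1000m"

  # SigNoz Main Service production configuration (v0.106.0+ unified service)
  - target:
      group: apps
      version: v1
      kind: StatefulSet
      name: signoz
      namespace: bakery-ia
    patch: |-
      - op: replace
        path: /spec/replicas
        value: 2
      - op: replace
        path: /spec/template/spec/containers/0/resources
        value:
          requests:
            memory: "2Gi"
            cpu: "1000m"
          limits:
            memory: "4Gi"
            cpu: "2000m"

  # SigNoz AlertManager production configuration
  - target:
      group: apps
      version: v1
      kind: Deployment
      name: signoz-alertmanager
      namespace: bakery-ia
    patch: |-
      - op: replace
        path: /spec/replicas
        value: 2
      - op: replace
        path: /spec/template/spec/containers/0/resources
        value:
          requests:
            memory: "512Mi"
            cpu: "250m"
          limits:
            memory: "1Gi"
            cpu: "500m"

# Every image is redirected to the in-cluster gitea registry.
# NOTE(review): the registry is addressed by a service named gitea-http on
# port 3000 — presumably plain HTTP inside the cluster. Confirm the kubelets
# are configured to trust it and that image integrity is enforced some other
# way (digest pinning or signature verification), since TLS does not do it.
# NOTE(review): `latest` is a mutable tag. A production rollout or rollback
# re-pulls whatever `latest` is at that moment, so deploys are not
# reproducible and a compromised or mis-pushed tag reaches prod silently.
# Prefer an immutable per-build tag, or pin with the `digest:` field.
# All tags are quoted so version-looking values stay strings.
images:
  # Application services
  - name: bakery/auth-service
    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/auth-service
    newTag: latest
  - name: bakery/tenant-service
    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/tenant-service
    newTag: latest
  - name: bakery/training-service
    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/training-service
    newTag: latest
  - name: bakery/forecasting-service
    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/forecasting-service
    newTag: latest
  - name: bakery/sales-service
    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/sales-service
    newTag: latest
  - name: bakery/external-service
    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/external-service
    newTag: latest
  - name: bakery/notification-service
    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/notification-service
    newTag: latest
  - name: bakery/inventory-service
    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/inventory-service
    newTag: latest
  - name: bakery/recipes-service
    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/recipes-service
    newTag: latest
  - name: bakery/suppliers-service
    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/suppliers-service
    newTag: latest
  - name: bakery/pos-service
    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/pos-service
    newTag: latest
  - name: bakery/orders-service
    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/orders-service
    newTag: latest
  - name: bakery/production-service
    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/production-service
    newTag: latest
  - name: bakery/alert-processor
    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/alert-processor
    newTag: latest
  - name: bakery/gateway
    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/gateway
    newTag: latest
  - name: bakery/dashboard
    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/dashboard
    newTag: latest

  # =============================================================================
  # Database images (cached in gitea registry for consistency)
  - name: postgres
    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/postgres
    newTag: "17-alpine"
  - name: redis
    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/redis
    newTag: "7.4-alpine"
  - name: rabbitmq
    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/rabbitmq
    newTag: "4.1-management-alpine"

  # Utility images
  - name: busybox
    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/busybox
    newTag: "1.36"
  - name: curlimages/curl
    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/curlimages-curl
    newTag: latest
  - name: bitnami/kubectl
    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/bitnami-kubectl
    newTag: latest

  # Alpine variants
  - name: alpine
    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/alpine
    newTag: "3.19"
  - name: alpine/git
    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/alpine-git
    newTag: "2.43.0"

  # CI/CD images (cached in gitea registry for consistency)
  - name: gcr.io/kaniko-project/executor
    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/gcr.io-kaniko-project-executor
    newTag: "v1.23.0"
  - name: gcr.io/go-containerregistry/crane
    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/gcr.io-go-containerregistry-crane
    newTag: latest
  - name: registry.k8s.io/kustomize/kustomize
    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/registry.k8s.io-kustomize-kustomize
    newTag: "v5.3.0"

  # Storage images
  - name: minio/minio
    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/minio-minio
    newTag: "RELEASE.2024-11-07T00-52-20Z"
  - name: minio/mc
    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/minio-mc
    newTag: "RELEASE.2024-11-17T19-35-25Z"

  # NOTE: nominatim image override removed - nominatim is now deployed via Helm

  # Python base image
  - name: python
    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/python
    newTag: "3.11-slim"

# Production replica counts.
# NOTE(review): procurement-service, orchestrator-service, ai-insights-service
# and frontend have no matching entry under `images:` above — confirm their
# images are also served from the gitea registry (or that `frontend` is the
# dashboard image) rather than pulled from a public registry.
replicas:
  - name: auth-service
    count: 3
  - name: tenant-service
    count: 2
  - name: training-service
    count: 3  # Safe with MinIO storage - no PVC conflicts
  - name: forecasting-service
    count: 3
  - name: sales-service
    count: 2
  - name: external-service
    count: 2
  - name: notification-service
    count: 3
  - name: inventory-service
    count: 2
  - name: recipes-service
    count: 2
  - name: suppliers-service
    count: 2
  - name: pos-service
    count: 2
  - name: orders-service
    count: 3
  - name: production-service
    count: 2
  - name: alert-processor
    count: 3
  - name: procurement-service
    count: 2
  - name: orchestrator-service
    count: 2
  - name: ai-insights-service
    count: 2
  - name: gateway
    count: 3
  - name: frontend
    count: 2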