# Tiltfile for Bakery IA - Secure Local Development # Includes TLS encryption, strong passwords, PVCs, and audit logging # ============================================================================= # SECURITY SETUP # ============================================================================= print(""" ====================================== 🔐 Bakery IA Secure Development Mode ====================================== Security Features: ✅ TLS encryption for PostgreSQL and Redis ✅ Strong 32-character passwords ✅ PersistentVolumeClaims (no data loss) ✅ pgcrypto extension for encryption ✅ PostgreSQL audit logging Applying security configurations... """) # Apply security configurations before loading main manifests local_resource('security-setup', cmd=''' echo "📦 Applying security secrets and configurations..." kubectl apply -f infrastructure/kubernetes/base/secrets.yaml kubectl apply -f infrastructure/kubernetes/base/secrets/postgres-tls-secret.yaml kubectl apply -f infrastructure/kubernetes/base/secrets/redis-tls-secret.yaml kubectl apply -f infrastructure/kubernetes/base/configs/postgres-init-config.yaml kubectl apply -f infrastructure/kubernetes/base/configmaps/postgres-logging-config.yaml echo "✅ Security configurations applied" ''', labels=['security'], auto_init=True) # ============================================================================= # LOAD KUBERNETES MANIFESTS # ============================================================================= # Load Kubernetes manifests using Kustomize k8s_yaml(kustomize('infrastructure/kubernetes/overlays/dev')) # No registry needed for local development - images are built locally # Common live update configuration for Python FastAPI services def python_live_update(service_name, service_path): return sync(service_path, '/app') # ============================================================================= # FRONTEND (React + Vite) # ============================================================================= docker_build( 'bakery/dashboard', context='./frontend', dockerfile='./frontend/Dockerfile.kubernetes', live_update=[ sync('./frontend/src', '/app/src'), sync('./frontend/public', '/app/public'), ], # Ignore test artifacts and reports ignore=[ 'playwright-report/**', 'test-results/**', 'node_modules/**', '.DS_Store' ] ) # ============================================================================= # GATEWAY # ============================================================================= docker_build( 'bakery/gateway', context='.', dockerfile='./gateway/Dockerfile', live_update=[ # Fall back to full rebuild if Dockerfile or requirements change fall_back_on(['./gateway/Dockerfile', './gateway/requirements.txt']), # Sync Python code changes sync('./gateway', '/app'), sync('./shared', '/app/shared'), # Restart on Python file changes run('kill -HUP 1', trigger=['./gateway/**/*.py', './shared/**/*.py']), ], # Ignore common patterns that don't require rebuilds ignore=[ '.git', '**/__pycache__', '**/*.pyc', '**/.pytest_cache', '**/node_modules', '**/.DS_Store' ] ) # ============================================================================= # MICROSERVICES - Python FastAPI Services # ============================================================================= # Helper function to create docker build with live updates for Python services def build_python_service(service_name, service_path): docker_build( 'bakery/' + service_name, context='.', dockerfile='./services/' + service_path + '/Dockerfile', live_update=[ # Fall back to full image build if Dockerfile or requirements change fall_back_on(['./services/' + service_path + '/Dockerfile', './services/' + service_path + '/requirements.txt']), # Sync service code sync('./services/' + service_path, '/app'), # Sync shared libraries (includes updated TLS connection code) sync('./shared', '/app/shared'), # Sync scripts sync('./scripts', '/app/scripts'), # Install new dependencies if requirements.txt changes run('pip install --no-cache-dir -r requirements.txt', trigger=['./services/' + service_path + '/requirements.txt']), # Restart uvicorn on Python file changes (HUP signal triggers graceful reload) run('kill -HUP 1', trigger=[ './services/' + service_path + '/**/*.py', './shared/**/*.py' ]), ], # Ignore common patterns that don't require rebuilds ignore=[ '.git', '**/__pycache__', '**/*.pyc', '**/.pytest_cache', '**/node_modules', '**/.DS_Store' ] ) # Build all microservices build_python_service('auth-service', 'auth') build_python_service('tenant-service', 'tenant') build_python_service('training-service', 'training') build_python_service('forecasting-service', 'forecasting') build_python_service('sales-service', 'sales') build_python_service('external-service', 'external') build_python_service('notification-service', 'notification') build_python_service('inventory-service', 'inventory') build_python_service('recipes-service', 'recipes') build_python_service('suppliers-service', 'suppliers') build_python_service('pos-service', 'pos') build_python_service('orders-service', 'orders') build_python_service('production-service', 'production') build_python_service('procurement-service', 'procurement') # NEW: Sprint 3 build_python_service('orchestrator-service', 'orchestrator') # NEW: Sprint 2 build_python_service('ai-insights-service', 'ai_insights') # NEW: AI Insights Platform build_python_service('alert-processor', 'alert_processor') build_python_service('demo-session-service', 'demo_session') # ============================================================================= # RESOURCE DEPENDENCIES & ORDERING # ============================================================================= # Security setup must complete before databases start k8s_resource('auth-db', resource_deps=['security-setup'], labels=['databases']) k8s_resource('tenant-db', resource_deps=['security-setup'], labels=['databases']) k8s_resource('training-db', resource_deps=['security-setup'], labels=['databases']) k8s_resource('forecasting-db', resource_deps=['security-setup'], labels=['databases']) k8s_resource('sales-db', resource_deps=['security-setup'], labels=['databases']) k8s_resource('external-db', resource_deps=['security-setup'], labels=['databases']) k8s_resource('notification-db', resource_deps=['security-setup'], labels=['databases']) k8s_resource('inventory-db', resource_deps=['security-setup'], labels=['databases']) k8s_resource('recipes-db', resource_deps=['security-setup'], labels=['databases']) k8s_resource('suppliers-db', resource_deps=['security-setup'], labels=['databases']) k8s_resource('pos-db', resource_deps=['security-setup'], labels=['databases']) k8s_resource('orders-db', resource_deps=['security-setup'], labels=['databases']) k8s_resource('production-db', resource_deps=['security-setup'], labels=['databases']) k8s_resource('procurement-db', resource_deps=['security-setup'], labels=['databases']) # NEW: Sprint 3 k8s_resource('orchestrator-db', resource_deps=['security-setup'], labels=['databases']) # NEW: Sprint 2 k8s_resource('ai-insights-db', resource_deps=['security-setup'], labels=['databases']) # NEW: AI Insights Platform k8s_resource('alert-processor-db', resource_deps=['security-setup'], labels=['databases']) k8s_resource('demo-session-db', resource_deps=['security-setup'], labels=['databases']) k8s_resource('redis', resource_deps=['security-setup'], labels=['infrastructure']) k8s_resource('rabbitmq', labels=['infrastructure']) # Verify TLS certificates are mounted correctly local_resource('verify-tls', cmd=''' echo "🔍 Verifying TLS configuration..." sleep 5 # Wait for pods to be ready # Check if auth-db pod exists and has TLS certs AUTH_POD=$(kubectl get pods -n bakery-ia -l app.kubernetes.io/name=auth-db -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || echo "") if [ -n "$AUTH_POD" ]; then echo " Checking PostgreSQL TLS certificates..." kubectl exec -n bakery-ia "$AUTH_POD" -- ls -la /tls/ 2>/dev/null && \ echo " ✅ PostgreSQL TLS certificates mounted" || \ echo " ⚠️ PostgreSQL TLS certificates not found (pods may still be starting)" fi # Check if redis pod exists and has TLS certs REDIS_POD=$(kubectl get pods -n bakery-ia -l app.kubernetes.io/name=redis -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || echo "") if [ -n "$REDIS_POD" ]; then echo " Checking Redis TLS certificates..." kubectl exec -n bakery-ia "$REDIS_POD" -- ls -la /tls/ 2>/dev/null && \ echo " ✅ Redis TLS certificates mounted" || \ echo " ⚠️ Redis TLS certificates not found (pods may still be starting)" fi echo "✅ TLS verification complete" ''', resource_deps=['auth-db', 'redis'], auto_init=True, trigger_mode=TRIGGER_MODE_MANUAL, labels=['security']) # Verify PVCs are bound local_resource('verify-pvcs', cmd=''' echo "🔍 Verifying PersistentVolumeClaims..." kubectl get pvc -n bakery-ia | grep -E "NAME|db-pvc" || echo " ⚠️ PVCs not yet bound" PVC_COUNT=$(kubectl get pvc -n bakery-ia -o json | jq '.items | length') echo " Found $PVC_COUNT PVCs" echo "✅ PVC verification complete" ''', resource_deps=['auth-db'], auto_init=True, trigger_mode=TRIGGER_MODE_MANUAL, labels=['security']) # Nominatim geocoding service (excluded in dev via kustomize patches) # Uncomment these if you want to test nominatim locally # k8s_resource('nominatim', # resource_deps=['nominatim-init'], # labels=['infrastructure']) # k8s_resource('nominatim-init', # labels=['data-init']) # Monitoring stack #k8s_resource('prometheus', # labels=['monitoring']) #k8s_resource('grafana', # resource_deps=['prometheus'], # labels=['monitoring']) #k8s_resource('jaeger', # labels=['monitoring']) # Migration jobs depend on databases k8s_resource('auth-migration', resource_deps=['auth-db'], labels=['migrations']) k8s_resource('tenant-migration', resource_deps=['tenant-db'], labels=['migrations']) k8s_resource('training-migration', resource_deps=['training-db'], labels=['migrations']) k8s_resource('forecasting-migration', resource_deps=['forecasting-db'], labels=['migrations']) k8s_resource('sales-migration', resource_deps=['sales-db'], labels=['migrations']) k8s_resource('external-migration', resource_deps=['external-db'], labels=['migrations']) k8s_resource('notification-migration', resource_deps=['notification-db'], labels=['migrations']) k8s_resource('inventory-migration', resource_deps=['inventory-db'], labels=['migrations']) k8s_resource('recipes-migration', resource_deps=['recipes-db'], labels=['migrations']) k8s_resource('suppliers-migration', resource_deps=['suppliers-db'], labels=['migrations']) k8s_resource('pos-migration', resource_deps=['pos-db'], labels=['migrations']) k8s_resource('orders-migration', resource_deps=['orders-db'], labels=['migrations']) k8s_resource('production-migration', resource_deps=['production-db'], labels=['migrations']) k8s_resource('procurement-migration', resource_deps=['procurement-db'], labels=['migrations']) # NEW: Sprint 3 k8s_resource('orchestrator-migration', resource_deps=['orchestrator-db'], labels=['migrations']) # NEW: Sprint 2 k8s_resource('ai-insights-migration', resource_deps=['ai-insights-db'], labels=['migrations']) # NEW: AI Insights Platform k8s_resource('alert-processor-migration', resource_deps=['alert-processor-db'], labels=['migrations']) k8s_resource('demo-session-migration', resource_deps=['demo-session-db'], labels=['migrations']) # ============================================================================= # DEMO INITIALIZATION JOBS # ============================================================================= # Demo seed jobs run in strict order to ensure data consistency across services # Weight 5: Seed users (auth service) - includes staff users k8s_resource('demo-seed-users', resource_deps=['auth-migration'], labels=['demo-init']) # Weight 10: Seed tenants (tenant service) k8s_resource('demo-seed-tenants', resource_deps=['tenant-migration', 'demo-seed-users'], labels=['demo-init']) # Weight 15: Seed tenant members (links staff users to tenants) k8s_resource('demo-seed-tenant-members', resource_deps=['tenant-migration', 'demo-seed-tenants', 'demo-seed-users'], labels=['demo-init']) # Weight 10: Seed subscriptions (creates enterprise subscriptions for demo tenants) k8s_resource('demo-seed-subscriptions', resource_deps=['tenant-migration', 'demo-seed-tenants'], labels=['demo-init']) # Seed pilot coupon (runs after tenant migration) k8s_resource('tenant-seed-pilot-coupon', resource_deps=['tenant-migration'], labels=['demo-init']) # Weight 15: Seed inventory - CRITICAL: All other seeds depend on this k8s_resource('demo-seed-inventory', resource_deps=['inventory-migration', 'demo-seed-tenants'], labels=['demo-init']) # Weight 15: Seed recipes (uses ingredient IDs from inventory) k8s_resource('demo-seed-recipes', resource_deps=['recipes-migration', 'demo-seed-inventory'], labels=['demo-init']) # Weight 15: Seed suppliers (uses ingredient IDs for price lists) k8s_resource('demo-seed-suppliers', resource_deps=['suppliers-migration', 'demo-seed-inventory'], labels=['demo-init']) # Weight 15: Seed sales (uses finished product IDs from inventory) k8s_resource('demo-seed-sales', resource_deps=['sales-migration', 'demo-seed-inventory'], labels=['demo-init']) # Weight 15: Seed AI models (creates training/forecasting model records) k8s_resource('demo-seed-ai-models', resource_deps=['training-migration', 'demo-seed-inventory'], labels=['demo-init']) # Weight 20: Seed stock batches (inventory service) k8s_resource('demo-seed-stock', resource_deps=['inventory-migration', 'demo-seed-inventory'], labels=['demo-init']) # Weight 22: Seed quality check templates (production service) k8s_resource('demo-seed-quality-templates', resource_deps=['production-migration', 'demo-seed-tenants'], labels=['demo-init']) # Weight 25: Seed customers (orders service) k8s_resource('demo-seed-customers', resource_deps=['orders-migration', 'demo-seed-tenants'], labels=['demo-init']) # Weight 25: Seed equipment (production service) k8s_resource('demo-seed-equipment', resource_deps=['production-migration', 'demo-seed-tenants', 'demo-seed-quality-templates'], labels=['demo-init']) # Weight 30: Seed production batches (production service) k8s_resource('demo-seed-production-batches', resource_deps=['production-migration', 'demo-seed-recipes', 'demo-seed-equipment'], labels=['demo-init']) # Weight 30: Seed orders with line items (orders service) k8s_resource('demo-seed-orders', resource_deps=['orders-migration', 'demo-seed-customers'], labels=['demo-init']) # Weight 35: Seed procurement plans (procurement service) k8s_resource('demo-seed-procurement-plans', resource_deps=['procurement-migration', 'demo-seed-tenants'], labels=['demo-init']) # Weight 40: Seed demand forecasts (forecasting service) k8s_resource('demo-seed-forecasts', resource_deps=['forecasting-migration', 'demo-seed-tenants'], labels=['demo-init']) # Weight 45: Seed orchestration runs (orchestrator service) k8s_resource('demo-seed-orchestration-runs', resource_deps=['orchestrator-migration', 'demo-seed-tenants'], labels=['demo-init']) k8s_resource('demo-seed-pos-configs', resource_deps=['demo-seed-tenants'], labels=['demo-init']) k8s_resource('demo-seed-purchase-orders', resource_deps=['procurement-migration', 'demo-seed-tenants'], labels=['demo-init']) # ============================================================================= # SERVICES # ============================================================================= # Services depend on their databases AND migrations k8s_resource('auth-service', resource_deps=['auth-migration', 'redis'], labels=['services']) k8s_resource('tenant-service', resource_deps=['tenant-migration', 'redis'], labels=['services']) k8s_resource('training-service', resource_deps=['training-migration', 'redis'], labels=['services']) k8s_resource('forecasting-service', resource_deps=['forecasting-migration', 'redis'], labels=['services']) k8s_resource('sales-service', resource_deps=['sales-migration', 'redis'], labels=['services']) k8s_resource('external-service', resource_deps=['external-migration', 'external-data-init', 'redis'], labels=['services']) k8s_resource('notification-service', resource_deps=['notification-migration', 'redis', 'rabbitmq'], labels=['services']) k8s_resource('inventory-service', resource_deps=['inventory-migration', 'redis'], labels=['services']) k8s_resource('recipes-service', resource_deps=['recipes-migration', 'redis'], labels=['services']) k8s_resource('suppliers-service', resource_deps=['suppliers-migration', 'redis'], labels=['services']) k8s_resource('pos-service', resource_deps=['pos-migration', 'redis'], labels=['services']) k8s_resource('orders-service', resource_deps=['orders-migration', 'redis'], labels=['services']) k8s_resource('production-service', resource_deps=['production-migration', 'redis'], labels=['services']) k8s_resource('procurement-service', resource_deps=['procurement-migration', 'redis'], labels=['services']) k8s_resource('orchestrator-service', resource_deps=['orchestrator-migration', 'redis'], labels=['services']) k8s_resource('ai-insights-service', resource_deps=['ai-insights-migration', 'redis', 'forecasting-service', 'production-service', 'procurement-service'], labels=['services']) k8s_resource('alert-processor-service', resource_deps=['alert-processor-migration', 'redis', 'rabbitmq'], labels=['services']) k8s_resource('alert-processor-api', resource_deps=['alert-processor-migration'], labels=['services']) k8s_resource('demo-session-service', resource_deps=['demo-session-migration', 'redis'], labels=['services']) k8s_resource('nominatim', labels=['services']) # Apply environment variable patch to demo-session-service with the inventory image local_resource('patch-demo-session-env', cmd=''' # Wait a moment for deployments to stabilize sleep 2 # Get current inventory-service image tag INVENTORY_IMAGE=$(kubectl get deployment inventory-service -n bakery-ia -o jsonpath="{.spec.template.spec.containers[0].image}" 2>/dev/null || echo "bakery/inventory-service:latest") # Update demo-session-service environment variable kubectl set env deployment/demo-session-service -n bakery-ia CLONE_JOB_IMAGE=$INVENTORY_IMAGE echo "✅ Set CLONE_JOB_IMAGE to: $INVENTORY_IMAGE" ''', resource_deps=['demo-session-service', 'inventory-service'], auto_init=True, labels=['config']) # ============================================================================= # DATA INITIALIZATION JOBS (External Service v2.0) # ============================================================================= k8s_resource('external-data-init', resource_deps=['external-migration', 'redis'], labels=['data-init']) k8s_resource('nominatim-init', labels=['data-init']) # ============================================================================= # CRONJOBS # ============================================================================= k8s_resource('demo-session-cleanup', resource_deps=['demo-session-service'], labels=['cronjobs']) k8s_resource('external-data-rotation', resource_deps=['external-service'], labels=['cronjobs']) # ============================================================================= # GATEWAY & FRONTEND # ============================================================================= k8s_resource('gateway', resource_deps=['auth-service'], labels=['frontend']) k8s_resource('frontend', resource_deps=['gateway'], labels=['frontend']) # ============================================================================= # CONFIGURATION # ============================================================================= # Update check interval - how often Tilt checks for file changes update_settings( max_parallel_updates=3, k8s_upsert_timeout_secs=60 ) # Watch settings - configure file watching behavior watch_settings( # Ignore patterns that should never trigger rebuilds ignore=[ '.git/**', '**/__pycache__/**', '**/*.pyc', '**/.pytest_cache/**', '**/node_modules/**', '**/.DS_Store', '**/*.swp', '**/*.swo', '**/.venv/**', '**/venv/**', '**/.mypy_cache/**', '**/.ruff_cache/**', '**/.tox/**', '**/htmlcov/**', '**/.coverage', '**/dist/**', '**/build/**', '**/*.egg-info/**', # Ignore TLS certificate files (don't trigger rebuilds) '**/infrastructure/tls/**/*.pem', '**/infrastructure/tls/**/*.cnf', '**/infrastructure/tls/**/*.csr', '**/infrastructure/tls/**/*.srl', # Ignore temporary files from migrations and other processes '**/*.tmp', '**/*.tmp.*', '**/migrations/versions/*.tmp.*', # Ignore test artifacts and reports (playwright) '**/playwright-report/**', '**/test-results/**', ] ) # Print security status on startup print(""" ✅ Security setup complete! Database Security Features Active: 🔐 TLS encryption: PostgreSQL and Redis 🔑 Strong passwords: 32-character cryptographic 💾 Persistent storage: PVCs for all databases 🔒 Column encryption: pgcrypto extension 📋 Audit logging: PostgreSQL query logging Access your application: Frontend: http://localhost:3000 (or via ingress) Gateway: http://localhost:8000 (or via ingress) Verify security: kubectl get pvc -n bakery-ia kubectl get secrets -n bakery-ia | grep tls kubectl logs -n bakery-ia | grep SSL Security documentation: docs/SECURITY_IMPLEMENTATION_COMPLETE.md docs/DATABASE_SECURITY_ANALYSIS_REPORT.md ====================================== """) # Optimize for local development # Note: You may see "too many open files" warnings on macOS with many services. # This is a Kind/Kubernetes limitation and doesn't affect service functionality. # To work on specific services only, use: tilt up