This commit enables HTTPS in the development environment using self-signed certificates to further improve dev-prod parity and catch SSL-related issues early.

Changes made:

1. Created self-signed certificate for localhost
   - File: infrastructure/kubernetes/overlays/dev/dev-certificate.yaml
   - Type: Self-signed via cert-manager
   - Validity: 90 days (auto-renewed)
   - Valid for: localhost, bakery-ia.local, *.bakery-ia.local, 127.0.0.1
   - Issuer: selfsigned-issuer ClusterIssuer

2. Updated dev ingress to enable HTTPS
   - File: infrastructure/kubernetes/overlays/dev/dev-ingress.yaml
   - Enabled SSL redirect: ssl-redirect: false → true
   - Added TLS configuration with certificate
   - Updated CORS origins to prefer HTTPS (HTTPS URLs first, HTTP fallback)
   - Access: https://localhost (instead of http://localhost)

3. Added cert-manager resources to dev overlay
   - File: infrastructure/kubernetes/overlays/dev/kustomization.yaml
   - Added dev-certificate.yaml
   - Added selfsigned-issuer ClusterIssuer

4. Created comprehensive HTTPS setup guide
   - File: docs/DEV-HTTPS-SETUP.md
   - Includes certificate trust instructions for macOS, Linux, Windows
   - Testing procedures with curl and browsers
   - Troubleshooting guide
   - FAQ section

5. Updated dev-prod parity documentation
   - File: docs/DEV-PROD-PARITY-CHANGES.md
   - Added HTTPS as 4th improvement
   - Updated "What Stays Different" table (SSL/TLS → Certificates)
   - Added HTTPS benefits section

Benefits:
✓ Matches production HTTPS-only behavior
✓ Tests SSL/TLS configurations in development
✓ Catches mixed content warnings early
✓ Tests secure cookie handling (Secure, SameSite attributes)
✓ Validates cert-manager integration
✓ Tests certificate auto-renewal
✓ Better security testing capabilities

Impact:
- Browser will show certificate warning (self-signed)
- Users can trust certificate or click "Proceed"
- No additional resource usage
- Access via https://localhost (was http://localhost)

Certificate details:
- Type: Self-signed
- Algorithm: RSA 2048-bit
- Validity: 90 days
- Auto-renewal: 15 days before expiration
- Common Name: localhost
- DNS Names: localhost, bakery-ia.local, *.bakery-ia.local
- IP Addresses: 127.0.0.1, ::1

Setup required:
- Optional: Trust certificate in system/browser (see DEV-HTTPS-SETUP.md)
- Required: cert-manager must be installed in cluster
- Access at: https://localhost

What stays different from production:
- Certificate type: Self-signed (dev) vs Let's Encrypt (prod)
- Trust: Manual (dev) vs Automatic (prod)
- Domain: localhost (dev) vs real domain (prod)

This completes the dev-prod parity improvements, bringing development environment much closer to production with:
1. 2 replicas for critical services ✓
2. Rate limiting enabled ✓
3. Specific CORS origins ✓
4. HTTPS enabled ✓

See docs/DEV-HTTPS-SETUP.md for complete setup and testing instructions.
Bakery IA Kubernetes Configuration
This directory contains Kubernetes manifests for deploying the Bakery IA platform in local development and production environments with HTTPS support using cert-manager and NGINX ingress.
Quick Start
Deploy the entire platform with these five steps:
# 1. Start Colima with adequate resources
colima start --cpu 6 --memory 12 --disk 120 --runtime docker --profile k8s-local
# 2. Create Kind cluster with permanent localhost access
kind create cluster --config kind-config.yaml
# 3. Install NGINX Ingress Controller
#    (this applies the manifest from the unpinned main branch; for a reproducible,
#    reviewable install, pin the URL to a tagged controller release instead)
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
kubectl wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=300s
# 4. Configure permanent localhost access
kubectl patch svc ingress-nginx-controller -n ingress-nginx -p '{"spec":{"type":"NodePort","ports":[{"name":"http","port":80,"targetPort":"http","nodePort":30080},{"name":"https","port":443,"targetPort":"https","nodePort":30443}]}}'
# 5. Deploy with Skaffold
skaffold dev --profile=dev
# 🎉 Access at: https://localhost
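Steps 2 and 4 only give "permanent localhost access" if the Kind node forwards host ports 80 and 443 to the node ports the patch assigns. The file below is an added illustration of such a kind-config.yaml, not the repository's own file: the cluster name bakery-ia-local is taken from the cleanup commands later on this page, the node label matches the node selector in the kind-provider ingress-nginx manifest, and the port numbers are the ones step 4 uses. Treat the exact contents as an assumption.

```yaml
# kind-config.yaml (added example; the repository's file may differ)
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
name: bakery-ia-local
nodes:
  - role: control-plane
    # The kind-provider ingress-nginx manifest schedules its controller only on
    # nodes labelled ingress-ready=true, so label the single node accordingly.
    kubeadmConfigPatches:
      - |
        kind: InitConfiguration
        nodeRegistration:
          kubeletExtraArgs:
            node-labels: "ingress-ready=true"
    # Host 80/443 -> node 30080/30443. Step 4 pins the ingress-nginx Service to
    # exactly these NodePorts, so https://localhost reaches the controller
    # without kubectl port-forward. Docker (via Colima) binds the host ports.
    extraPortMappings:
      - containerPort: 30080
        hostPort: 80
        protocol: TCP
      - containerPort: 30443
        hostPort: 443
        protocol: TCP
```

If something else on the host already listens on 80 or 443, `kind create cluster` fails at the port-binding stage; the "Port conflicts" entry under Troubleshooting shows how to find the other process.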
Prerequisites
Install the following tools on macOS:
# Install via Homebrew
brew install colima kind kubectl skaffold
# Verify installations
colima version && kind version && kubectl version --client && skaffold version
Directory Structure
infrastructure/kubernetes/
├── base/                         # Base Kubernetes resources
│   ├── namespace.yaml            # Namespace definition
│   ├── configmap.yaml            # Shared configuration
│   ├── secrets.yaml              # Base64-encoded (not encrypted) secrets
│   ├── ingress-https.yaml        # HTTPS ingress rules
│   ├── kustomization.yaml        # Base kustomization
│   └── components/               # Individual component manifests
│       ├── cert-manager/         # Certificate management
│       ├── auth/                 # Authentication service
│       ├── tenant/               # Tenant management
│       ├── training/             # ML training service
│       ├── forecasting/          # Demand forecasting
│       ├── sales/                # Sales management
│       ├── external/             # External API service
│       ├── notification/         # Notification service
│       ├── inventory/            # Inventory management
│       ├── recipes/              # Recipe management
│       ├── suppliers/            # Supplier management
│       ├── pos/                  # Point of sale
│       ├── orders/               # Order management
│       ├── production/           # Production planning
│       ├── alert-processor/      # Alert processing
│       ├── frontend/             # React frontend
│       ├── databases/            # Database deployments
│       └── infrastructure/       # Gateway & monitoring
└── overlays/
    └── dev/                      # Development environment
        ├── kustomization.yaml    # Dev-specific configuration
        └── dev-patches.yaml      # Development patches
Access URLs
Primary Access (Standard Web Ports)
- Frontend: https://localhost
- API Gateway: https://localhost/api
Named Host Access (Optional)
Add to /etc/hosts for named access:
echo "127.0.0.1 bakery-ia.local" | sudo tee -a /etc/hosts
echo "127.0.0.1 api.bakery-ia.local" | sudo tee -a /etc/hosts
echo "127.0.0.1 monitoring.bakery-ia.local" | sudo tee -a /etc/hosts
Then access via:
- Frontend: https://bakery-ia.local
- API: https://api.bakery-ia.local
- Monitoring: https://monitoring.bakery-ia.local
Direct Service Access (Development)
These are plain HTTP and bypass the ingress, so neither TLS termination nor the HTTPS redirect applies; use them for local debugging only.
- Frontend: http://localhost:3000
- Gateway: http://localhost:8000
Development Workflow
Start Development Environment
# Start development mode with hot-reload
skaffold dev --profile=dev
# Or one-time deployment
skaffold run --profile=dev
Key Features
- ✅ Hot-reload development - Automatic rebuilds on code changes
- ✅ Permanent localhost access - No port forwarding needed
- ✅ HTTPS by default - Local CA certificates for secure development
- ✅ Microservices architecture - All services deployed together
- ✅ Database management - PostgreSQL, Redis, and RabbitMQ included
Monitor and Debug
# Check all resources
kubectl get all -n bakery-ia
# View logs
kubectl logs -n bakery-ia deployment/auth-service -f
# Check ingress status
kubectl get ingress -n bakery-ia
# Debug certificate issues
kubectl describe certificate bakery-ia-tls-cert -n bakery-ia
Certificate Management
The platform uses cert-manager for automatic HTTPS certificate generation:
- Local CA: For development (default)
- Let's Encrypt Staging: For testing
- Let's Encrypt Production: For production deployments
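The manifests below are an added example of the local-CA chain this README describes, not the repository's own files. They keep the two names the page uses (the local-ca-key-pair Secret in the cert-manager namespace and the bakery-ia-tls-cert Certificate), take the SAN list, 90-day validity, 15-day renewal window and RSA 2048 key from the commit message at the top of the page, and also show the ingress that serves the resulting certificate with the ssl-redirect setting the commit enabled. The ClusterIssuer names, the TLS Secret name bakery-ia-tls, and the backend service names and ports are assumptions. Note that the commit message has the dev overlay issuing leaf certificates directly from a selfsigned ClusterIssuer; the chain here follows the README's local-CA design instead, because a CA certificate is what the trust steps in the next section export.

```yaml
# Added example (not the repository's manifests): local-CA issuer chain and
# the HTTPS ingress. local-ca-key-pair and bakery-ia-tls-cert are the names
# this README uses; every other name and the service ports are assumptions.
---
# 1. Self-signed issuer, used only to mint the CA certificate below.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}
---
# 2. The CA. cert-manager writes tls.crt and tls.key into local-ca-key-pair.
#    Only tls.crt is ever exported for trusting; the key stays in the cluster.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: local-ca
  namespace: cert-manager          # ClusterIssuers read their Secrets from here
spec:
  isCA: true
  commonName: bakery-ia-local-ca
  secretName: local-ca-key-pair
  duration: 8760h                  # 1 year; after a CA renewal, re-run the trust steps
  privateKey:
    algorithm: RSA
    size: 2048
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer
---
# 3. The issuer that signs application certificates with the CA above.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: local-ca-issuer
spec:
  ca:
    secretName: local-ca-key-pair
---
# 4. Leaf certificate served by the ingress. SANs match the access URLs on
#    this page; the wildcard covers api. and monitoring.bakery-ia.local.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: bakery-ia-tls-cert
  namespace: bakery-ia
spec:
  secretName: bakery-ia-tls        # assumed; the Ingress below references it
  commonName: localhost
  dnsNames: [localhost, bakery-ia.local, "*.bakery-ia.local"]
  ipAddresses: [127.0.0.1, "::1"]
  duration: 2160h                  # 90 days
  renewBefore: 360h                # renew 15 days before expiry
  privateKey:
    algorithm: RSA
    size: 2048
  issuerRef:
    name: local-ca-issuer
    kind: ClusterIssuer
---
# 5. Ingress: terminate TLS with the Secret above and redirect HTTP to HTTPS.
#    The commit message notes ssl-redirect was "false" in dev before; with TLS
#    configured and "true", ingress-nginx answers plain HTTP with a 308 to HTTPS.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: bakery-ia-ingress
  namespace: bakery-ia
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [localhost, bakery-ia.local, api.bakery-ia.local, monitoring.bakery-ia.local]
      secretName: bakery-ia-tls
  rules:
    - host: bakery-ia.local
      http:
        paths:
          - path: /api
            pathType: Prefix
            backend:
              service: {name: gateway, port: {number: 8000}}   # assumed service name
          - path: /
            pathType: Prefix
            backend:
              service: {name: frontend, port: {number: 3000}}  # assumed service name
```

Two checks worth running after applying something like this: `kubectl describe certificate bakery-ia-tls-cert -n bakery-ia` (already listed under Monitor and Debug) should report Ready=True with the expected DNS and IP SANs, and every host listed under `tls:` must be covered by one of those SANs, otherwise browsers reject the connection for that host even though the certificate is trusted.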
Trust Local Certificates
# Export the CA certificate (tls.crt only; never export tls.key, the CA's private key stays in the cluster)
kubectl get secret local-ca-key-pair -n cert-manager -o jsonpath='{.data.tls\.crt}' | base64 -d > bakery-ia-ca.crt
# Trust in macOS
open bakery-ia-ca.crt
# In Keychain Access, set "bakery-ia-local-ca" to "Always Trust"
Trusting this CA makes the machine accept any certificate it signs, so install it only in your own keychain and remove it once you no longer use the dev environment. Firefox keeps its own trust store and needs the CA imported separately. If the secret does not exist, check which ClusterIssuer the overlay actually configures: a plain self-signed ClusterIssuer (as described in the commit message at the top of this page) issues leaf certificates directly and creates no CA secret, in which case the certificate to trust is the leaf in the Secret named by the Certificate's spec.secretName.
Configuration Management
Secrets
Base64-encoded secrets are stored in base/secrets.yaml. Base64 is an encoding, not encryption: anyone with read access to the repository, or with kubectl access to the Secret object, recovers the values with the decode command below. For production:
- Use external secret management (HashiCorp Vault, AWS Secrets Manager)
- Never commit real secrets to version control
# Encode secrets
echo -n "your-secret-value" | base64
# Decode secrets
echo "eW91ci1zZWNyZXQtdmFsdWU=" | base64 -d
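One way to keep real values out of base/secrets.yaml while still producing the same Secret object is a kustomize secretGenerator that reads an untracked env file at build time. The two fragments below are an added example, not the repository's files: the first is the pattern the page warns about, the second is the replacement. The Secret name, key and file name are assumptions, and the generator only works if the hand-written Secret of the same name is removed from base/kustomization.yaml, since kustomize rejects two resources with one name.

```yaml
# Added example (not the repository's files); Secret name, key and file name are assumed.
#
# Weak form, what a committed base/secrets.yaml looks like: the value is only
# encoded. `base64 -d` on the repository file or on `kubectl get secret -o yaml`
# output returns it, so a real value here is a leaked value.
apiVersion: v1
kind: Secret
metadata:
  name: auth-service-secrets
  namespace: bakery-ia
type: Opaque
data:
  JWT_SECRET: Y2hhbmdlLW1l          # "change-me": a placeholder, never a real value
---
# Corrected form, overlays/dev/kustomization.yaml fragment: build the Secret
# at kustomize/Skaffold time from a file git never sees (add `*.secrets.env`
# to .gitignore). kustomize does the base64 encoding itself, so neither the
# plaintext nor the encoded value is ever written into version control.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: bakery-ia
resources:
  - ../../base                     # with the Secret above removed from base
secretGenerator:
  - name: auth-service-secrets
    type: Opaque
    envs:
      - auth-service.secrets.env   # KEY=value lines, e.g. JWT_SECRET=<generated value>
generatorOptions:
  disableNameSuffixHash: true      # keep the name stable for Deployment envFrom references
```

The same generator runs unchanged in production if the env file is materialised by the CI job from Vault or AWS Secrets Manager just before `kustomize build`, which is the "external secret management" the list above asks for; leaving the name-suffix hash enabled instead would roll Deployments automatically whenever a value changes, at the cost of updating the references.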
Environment Configuration
Development-specific settings are in overlays/dev/:
- Resource limits: Reduced for local development
- Image pull policy: Never (for local images)
- Debug settings: Enabled
- CORS: Configured for localhost
Scaling and Resource Management
Scale Services
# Scale individual service
kubectl scale -n bakery-ia deployment/auth-service --replicas=3
# Or update kustomization.yaml replicas section
Resource Configuration
Development environment uses minimal resources:
- Databases: 64Mi-256Mi memory, 25m-200m CPU
- Services: 64Mi-256Mi memory, 25m-200m CPU
- Training Service: 256Mi-1Gi memory (ML workloads)
Troubleshooting
Common Issues
- Images not found
  # Build images with Skaffold
  skaffold build --profile=dev
- Database corruption after restart
  # Delete corrupted PVC and restart (this discards that database's data; only do it in dev)
  kubectl delete pod -n bakery-ia -l app.kubernetes.io/name=inventory-db
  kubectl delete pvc -n bakery-ia inventory-db-pvc
- HTTPS certificate not issued
  # Check cert-manager logs
  kubectl logs -n cert-manager deployment/cert-manager
  kubectl describe certificate bakery-ia-tls-cert -n bakery-ia
- Port conflicts
  # Check what's using ports 80/443
  sudo lsof -i :80 -i :443
Debug Commands
# Get cluster events
kubectl get events -n bakery-ia --sort-by='.firstTimestamp'
# Resource usage (needs metrics-server, which Kind does not install by default)
kubectl top pods -n bakery-ia
kubectl top nodes
# Execute in pod
kubectl exec -n bakery-ia -it <pod-name> -- bash
Cleanup
Quick Cleanup
# Stop Skaffold (Ctrl+C or)
skaffold delete --profile=dev
Complete Cleanup
# Delete everything
kubectl delete namespace bakery-ia
kind delete cluster --name bakery-ia-local
colima stop --profile k8s-local
Restart Sequence
# Post-restart startup
colima start --cpu 6 --memory 12 --disk 120 --runtime docker --profile k8s-local
kind create cluster --config kind-config.yaml
skaffold dev --profile=dev
If the Kind cluster was deleted during cleanup, `kind create cluster` builds an empty one, so repeat Quick Start steps 3 and 4 (ingress controller and NodePort patch) before running Skaffold; cert-manager must also be present again or no certificate will be issued.
Production Considerations
For production deployment:
- Security: Implement RBAC, network policies, pod security standards
- Monitoring: Deploy Prometheus, Grafana, and alerting
- Backup: Database backup strategies
- High Availability: Multi-replica deployments with anti-affinity
- External Secrets: Use managed secret services
- TLS: Production Let's Encrypt certificates
- CI/CD: Automated deployment pipelines
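For the Security bullet above, the manifests below are an added example of what "network policies" and "pod security standards" look like for this namespace; they are not part of the repository. The namespace name, the ports and the ingress-nginx controller label come from this page, and the app.kubernetes.io/name label key is the one the Troubleshooting section uses; the specific label values frontend and gateway are assumptions.

```yaml
# Added example for the production Security bullet; label values are assumed.
---
# Pod Security Admission: reject pod specs that do not meet the "restricted"
# profile (no privileged containers, no host namespaces, non-root, etc.).
apiVersion: v1
kind: Namespace
metadata:
  name: bakery-ia
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
---
# Default deny: no pod in the namespace accepts or initiates traffic unless
# another policy allows it. Every allow rule below is additive to this.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: bakery-ia
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
# Only the ingress-nginx controller may reach the frontend and gateway pods,
# and only on the ports the ingress routes to. Databases and internal
# services get no inbound rule here, so they stay unreachable from the edge.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-ingress-nginx
  namespace: bakery-ia
spec:
  podSelector:
    matchExpressions:
      - key: app.kubernetes.io/name
        operator: In
        values: [frontend, gateway]     # assumed label values
  policyTypes: [Ingress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
          podSelector:
            matchLabels:
              app.kubernetes.io/component: controller
      ports:
        - port: 3000
        - port: 8000
---
# Egress every pod needs once default-deny is in place: DNS via CoreDNS.
# Service-to-service and service-to-database rules are added the same way,
# one explicit policy per flow.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: bakery-ia
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
```

Two caveats before relying on this: Kind's default CNI (kindnet) does not enforce NetworkPolicy, so the rules only take effect on a cluster whose CNI implements it (Calico or Cilium, for example), and the restricted profile will block the stock database and ML-training images until their pod specs set a non-root user and drop capabilities, so start with warn and audit labels and move to enforce once the workloads pass.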
Next Steps
- Add comprehensive monitoring and logging
- Implement automated testing
- Set up CI/CD pipelines
- Add health checks and metrics endpoints
- Implement proper backup strategies