update steering docs and hooks for current project state
@@ -1,21 +1,41 @@
---
inclusion: fileMatch
fileMatchPattern: "infra/k8s/**"
fileMatchPattern: "infra/**"
---
# Kubernetes Conventions
# Kubernetes & Helm Conventions
## Namespace
All Stonks Oracle workloads deploy to `stonks-oracle` namespace.
The namespace is NOT managed by Helm — it's created by `runmefirst.sh` with Helm ownership labels.
## Helm Chart
- Chart at `infra/helm/stonks-oracle/`
- Services defined in `values.yaml` under `services:` — the deployments template iterates over them
- Adding a new service: add entry to `values.yaml`, add network policy if it needs ingress, add ingress if it needs external access
- Dashboard uses nginx-unprivileged on port 8080 (not 80)
- Superset uses custom image `ghcr.io/celesrenata/stonks-oracle/superset:latest` with trino + psycopg2 drivers
## TLS
- Internal services: use `ca-issuer` ClusterIssuer (local CA)
- Public-facing services (Superset, Query API): use `celestium-le-production` ClusterIssuer (Let's Encrypt)
- Annotate ingress with `cert-manager.io/cluster-issuer`
- Annotate ingress with `cert-manager.io/cluster-issuer: ca-issuer`
## Ingress
- Traefik ingress controller
- Domain pattern: `<service>.celestium.life`
- Always create both HTTP and HTTPS ingress rules
- Dashboard: `stonks.celestium.life`
- Query API: `stonks-api.celestium.life`
- Symbol Registry: `stonks-registry.celestium.life`
- Superset: `stonks-dash.celestium.life`
- Trino: `stonks-trino.celestium.life`
## Network Policies
- `default-deny-ingress` blocks all ingress by default
- Each service that needs ingress must have an explicit allow policy
- Dashboard needs: ingress from kube-system (Traefik) on 8080
- Query API needs: ingress from kube-system + dashboard pod on 8000
- Symbol Registry needs: ingress from kube-system + dashboard pod on 8000
- Risk Engine needs: ingress from broker-adapter + query-api + dashboard on 8000
- When adding a new externally-accessible service, add both an ingress AND a network policy
## Service References
- PostgreSQL: `postgresql-rw.postgresql-service.svc.cluster.local:5432`
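Review bot: the annotation line in the TLS section pins the issuer to `ca-issuer` (`cert-manager.io/cluster-issuer: ca-issuer`), which contradicts the line just above it that sends public-facing services (Superset, Query API) to `celestium-le-production`; a Superset ingress copied from this example would get a certificate from the local CA that public clients do not trust. Suggest writing the annotation with a placeholder, e.g. `cert-manager.io/cluster-issuer: <ca-issuer | celestium-le-production>`, and stating which issuer each of the five `*.celestium.life` hosts listed under Ingress uses, since only two of them are named in the TLS section. Two smaller points in the same hunk: "Always create both HTTP and HTTPS ingress rules" should say whether the HTTP rule redirects to HTTPS or serves plaintext, because as written it reads as an instruction to expose every service over plain HTTP; and the Network Policies list names no allow policy for Superset or Trino even though both have public hostnames, while `default-deny-ingress` means they are unreachable until one is added.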
@@ -25,9 +45,10 @@ All Stonks Oracle workloads deploy to `stonks-oracle` namespace.
## Images
- All images from `ghcr.io/celesrenata/stonks-oracle/<service>:latest`
- Use `imagePullPolicy: Always` in production
- Use `imagePullSecrets` referencing `ghcr-secret` if repo is private
- Use `imagePullPolicy: Always`
- Use `imagePullSecrets` referencing `ghcr-credentials`
## Labels
- `app.kubernetes.io/part-of: stonks-oracle`
- `app: <service-name>`
- `stonks-oracle/tier: <tier>` (api, frontend, processing, trading, orchestration, analytics)
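Review bot: dropping the "in production" qualifier leaves `imagePullPolicy: Always` as a blanket rule, and combined with the `<service>:latest` tag convention in the same section (and the Superset `:latest` image in the Helm Chart section) it means every pod restart can pull a different image with nothing in the manifest recording what actually ran, so a rollback has no target and a compromised or mis-tagged push to GHCR rolls out on the next restart. Suggest the convention require an immutable tag or digest reference for deployed manifests, e.g. `ghcr.io/celesrenata/stonks-oracle/<service>@sha256:<digest>`, with `:latest` reserved for local development. Also, the `imagePullSecrets` line renames the secret from `ghcr-secret` to `ghcr-credentials` and removes the "if repo is private" condition; worth stating where `ghcr-credentials` is created (for example by `runmefirst.sh`, which the Namespace section already credits with bootstrapping the namespace) so someone adding a service knows it exists before their first deploy.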