phase 14-15: docker build validation and helm deployment
This commit is contained in:
Celes Renata
@@ -6,6 +6,7 @@ metadata:
|
||||
labels:
|
||||
app: aggregation-worker
|
||||
app.kubernetes.io/part-of: stonks-oracle
|
||||
stonks-oracle/tier: processing
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
@@ -15,16 +16,30 @@ spec:
|
||||
metadata:
|
||||
labels:
|
||||
app: aggregation-worker
|
||||
stonks-oracle/tier: processing
|
||||
spec:
|
||||
automountServiceAccountToken: false
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
fsGroup: 1000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: aggregation-worker
|
||||
image: ghcr.io/celesrenata/stonks-oracle/aggregation:latest
|
||||
imagePullPolicy: Always
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: stonks-config
|
||||
- secretRef:
|
||||
name: stonks-secrets
|
||||
name: stonks-core-secrets
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
@@ -32,3 +47,10 @@ spec:
|
||||
limits:
|
||||
cpu: 500m
|
||||
memory: 256Mi
|
||||
volumeMounts:
|
||||
- name: tmp
|
||||
mountPath: /tmp
|
||||
volumes:
|
||||
- name: tmp
|
||||
emptyDir:
|
||||
sizeLimit: 10Mi
|
||||
|
||||
@@ -6,6 +6,7 @@ metadata:
|
||||
labels:
|
||||
app: broker-adapter
|
||||
app.kubernetes.io/part-of: stonks-oracle
|
||||
stonks-oracle/tier: trading
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
@@ -15,16 +16,32 @@ spec:
|
||||
metadata:
|
||||
labels:
|
||||
app: broker-adapter
|
||||
stonks-oracle/tier: trading
|
||||
spec:
|
||||
automountServiceAccountToken: false
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
fsGroup: 1000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: broker-adapter
|
||||
image: ghcr.io/celesrenata/stonks-oracle/broker-adapter:latest
|
||||
imagePullPolicy: Always
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: stonks-config
|
||||
- secretRef:
|
||||
name: stonks-secrets
|
||||
name: stonks-core-secrets
|
||||
- secretRef:
|
||||
name: stonks-broker-secrets
|
||||
resources:
|
||||
requests:
|
||||
cpu: 50m
|
||||
@@ -32,3 +49,10 @@ spec:
|
||||
limits:
|
||||
cpu: 200m
|
||||
memory: 128Mi
|
||||
volumeMounts:
|
||||
- name: tmp
|
||||
mountPath: /tmp
|
||||
volumes:
|
||||
- name: tmp
|
||||
emptyDir:
|
||||
sizeLimit: 10Mi
|
||||
|
||||
@@ -25,15 +25,48 @@ data:
|
||||
OLLAMA_BASE_URL: "http://ollama.ollama-service.svc.cluster.local:11434"
|
||||
OLLAMA_MODEL: "llama3.1:8b"
|
||||
OLLAMA_TIMEOUT: "120"
|
||||
OLLAMA_MAX_RETRIES: "2"
|
||||
OLLAMA_RETRY_BASE_DELAY: "1.0"
|
||||
OLLAMA_RETRY_MAX_DELAY: "10.0"
|
||||
OLLAMA_RETRY_BACKOFF_MULTIPLIER: "2.0"
|
||||
|
||||
# Trino — deployed in stonks-oracle namespace
|
||||
TRINO_HOST: "trino.stonks-oracle.svc.cluster.local"
|
||||
TRINO_PORT: "8080"
|
||||
TRINO_CATALOG: "lakehouse"
|
||||
TRINO_SCHEMA: "stonks"
|
||||
TRINO_ICEBERG_CATALOG: "iceberg"
|
||||
|
||||
# Broker
|
||||
BROKER_MODE: "paper"
|
||||
BROKER_PROVIDER: "alpaca"
|
||||
|
||||
# Market Data
|
||||
MARKET_DATA_BASE_URL: "https://api.polygon.io"
|
||||
MARKET_DATA_PROVIDER: "polygon"
|
||||
|
||||
# Retention (days per bucket class)
|
||||
RETENTION_RAW_MARKET_DAYS: "90"
|
||||
RETENTION_RAW_NEWS_DAYS: "180"
|
||||
RETENTION_RAW_FILINGS_DAYS: "365"
|
||||
RETENTION_NORMALIZED_DAYS: "180"
|
||||
RETENTION_LLM_PROMPTS_DAYS: "365"
|
||||
RETENTION_LLM_RESULTS_DAYS: "365"
|
||||
RETENTION_LAKEHOUSE_DAYS: "730"
|
||||
RETENTION_AUDIT_DAYS: "730"
|
||||
RETENTION_CLEANUP_INTERVAL_HOURS: "24"
|
||||
RETENTION_BATCH_SIZE: "1000"
|
||||
|
||||
# General
|
||||
LOG_LEVEL: "INFO"
|
||||
JSON_LOGS: "true"
|
||||
|
||||
# Alerting thresholds
|
||||
ALERT_SOURCE_FAILURE_THRESHOLD: "3"
|
||||
ALERT_SOURCE_FAILURE_WINDOW_HOURS: "6"
|
||||
ALERT_SCHEMA_FAILURE_RATE_THRESHOLD: "0.3"
|
||||
ALERT_SCHEMA_FAILURE_WINDOW_HOURS: "1"
|
||||
ALERT_LAKE_LAG_THRESHOLD_MINUTES: "60"
|
||||
ALERT_BROKER_ERROR_THRESHOLD: "3"
|
||||
ALERT_BROKER_ERROR_WINDOW_HOURS: "1"
|
||||
ALERT_CHECK_INTERVAL_SECONDS: "120"
|
||||
|
||||
@@ -6,6 +6,7 @@ metadata:
|
||||
labels:
|
||||
app: extractor-worker
|
||||
app.kubernetes.io/part-of: stonks-oracle
|
||||
stonks-oracle/tier: processing
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
@@ -15,16 +16,30 @@ spec:
|
||||
metadata:
|
||||
labels:
|
||||
app: extractor-worker
|
||||
stonks-oracle/tier: processing
|
||||
spec:
|
||||
automountServiceAccountToken: false
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
fsGroup: 1000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: extractor-worker
|
||||
image: ghcr.io/celesrenata/stonks-oracle/extractor:latest
|
||||
imagePullPolicy: Always
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: stonks-config
|
||||
- secretRef:
|
||||
name: stonks-secrets
|
||||
name: stonks-core-secrets
|
||||
resources:
|
||||
requests:
|
||||
cpu: 200m
|
||||
@@ -32,3 +47,10 @@ spec:
|
||||
limits:
|
||||
cpu: "1"
|
||||
memory: 512Mi
|
||||
volumeMounts:
|
||||
- name: tmp
|
||||
mountPath: /tmp
|
||||
volumes:
|
||||
- name: tmp
|
||||
emptyDir:
|
||||
sizeLimit: 10Mi
|
||||
|
||||
@@ -6,6 +6,7 @@ metadata:
|
||||
labels:
|
||||
app: hive-metastore
|
||||
app.kubernetes.io/part-of: stonks-oracle
|
||||
stonks-oracle/tier: analytics
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
@@ -15,22 +16,121 @@ spec:
|
||||
metadata:
|
||||
labels:
|
||||
app: hive-metastore
|
||||
stonks-oracle/tier: analytics
|
||||
spec:
|
||||
automountServiceAccountToken: false
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
fsGroup: 1000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
initContainers:
|
||||
- name: hive-config-init
|
||||
image: busybox:1.36
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
command: ["sh", "-c"]
|
||||
args:
|
||||
- |
|
||||
cat > /hive-config/core-site.xml <<EOF
|
||||
<?xml version="1.0"?>
|
||||
<configuration>
|
||||
<property>
|
||||
<name>fs.s3a.endpoint</name>
|
||||
<value>http://minio.minio-service.svc.cluster.local:80</value>
|
||||
</property>
|
||||
<property>
|
||||
<name>fs.s3a.access.key</name>
|
||||
<value>${MINIO_ACCESS_KEY}</value>
|
||||
</property>
|
||||
<property>
|
||||
<name>fs.s3a.secret.key</name>
|
||||
<value>${MINIO_SECRET_KEY}</value>
|
||||
</property>
|
||||
<property>
|
||||
<name>fs.s3a.path.style.access</name>
|
||||
<value>true</value>
|
||||
</property>
|
||||
<property>
|
||||
<name>fs.s3a.impl</name>
|
||||
<value>org.apache.hadoop.fs.s3a.S3AFileSystem</value>
|
||||
</property>
|
||||
<property>
|
||||
<name>fs.s3a.connection.ssl.enabled</name>
|
||||
<value>false</value>
|
||||
</property>
|
||||
</configuration>
|
||||
EOF
|
||||
cat > /hive-config/metastore-site.xml <<EOF
|
||||
<?xml version="1.0"?>
|
||||
<configuration>
|
||||
<property>
|
||||
<name>metastore.thrift.uris</name>
|
||||
<value>thrift://0.0.0.0:9083</value>
|
||||
</property>
|
||||
<property>
|
||||
<name>metastore.task.threads.always</name>
|
||||
<value>org.apache.hadoop.hive.metastore.events.EventCleanerTask</value>
|
||||
</property>
|
||||
<property>
|
||||
<name>metastore.expression.proxy</name>
|
||||
<value>org.apache.hadoop.hive.metastore.DefaultPartitionExpressionProxy</value>
|
||||
</property>
|
||||
<property>
|
||||
<name>javax.jdo.option.ConnectionDriverName</name>
|
||||
<value>org.apache.derby.jdbc.EmbeddedDriver</value>
|
||||
</property>
|
||||
<property>
|
||||
<name>javax.jdo.option.ConnectionURL</name>
|
||||
<value>jdbc:derby:/opt/hive/data/metastore_db;create=true</value>
|
||||
</property>
|
||||
<property>
|
||||
<name>metastore.warehouse.dir</name>
|
||||
<value>s3a://stonks-lakehouse/warehouse</value>
|
||||
</property>
|
||||
</configuration>
|
||||
EOF
|
||||
env:
|
||||
- name: MINIO_ACCESS_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: stonks-core-secrets
|
||||
key: MINIO_ACCESS_KEY
|
||||
- name: MINIO_SECRET_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: stonks-core-secrets
|
||||
key: MINIO_SECRET_KEY
|
||||
volumeMounts:
|
||||
- name: hive-config
|
||||
mountPath: /hive-config
|
||||
containers:
|
||||
- name: hive-metastore
|
||||
image: apache/hive:4.0.0
|
||||
ports:
|
||||
- containerPort: 9083
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
env:
|
||||
- name: SERVICE_NAME
|
||||
value: metastore
|
||||
- name: DB_DRIVER
|
||||
value: derby
|
||||
- name: SERVICE_OPTS
|
||||
value: "-Djavax.jdo.option.ConnectionURL=jdbc:derby:/opt/hive/data/metastore_db;create=true"
|
||||
volumeMounts:
|
||||
- name: hive-data
|
||||
mountPath: /opt/hive/data
|
||||
- name: hive-config
|
||||
mountPath: /opt/hive/conf/core-site.xml
|
||||
subPath: core-site.xml
|
||||
- name: hive-config
|
||||
mountPath: /opt/hive/conf/metastore-site.xml
|
||||
subPath: metastore-site.xml
|
||||
resources:
|
||||
requests:
|
||||
cpu: 200m
|
||||
@@ -42,6 +142,8 @@ spec:
|
||||
- name: hive-data
|
||||
persistentVolumeClaim:
|
||||
claimName: hive-metastore-data
|
||||
- name: hive-config
|
||||
emptyDir: {}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
|
||||
@@ -6,6 +6,7 @@ metadata:
|
||||
labels:
|
||||
app: ingestion-worker
|
||||
app.kubernetes.io/part-of: stonks-oracle
|
||||
stonks-oracle/tier: ingestion
|
||||
spec:
|
||||
replicas: 2
|
||||
selector:
|
||||
@@ -15,16 +16,32 @@ spec:
|
||||
metadata:
|
||||
labels:
|
||||
app: ingestion-worker
|
||||
stonks-oracle/tier: ingestion
|
||||
spec:
|
||||
automountServiceAccountToken: false
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
fsGroup: 1000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: ingestion-worker
|
||||
image: ghcr.io/celesrenata/stonks-oracle/ingestion:latest
|
||||
imagePullPolicy: Always
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: stonks-config
|
||||
- secretRef:
|
||||
name: stonks-secrets
|
||||
name: stonks-core-secrets
|
||||
- secretRef:
|
||||
name: stonks-market-secrets
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
@@ -32,3 +49,10 @@ spec:
|
||||
limits:
|
||||
cpu: 500m
|
||||
memory: 256Mi
|
||||
volumeMounts:
|
||||
- name: tmp
|
||||
mountPath: /tmp
|
||||
volumes:
|
||||
- name: tmp
|
||||
emptyDir:
|
||||
sizeLimit: 10Mi
|
||||
|
||||
@@ -6,6 +6,7 @@ metadata:
|
||||
labels:
|
||||
app: lake-publisher
|
||||
app.kubernetes.io/part-of: stonks-oracle
|
||||
stonks-oracle/tier: analytics
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
@@ -15,16 +16,30 @@ spec:
|
||||
metadata:
|
||||
labels:
|
||||
app: lake-publisher
|
||||
stonks-oracle/tier: analytics
|
||||
spec:
|
||||
automountServiceAccountToken: false
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
fsGroup: 1000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: lake-publisher
|
||||
image: ghcr.io/celesrenata/stonks-oracle/lake-publisher:latest
|
||||
imagePullPolicy: Always
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: stonks-config
|
||||
- secretRef:
|
||||
name: stonks-secrets
|
||||
name: stonks-core-secrets
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
@@ -32,3 +47,10 @@ spec:
|
||||
limits:
|
||||
cpu: 500m
|
||||
memory: 256Mi
|
||||
volumeMounts:
|
||||
- name: tmp
|
||||
mountPath: /tmp
|
||||
volumes:
|
||||
- name: tmp
|
||||
emptyDir:
|
||||
sizeLimit: 10Mi
|
||||
|
||||
@@ -4,3 +4,4 @@ metadata:
|
||||
name: stonks-oracle
|
||||
labels:
|
||||
app.kubernetes.io/part-of: stonks-oracle
|
||||
kubernetes.io/metadata.name: stonks-oracle
|
||||
|
||||
@@ -0,0 +1,173 @@
|
||||
##
|
||||
## Stonks Oracle — Network Policies
|
||||
##
|
||||
## Default-deny ingress for the namespace, then allow only the
|
||||
## traffic patterns each component actually needs.
|
||||
##
|
||||
## Requirements: 8.2 (trading isolation), 12.1 (observability)
|
||||
##
|
||||
|
||||
# ── Default deny all ingress in the namespace ──────────────────────────
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: default-deny-ingress
|
||||
namespace: stonks-oracle
|
||||
spec:
|
||||
podSelector: {}
|
||||
policyTypes:
|
||||
- Ingress
|
||||
---
|
||||
# ── Query API: accept from Traefik ingress only ───────────────────────
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: allow-query-api-ingress
|
||||
namespace: stonks-oracle
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app: query-api
|
||||
policyTypes:
|
||||
- Ingress
|
||||
ingress:
|
||||
- from:
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
kubernetes.io/metadata.name: kube-system
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 8000
|
||||
---
|
||||
# ── Symbol Registry API: accept from Traefik ingress only ─────────────
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: allow-symbol-registry-ingress
|
||||
namespace: stonks-oracle
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app: symbol-registry-api
|
||||
policyTypes:
|
||||
- Ingress
|
||||
ingress:
|
||||
- from:
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
kubernetes.io/metadata.name: kube-system
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 8000
|
||||
---
|
||||
# ── Risk Engine: accept from broker-adapter only ───────────────────────
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: allow-risk-engine-ingress
|
||||
namespace: stonks-oracle
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app: risk-engine
|
||||
policyTypes:
|
||||
- Ingress
|
||||
ingress:
|
||||
- from:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
app: broker-adapter
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
app: query-api
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 8000
|
||||
---
|
||||
# ── Superset: accept from Traefik ingress only ────────────────────────
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: allow-superset-ingress
|
||||
namespace: stonks-oracle
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app: superset
|
||||
policyTypes:
|
||||
- Ingress
|
||||
ingress:
|
||||
- from:
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
kubernetes.io/metadata.name: kube-system
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 8088
|
||||
---
|
||||
# ── Trino: accept from Superset and query-api ─────────────────────────
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: allow-trino-ingress
|
||||
namespace: stonks-oracle
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app: trino
|
||||
policyTypes:
|
||||
- Ingress
|
||||
ingress:
|
||||
- from:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
app: superset
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
app: query-api
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
kubernetes.io/metadata.name: kube-system
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 8080
|
||||
---
|
||||
# ── Hive Metastore: accept from Trino and lake-publisher ──────────────
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: allow-hive-metastore-ingress
|
||||
namespace: stonks-oracle
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app: hive-metastore
|
||||
policyTypes:
|
||||
- Ingress
|
||||
ingress:
|
||||
- from:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
app: trino
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
app: lake-publisher
|
||||
ports:
|
||||
- protocol: TCP
|
||||
port: 9083
|
||||
---
|
||||
# ── Broker adapter: isolated — no inbound from other pods ──────────────
|
||||
# The broker-adapter only makes outbound calls to the broker API
|
||||
# and reads from Redis queues. No pod needs to call into it.
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: deny-broker-adapter-ingress
|
||||
namespace: stonks-oracle
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app: broker-adapter
|
||||
policyTypes:
|
||||
- Ingress
|
||||
ingress: []
|
||||
@@ -6,6 +6,7 @@ metadata:
|
||||
labels:
|
||||
app: parser-worker
|
||||
app.kubernetes.io/part-of: stonks-oracle
|
||||
stonks-oracle/tier: processing
|
||||
spec:
|
||||
replicas: 2
|
||||
selector:
|
||||
@@ -15,16 +16,30 @@ spec:
|
||||
metadata:
|
||||
labels:
|
||||
app: parser-worker
|
||||
stonks-oracle/tier: processing
|
||||
spec:
|
||||
automountServiceAccountToken: false
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
fsGroup: 1000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: parser-worker
|
||||
image: ghcr.io/celesrenata/stonks-oracle/parser:latest
|
||||
imagePullPolicy: Always
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: stonks-config
|
||||
- secretRef:
|
||||
name: stonks-secrets
|
||||
name: stonks-core-secrets
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
@@ -32,3 +47,10 @@ spec:
|
||||
limits:
|
||||
cpu: 500m
|
||||
memory: 256Mi
|
||||
volumeMounts:
|
||||
- name: tmp
|
||||
mountPath: /tmp
|
||||
volumes:
|
||||
- name: tmp
|
||||
emptyDir:
|
||||
sizeLimit: 10Mi
|
||||
|
||||
@@ -6,6 +6,7 @@ metadata:
|
||||
labels:
|
||||
app: query-api
|
||||
app.kubernetes.io/part-of: stonks-oracle
|
||||
stonks-oracle/tier: api
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
@@ -15,18 +16,32 @@ spec:
|
||||
metadata:
|
||||
labels:
|
||||
app: query-api
|
||||
stonks-oracle/tier: api
|
||||
spec:
|
||||
automountServiceAccountToken: false
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
fsGroup: 1000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: query-api
|
||||
image: ghcr.io/celesrenata/stonks-oracle/query-api:latest
|
||||
imagePullPolicy: Always
|
||||
ports:
|
||||
- containerPort: 8000
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: stonks-config
|
||||
- secretRef:
|
||||
name: stonks-secrets
|
||||
name: stonks-core-secrets
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
@@ -40,6 +55,13 @@ spec:
|
||||
port: 8000
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 10
|
||||
volumeMounts:
|
||||
- name: tmp
|
||||
mountPath: /tmp
|
||||
volumes:
|
||||
- name: tmp
|
||||
emptyDir:
|
||||
sizeLimit: 10Mi
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
|
||||
@@ -6,6 +6,7 @@ metadata:
|
||||
labels:
|
||||
app: recommendation-worker
|
||||
app.kubernetes.io/part-of: stonks-oracle
|
||||
stonks-oracle/tier: processing
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
@@ -15,16 +16,30 @@ spec:
|
||||
metadata:
|
||||
labels:
|
||||
app: recommendation-worker
|
||||
stonks-oracle/tier: processing
|
||||
spec:
|
||||
automountServiceAccountToken: false
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
fsGroup: 1000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: recommendation-worker
|
||||
image: ghcr.io/celesrenata/stonks-oracle/recommendation:latest
|
||||
imagePullPolicy: Always
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: stonks-config
|
||||
- secretRef:
|
||||
name: stonks-secrets
|
||||
name: stonks-core-secrets
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
@@ -32,3 +47,10 @@ spec:
|
||||
limits:
|
||||
cpu: 500m
|
||||
memory: 256Mi
|
||||
volumeMounts:
|
||||
- name: tmp
|
||||
mountPath: /tmp
|
||||
volumes:
|
||||
- name: tmp
|
||||
emptyDir:
|
||||
sizeLimit: 10Mi
|
||||
|
||||
@@ -6,6 +6,7 @@ metadata:
|
||||
labels:
|
||||
app: risk-engine
|
||||
app.kubernetes.io/part-of: stonks-oracle
|
||||
stonks-oracle/tier: trading
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
@@ -15,18 +16,34 @@ spec:
|
||||
metadata:
|
||||
labels:
|
||||
app: risk-engine
|
||||
stonks-oracle/tier: trading
|
||||
spec:
|
||||
automountServiceAccountToken: false
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
fsGroup: 1000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: risk-engine
|
||||
image: ghcr.io/celesrenata/stonks-oracle/risk:latest
|
||||
imagePullPolicy: Always
|
||||
ports:
|
||||
- containerPort: 8000
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: stonks-config
|
||||
- secretRef:
|
||||
name: stonks-secrets
|
||||
name: stonks-core-secrets
|
||||
- secretRef:
|
||||
name: stonks-broker-secrets
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
@@ -34,6 +51,13 @@ spec:
|
||||
limits:
|
||||
cpu: 500m
|
||||
memory: 256Mi
|
||||
volumeMounts:
|
||||
- name: tmp
|
||||
mountPath: /tmp
|
||||
volumes:
|
||||
- name: tmp
|
||||
emptyDir:
|
||||
sizeLimit: 10Mi
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
|
||||
@@ -6,6 +6,7 @@ metadata:
|
||||
labels:
|
||||
app: scheduler
|
||||
app.kubernetes.io/part-of: stonks-oracle
|
||||
stonks-oracle/tier: orchestration
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
@@ -15,16 +16,30 @@ spec:
|
||||
metadata:
|
||||
labels:
|
||||
app: scheduler
|
||||
stonks-oracle/tier: orchestration
|
||||
spec:
|
||||
automountServiceAccountToken: false
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
fsGroup: 1000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: scheduler
|
||||
image: ghcr.io/celesrenata/stonks-oracle/scheduler:latest
|
||||
imagePullPolicy: Always
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: stonks-config
|
||||
- secretRef:
|
||||
name: stonks-secrets
|
||||
name: stonks-core-secrets
|
||||
resources:
|
||||
requests:
|
||||
cpu: 50m
|
||||
@@ -32,3 +47,10 @@ spec:
|
||||
limits:
|
||||
cpu: 200m
|
||||
memory: 128Mi
|
||||
volumeMounts:
|
||||
- name: tmp
|
||||
mountPath: /tmp
|
||||
volumes:
|
||||
- name: tmp
|
||||
emptyDir:
|
||||
sizeLimit: 10Mi
|
||||
|
||||
+54
-8
@@ -1,17 +1,63 @@
|
||||
##
|
||||
## Stonks Oracle — Scoped Secrets
|
||||
##
|
||||
## Secrets are split by concern so that only the services that need
|
||||
## broker or market-data credentials actually receive them.
|
||||
## Replace placeholder values before deploying.
|
||||
##
|
||||
## Requirements: 8.2 (broker credential isolation)
|
||||
##
|
||||
|
||||
# ── Core infrastructure secrets (DB, object store, cache) ──────────────
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: stonks-secrets
|
||||
name: stonks-core-secrets
|
||||
namespace: stonks-oracle
|
||||
labels:
|
||||
app.kubernetes.io/part-of: stonks-oracle
|
||||
type: Opaque
|
||||
stringData:
|
||||
POSTGRES_PASSWORD: "changeme"
|
||||
MINIO_ACCESS_KEY: "changeme"
|
||||
MINIO_SECRET_KEY: "changeme"
|
||||
POSTGRES_PASSWORD: "REPLACE_ME"
|
||||
MINIO_ACCESS_KEY: "REPLACE_ME"
|
||||
MINIO_SECRET_KEY: "REPLACE_ME"
|
||||
REDIS_PASSWORD: ""
|
||||
BROKER_API_KEY: ""
|
||||
BROKER_API_SECRET: ""
|
||||
BROKER_BASE_URL: ""
|
||||
SUPERSET_SECRET_KEY: "stonks-superset-secret-change-me"
|
||||
---
|
||||
# ── Broker secrets — only for broker-adapter and risk-engine ───────────
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: stonks-broker-secrets
|
||||
namespace: stonks-oracle
|
||||
labels:
|
||||
app.kubernetes.io/part-of: stonks-oracle
|
||||
type: Opaque
|
||||
stringData:
|
||||
BROKER_API_KEY: "REPLACE_ME"
|
||||
BROKER_API_SECRET: "REPLACE_ME"
|
||||
BROKER_BASE_URL: "https://paper-api.alpaca.markets"
|
||||
---
|
||||
# ── Market data secrets — only for ingestion and adapters ──────────────
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: stonks-market-secrets
|
||||
namespace: stonks-oracle
|
||||
labels:
|
||||
app.kubernetes.io/part-of: stonks-oracle
|
||||
type: Opaque
|
||||
stringData:
|
||||
MARKET_DATA_API_KEY: "REPLACE_ME"
|
||||
---
|
||||
# ── Dashboard secrets — only for Superset ──────────────────────────────
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: stonks-dashboard-secrets
|
||||
namespace: stonks-oracle
|
||||
labels:
|
||||
app.kubernetes.io/part-of: stonks-oracle
|
||||
type: Opaque
|
||||
stringData:
|
||||
SUPERSET_SECRET_KEY: "REPLACE_ME"
|
||||
SUPERSET_ADMIN_PASSWORD: "REPLACE_ME"
|
||||
|
||||
+47
-3
@@ -6,6 +6,7 @@ metadata:
|
||||
labels:
|
||||
app: superset
|
||||
app.kubernetes.io/part-of: stonks-oracle
|
||||
stonks-oracle/tier: dashboard
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
@@ -15,22 +16,38 @@ spec:
|
||||
metadata:
|
||||
labels:
|
||||
app: superset
|
||||
stonks-oracle/tier: dashboard
|
||||
spec:
|
||||
automountServiceAccountToken: false
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
fsGroup: 1000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: superset
|
||||
image: apache/superset:latest
|
||||
ports:
|
||||
- containerPort: 8088
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
env:
|
||||
- name: SUPERSET_SECRET_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: stonks-secrets
|
||||
name: stonks-dashboard-secrets
|
||||
key: SUPERSET_SECRET_KEY
|
||||
- name: ADMIN_USERNAME
|
||||
value: admin
|
||||
- name: ADMIN_PASSWORD
|
||||
value: admin
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: stonks-dashboard-secrets
|
||||
key: SUPERSET_ADMIN_PASSWORD
|
||||
- name: ADMIN_EMAIL
|
||||
value: admin@stonks.local
|
||||
volumeMounts:
|
||||
@@ -94,12 +111,39 @@ data:
|
||||
import os
|
||||
SECRET_KEY = os.getenv("SUPERSET_SECRET_KEY", "stonks-dev-secret-key-change-me")
|
||||
SQLALCHEMY_DATABASE_URI = "trino://trino@trino.stonks-oracle.svc.cluster.local:8080/lakehouse/stonks"
|
||||
# Additional database connections available in Superset UI:
|
||||
# Hive catalog: trino://trino@trino.stonks-oracle.svc.cluster.local:8080/lakehouse/stonks
|
||||
# Iceberg catalog: trino://trino@trino.stonks-oracle.svc.cluster.local:8080/iceberg/stonks
|
||||
FEATURE_FLAGS = {"ENABLE_TEMPLATE_PROCESSING": True}
|
||||
CACHE_CONFIG = {
|
||||
"CACHE_TYPE": "RedisCache",
|
||||
"CACHE_DEFAULT_TIMEOUT": 300,
|
||||
"CACHE_KEY_PREFIX": "superset_",
|
||||
"CACHE_REDIS_HOST": os.getenv("REDIS_HOST", "redis.redis-service.svc.cluster.local"),
|
||||
"CACHE_REDIS_HOST": os.getenv("REDIS_HOST", "redis-master.redis-service.svc.cluster.local"),
|
||||
"CACHE_REDIS_PORT": int(os.getenv("REDIS_PORT", "6379")),
|
||||
"CACHE_REDIS_DB": 1,
|
||||
}
|
||||
|
||||
# --- Security hardening ---
|
||||
# Disable public user role (require login)
|
||||
PUBLIC_ROLE_LIKE = None
|
||||
# Session cookie security
|
||||
SESSION_COOKIE_HTTPONLY = True
|
||||
SESSION_COOKIE_SECURE = True
|
||||
SESSION_COOKIE_SAMESITE = "Lax"
|
||||
# Talisman CSP headers
|
||||
TALISMAN_ENABLED = True
|
||||
TALISMAN_CONFIG = {
|
||||
"content_security_policy": {
|
||||
"default-src": ["'self'"],
|
||||
"img-src": ["'self'", "data:"],
|
||||
"style-src": ["'self'", "'unsafe-inline'"],
|
||||
"script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
|
||||
},
|
||||
"force_https": False, # TLS terminated at ingress
|
||||
}
|
||||
# Prevent Superset from allowing arbitrary SQL database connections
|
||||
PREVENT_UNSAFE_DB_CONNECTIONS = True
|
||||
# Row limit for queries
|
||||
ROW_LIMIT = 50000
|
||||
SQL_MAX_ROW = 100000
|
||||
|
||||
@@ -6,6 +6,7 @@ metadata:
|
||||
labels:
|
||||
app: symbol-registry-api
|
||||
app.kubernetes.io/part-of: stonks-oracle
|
||||
stonks-oracle/tier: api
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
@@ -15,18 +16,32 @@ spec:
|
||||
metadata:
|
||||
labels:
|
||||
app: symbol-registry-api
|
||||
stonks-oracle/tier: api
|
||||
spec:
|
||||
automountServiceAccountToken: false
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
fsGroup: 1000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
containers:
|
||||
- name: symbol-registry-api
|
||||
image: ghcr.io/celesrenata/stonks-oracle/symbol-registry:latest
|
||||
imagePullPolicy: Always
|
||||
ports:
|
||||
- containerPort: 8000
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: true
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: stonks-config
|
||||
- secretRef:
|
||||
name: stonks-secrets
|
||||
name: stonks-core-secrets
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
@@ -46,6 +61,13 @@ spec:
|
||||
port: 8000
|
||||
initialDelaySeconds: 10
|
||||
periodSeconds: 30
|
||||
volumeMounts:
|
||||
- name: tmp
|
||||
mountPath: /tmp
|
||||
volumes:
|
||||
- name: tmp
|
||||
emptyDir:
|
||||
sizeLimit: 10Mi
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
|
||||
+63
-26
@@ -6,6 +6,7 @@ metadata:
|
||||
labels:
|
||||
app: trino
|
||||
app.kubernetes.io/part-of: stonks-oracle
|
||||
stonks-oracle/tier: analytics
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
@@ -15,12 +16,73 @@ spec:
|
||||
metadata:
|
||||
labels:
|
||||
app: trino
|
||||
stonks-oracle/tier: analytics
|
||||
spec:
|
||||
automountServiceAccountToken: false
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
fsGroup: 1000
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
initContainers:
|
||||
- name: catalog-init
|
||||
image: busybox:1.36
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
command: ["sh", "-c"]
|
||||
args:
|
||||
- |
|
||||
cat > /catalog/iceberg.properties <<EOF
|
||||
connector.name=iceberg
|
||||
iceberg.catalog.type=hive_metastore
|
||||
hive.metastore.uri=thrift://hive-metastore.stonks-oracle.svc.cluster.local:9083
|
||||
hive.s3.endpoint=http://minio.minio-service.svc.cluster.local:80
|
||||
hive.s3.path-style-access=true
|
||||
hive.s3.aws-access-key=${MINIO_ACCESS_KEY}
|
||||
hive.s3.aws-secret-key=${MINIO_SECRET_KEY}
|
||||
fs.native-s3.enabled=true
|
||||
s3.endpoint=http://minio.minio-service.svc.cluster.local:80
|
||||
s3.path-style-access=true
|
||||
s3.aws-access-key=${MINIO_ACCESS_KEY}
|
||||
s3.aws-secret-key=${MINIO_SECRET_KEY}
|
||||
EOF
|
||||
cat > /catalog/lakehouse.properties <<EOF
|
||||
connector.name=hive
|
||||
hive.metastore.uri=thrift://hive-metastore.stonks-oracle.svc.cluster.local:9083
|
||||
hive.s3.endpoint=http://minio.minio-service.svc.cluster.local:80
|
||||
hive.s3.path-style-access=true
|
||||
hive.s3.aws-access-key=${MINIO_ACCESS_KEY}
|
||||
hive.s3.aws-secret-key=${MINIO_SECRET_KEY}
|
||||
hive.non-managed-table-writes-enabled=true
|
||||
hive.s3select-pushdown.enabled=true
|
||||
EOF
|
||||
env:
|
||||
- name: MINIO_ACCESS_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: stonks-core-secrets
|
||||
key: MINIO_ACCESS_KEY
|
||||
- name: MINIO_SECRET_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: stonks-core-secrets
|
||||
key: MINIO_SECRET_KEY
|
||||
volumeMounts:
|
||||
- name: catalog-config
|
||||
mountPath: /catalog
|
||||
containers:
|
||||
- name: trino
|
||||
image: trinodb/trino:latest
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
volumeMounts:
|
||||
- name: catalog-config
|
||||
mountPath: /etc/trino/catalog
|
||||
@@ -39,8 +101,7 @@ spec:
|
||||
periodSeconds: 10
|
||||
volumes:
|
||||
- name: catalog-config
|
||||
configMap:
|
||||
name: trino-catalog
|
||||
emptyDir: {}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
@@ -53,27 +114,3 @@ spec:
|
||||
ports:
|
||||
- port: 8080
|
||||
targetPort: 8080
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: trino-catalog
|
||||
namespace: stonks-oracle
|
||||
data:
|
||||
iceberg.properties: |
|
||||
connector.name=iceberg
|
||||
iceberg.catalog.type=hive_metastore
|
||||
hive.metastore.uri=thrift://hive-metastore.stonks-oracle.svc.cluster.local:9083
|
||||
hive.s3.endpoint=http://minio.minio-service.svc.cluster.local:80
|
||||
hive.s3.path-style-access=true
|
||||
hive.s3.aws-access-key=changeme
|
||||
hive.s3.aws-secret-key=changeme
|
||||
lakehouse.properties: |
|
||||
connector.name=hive
|
||||
hive.metastore.uri=thrift://hive-metastore.stonks-oracle.svc.cluster.local:9083
|
||||
hive.s3.endpoint=http://minio.minio-service.svc.cluster.local:80
|
||||
hive.s3.path-style-access=true
|
||||
hive.s3.aws-access-key=changeme
|
||||
hive.s3.aws-secret-key=changeme
|
||||
hive.non-managed-table-writes-enabled=true
|
||||
hive.s3select-pushdown.enabled=true
|
||||
|
||||
Reference in New Issue
Block a user