phase 14-15: docker build validation and helm deployment

2026-04-11 11:59:45 -07:00
parent 7394d241c9
commit ce10afa034
179 changed files with 32559 additions and 576 deletions
@@ -0,0 +1,173 @@
+##
+## Stonks Oracle — Network Policies
+##
+## Default-deny ingress for the namespace, then allow only the
+## traffic patterns each component actually needs.
+##
+## Requirements: 8.2 (trading isolation), 12.1 (observability)
+##
+
+# ── Default deny all ingress in the namespace ──────────────────────────
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-ingress
+  namespace: stonks-oracle
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+---
+# ── Query API: accept from Traefik ingress only ───────────────────────
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-query-api-ingress
+  namespace: stonks-oracle
+spec:
+  podSelector:
+    matchLabels:
+      app: query-api
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+      ports:
+        - protocol: TCP
+          port: 8000
+---
+# ── Symbol Registry API: accept from Traefik ingress only ─────────────
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-symbol-registry-ingress
+  namespace: stonks-oracle
+spec:
+  podSelector:
+    matchLabels:
+      app: symbol-registry-api
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+      ports:
+        - protocol: TCP
+          port: 8000
+---
+# ── Risk Engine: accept from broker-adapter only ───────────────────────
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-risk-engine-ingress
+  namespace: stonks-oracle
+spec:
+  podSelector:
+    matchLabels:
+      app: risk-engine
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: broker-adapter
+        - podSelector:
+            matchLabels:
+              app: query-api
+      ports:
+        - protocol: TCP
+          port: 8000
+---
+# ── Superset: accept from Traefik ingress only ────────────────────────
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-superset-ingress
+  namespace: stonks-oracle
+spec:
+  podSelector:
+    matchLabels:
+      app: superset
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+      ports:
+        - protocol: TCP
+          port: 8088
+---
+# ── Trino: accept from Superset and query-api ─────────────────────────
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-trino-ingress
+  namespace: stonks-oracle
+spec:
+  podSelector:
+    matchLabels:
+      app: trino
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: superset
+        - podSelector:
+            matchLabels:
+              app: query-api
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+      ports:
+        - protocol: TCP
+          port: 8080
+---
+# ── Hive Metastore: accept from Trino and lake-publisher ──────────────
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-hive-metastore-ingress
+  namespace: stonks-oracle
+spec:
+  podSelector:
+    matchLabels:
+      app: hive-metastore
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: trino
+        - podSelector:
+            matchLabels:
+              app: lake-publisher
+      ports:
+        - protocol: TCP
+          port: 9083
+---
+# ── Broker adapter: isolated — no inbound from other pods ──────────────
+# The broker-adapter only makes outbound calls to the broker API
+# and reads from Redis queues. No pod needs to call into it.
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: deny-broker-adapter-ingress
+  namespace: stonks-oracle
+spec:
+  podSelector:
+    matchLabels:
+      app: broker-adapter
+  policyTypes:
+    - Ingress
+  ingress: []