---
inclusion: fileMatch
fileMatchPattern: "infra/**"
---

# Kubernetes & Helm Conventions

## Namespace

All Stonks Oracle workloads deploy to the `stonks-oracle` namespace. The namespace is NOT managed by Helm — it's created by `runmefirst.sh` with Helm ownership labels.

## Helm Chart

- Chart at `infra/helm/stonks-oracle/`
- Services defined in `values.yaml` under `services:` — the deployments template iterates over them
- Adding a new service: add an entry to `values.yaml`, add a network policy if it needs ingress, add an ingress if it needs external access
- Dashboard uses nginx-unprivileged on port 8080 (not 80)
- Superset uses the custom image `registry.celestium.life/stonks-oracle/superset:latest` with trino + psycopg2 drivers

## TLS

- Internal services: use the `ca-issuer` ClusterIssuer (local CA)
- Annotate ingress with `cert-manager.io/cluster-issuer: ca-issuer`

## Ingress

- Traefik ingress controller
- Domain pattern: `.celestium.life`
- Dashboard: `stonks.celestium.life`
- Query API: `stonks-api.celestium.life`
- Symbol Registry: `stonks-registry.celestium.life`
- Superset: `stonks-dash.celestium.life`
- Trino: `stonks-trino.celestium.life`

## Network Policies

- `default-deny-ingress` blocks all ingress by default
- Each service that needs ingress must have an explicit allow policy
- Dashboard needs: ingress from kube-system (Traefik) on 8080
- Query API needs: ingress from kube-system + dashboard pod on 8000
- Symbol Registry needs: ingress from kube-system + dashboard pod on 8000
- Risk Engine needs: ingress from broker-adapter + query-api + dashboard on 8000
- When adding a new externally-accessible service, add both an ingress AND a network policy

## Service References

- PostgreSQL: `postgresql-rw.postgresql-service.svc.cluster.local:5432`
- Redis: `redis-master.redis-service.svc.cluster.local:6379`
- MinIO API: `minio.minio-service.svc.cluster.local:80`
- Ollama: `ollama.ollama-service.svc.cluster.local:11434`

## Images

- All images from `registry.celestium.life/stonks-oracle/:latest`
- Use `imagePullPolicy: Always`

## Labels

- `app.kubernetes.io/part-of: stonks-oracle`
- `app: `
- `stonks-oracle/tier: ` (api, frontend, processing, trading, orchestration, analytics)
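The default-deny plus explicit-allow pattern from the Network Policies section, written out as an added example (not a manifest from the `stonks-oracle` chart): the namespace-wide deny, then the Query API allow rule that admits Traefik from kube-system and the dashboard pod on 8000. It assumes the pod labels `app: query-api` and `app: dashboard` and relies on the `kubernetes.io/metadata.name` namespace label that Kubernetes sets automatically.

```yaml
# Added example, not the chart's own manifest. Assumed labels: app: query-api, app: dashboard.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: stonks-oracle
spec:
  podSelector: {}          # empty selector: applies to every pod in the namespace
  policyTypes:
    - Ingress              # Ingress listed with no rules, so all inbound traffic is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-query-api-ingress
  namespace: stonks-oracle
spec:
  podSelector:
    matchLabels:
      app: query-api       # assumed label on the Query API pods
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Entry 1: any pod in kube-system (where Traefik runs).
        # Each list item under "from" is a separate, OR-ed source.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
        # Entry 2: dashboard pods. A bare podSelector matches only pods in
        # the policy's own namespace (stonks-oracle), which is the intent here.
        - podSelector:
            matchLabels:
              app: dashboard
      ports:
        - protocol: TCP
          port: 8000       # Query API listens on 8000; anything else stays denied
```

A common mistake when extending this is to put `namespaceSelector` and `podSelector` under one `-` item, which AND-s them (a pod with that label inside that namespace) instead of allowing either source; keep them as separate list items as shown.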