---
inclusion: fileMatch
fileMatchPattern: "infra/k8s/**"
---
# Kubernetes Conventions

## Namespace
All Stonks Oracle workloads deploy to `stonks-oracle` namespace.

## TLS
- Internal services: use `ca-issuer` ClusterIssuer (local CA)
- Public-facing services (Superset, Query API): use `celestium-le-production` ClusterIssuer (Let's Encrypt)
- Annotate ingress with `cert-manager.io/cluster-issuer`

## Ingress
- Traefik ingress controller
- Domain pattern: `<service>.celestium.life`
- Always create both HTTP and HTTPS ingress rules

## Service References
- PostgreSQL: `postgresql-rw.postgresql-service.svc.cluster.local:5432`
- Redis: `redis-master.redis-service.svc.cluster.local:6379`
- MinIO API: `minio.minio-service.svc.cluster.local:80`
- Ollama: `ollama.ollama-service.svc.cluster.local:11434`

## Images
- All images from `ghcr.io/celesrenata/stonks-oracle/<service>:latest`
- Use `imagePullPolicy: Always` in production
- Use `imagePullSecrets` referencing `ghcr-secret` if repo is private

## Labels
- `app.kubernetes.io/part-of: stonks-oracle`
- `app: <service-name>`