stonks-oracle/.kiro/steering/kubernetes-conventions.md
Celes Renata 5be3ce2db9 feat: migrate CI/CD from GHCR to local Harbor registry
- Makefile: GHCR -> registry.celestium.life/stonks-oracle
- GitHub Actions: login to Harbor, use HARBOR_PASSWORD secret
- infra/k8s/*.yaml: all image refs -> registry.celestium.life
- inttest pipeline: remove GHCR pull secret (local registry, no auth)
- Steering docs: update registry/git endpoints
2026-04-19 07:34:28 +00:00


inclusion: fileMatch
fileMatchPattern: infra/**

Kubernetes & Helm Conventions

Namespace

All Stonks Oracle workloads deploy to the stonks-oracle namespace. The namespace is NOT managed by Helm — it's created by runmefirst.sh with Helm ownership labels.

Helm Chart

  • Chart at infra/helm/stonks-oracle/
  • Services are defined in values.yaml under services: — the deployments template iterates over them
  • Adding a new service: add entry to values.yaml, add network policy if it needs ingress, add ingress if it needs external access
  • Dashboard uses nginx-unprivileged on port 8080 (not 80)
  • Superset uses custom image registry.celestium.life/stonks-oracle/superset:latest with trino + psycopg2 drivers

TLS

  • Internal services: use ca-issuer ClusterIssuer (local CA)
  • Annotate ingress with cert-manager.io/cluster-issuer: ca-issuer

Ingress

  • Traefik ingress controller
  • Domain pattern: <service>.celestium.life
  • Dashboard: stonks.celestium.life
  • Query API: stonks-api.celestium.life
  • Symbol Registry: stonks-registry.celestium.life
  • Superset: stonks-dash.celestium.life
  • Trino: stonks-trino.celestium.life

Network Policies

  • default-deny-ingress blocks all ingress by default
  • Each service that needs ingress must have an explicit allow policy
  • Dashboard needs: ingress from kube-system (Traefik) on 8080
  • Query API needs: ingress from kube-system + dashboard pod on 8000
  • Symbol Registry needs: ingress from kube-system + dashboard pod on 8000
  • Risk Engine needs: ingress from broker-adapter + query-api + dashboard on 8000
  • When adding a new externally-accessible service, add both an ingress AND a network policy
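The default-deny plus explicit-allow model above, written out for the Query API as an added example (not a manifest from the chart). It assumes pod labels app: dashboard and app: query-api per the Labels section, that kube-system carries the standard kubernetes.io/metadata.name label, and a policy name allow-query-api-ingress chosen here for illustration.

```yaml
# Baseline: selects every pod in the namespace and allows no ingress at all.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: stonks-oracle
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# Explicit allow for the Query API: Traefik (kube-system) and the dashboard
# pod, TCP 8000 only. Policy name is an assumption for this example.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-query-api-ingress
  namespace: stonks-oracle
  labels:
    app.kubernetes.io/part-of: stonks-oracle
spec:
  podSelector:
    matchLabels:
      app: query-api
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Two separate list items = two independent peers (OR). Putting
        # namespaceSelector and podSelector in ONE item would AND them, and
        # the dashboard pod (same namespace, not kube-system) would be denied.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
        - podSelector:
            matchLabels:
              app: dashboard
      ports:
        - protocol: TCP
          port: 8000
```

Because default-deny-ingress already selects every pod, a service with no matching allow policy is unreachable even from Traefik, which is why a new externally-accessible service needs both an Ingress object and a policy like the second one here.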

Service References

  • PostgreSQL: postgresql-rw.postgresql-service.svc.cluster.local:5432
  • Redis: redis-master.redis-service.svc.cluster.local:6379
  • MinIO API: minio.minio-service.svc.cluster.local:80
  • Ollama: ollama.ollama-service.svc.cluster.local:11434

Images

  • All images from registry.celestium.life/stonks-oracle/<service>:latest
  • Use imagePullPolicy: Always

Labels

  • app.kubernetes.io/part-of: stonks-oracle
  • app: <service-name>
  • stonks-oracle/tier: <tier> (api, frontend, processing, trading, orchestration, analytics)