stonks-oracle/infra/inttest/services.yaml

# Application services for integration test sandbox
# Namespace is substituted at runtime via envsubst
# All env vars are inlined (no ConfigMap) so services are self-contained
# Images: ghcr.io/celesrenata/stonks-oracle/<service>:latest
#
# Services:
#   - query-api        (uvicorn services.api.app:app)
#   - symbol-registry  (uvicorn services.symbol_registry.app:app)
#   - risk             (uvicorn services.risk.app:app)
#   - trading-engine   (uvicorn services.trading.app:app)
---
# ── query-api ────────────────────────────────────────────────────────────────
apiVersion: apps/v1
kind: Deployment
metadata:
  name: query-api
  namespace: ${NAMESPACE}
  labels:
    app: query-api
    tier: api
    app.kubernetes.io/part-of: stonks-oracle
spec:
  replicas: 1
  selector:
    matchLabels:
      app: query-api
  template:
    metadata:
      labels:
        app: query-api
        tier: api
    spec:
      automountServiceAccountToken: false
      imagePullSecrets:
        - name: ghcr-credentials
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: query-api
          image: ghcr.io/celesrenata/stonks-oracle/query-api:latest
          imagePullPolicy: Always
          command: ["uvicorn", "services.api.app:app", "--host", "0.0.0.0", "--port", "8000"]
          ports:
            - containerPort: 8000
              protocol: TCP
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          env:
            - name: POSTGRES_HOST
              value: "postgres"
            - name: POSTGRES_PORT
              value: "5432"
            - name: POSTGRES_DB
              value: "stonks"
            - name: POSTGRES_USER
              value: "stonks"
            - name: POSTGRES_PASSWORD
              value: "inttest"
            - name: REDIS_HOST
              value: "redis"
            - name: REDIS_PORT
              value: "6379"
            - name: REDIS_DB
              value: "0"
            - name: REDIS_PASSWORD
              value: ""
            - name: MINIO_ENDPOINT
              value: "minio:9000"
            - name: MINIO_SECURE
              value: "false"
            - name: MINIO_ACCESS_KEY
              value: "minioadmin"
            - name: MINIO_SECRET_KEY
              value: "minioadmin"
            - name: BROKER_MODE
              value: "paper"
            - name: LOG_LEVEL
              value: "INFO"
            - name: JSON_LOGS
              value: "false"
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 256Mi
          readinessProbe:
            httpGet:
              path: /docs
              port: 8000
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 3
            failureThreshold: 6
          volumeMounts:
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: tmp
          emptyDir:
            sizeLimit: 10Mi
---
apiVersion: v1
kind: Service
metadata:
  name: query-api
  namespace: ${NAMESPACE}
  labels:
    app: query-api
    tier: api
    app.kubernetes.io/part-of: stonks-oracle
spec:
  selector:
    app: query-api
  ports:
    - port: 8000
      targetPort: 8000
      protocol: TCP
---
# ── symbol-registry ──────────────────────────────────────────────────────────
apiVersion: apps/v1
kind: Deployment
metadata:
  name: symbol-registry
  namespace: ${NAMESPACE}
  labels:
    app: symbol-registry
    tier: api
    app.kubernetes.io/part-of: stonks-oracle
spec:
  replicas: 1
  selector:
    matchLabels:
      app: symbol-registry
  template:
    metadata:
      labels:
        app: symbol-registry
        tier: api
    spec:
      automountServiceAccountToken: false
      imagePullSecrets:
        - name: ghcr-credentials
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: symbol-registry
          image: ghcr.io/celesrenata/stonks-oracle/symbol-registry:latest
          imagePullPolicy: Always
          command: ["uvicorn", "services.symbol_registry.app:app", "--host", "0.0.0.0", "--port", "8000"]
          ports:
            - containerPort: 8000
              protocol: TCP
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          env:
            - name: POSTGRES_HOST
              value: "postgres"
            - name: POSTGRES_PORT
              value: "5432"
            - name: POSTGRES_DB
              value: "stonks"
            - name: POSTGRES_USER
              value: "stonks"
            - name: POSTGRES_PASSWORD
              value: "inttest"
            - name: REDIS_HOST
              value: "redis"
            - name: REDIS_PORT
              value: "6379"
            - name: REDIS_DB
              value: "0"
            - name: REDIS_PASSWORD
              value: ""
            - name: MINIO_ENDPOINT
              value: "minio:9000"
            - name: MINIO_SECURE
              value: "false"
            - name: MINIO_ACCESS_KEY
              value: "minioadmin"
            - name: MINIO_SECRET_KEY
              value: "minioadmin"
            - name: BROKER_MODE
              value: "paper"
            - name: LOG_LEVEL
              value: "INFO"
            - name: JSON_LOGS
              value: "false"
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 256Mi
          readinessProbe:
            httpGet:
              path: /docs
              port: 8000
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 3
            failureThreshold: 6
          volumeMounts:
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: tmp
          emptyDir:
            sizeLimit: 10Mi
---
apiVersion: v1
kind: Service
metadata:
  name: symbol-registry
  namespace: ${NAMESPACE}
  labels:
    app: symbol-registry
    tier: api
    app.kubernetes.io/part-of: stonks-oracle
spec:
  selector:
    app: symbol-registry
  ports:
    - port: 8000
      targetPort: 8000
      protocol: TCP
---
# ── risk ─────────────────────────────────────────────────────────────────────
apiVersion: apps/v1
kind: Deployment
metadata:
  name: risk
  namespace: ${NAMESPACE}
  labels:
    app: risk
    tier: api
    app.kubernetes.io/part-of: stonks-oracle
spec:
  replicas: 1
  selector:
    matchLabels:
      app: risk
  template:
    metadata:
      labels:
        app: risk
        tier: api
    spec:
      automountServiceAccountToken: false
      imagePullSecrets:
        - name: ghcr-credentials
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: risk
          image: ghcr.io/celesrenata/stonks-oracle/risk:latest
          imagePullPolicy: Always
          command: ["uvicorn", "services.risk.app:app", "--host", "0.0.0.0", "--port", "8000"]
          ports:
            - containerPort: 8000
              protocol: TCP
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          env:
            - name: POSTGRES_HOST
              value: "postgres"
            - name: POSTGRES_PORT
              value: "5432"
            - name: POSTGRES_DB
              value: "stonks"
            - name: POSTGRES_USER
              value: "stonks"
            - name: POSTGRES_PASSWORD
              value: "inttest"
            - name: REDIS_HOST
              value: "redis"
            - name: REDIS_PORT
              value: "6379"
            - name: REDIS_DB
              value: "0"
            - name: REDIS_PASSWORD
              value: ""
            - name: MINIO_ENDPOINT
              value: "minio:9000"
            - name: MINIO_SECURE
              value: "false"
            - name: MINIO_ACCESS_KEY
              value: "minioadmin"
            - name: MINIO_SECRET_KEY
              value: "minioadmin"
            - name: BROKER_MODE
              value: "paper"
            - name: LOG_LEVEL
              value: "INFO"
            - name: JSON_LOGS
              value: "false"
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 256Mi
          readinessProbe:
            httpGet:
              path: /docs
              port: 8000
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 3
            failureThreshold: 6
          volumeMounts:
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: tmp
          emptyDir:
            sizeLimit: 10Mi
---
apiVersion: v1
kind: Service
metadata:
  name: risk
  namespace: ${NAMESPACE}
  labels:
    app: risk
    tier: api
    app.kubernetes.io/part-of: stonks-oracle
spec:
  selector:
    app: risk
  ports:
    - port: 8000
      targetPort: 8000
      protocol: TCP
---
# ── trading-engine ───────────────────────────────────────────────────────────
apiVersion: apps/v1
kind: Deployment
metadata:
  name: trading-engine
  namespace: ${NAMESPACE}
  labels:
    app: trading-engine
    tier: api
    app.kubernetes.io/part-of: stonks-oracle
spec:
  replicas: 1
  selector:
    matchLabels:
      app: trading-engine
  template:
    metadata:
      labels:
        app: trading-engine
        tier: api
    spec:
      automountServiceAccountToken: false
      imagePullSecrets:
        - name: ghcr-credentials
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: trading-engine
          image: ghcr.io/celesrenata/stonks-oracle/trading-engine:latest
          imagePullPolicy: Always
          command: ["uvicorn", "services.trading.app:app", "--host", "0.0.0.0", "--port", "8000"]
          ports:
            - containerPort: 8000
              protocol: TCP
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          env:
            - name: POSTGRES_HOST
              value: "postgres"
            - name: POSTGRES_PORT
              value: "5432"
            - name: POSTGRES_DB
              value: "stonks"
            - name: POSTGRES_USER
              value: "stonks"
            - name: POSTGRES_PASSWORD
              value: "inttest"
            - name: REDIS_HOST
              value: "redis"
            - name: REDIS_PORT
              value: "6379"
            - name: REDIS_DB
              value: "0"
            - name: REDIS_PASSWORD
              value: ""
            - name: MINIO_ENDPOINT
              value: "minio:9000"
            - name: MINIO_SECURE
              value: "false"
            - name: MINIO_ACCESS_KEY
              value: "minioadmin"
            - name: MINIO_SECRET_KEY
              value: "minioadmin"
            - name: BROKER_MODE
              value: "paper"
            - name: LOG_LEVEL
              value: "INFO"
            - name: JSON_LOGS
              value: "false"
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 256Mi
          readinessProbe:
            httpGet:
              path: /docs
              port: 8000
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 3
            failureThreshold: 6
          volumeMounts:
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: tmp
          emptyDir:
            sizeLimit: 10Mi
---
apiVersion: v1
kind: Service
metadata:
  name: trading-engine
  namespace: ${NAMESPACE}
  labels:
    app: trading-engine
    tier: api
    app.kubernetes.io/part-of: stonks-oracle
spec:
  selector:
    app: trading-engine
  ports:
    - port: 8000
      targetPort: 8000
      protocol: TCP