admin/stonks-oracle
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5be3ce2db95ebfa8b62030213d65cea817e0a64a
stonks-oracle/.kiro/steering/kubernetes-conventions.md
T
Celes Renata 5be3ce2db9 feat: migrate CI/CD from GHCR to local Harbor registry 
- Makefile: GHCR -> registry.celestium.life/stonks-oracle
- GitHub Actions: login to Harbor, use HARBOR_PASSWORD secret
- infra/k8s/*.yaml: all image refs -> registry.celestium.life
- inttest pipeline: remove GHCR pull secret (local registry, no auth)
- Steering docs: update registry/git endpoints
2026-04-19 07:34:28 +00:00

54 lines
2.2 KiB
Markdown
Raw Blame History

---
inclusion: fileMatch
fileMatchPattern: "infra/**"
---
# Kubernetes & Helm Conventions
## Namespace
All Stonks Oracle workloads deploy to `stonks-oracle` namespace.
The namespace is NOT managed by Helm — it's created by `runmefirst.sh` with Helm ownership labels.
## Helm Chart
- Chart at `infra/helm/stonks-oracle/`
- Services defined in `values.yaml` under `services:` — the deployments template iterates over them
- Adding a new service: add entry to `values.yaml`, add network policy if it needs ingress, add ingress if it needs external access
- Dashboard uses nginx-unprivileged on port 8080 (not 80)
- Superset uses custom image `registry.celestium.life/stonks-oracle/superset:latest` with trino + psycopg2 drivers
## TLS
- Internal services: use `ca-issuer` ClusterIssuer (local CA)
- Annotate ingress with `cert-manager.io/cluster-issuer: ca-issuer`
## Ingress
- Traefik ingress controller
- Domain pattern: `<service>.celestium.life`
- Dashboard: `stonks.celestium.life`
- Query API: `stonks-api.celestium.life`
- Symbol Registry: `stonks-registry.celestium.life`
- Superset: `stonks-dash.celestium.life`
- Trino: `stonks-trino.celestium.life`
## Network Policies
- `default-deny-ingress` blocks all ingress by default
- Each service that needs ingress must have an explicit allow policy
- Dashboard needs: ingress from kube-system (Traefik) on 8080
- Query API needs: ingress from kube-system + dashboard pod on 8000
- Symbol Registry needs: ingress from kube-system + dashboard pod on 8000
- Risk Engine needs: ingress from broker-adapter + query-api + dashboard on 8000
- When adding a new externally-accessible service, add both an ingress AND a network policy
## Service References
- PostgreSQL: `postgresql-rw.postgresql-service.svc.cluster.local:5432`
- Redis: `redis-master.redis-service.svc.cluster.local:6379`
- MinIO API: `minio.minio-service.svc.cluster.local:80`
- Ollama: `ollama.ollama-service.svc.cluster.local:11434`
## Images
- All images from `registry.celestium.life/stonks-oracle/<service>:latest`
- Use `imagePullPolicy: Always`
## Labels
- `app.kubernetes.io/part-of: stonks-oracle`
- `app: <service-name>`
- `stonks-oracle/tier: <tier>` (api, frontend, processing, trading, orchestration, analytics)
Reference in New Issue View Git Blame Copy Permalink