---
# Namespace holding every BI-platform workload defined in this manifest.
apiVersion: v1
kind: Namespace
metadata:
  name: bi-platform
---
# Non-secret runtime settings. Every Deployment below loads this whole map
# via envFrom, so each key becomes an environment variable in all four services.
# Values are quoted on purpose: env vars are strings, and quoting keeps
# "true" / "30" from being read as bool / int by YAML tooling.
apiVersion: v1
kind: ConfigMap
metadata:
  name: bi-platform-config
  namespace: bi-platform
data:
  APP_ENV: "prod"
  LOG_LEVEL: "INFO"
  CORS_ORIGINS: "https://bi.example.com"

  # Browser-facing JWT validation: issuer, JWKS endpoint, expected audience,
  # algorithm, required scopes and the clock-skew tolerance in seconds.
  REQUIRE_FRONTEND_AUTH: "true"
  FRONTEND_JWT_ISSUER_URL: "https://idp.example.com/realms/bi"
  FRONTEND_JWT_JWKS_URL: "https://idp.example.com/realms/bi/protocol/openid-connect/certs"
  FRONTEND_JWT_AUDIENCE: "otel-bi-api"
  FRONTEND_JWT_ALGORITHM: "RS256"
  FRONTEND_REQUIRED_SCOPES: "openid profile email"
  FRONTEND_CLOCK_SKEW_SECONDS: "30"

  # Service-to-service tokens: short TTL, a dedicated audience, and
  # api-gateway as the only accepted issuer. The shared secret these
  # tokens presumably rely on is kept in the Secret below, not here.
  INTERNAL_SERVICE_AUTH_ENABLED: "true"
  INTERNAL_SERVICE_TOKEN_TTL_SECONDS: "120"
  INTERNAL_SERVICE_TOKEN_AUDIENCE: "bi-internal"
  INTERNAL_SERVICE_ALLOWED_ISSUERS: "api-gateway"
  INTERNAL_TOKEN_CLOCK_SKEW_SECONDS: "15"

  # In-cluster addresses of the backend services and the OTel collector.
  # Plain HTTP: this traffic stays inside the cluster network.
  QUERY_SERVICE_URL: "http://bi-query.bi-platform.svc.cluster.local:8000"
  ANALYTICS_SERVICE_URL: "http://analytics.bi-platform.svc.cluster.local:8000"
  PERSISTENCE_SERVICE_URL: "http://persistence.bi-platform.svc.cluster.local:8000"
  OTEL_COLLECTOR_ENDPOINT: "http://alloy.monitoring.svc.cluster.local:4318"
---
# Database credentials and the internal service secret.
# NOTE(review): every value here is a placeholder. Real values should be
# injected at deploy time (secret manager / external secrets operator)
# rather than committed with the manifest; the internal shared secret must
# be a strong random value of at least 32 bytes, as its placeholder says.
# NOTE(review): all four Deployments mount this entire Secret via envFrom,
# so every service receives the MSSQL and Postgres credentials and the
# shared secret whether or not it uses them. Splitting it per service
# would narrow what a single compromised pod can read.
# POSTGRES_REQUIRED is not sensitive and could live in the ConfigMap instead.
apiVersion: v1
kind: Secret
metadata:
  name: bi-platform-secrets
  namespace: bi-platform
type: Opaque
stringData:
  MSSQL_HOST: "mssql.dw.svc.cluster.local"
  MSSQL_PORT: "1433"
  MSSQL_USERNAME: "readonly_user"
  MSSQL_PASSWORD: "readonly_password"
  POSTGRES_HOST: "postgres.app.svc.cluster.local"
  POSTGRES_PORT: "5432"
  POSTGRES_DATABASE: "otel_bi_app"
  POSTGRES_USERNAME: "otel_bi_app"
  POSTGRES_PASSWORD: "otel_bi_app"
  POSTGRES_REQUIRED: "true"
  INTERNAL_SERVICE_SHARED_SECRET: "replace-with-strong-random-secret-min-32-bytes"
---
# api-gateway Deployment. Per INTERNAL_SERVICE_ALLOWED_ISSUERS in the
# ConfigMap this is the only workload allowed to issue internal tokens.
#
# Pod hardening applied here and repeated in the other three Deployments:
#   - automountServiceAccountToken: false -> no Kubernetes API credential
#     inside the container.
#   - non-root UID, no privilege escalation, all capabilities dropped,
#     RuntimeDefault seccomp.
#
# TODO(review), applies to all four Deployments:
#   - The image uses the mutable "latest" tag together with
#     imagePullPolicy: IfNotPresent, so a node keeps whatever "latest" it has
#     cached and pods may run different builds after a rollout. Pin to an
#     immutable tag or digest (otel-bi-backend@sha256:<digest-placeholder>).
#   - No resources.requests/limits: these pods are BestEffort QoS and are the
#     first to be evicted under node pressure.
#   - No readiness/liveness probes, so the Service routes to pods before
#     uvicorn is listening and never stops routing to a hung pod.
#   - readOnlyRootFilesystem is not set; enable it if the app does not need a
#     writable root (mount an emptyDir for any scratch path it does need).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-gateway
  namespace: bi-platform
spec:
  replicas: 2
  selector:
    matchLabels:
      app: api-gateway
  template:
    metadata:
      labels:
        app: api-gateway
    spec:
      automountServiceAccountToken: false
      containers:
        - name: api-gateway
          image: ghcr.io/your-org/otel-bi-backend:latest
          imagePullPolicy: IfNotPresent
          # Binding to 0.0.0.0 is required so the Service can reach the
          # container on its pod IP.
          command:
            - "uvicorn"
            - "microservices.api_gateway.main:app"
            - "--host"
            - "0.0.0.0"
            - "--port"
            - "8000"
          envFrom:
            - configMapRef:
                name: bi-platform-config
            - secretRef:
                name: bi-platform-secrets
          ports:
            - containerPort: 8000
          securityContext:
            runAsNonRoot: true
            runAsUser: 10001
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - "ALL"
            seccompProfile:
              type: RuntimeDefault
---
# ClusterIP Service (default type) in front of api-gateway on port 8000.
# NOTE(review): no NetworkPolicy is defined in this manifest, so every pod
# in the cluster can reach these Services; a policy limiting ingress to the
# intended callers (e.g. only api-gateway for the three backends) would
# enforce the trust boundary the internal-token check assumes.
apiVersion: v1
kind: Service
metadata:
  name: api-gateway
  namespace: bi-platform
spec:
  selector:
    app: api-gateway
  ports:
    - port: 8000
      targetPort: 8000
---
# bi-query Deployment. Same image, env sources, hardening and open TODOs as
# api-gateway; only the uvicorn app module and the labels differ.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: bi-query
  namespace: bi-platform
spec:
  replicas: 2
  selector:
    matchLabels:
      app: bi-query
  template:
    metadata:
      labels:
        app: bi-query
    spec:
      automountServiceAccountToken: false
      containers:
        - name: bi-query
          image: ghcr.io/your-org/otel-bi-backend:latest
          imagePullPolicy: IfNotPresent
          command:
            - "uvicorn"
            - "microservices.bi_query.main:app"
            - "--host"
            - "0.0.0.0"
            - "--port"
            - "8000"
          envFrom:
            - configMapRef:
                name: bi-platform-config
            - secretRef:
                name: bi-platform-secrets
          ports:
            - containerPort: 8000
          securityContext:
            runAsNonRoot: true
            runAsUser: 10001
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - "ALL"
            seccompProfile:
              type: RuntimeDefault
---
# ClusterIP Service for bi-query; this is the host named in QUERY_SERVICE_URL.
apiVersion: v1
kind: Service
metadata:
  name: bi-query
  namespace: bi-platform
spec:
  selector:
    app: bi-query
  ports:
    - port: 8000
      targetPort: 8000
---
# analytics Deployment. Same image, env sources, hardening and open TODOs as
# api-gateway; only the uvicorn app module and the labels differ.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: analytics
  namespace: bi-platform
spec:
  replicas: 2
  selector:
    matchLabels:
      app: analytics
  template:
    metadata:
      labels:
        app: analytics
    spec:
      automountServiceAccountToken: false
      containers:
        - name: analytics
          image: ghcr.io/your-org/otel-bi-backend:latest
          imagePullPolicy: IfNotPresent
          command:
            - "uvicorn"
            - "microservices.analytics.main:app"
            - "--host"
            - "0.0.0.0"
            - "--port"
            - "8000"
          envFrom:
            - configMapRef:
                name: bi-platform-config
            - secretRef:
                name: bi-platform-secrets
          ports:
            - containerPort: 8000
          securityContext:
            runAsNonRoot: true
            runAsUser: 10001
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - "ALL"
            seccompProfile:
              type: RuntimeDefault
---
# ClusterIP Service for analytics; this is the host named in ANALYTICS_SERVICE_URL.
apiVersion: v1
kind: Service
metadata:
  name: analytics
  namespace: bi-platform
spec:
  selector:
    app: analytics
  ports:
    - port: 8000
      targetPort: 8000
---
# persistence Deployment. Same image, env sources, hardening and open TODOs
# as api-gateway; only the uvicorn app module and the labels differ.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: persistence
  namespace: bi-platform
spec:
  replicas: 2
  selector:
    matchLabels:
      app: persistence
  template:
    metadata:
      labels:
        app: persistence
    spec:
      automountServiceAccountToken: false
      containers:
        - name: persistence
          image: ghcr.io/your-org/otel-bi-backend:latest
          imagePullPolicy: IfNotPresent
          command:
            - "uvicorn"
            - "microservices.persistence.main:app"
            - "--host"
            - "0.0.0.0"
            - "--port"
            - "8000"
          envFrom:
            - configMapRef:
                name: bi-platform-config
            - secretRef:
                name: bi-platform-secrets
          ports:
            - containerPort: 8000
          securityContext:
            runAsNonRoot: true
            runAsUser: 10001
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - "ALL"
            seccompProfile:
              type: RuntimeDefault
---
# ClusterIP Service for persistence; this is the host named in PERSISTENCE_SERVICE_URL.
apiVersion: v1
kind: Service
metadata:
  name: persistence
  namespace: bi-platform
spec:
  selector:
    app: persistence
  ports:
    - port: 8000
      targetPort: 8000