feat: metricas backend (1.3) + ServiceMonitor + dashboard + netpol monitoring; rename ingress acme

platform/monitoring/athleticmap-dashboard.yaml

@@ -0,0 +1,51 @@
+# Dashboard Grafana dos backends Athletic Map (auto-importado pelo sidecar via label grafana_dashboard)
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: athleticmap-dashboard
+  namespace: monitoring
+  labels:
+    grafana_dashboard: "1"
+data:
+  athleticmap-backends.json: |
+    {
+      "title": "Athletic Map — Backends",
+      "uid": "athleticmap-backends",
+      "tags": ["athleticmap"],
+      "timezone": "browser",
+      "schemaVersion": 39,
+      "version": 1,
+      "refresh": "30s",
+      "time": { "from": "now-6h", "to": "now" },
+      "templating": {
+        "list": [
+          { "name": "datasource", "type": "datasource", "query": "prometheus", "hide": 0, "current": {} }
+        ]
+      },
+      "panels": [
+        {
+          "type": "timeseries", "title": "HTTP req/s por tenant",
+          "gridPos": { "h": 8, "w": 12, "x": 0, "y": 0 },
+          "datasource": { "type": "prometheus", "uid": "${datasource}" },
+          "targets": [ { "expr": "sum(rate(http_server_requests_seconds_count[5m])) by (tenant)", "legendFormat": "{{tenant}}" } ]
+        },
+        {
+          "type": "timeseries", "title": "p95 latencia (s) por tenant",
+          "gridPos": { "h": 8, "w": 12, "x": 12, "y": 0 },
+          "datasource": { "type": "prometheus", "uid": "${datasource}" },
+          "targets": [ { "expr": "histogram_quantile(0.95, sum(rate(http_server_requests_seconds_bucket[5m])) by (le,tenant))", "legendFormat": "{{tenant}}" } ]
+        },
+        {
+          "type": "timeseries", "title": "JVM heap usado (bytes) por tenant",
+          "gridPos": { "h": 8, "w": 12, "x": 0, "y": 8 },
+          "datasource": { "type": "prometheus", "uid": "${datasource}" },
+          "targets": [ { "expr": "sum(jvm_memory_used_bytes{area=\"heap\"}) by (tenant)", "legendFormat": "{{tenant}}" } ]
+        },
+        {
+          "type": "timeseries", "title": "CPU do processo por tenant",
+          "gridPos": { "h": 8, "w": 12, "x": 12, "y": 8 },
+          "datasource": { "type": "prometheus", "uid": "${datasource}" },
+          "targets": [ { "expr": "sum(process_cpu_usage) by (tenant)", "legendFormat": "{{tenant}}" } ]
+        }
+      ]
+    }

platform/monitoring/backends-servicemonitor.yaml

@@ -0,0 +1,18 @@
+# Scrape das metricas Prometheus dos backends Spring Boot (qualquer tenant: service label app=backend)
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: athleticmap-backends
+  namespace: monitoring
+  labels:
+    release: monitoring
+spec:
+  namespaceSelector:
+    any: true
+  selector:
+    matchLabels:
+      app: backend
+  endpoints:
+    - port: http
+      path: /actuator/prometheus
+      interval: 30s

tenants/acme/30-apps-stubs.yaml

@@ -1,11 +1,11 @@
 # Apps do tenant demo:
-#  - backend: Spring Boot OAuth2 Resource Server (imagem athletic-map-backend:1.2, porta 8083)
+#  - backend: Spring Boot OAuth2 Resource Server (imagem athletic-map-backend:1.3, porta 8083)
 #  - frontend: SPA OIDC Authorization Code + PKCE (keycloak-js) chamando /api/me
 #  - bff: stub (whoami)
 ---
 apiVersion: apps/v1
 kind: Deployment
-metadata: { name: backend, namespace: acme-prod }
+metadata: { name: backend, namespace: acme-prod, labels: { app: backend } }
 spec:
   replicas: 1
   selector: { matchLabels: { app: backend } }
@@ -14,7 +14,7 @@ spec:
     spec:
       containers:
         - name: backend
-          image: docker.io/library/athletic-map-backend:1.2
+          image: docker.io/library/athletic-map-backend:1.3
           imagePullPolicy: Never
           env:
             - { name: ATM_JWK_SET_URI, value: "http://keycloak:8080/realms/athleticmap/protocol/openid-connect/certs" }
@@ -29,10 +29,10 @@ spec:
 ---
 apiVersion: v1
 kind: Service
-metadata: { name: backend, namespace: acme-prod }
+metadata: { name: backend, namespace: acme-prod, labels: { app: backend } }
 spec:
   selector: { app: backend }
-  ports: [{ port: 80, targetPort: 8083 }]
+  ports: [{ name: http, port: 80, targetPort: 8083 }]
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -126,7 +126,7 @@ spec:
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: demo
+  name: acme
   namespace: acme-prod
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-prod

tenants/demo/30-apps-stubs.yaml

@@ -1,11 +1,11 @@
 # Apps do tenant demo:
-#  - backend: Spring Boot OAuth2 Resource Server (imagem athletic-map-backend:1.2, porta 8083)
+#  - backend: Spring Boot OAuth2 Resource Server (imagem athletic-map-backend:1.3, porta 8083)
 #  - frontend: SPA OIDC Authorization Code + PKCE (keycloak-js) chamando /api/me
 #  - bff: stub (whoami)
 ---
 apiVersion: apps/v1
 kind: Deployment
-metadata: { name: backend, namespace: demo-prod }
+metadata: { name: backend, namespace: demo-prod, labels: { app: backend } }
 spec:
   replicas: 1
   selector: { matchLabels: { app: backend } }
@@ -14,7 +14,7 @@ spec:
     spec:
       containers:
         - name: backend
-          image: docker.io/library/athletic-map-backend:1.2
+          image: docker.io/library/athletic-map-backend:1.3
           imagePullPolicy: Never
           env:
             - { name: ATM_JWK_SET_URI, value: "http://keycloak:8080/realms/athleticmap/protocol/openid-connect/certs" }
@@ -29,10 +29,10 @@ spec:
 ---
 apiVersion: v1
 kind: Service
-metadata: { name: backend, namespace: demo-prod }
+metadata: { name: backend, namespace: demo-prod, labels: { app: backend } }
 spec:
   selector: { app: backend }
-  ports: [{ port: 80, targetPort: 8083 }]
+  ports: [{ name: http, port: 80, targetPort: 8083 }]
 ---
 apiVersion: apps/v1
 kind: Deployment

tenants/piloto/00-namespace-quota-netpol.yaml

@@ -55,6 +55,9 @@ spec:
         - namespaceSelector:
             matchLabels:
               kubernetes.io/metadata.name: kube-system   # Traefik (ingress)
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: monitoring
   egress:
     - to:                                        # intra-namespace (pods) + ClusterIPs (VIP de service, pre-DNAT)
         - podSelector: {}

tenants/piloto/30-apps-stubs.yaml

@@ -5,7 +5,7 @@
 ---
 apiVersion: apps/v1
 kind: Deployment
-metadata: { name: backend, namespace: piloto-prod }
+metadata: { name: backend, namespace: piloto-prod, labels: { app: backend } }
 spec:
   replicas: 1
   selector: { matchLabels: { app: backend } }
@@ -14,7 +14,7 @@ spec:
     spec:
       containers:
         - name: backend
-          image: docker.io/library/athletic-map-backend:1.2
+          image: docker.io/library/athletic-map-backend:1.3
           imagePullPolicy: Never
           env:
             - { name: ATM_JWK_SET_URI, value: "http://keycloak:8080/realms/athleticmap/protocol/openid-connect/certs" }
@@ -29,10 +29,10 @@ spec:
 ---
 apiVersion: v1
 kind: Service
-metadata: { name: backend, namespace: piloto-prod }
+metadata: { name: backend, namespace: piloto-prod, labels: { app: backend } }
 spec:
   selector: { app: backend }
-  ports: [{ port: 80, targetPort: 8083 }]
+  ports: [{ name: http, port: 80, targetPort: 8083 }]
 ---
 apiVersion: apps/v1
 kind: Deployment