[Refactor] Review and improve configurations

.env.example

@@ -1,25 +1,105 @@
 # =============================================================================
-# Environment Variables for docker-compose-all.yml
+# Environment Variables Reference
 # =============================================================================
-# Copy this file to .env and customize values for your environment.
-#
-# Usage:
-#   cp .env.example .env
-#   # Edit .env with your values
-#   docker compose -f docker-compose-all.yml up -d
+# Copy to .env and customize:  cp .env.example .env
 #
 # SECURITY WARNING:
 #   - Never commit .env to version control
 #   - Use secrets management (Vault, AWS Secrets Manager) in production
+#
+# Profiles:
+#   - local: Docker Compose auto-configures DB/Kafka (minimal .env needed)
+#   - dev:   Requires DB_*, JWT_*, KAFKA_* variables
+#   - prod:  Requires all security-sensitive variables
 # =============================================================================
 
-# Database password (used by both app and postgres containers)
+# -----------------------------------------------------------------------------
+# Profile Selection
+# -----------------------------------------------------------------------------
+SPRING_PROFILES_ACTIVE=local
+
+# -----------------------------------------------------------------------------
+# Database Configuration
+# -----------------------------------------------------------------------------
+# Required for: dev, prod profiles
+# Local profile uses Docker Compose auto-configuration
+DB_URL=jdbc:postgresql://localhost:5432/users
+DB_USERNAME=app_user
 DB_PASSWORD=your_secure_password_here
 
-# JWT secrets - MUST be at least 64 bytes for HS512
-# Generate with: openssl rand -base64 64
+# Connection Pool (optional, has defaults)
+# DB_POOL_MAX=10    # Default: 10 (local/dev), 20 (prod)
+# DB_POOL_MIN=2     # Default: 2 (local/dev), 5 (prod)
+
+# -----------------------------------------------------------------------------
+# Kafka Configuration
+# -----------------------------------------------------------------------------
+# Required for: dev, prod profiles
+# Local profile defaults to localhost:29092 (Docker Compose)
+KAFKA_BOOTSTRAP_SERVERS=localhost:29092
+
+# -----------------------------------------------------------------------------
+# JWT Configuration
+# -----------------------------------------------------------------------------
+# SECURITY: Generate secrets with: openssl rand -base64 64
+# Required for: dev, prod profiles
+# Local profile uses insecure defaults (DO NOT use in production)
 JWT_ACCESS_SECRET=your-64-byte-access-secret-generated-with-openssl-rand-base64-64-command
 JWT_REFRESH_SECRET=your-64-byte-refresh-secret-generated-with-openssl-rand-base64-64-command
 
-# CORS allowed origins (comma-separated for multiple)
+# Token expiration (optional, has defaults)
+# JWT_ACCESS_EXPIRES_IN=15m
+# JWT_REFRESH_EXPIRES_IN=7d
+# JWT_ISSUER=user-service
+
+# -----------------------------------------------------------------------------
+# CORS Configuration
+# -----------------------------------------------------------------------------
+# Required for: prod profile
+# Dev/local default to http://localhost:3000
 CORS_ALLOWED_ORIGINS=http://localhost:3000
+
+# -----------------------------------------------------------------------------
+# Mail Configuration (Optional)
+# -----------------------------------------------------------------------------
+# Required only if email functionality is needed
+MAIL_HOST=smtp.gmail.com
+MAIL_PORT=587
+MAIL_USERNAME=
+MAIL_PASSWORD=
+APP_MAIL_FROM=noreply@example.com
+APP_MAIL_FROM_NAME=User Service
+
+# -----------------------------------------------------------------------------
+# OAuth2 Configuration (Optional)
+# -----------------------------------------------------------------------------
+# Required only if social login is enabled
+
+# Google OAuth2
+OAUTH2_GOOGLE_CLIENT_ID=
+OAUTH2_GOOGLE_CLIENT_SECRET=
+
+# GitHub OAuth2
+OAUTH2_GITHUB_CLIENT_ID=
+OAUTH2_GITHUB_CLIENT_SECRET=
+
+# OAuth2 Redirect URLs (optional, defaults to static pages)
+# APP_OAUTH2_SUCCESS_URL=http://localhost:3000/auth/callback
+# APP_OAUTH2_FAILURE_URL=http://localhost:3000/auth/error
+
+# -----------------------------------------------------------------------------
+# Server Configuration (Optional)
+# -----------------------------------------------------------------------------
+# SERVER_PORT=8080
+# GRPC_PORT=9090
+# GRPC_REFLECTION_ENABLED=true    # Set to false in prod
+
+# -----------------------------------------------------------------------------
+# Logging (Optional)
+# -----------------------------------------------------------------------------
+# LOG_LEVEL_APP=INFO    # DEBUG for dev, INFO for prod
+
+# -----------------------------------------------------------------------------
+# Swagger (Optional)
+# -----------------------------------------------------------------------------
+# SWAGGER_ENABLED=false   # Overridden by profile configs

auto/docker_logs

@@ -1,3 +1,3 @@
 #!/usr/bin/env sh
 
-docker compose -f docker-compose-all.yml logs -f --tail 50
+docker compose -f docker-compose-app.yml logs -f --tail 50

auto/docker_start

@@ -1,3 +1,3 @@
 #!/usr/bin/env sh
 
-docker compose -f docker-compose-all.yml up -d --build
+docker compose -f docker-compose-app.yml up -d --build

auto/docker_stop

@@ -1,3 +1,3 @@
 #!/usr/bin/env sh
 
-docker compose -f docker-compose-all.yml down
+docker compose -f docker-compose-app.yml down -v

deploy/README.md

@@ -0,0 +1,172 @@
+# Deployment Configurations
+
+This directory contains deployment configurations for AWS ECS and Kubernetes (EKS).
+
+## Directory Structure
+
+```
+deploy/
+├── ecs/
+│   ├── task-def.dev.json      # ECS Fargate task definition (dev)
+│   └── task-def.prod.json     # ECS Fargate task definition (prod)
+└── k8s/
+    ├── base/                   # Base Kubernetes manifests
+    │   ├── deployment.yaml
+    │   ├── service.yaml
+    │   ├── serviceaccount.yaml
+    │   ├── configmap.yaml
+    │   ├── external-secret.yaml
+    │   └── kustomization.yaml
+    └── overlays/
+        ├── dev/                # Dev environment overlay
+        │   └── kustomization.yaml
+        └── prod/               # Prod environment overlay
+            ├── kustomization.yaml
+            ├── hpa.yaml        # Horizontal Pod Autoscaler
+            └── pdb.yaml        # Pod Disruption Budget
+```
+
+## AWS ECS Deployment
+
+### Prerequisites
+
+1. Create secrets in AWS Secrets Manager:
+   ```bash
+   # Dev secrets
+   aws secretsmanager create-secret --name dev/user-service/db \
+     --secret-string '{"username":"app_user","password":"your-password"}'
+
+   aws secretsmanager create-secret --name dev/user-service/jwt \
+     --secret-string '{"access-secret":"your-64-byte-secret","refresh-secret":"your-64-byte-secret"}'
+
+   # Repeat for prod/user-service/*
+   ```
+
+2. Create ECS Task Execution Role with Secrets Manager access
+
+### Deploy
+
+```bash
+# Replace variables and register task definition
+export AWS_ACCOUNT_ID=123456789
+export AWS_REGION=ap-southeast-2
+export IMAGE_TAG=v1.0.0
+
+# Dev
+envsubst < deploy/ecs/task-def.dev.json | \
+  aws ecs register-task-definition --cli-input-json file:///dev/stdin
+
+# Prod
+envsubst < deploy/ecs/task-def.prod.json | \
+  aws ecs register-task-definition --cli-input-json file:///dev/stdin
+
+# Update service
+aws ecs update-service --cluster user-service-dev \
+  --service user-service --task-definition user-service-dev
+```
+
+## Kubernetes (EKS) Deployment
+
+### Prerequisites
+
+1. Install [External Secrets Operator](https://external-secrets.io/):
+   ```bash
+   helm repo add external-secrets https://charts.external-secrets.io
+   helm install external-secrets external-secrets/external-secrets \
+     -n external-secrets --create-namespace
+   ```
+
+2. Create ClusterSecretStore for AWS Secrets Manager:
+   ```yaml
+   apiVersion: external-secrets.io/v1beta1
+   kind: ClusterSecretStore
+   metadata:
+     name: aws-secrets-manager
+   spec:
+     provider:
+       aws:
+         service: SecretsManager
+         region: ap-southeast-2
+         auth:
+           jwt:
+             serviceAccountRef:
+               name: external-secrets
+               namespace: external-secrets
+   ```
+
+3. Create secrets in AWS Secrets Manager (same as ECS)
+
+### Deploy with Kustomize
+
+```bash
+# Preview dev manifests
+kubectl kustomize deploy/k8s/overlays/dev
+
+# Deploy to dev
+kubectl apply -k deploy/k8s/overlays/dev
+
+# Deploy to prod
+kubectl apply -k deploy/k8s/overlays/prod
+```
+
+### Deploy with kubectl directly
+
+```bash
+# Build and apply
+kustomize build deploy/k8s/overlays/dev | kubectl apply -f -
+```
+
+## Environment-Specific Configuration
+
+| Setting | Dev | Prod |
+|---------|-----|------|
+| Replicas | 1 | 2 (HPA: 2-10) |
+| CPU Request | 100m | 250m |
+| CPU Limit | 500m | 1000m |
+| Memory Request | 256Mi | 512Mi |
+| Memory Limit | 512Mi | 1Gi |
+| DB Pool Max | 5 | 20 |
+| DB Pool Min | 2 | 5 |
+
+## Secrets Structure in AWS Secrets Manager
+
+```
+dev/user-service/db          # {"username": "...", "password": "..."}
+dev/user-service/jwt         # {"access-secret": "...", "refresh-secret": "..."}
+dev/user-service/mail        # {"username": "...", "password": "..."}
+dev/user-service/oauth2      # {"google-client-id": "...", "google-client-secret": "...", ...}
+
+prod/user-service/db
+prod/user-service/jwt
+prod/user-service/mail
+prod/user-service/oauth2
+```
+
+## CI/CD Integration
+
+### GitHub Actions Example
+
+```yaml
+- name: Deploy to ECS
+  run: |
+    envsubst < deploy/ecs/task-def.${{ env.ENVIRONMENT }}.json > task-def.json
+    aws ecs register-task-definition --cli-input-json file://task-def.json
+    aws ecs update-service --cluster ${{ env.CLUSTER }} --service user-service \
+      --task-definition user-service-${{ env.ENVIRONMENT }}
+```
+
+### ArgoCD (Kubernetes)
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: user-service-dev
+spec:
+  source:
+    repoURL: https://github.com/your-org/java-springboot
+    path: deploy/k8s/overlays/dev
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: user-service-dev
+```