feat: add K8s optimized Docker images with dual build strategy

Add Kubernetes-optimized Dockerfiles alongside original Docker Compose versions: **New K8s Dockerfiles:** - python/Dockerfile.k8s.server - Non-root, graceful shutdown - python/Dockerfile.k8s.mcp - Lightweight K8s optimized - python/Dockerfile.k8s.agents - Production-ready agents - archon-ui-main/Dockerfile.k8s.production - Non-root nginx **CI/CD Updates:** - Modified .gitea/workflows/build-images.yml for serial execution - Builds 8 images: 4 Docker versions + 4 K8s versions - Tags: docker-latest/docker-{sha} and k8s-latest/k8s-{sha} - Serial execution prevents memory overload **K8s Manifest Updates:** - Updated k8s-manifests-complete.yaml to use k8s-latest tags - Added securityContext for non-root execution - Added terminationGracePeriodSeconds for graceful shutdown - Applied container security best practices **Optimizations:** - Non-root users (UID/GID 1001) for all services - Proper signal propagation (graceful shutdown) - Removed HEALTHCHECK (K8s uses probes) - Cache cleanup for smaller images (~10% reduction) - Production-only builds (no test files) **Documentation:** - DOCKER_K8S_BUILD_STRATEGY.md - Complete usage guide - DOCKERFILE_K8S_IMPROVEMENTS.md - Technical analysis Original Dockerfiles remain unchanged for Docker Compose compatibility. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-07 12:38:40 -03:00 · 2025-10-07 12:38:40 -03:00 · cfb7188045
commit cfb7188045
parent b58143c70a
8 changed files with 1060 additions and 34 deletions
--- a/.gitea/workflows/build-images.yml
+++ b/.gitea/workflows/build-images.yml
@ -11,7 +11,13 @@ env:
  REGISTRY_PATH: luis.erlacher/archon
 jobs:
-  build-server:
+  # =============================================================================
  # DOCKER BUILDS - Original Dockerfiles for Docker Compose
  # Tags: latest, docker-latest, docker-{sha}
  # Execução em SÉRIE para não sobrecarregar memória do sistema
  # =============================================================================
  build-server-docker:
    runs-on: wsl
    steps:
      - name: Checkout
@ -19,56 +25,156 @@ jobs:
          git clone https://luis.erlacher:R%40tV8rhqC%40BN3ttfF8@git.automatizase.com.br/luis.erlacher/Archon.git .
          git checkout ${{ github.sha }}
-      - name: Build and push server
+      - name: Build and push server (Docker version)
        run: |
          cd python
-          docker build -f Dockerfile.server -t ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/server:latest -t ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/server:${{ github.sha }} .
+          docker build -f Dockerfile.server \
            -t ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/server:latest \
            -t ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/server:docker-latest \
            -t ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/server:docker-${{ github.sha }} .
          docker push ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/server:latest
-          docker push ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/server:${{ github.sha }}
+          docker push ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/server:docker-latest
          docker push ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/server:docker-${{ github.sha }}
-  build-mcp:
+  build-mcp-docker:
    runs-on: wsl
    needs: build-server-docker
    steps:
      - name: Checkout
        run: |
          git clone https://luis.erlacher:R%40tV8rhqC%40BN3ttfF8@git.automatizase.com.br/luis.erlacher/Archon.git .
          git checkout ${{ github.sha }}
-      - name: Build and push mcp
+      - name: Build and push mcp (Docker version)
        run: |
          cd python
-          docker build -f Dockerfile.mcp -t ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/mcp:latest -t ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/mcp:${{ github.sha }} .
+          docker build -f Dockerfile.mcp \
            -t ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/mcp:latest \
            -t ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/mcp:docker-latest \
            -t ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/mcp:docker-${{ github.sha }} .
          docker push ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/mcp:latest
-          docker push ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/mcp:${{ github.sha }}
+          docker push ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/mcp:docker-latest
          docker push ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/mcp:docker-${{ github.sha }}
-  build-frontend:
+  build-agents-docker:
    runs-on: wsl
    needs: build-mcp-docker
    steps:
      - name: Checkout
        run: |
          git clone https://luis.erlacher:R%40tV8rhqC%40BN3ttfF8@git.automatizase.com.br/luis.erlacher/Archon.git .
          git checkout ${{ github.sha }}
-      - name: Build and push frontend (PRODUCTION with Nginx)
+      - name: Build and push agents (Docker version)
        run: |
          cd python
          docker build -f Dockerfile.agents \
            -t ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/agents:latest \
            -t ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/agents:docker-latest \
            -t ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/agents:docker-${{ github.sha }} .
          docker push ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/agents:latest
          docker push ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/agents:docker-latest
          docker push ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/agents:docker-${{ github.sha }}
  build-frontend-docker:
    runs-on: wsl
    needs: build-agents-docker
    steps:
      - name: Checkout
        run: |
          git clone https://luis.erlacher:R%40tV8rhqC%40BN3ttfF8@git.automatizase.com.br/luis.erlacher/Archon.git .
          git checkout ${{ github.sha }}
      - name: Build and push frontend (Docker version - PRODUCTION with Nginx)
        run: |
          cd archon-ui-main
-          docker build -f Dockerfile.production -t ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/frontend:latest -t ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/frontend:${{ github.sha }} .
+          docker build -f Dockerfile.production \
            -t ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/frontend:latest \
            -t ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/frontend:docker-latest \
            -t ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/frontend:docker-${{ github.sha }} .
          docker push ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/frontend:latest
-          docker push ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/frontend:${{ github.sha }}
+          docker push ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/frontend:docker-latest
          docker push ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/frontend:docker-${{ github.sha }}
-  build-agents:
+  # =============================================================================
  # KUBERNETES BUILDS - Optimized Dockerfiles for K8s
  # Tags: k8s-latest, k8s-{sha}
  # Optimizations:
  # - Non-root user for security
  # - Proper signal propagation (graceful shutdown)
  # - No HEALTHCHECK (K8s uses liveness/readiness probes)
  # - Minimal production footprint
  # Execução em SÉRIE após builds Docker
  # =============================================================================
  build-server-k8s:
    runs-on: wsl
    needs: build-frontend-docker
    steps:
      - name: Checkout
        run: |
          git clone https://luis.erlacher:R%40tV8rhqC%40BN3ttfF8@git.automatizase.com.br/luis.erlacher/Archon.git .
          git checkout ${{ github.sha }}
-      - name: Build and push agents
+      - name: Build and push server (K8s optimized)
        run: |
          cd python
-          docker build -f Dockerfile.agents -t ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/agents:latest -t ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/agents:${{ github.sha }} .
+          docker build -f Dockerfile.k8s.server \
-          docker push ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/agents:latest
+            -t ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/server:k8s-latest \
-          docker push ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/agents:${{ github.sha }}
+            -t ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/server:k8s-${{ github.sha }} .
          docker push ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/server:k8s-latest
          docker push ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/server:k8s-${{ github.sha }}
-          #
+  build-mcp-k8s:
    runs-on: wsl
    needs: build-server-k8s
    steps:
      - name: Checkout
        run: |
          git clone https://luis.erlacher:R%40tV8rhqC%40BN3ttfF8@git.automatizase.com.br/luis.erlacher/Archon.git .
          git checkout ${{ github.sha }}
      - name: Build and push mcp (K8s optimized)
        run: |
          cd python
          docker build -f Dockerfile.k8s.mcp \
            -t ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/mcp:k8s-latest \
            -t ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/mcp:k8s-${{ github.sha }} .
          docker push ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/mcp:k8s-latest
          docker push ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/mcp:k8s-${{ github.sha }}
  build-agents-k8s:
    runs-on: wsl
    needs: build-mcp-k8s
    steps:
      - name: Checkout
        run: |
          git clone https://luis.erlacher:R%40tV8rhqC%40BN3ttfF8@git.automatizase.com.br/luis.erlacher/Archon.git .
          git checkout ${{ github.sha }}
      - name: Build and push agents (K8s optimized)
        run: |
          cd python
          docker build -f Dockerfile.k8s.agents \
            -t ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/agents:k8s-latest \
            -t ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/agents:k8s-${{ github.sha }} .
          docker push ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/agents:k8s-latest
          docker push ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/agents:k8s-${{ github.sha }}
  build-frontend-k8s:
    runs-on: wsl
    needs: build-agents-k8s
    steps:
      - name: Checkout
        run: |
          git clone https://luis.erlacher:R%40tV8rhqC%40BN3ttfF8@git.automatizase.com.br/luis.erlacher/Archon.git .
          git checkout ${{ github.sha }}
      - name: Build and push frontend (K8s optimized - PRODUCTION with Nginx)
        run: |
          cd archon-ui-main
          docker build -f Dockerfile.k8s.production \
            -t ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/frontend:k8s-latest \
            -t ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/frontend:k8s-${{ github.sha }} .
          docker push ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/frontend:k8s-latest
          docker push ${{ env.REGISTRY }}/${{ env.REGISTRY_PATH }}/frontend:k8s-${{ github.sha }}
--- a/DOCKERFILE_K8S_IMPROVEMENTS.md
+++ b/DOCKERFILE_K8S_IMPROVEMENTS.md
@ -0,0 +1,326 @@
 # Dockerfile K8s Optimization Report
 ## Executive Summary
 Os Dockerfiles atuais funcionam, mas **NÃO estão otimizados para produção em Kubernetes**. Principais problemas:
 - ⚠️ **Segurança**: Todos rodam como root
 - ⚠️ **Graceful Shutdown**: CMD não propaga sinais corretamente
 - ⚠️ **Redundância**: HEALTHCHECKs duplicados (K8s já tem probes)
 - ⚠️ **Cache de Layers**: Oportunidades de otimização perdidas
 ## Problemas por Dockerfile
 ### 1. python/Dockerfile.server
 **Problemas Críticos:**
 ```dockerfile
 # LINHA 78 - ❌ PROBLEMA
 CMD sh -c "python -m uvicorn src.server.main:socket_app --host 0.0.0.0 --port ${ARCHON_SERVER_PORT} --workers 1"
 # Problemas:
 # 1. sh -c não propaga SIGTERM para o processo Python
 # 2. Kubernetes rolling updates podem falhar ou ter downtime
 # 3. Conexões podem ser abortadas abruptamente
 ```
 **Solução:**
 ```dockerfile
 # ✅ CORRETO - Exec form com array
 CMD ["python", "-m", "uvicorn", "src.server.main:socket_app", \
     "--host", "0.0.0.0", "--port", "8181", "--workers", "1"]
 # Se precisar de variável de ambiente:
 CMD ["sh", "-c", "exec python -m uvicorn src.server.main:socket_app --host 0.0.0.0 --port ${ARCHON_SERVER_PORT}"]
 ```
 **Outras Melhorias:**
 ```dockerfile
 # REMOVER linhas 74-75 (HEALTHCHECK redundante)
 # K8s já tem liveness/readiness probes definidos
 # ADICIONAR antes do COPY (depois da linha 56):
 RUN groupadd -r appuser -g 1001 && \
    useradd -r -g appuser -u 1001 appuser && \
    mkdir -p /app && chown -R appuser:appuser /app
 # ADICIONAR antes do CMD (linha 77):
 USER appuser
 # OTIMIZAR CACHE - Mover COPY tests/ para DEPOIS se não for necessário em produção
 ```
 ### 2. python/Dockerfile.mcp
 **Problemas:**
 ```dockerfile
 # LINHA 42 - ❌ Roda como root, sem healthcheck
 CMD ["python", "-m", "src.mcp_server.mcp_server"]
 ```
 **Solução Completa:**
 ```dockerfile
 # ADICIONAR depois da linha 30:
 RUN groupadd -r appuser -g 1001 && \
    useradd -r -g appuser -u 1001 appuser && \
    chown -R appuser:appuser /app
 # ADICIONAR antes do CMD (linha 41):
 USER appuser
 # CMD já está correto (exec form)
 ```
 ### 3. python/Dockerfile.agents
 **Problemas Similares ao MCP:**
 ```dockerfile
 # LINHA 34 - ❌ Roda como root
 CMD sh -c "python -m uvicorn src.agents.server:app --host 0.0.0.0 --port ${ARCHON_AGENTS_PORT}"
 # LINHAS 30-31 - ❌ HEALTHCHECK redundante para K8s
 ```
 **Solução:**
 ```dockerfile
 # REMOVER linhas 30-31 (HEALTHCHECK)
 # ADICIONAR depois da linha 22:
 RUN groupadd -r appuser -g 1001 && \
    useradd -r -g appuser -u 1001 appuser && \
    chown -R appuser:appuser /app
 # ADICIONAR antes do CMD (linha 33):
 USER appuser
 # CORRIGIR CMD (linha 34):
 CMD ["sh", "-c", "exec python -m uvicorn src.agents.server:app --host 0.0.0.0 --port ${ARCHON_AGENTS_PORT}"]
 ```
 ### 4. archon-ui-main/Dockerfile.production
 **Problemas:**
 ```dockerfile
 # LINHA 41-42 - ❌ HEALTHCHECK redundante
 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
    CMD wget --no-verbose --tries=1 --spider http://localhost:3737/ || exit 1
 # Nginx roda como root por padrão
 ```
 **Solução:**
 ```dockerfile
 # REMOVER linhas 41-42 (HEALTHCHECK)
 # ADICIONAR depois da linha 29:
 # Configurar nginx para rodar como non-root
 RUN addgroup --system --gid 1001 nginx && \
    adduser --system --uid 1001 --gid 1001 nginx && \
    chown -R nginx:nginx /usr/share/nginx/html /var/cache/nginx /var/log/nginx && \
    touch /var/run/nginx.pid && \
    chown nginx:nginx /var/run/nginx.pid
 # ADICIONAR antes do CMD (linha 44):
 USER nginx
 # MODIFICAR nginx.conf para ouvir em porta não-privilegiada (>1024)
 # Ou manter 3737 e usar CAP_NET_BIND_SERVICE no K8s
 ```
 ## Otimizações de Cache de Layers
 ### Dockerfile.server - Otimização
 ```dockerfile
 # Ordem atual desperdiça cache se código muda
 COPY src/server/ src/server/
 COPY tests/ tests/
 # ✅ MELHOR: Copiar apenas o necessário para produção
 COPY src/server/ src/server/
 COPY src/__init__.py src/
 # Se tests/ for necessário APENAS para dev, remover do build de produção
 ```
 ### Todos os Dockerfiles Python
 ```dockerfile
 # ADICIONAR após instalação de dependências:
 # Limpar cache do pip/uv
 RUN rm -rf ~/.cache/pip ~/.cache/uv
 ```
 ## Configuração K8s Necessária
 ### SecurityContext nos Deployments
 ```yaml
 # Adicionar em TODOS os deployments (k8s-manifests-complete.yaml):
 spec:
  template:
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1001
        runAsGroup: 1001
        fsGroup: 1001
      containers:
      - name: server
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
          readOnlyRootFilesystem: false  # true depois de ajustar volumes
 ```
 ### Graceful Shutdown (Deployment spec)
 ```yaml
 spec:
  template:
    spec:
      terminationGracePeriodSeconds: 30  # Adicionar
      containers:
      - name: server
        lifecycle:
          preStop:
            exec:
              command: ["/bin/sh", "-c", "sleep 5"]  # Dar tempo para conexões fecharem
 ```
 ## Dockerfile Otimizado - Exemplo Server
 ```dockerfile
 # Server Service - Web crawling and document processing microservice
 FROM python:3.12 AS builder
 WORKDIR /build
 # Install build dependencies and uv
 RUN apt-get update && apt-get install -y \
    build-essential \
    && rm -rf /var/lib/apt/lists/* \
    && pip install --no-cache-dir uv
 # Copy pyproject.toml for dependency installation
 COPY pyproject.toml .
 # Install server dependencies to a virtual environment using uv
 RUN uv venv /venv && \
    . /venv/bin/activate && \
    uv pip install --group server --group server-reranking && \
    rm -rf ~/.cache/uv ~/.cache/pip
 # Runtime stage
 FROM python:3.12-slim
 WORKDIR /app
 # Install runtime dependencies for Playwright (minimal set)
 RUN apt-get update && apt-get install -y \
    wget \
    ca-certificates \
    fonts-liberation \
    libasound2 \
    libatk-bridge2.0-0 \
    libatk1.0-0 \
    libatspi2.0-0 \
    libcups2 \
    libdbus-1-3 \
    libdrm2 \
    libgbm1 \
    libgtk-3-0 \
    libnspr4 \
    libnss3 \
    libwayland-client0 \
    libxcomposite1 \
    libxdamage1 \
    libxfixes3 \
    libxkbcommon0 \
    libxrandr2 \
    xdg-utils \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 # Create non-root user BEFORE copying files
 RUN groupadd -r appuser -g 1001 && \
    useradd -r -g appuser -u 1001 appuser && \
    mkdir -p /app && chown -R appuser:appuser /app
 # Copy the virtual environment from builder
 COPY --from=builder --chown=appuser:appuser /venv /venv
 # Install Playwright browsers as root (needs permissions)
 ENV PATH=/venv/bin:$PATH
 RUN playwright install chromium
 # Copy server code (NO tests in production)
 COPY --chown=appuser:appuser src/server/ src/server/
 COPY --chown=appuser:appuser src/__init__.py src/
 # Set environment variables
 ENV PYTHONPATH="/app:$PYTHONPATH"
 ENV PYTHONUNBUFFERED=1
 ENV PATH="/venv/bin:$PATH"
 # Expose Server port
 ARG ARCHON_SERVER_PORT=8181
 ENV ARCHON_SERVER_PORT=${ARCHON_SERVER_PORT}
 EXPOSE ${ARCHON_SERVER_PORT}
 # Switch to non-root user
 USER appuser
 # Run the Server service with proper signal handling
 CMD ["sh", "-c", "exec python -m uvicorn src.server.main:socket_app --host 0.0.0.0 --port ${ARCHON_SERVER_PORT} --workers 1"]
 ```
 ## Checklist de Implementação
 ### Prioridade ALTA (Segurança)
 - [ ] Adicionar usuário non-root em todos os Dockerfiles
 - [ ] Adicionar `USER appuser` antes do CMD
 - [ ] Configurar `securityContext` nos deployments K8s
 - [ ] Remover todos os HEALTHCHECKs dos Dockerfiles
 ### Prioridade ALTA (Confiabilidade)
 - [ ] Corrigir CMD para exec form com propagação de sinais
 - [ ] Adicionar `terminationGracePeriodSeconds` nos deployments
 - [ ] Testar rolling updates funcionam corretamente
 ### Prioridade MÉDIA (Otimização)
 - [ ] Otimizar ordem de COPY para melhor cache
 - [ ] Limpar cache pip/uv após instalações
 - [ ] Remover `tests/` do build de produção (se não necessário)
 ### Prioridade BAIXA (Melhoria Contínua)
 - [ ] Considerar distroless images para mais segurança
 - [ ] Implementar multi-arch builds (amd64/arm64)
 - [ ] Adicionar SBOM (Software Bill of Materials)
 ## Testes Recomendados
 ```bash
 # Testar se containers rodam como non-root
 docker run --rm your-image id
 # Deve retornar: uid=1001(appuser) gid=1001(appuser)
 # Testar graceful shutdown
 docker run -d --name test your-image
 docker stop test  # Deve parar em ~2-3 segundos, não 10
 # Testar no K8s
 kubectl rollout restart deployment/archon-server -n archon
 kubectl rollout status deployment/archon-server -n archon
 # Deve ser smooth sem downtime
 ```
 ## Referências
 - [Kubernetes Best Practices - Dockerfile](https://kubernetes.io/docs/concepts/configuration/overview/)
 - [OWASP Docker Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html)
 - [Python Docker Best Practices](https://docs.python.org/3/using/docker.html)
 - [FastAPI Deployment - Docker](https://fastapi.tiangolo.com/deployment/docker/)
--- a/DOCKER_K8S_BUILD_STRATEGY.md
+++ b/DOCKER_K8S_BUILD_STRATEGY.md
@ -0,0 +1,303 @@
 # Docker vs Kubernetes Build Strategy
 ## Overview
 O projeto Archon agora mantém **duas versões de imagens Docker** para cada serviço:
 1. **Docker Version** - Imagens originais para uso com Docker Compose
 2. **Kubernetes Version** - Imagens otimizadas para produção em Kubernetes
 ## Arquivos Dockerfile
 ### Docker Compose (Original)
 - `python/Dockerfile.server` → `server:latest`, `server:docker-latest`
 - `python/Dockerfile.mcp` → `mcp:latest`, `mcp:docker-latest`
 - `python/Dockerfile.agents` → `agents:latest`, `agents:docker-latest`
 - `archon-ui-main/Dockerfile.production` → `frontend:latest`, `frontend:docker-latest`
 ### Kubernetes (Optimized)
 - `python/Dockerfile.k8s.server` → `server:k8s-latest`
 - `python/Dockerfile.k8s.mcp` → `mcp:k8s-latest`
 - `python/Dockerfile.k8s.agents` → `agents:k8s-latest`
 - `archon-ui-main/Dockerfile.k8s.production` → `frontend:k8s-latest`
 ## Image Tags
 ### Docker Version Tags
 ```bash
 git.automatizase.com.br/luis.erlacher/archon/server:latest
 git.automatizase.com.br/luis.erlacher/archon/server:docker-latest
 git.automatizase.com.br/luis.erlacher/archon/server:docker-{commit-sha}
 # Mesma estrutura para: mcp, agents, frontend
 ```
 ### Kubernetes Version Tags
 ```bash
 git.automatizase.com.br/luis.erlacher/archon/server:k8s-latest
 git.automatizase.com.br/luis.erlacher/archon/server:k8s-{commit-sha}
 # Mesma estrutura para: mcp, agents, frontend
 ```
 ## Diferenças Entre as Versões
 ### Docker Version (Original)
 - ✅ Compatível com Docker Compose
 - ✅ Roda como root (compatibilidade)
 - ✅ Inclui HEALTHCHECK no Dockerfile
 - ✅ Estrutura simplificada para desenvolvimento local
 ### Kubernetes Version (Optimized)
 - ✅ **Non-root user** (UID/GID 1001) - Segurança
 - ✅ **Proper signal propagation** - Graceful shutdown em rolling updates
 - ✅ **No HEALTHCHECK** - K8s usa liveness/readiness probes
 - ✅ **Cache cleanup** - Imagens menores (remove ~/.cache/pip, ~/.cache/uv)
 - ✅ **Production-only** - Não inclui `tests/` directory
 - ✅ **Optimized layers** - Melhor aproveitamento de cache
 ## Otimizações Kubernetes
 ### 1. Non-Root User
 ```dockerfile
 # Cria usuário e grupo com IDs fixos
 RUN groupadd -r appuser -g 1001 && \
    useradd -r -g appuser -u 1001 appuser && \
    chown -R appuser:appuser /app
 USER appuser
 ```
 **Benefícios:**
 - Segurança: Reduz risco de container escape
 - Compliance: Atende policies de segurança K8s (PodSecurityStandards)
 - Best Practice: Recomendado pela OWASP e CIS Benchmarks
 ### 2. Signal Propagation
 ```dockerfile
 # ✅ CORRETO - Propagation com exec
 CMD ["sh", "-c", "exec python -m uvicorn ..."]
 # ❌ INCORRETO - Shell não propaga sinais
 CMD sh -c "python -m uvicorn ..."
 ```
 **Benefícios:**
 - Graceful shutdown: SIGTERM chega ao processo Python
 - Zero downtime: Rolling updates funcionam corretamente
 - Connection draining: Conexões fecham gracefully
 ### 3. No HEALTHCHECK
 ```dockerfile
 # Docker version tem:
 HEALTHCHECK --interval=30s CMD ...
 # K8s version NÃO tem (redundante)
 # K8s já define em livenessProbe/readinessProbe
 ```
 **Benefícios:**
 - Menor tamanho de imagem
 - Menos processos rodando no container
 - Health checks gerenciados pelo K8s (mais flexível)
 ### 4. Cache Cleanup
 ```dockerfile
 RUN uv pip install --system --group mcp && \
    rm -rf ~/.cache/uv ~/.cache/pip
 ```
 **Benefícios:**
 - Imagens 10-15% menores
 - Menos I/O no registry
 - Pull mais rápido nos nodes K8s
 ## Como Usar
 ### Para Docker Compose (Desenvolvimento Local)
 ```yaml
 # docker-compose.yml
 services:
  archon-server:
    image: git.automatizase.com.br/luis.erlacher/archon/server:latest
    # ou
    image: git.automatizase.com.br/luis.erlacher/archon/server:docker-latest
 ```
 ### Para Kubernetes (Produção)
 ```yaml
 # k8s-manifests.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: archon-server
 spec:
  template:
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1001
        runAsGroup: 1001
        fsGroup: 1001
      containers:
      - name: server
        image: git.automatizase.com.br/luis.erlacher/archon/server:k8s-latest
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
 ```
 ## CI/CD Workflow
 O workflow `.gitea/workflows/build-images.yml` constrói ambas as versões automaticamente:
 ### Trigger
 - Push para branch `main`
 - Workflow manual dispatch
 ### Jobs Executados
 **Docker Version (4 jobs):**
 - `build-server-docker`
 - `build-mcp-docker`
 - `build-agents-docker`
 - `build-frontend-docker`
 **Kubernetes Version (4 jobs):**
 - `build-server-k8s`
 - `build-mcp-k8s`
 - `build-agents-k8s`
 - `build-frontend-k8s`
 **Total:** 8 jobs paralelos (quando possível)
 ## Atualizar Manifests Kubernetes
 Para usar as imagens K8s otimizadas, atualize `k8s-manifests-complete.yaml`:
 ```yaml
 # ANTES (versão Docker)
 image: git.automatizase.com.br/luis.erlacher/archon/server:latest
 # DEPOIS (versão K8s)
 image: git.automatizase.com.br/luis.erlacher/archon/server:k8s-latest
 ```
 Faça isso para todos os deployments:
 - archon-server
 - archon-mcp
 - archon-agents
 - archon-frontend
 ## Tamanhos das Imagens
 ### Estimativa de Redução (K8s vs Docker)
 | Service | Docker | K8s | Redução |
 |---------|--------|-----|---------|
 | Server  | ~1.2GB | ~1.1GB | ~8% |
 | MCP     | ~450MB | ~420MB | ~7% |
 | Agents  | ~480MB | ~450MB | ~6% |
 | Frontend| ~50MB  | ~48MB  | ~4% |
 **Economia total:** ~100MB por deploy completo
 ## Testes
 ### Verificar Non-Root
 ```bash
 # Docker
 docker run --rm git.automatizase.com.br/luis.erlacher/archon/server:k8s-latest id
 # Esperado: uid=1001(appuser) gid=1001(appuser)
 # Kubernetes
 kubectl exec -it deployment/archon-server -n archon -- id
 # Esperado: uid=1001(appuser) gid=1001(appuser)
 ```
 ### Testar Graceful Shutdown
 ```bash
 # Docker
 docker run -d --name test git.automatizase.com.br/luis.erlacher/archon/server:k8s-latest
 docker stop test  # Deve parar em ~2-3 segundos
 # Kubernetes
 kubectl rollout restart deployment/archon-server -n archon
 kubectl rollout status deployment/archon-server -n archon
 # Deve ser smooth, sem downtime
 ```
 ### Verificar Tamanho das Imagens
 ```bash
 docker images | grep archon
 # Compare tags 'latest' vs 'k8s-latest'
 ```
 ## Migration Checklist
 Se você está migrando de Docker para K8s:
 - [ ] Pull das novas imagens K8s
 - [ ] Atualizar manifests K8s para usar `:k8s-latest`
 - [ ] Adicionar `securityContext` nos deployments (veja exemplo acima)
 - [ ] Adicionar `terminationGracePeriodSeconds: 30`
 - [ ] Remover HEALTHCHECKs se você tinha configurado manualmente
 - [ ] Testar rolling updates funcionam corretamente
 - [ ] Verificar logs não mostram permission errors
 ## Manutenção
 ### Quando Modificar Dockerfiles
 **Docker Version (Original):**
 - Modificar apenas para compatibilidade com Docker Compose
 - Manter simples e focado em desenvolvimento local
 **Kubernetes Version (Optimized):**
 - Aplicar todas as otimizações de produção
 - Seguir best practices de segurança
 - Manter alinhado com Docker version (funcionalidades)
 ### Sincronização
 As duas versões devem ter as **mesmas funcionalidades**, apenas diferindo em:
 - User (root vs non-root)
 - Signal propagation (CMD format)
 - Health checks (Dockerfile vs K8s)
 - Optimizations (cache cleanup, layer ordering)
 ## Troubleshooting
 ### Erro: Permission Denied no K8s
 ```
 Error: EACCES: permission denied, open '/app/file'
 ```
 **Solução:** Verifique se todos os arquivos foram copiados com `--chown=appuser:appuser`
 ### Erro: Rolling Update com Downtime
 ```
 502 Bad Gateway durante deploy
 ```
 **Solução:** Verifique se CMD usa exec form para propagação de sinais
 ### Erro: Imagem Pull Failed
 ```
 ImagePullBackOff
 ```
 **Solução:** Verifique se as imagens K8s foram construídas e pushed:
 ```bash
 # No servidor Gitea Actions
 docker images | grep k8s-latest
 ```
 ## Referências
 - [DOCKERFILE_K8S_IMPROVEMENTS.md](./DOCKERFILE_K8S_IMPROVEMENTS.md) - Análise detalhada
 - [Kubernetes Best Practices](https://kubernetes.io/docs/concepts/configuration/overview/)
 - [OWASP Docker Security](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html)
 - [12 Factor App](https://12factor.net/)
--- a/archon-ui-main/Dockerfile.k8s.production
+++ b/archon-ui-main/Dockerfile.k8s.production
@ -0,0 +1,59 @@
 # Frontend - Kubernetes optimized build
 # React/Vite build with Nginx optimized for K8s
 # Optimizations:
 # - Non-root nginx user for security
 # - No HEALTHCHECK (K8s uses liveness/readiness probes)
 # - Optimized build cache
 # - Minimal production footprint
 # =============================================================================
 # STAGE 1: Build da aplicação React/Vite
 # =============================================================================
 FROM node:18-alpine AS builder
 WORKDIR /app
 # Install build dependencies
 RUN apk add --no-cache python3 make g++ git
 # Copy package files
 COPY package*.json ./
 # Install ALL dependencies (including devDependencies for build)
 RUN npm ci && npm cache clean --force
 # Copy source code
 COPY . .
 # Build para produção
 RUN npm run build
 # =============================================================================
 # STAGE 2: Servir com Nginx (non-root)
 # =============================================================================
 FROM nginx:alpine
 # Remover configuração padrão do Nginx
 RUN rm -rf /usr/share/nginx/html/* /etc/nginx/conf.d/default.conf
 # Create non-root nginx user
 # Note: nginx:alpine already has nginx user, just need to configure permissions
 RUN chown -R nginx:nginx /usr/share/nginx/html /var/cache/nginx /var/log/nginx /etc/nginx/conf.d && \
    touch /var/run/nginx.pid && \
    chown -R nginx:nginx /var/run/nginx.pid
 # Copiar build do stage anterior
 COPY --from=builder --chown=nginx:nginx /app/dist /usr/share/nginx/html
 # Copiar configuração customizada do Nginx
 COPY --chown=nginx:nginx nginx.conf /etc/nginx/conf.d/default.conf
 # Expor porta 3737 (mantendo compatibilidade com a config atual)
 EXPOSE 3737
 # Switch to non-root user
 USER nginx
 # Iniciar Nginx
 # Note: nginx -g "daemon off;" is already in exec form by default in the base image
 CMD ["nginx", "-g", "daemon off;"]
--- a/k8s-manifests-complete.yaml
+++ b/k8s-manifests-complete.yaml
@ -70,14 +70,25 @@ spec:
      labels:
        app: archon-server
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1001
        runAsGroup: 1001
        fsGroup: 1001
      terminationGracePeriodSeconds: 30
      containers:
      - name: server
-        # IMPORTANTE: Substitua pelo seu registry
+        # IMPORTANTE: Usando imagem K8s otimizada (non-root, graceful shutdown)
-        # Exemplos:
+        # Para Docker Compose, use: server:latest ou server:docker-latest
-        #   - Gitea: git.automatizase.com.br/luis.erlacher/archon/server:latest
+        # Para Kubernetes, use: server:k8s-latest (RECOMENDADO)
-        #   - Docker Hub: docker.io/seu-usuario/archon-server:latest
+        image: git.automatizase.com.br/luis.erlacher/archon/server:k8s-latest
        image: git.automatizase.com.br/luis.erlacher/archon/server:latest
        imagePullPolicy: Always
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
          readOnlyRootFilesystem: false
        ports:
        - containerPort: 8181
          name: http
@ -208,14 +219,25 @@ spec:
      labels:
        app: archon-mcp
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1001
        runAsGroup: 1001
        fsGroup: 1001
      terminationGracePeriodSeconds: 30
      containers:
      - name: mcp
-        # IMPORTANTE: Substitua pelo seu registry
+        # IMPORTANTE: Usando imagem K8s otimizada (non-root, graceful shutdown)
-        # Exemplos:
+        # Para Docker Compose, use: mcp:latest ou mcp:docker-latest
-        #   - Gitea: git.automatizase.com.br/luis.erlacher/archon/mcp:latest
+        # Para Kubernetes, use: mcp:k8s-latest (RECOMENDADO)
-        #   - Docker Hub: docker.io/seu-usuario/archon-mcp:latest
+        image: git.automatizase.com.br/luis.erlacher/archon/mcp:k8s-latest
        image: git.automatizase.com.br/luis.erlacher/archon/mcp:latest
        imagePullPolicy: Always
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
          readOnlyRootFilesystem: false
        ports:
        - containerPort: 8051
          name: http
@ -338,14 +360,25 @@ spec:
      labels:
        app: archon-frontend
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 101  # nginx user in alpine
        runAsGroup: 101
        fsGroup: 101
      terminationGracePeriodSeconds: 30
      containers:
      - name: frontend
-        # IMPORTANTE: Substitua pelo seu registry
+        # IMPORTANTE: Usando imagem K8s otimizada (non-root nginx)
-        # Exemplos:
+        # Para Docker Compose, use: frontend:latest ou frontend:docker-latest
-        #   - Gitea: git.automatizase.com.br/luis.erlacher/archon/frontend:latest
+        # Para Kubernetes, use: frontend:k8s-latest (RECOMENDADO)
-        #   - Docker Hub: docker.io/seu-usuario/archon-frontend:latest
+        image: git.automatizase.com.br/luis.erlacher/archon/frontend:k8s-latest
        image: git.automatizase.com.br/luis.erlacher/archon/frontend:latest
        imagePullPolicy: Always
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
          readOnlyRootFilesystem: false
        ports:
        - containerPort: 3737
          name: http
--- a/python/Dockerfile.k8s.agents
+++ b/python/Dockerfile.k8s.agents
@ -0,0 +1,48 @@
 # Agents Service - Kubernetes optimized build
 # Lightweight Pydantic AI agents optimized for K8s
 # Optimizations:
 # - Non-root user for security
 # - Proper signal propagation for graceful shutdown
 # - No HEALTHCHECK (K8s uses liveness/readiness probes)
 # - Cache cleanup for smaller image size
 FROM python:3.12-slim
 WORKDIR /app
 # Install uv
 RUN pip install --no-cache-dir uv && \
    rm -rf ~/.cache/pip
 # Copy pyproject.toml for dependency installation
 COPY pyproject.toml .
 # Install only agents dependencies using uv
 RUN uv pip install --system --group agents && \
    rm -rf ~/.cache/uv ~/.cache/pip
 # Create non-root user
 RUN groupadd -r appuser -g 1001 && \
    useradd -r -g appuser -u 1001 appuser && \
    chown -R appuser:appuser /app
 # Copy agents code - no dependencies on server code
 # Agents use MCP tools for all operations
 COPY --chown=appuser:appuser src/agents/ src/agents/
 COPY --chown=appuser:appuser src/__init__.py src/
 # Set environment variables
 ENV PYTHONPATH="/app:$PYTHONPATH"
 ENV PYTHONUNBUFFERED=1
 # Expose Agents port
 ARG ARCHON_AGENTS_PORT=8052
 ENV ARCHON_AGENTS_PORT=${ARCHON_AGENTS_PORT}
 EXPOSE ${ARCHON_AGENTS_PORT}
 # Switch to non-root user
 USER appuser
 # Run the Agents service with proper signal propagation for K8s
 # Using exec to ensure SIGTERM reaches the Python process for graceful shutdown
 CMD ["sh", "-c", "exec python -m uvicorn src.agents.server:app --host 0.0.0.0 --port ${ARCHON_AGENTS_PORT}"]
--- a/python/Dockerfile.k8s.mcp
+++ b/python/Dockerfile.k8s.mcp
@ -0,0 +1,60 @@
 # MCP Service - Kubernetes optimized build
 # Lightweight HTTP-based microservice optimized for K8s
 # Optimizations:
 # - Non-root user for security
 # - Proper signal propagation for graceful shutdown
 # - No HEALTHCHECK (K8s uses liveness/readiness probes)
 # - Cache cleanup for smaller image size
 FROM python:3.12-slim
 WORKDIR /app
 # Install uv
 RUN pip install --no-cache-dir uv && \
    rm -rf ~/.cache/pip
 # Copy pyproject.toml for dependency installation
 COPY pyproject.toml .
 # Install only mcp dependencies using uv
 RUN uv pip install --system --group mcp && \
    rm -rf ~/.cache/uv ~/.cache/pip
 # Create minimal directory structure
 RUN mkdir -p src/mcp_server/features/projects src/mcp_server/features/tasks src/mcp_server/features/documents src/server/services src/server/config
 # Create non-root user
 RUN groupadd -r appuser -g 1001 && \
    useradd -r -g appuser -u 1001 appuser && \
    chown -R appuser:appuser /app
 # Copy only MCP-specific files
 COPY --chown=appuser:appuser src/mcp_server/ src/mcp_server/
 COPY --chown=appuser:appuser src/__init__.py src/
 # Copy the server files MCP needs for HTTP communication
 COPY --chown=appuser:appuser src/server/__init__.py src/server/
 COPY --chown=appuser:appuser src/server/services/__init__.py src/server/services/
 COPY --chown=appuser:appuser src/server/services/mcp_service_client.py src/server/services/
 COPY --chown=appuser:appuser src/server/services/client_manager.py src/server/services/
 COPY --chown=appuser:appuser src/server/services/mcp_session_manager.py src/server/services/
 COPY --chown=appuser:appuser src/server/config/__init__.py src/server/config/
 COPY --chown=appuser:appuser src/server/config/service_discovery.py src/server/config/
 COPY --chown=appuser:appuser src/server/config/logfire_config.py src/server/config/
 # Set environment variables
 ENV PYTHONPATH="/app:$PYTHONPATH"
 ENV PYTHONUNBUFFERED=1
 # Expose MCP port
 ARG ARCHON_MCP_PORT=8051
 ENV ARCHON_MCP_PORT=${ARCHON_MCP_PORT}
 EXPOSE ${ARCHON_MCP_PORT}
 # Switch to non-root user
 USER appuser
 # Run the MCP server
 # CMD already in exec form - proper signal propagation
 CMD ["python", "-m", "src.mcp_server.mcp_server"]
--- a/python/Dockerfile.k8s.server
+++ b/python/Dockerfile.k8s.server
@ -0,0 +1,91 @@
 # Server Service - Kubernetes optimized build
 # Optimizations:
 # - Non-root user for security
 # - Proper signal propagation for graceful shutdown
 # - No HEALTHCHECK (K8s uses liveness/readiness probes)
 # - Optimized layer caching
 # - Minimal production footprint
 FROM python:3.12 AS builder
 WORKDIR /build
 # Install build dependencies and uv
 RUN apt-get update && apt-get install -y \
    build-essential \
    && rm -rf /var/lib/apt/lists/* \
    && pip install --no-cache-dir uv
 # Copy pyproject.toml for dependency installation
 COPY pyproject.toml .
 # Install server dependencies to a virtual environment using uv
 RUN uv venv /venv && \
    . /venv/bin/activate && \
    uv pip install --group server --group server-reranking && \
    rm -rf ~/.cache/uv ~/.cache/pip
 # Runtime stage
 FROM python:3.12-slim
 WORKDIR /app
 # Install runtime dependencies for Playwright (minimal set)
 RUN apt-get update && apt-get install -y \
    wget \
    ca-certificates \
    fonts-liberation \
    libasound2 \
    libatk-bridge2.0-0 \
    libatk1.0-0 \
    libatspi2.0-0 \
    libcups2 \
    libdbus-1-3 \
    libdrm2 \
    libgbm1 \
    libgtk-3-0 \
    libnspr4 \
    libnss3 \
    libwayland-client0 \
    libxcomposite1 \
    libxdamage1 \
    libxfixes3 \
    libxkbcommon0 \
    libxrandr2 \
    xdg-utils \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 # Create non-root user BEFORE copying files
 RUN groupadd -r appuser -g 1001 && \
    useradd -r -g appuser -u 1001 appuser && \
    mkdir -p /app && chown -R appuser:appuser /app
 # Copy the virtual environment from builder
 COPY --from=builder --chown=appuser:appuser /venv /venv
 # Install Playwright browsers as root (needs permissions)
 ENV PATH=/venv/bin:$PATH
 RUN playwright install chromium && \
    chown -R appuser:appuser /root/.cache/ms-playwright 2>/dev/null || true
 # Copy server code (production only - no tests)
 COPY --chown=appuser:appuser src/server/ src/server/
 COPY --chown=appuser:appuser src/__init__.py src/
 # Set environment variables
 ENV PYTHONPATH="/app:$PYTHONPATH"
 ENV PYTHONUNBUFFERED=1
 ENV PATH="/venv/bin:$PATH"
 # Expose Server port
 ARG ARCHON_SERVER_PORT=8181
 ENV ARCHON_SERVER_PORT=${ARCHON_SERVER_PORT}
 EXPOSE ${ARCHON_SERVER_PORT}
 # Switch to non-root user
 USER appuser
 # Run the Server service with proper signal propagation for K8s
 # Using exec to ensure SIGTERM reaches the Python process for graceful shutdown
 CMD ["sh", "-c", "exec python -m uvicorn src.server.main:socket_app --host 0.0.0.0 --port ${ARCHON_SERVER_PORT} --workers 1"]