fix: redis default password, update README with kustomize structure

README.md

@@ -8,14 +8,29 @@ Refactored cloud microservices from project-ai.
 cloud-services/
 ├── pkg/                    # Shared Go packages
 │   ├── kafka/              # Pure Go Kafka client (franz-go)
+│   ├── redis/              # Redis connection pool
 │   ├── dbc/                # CAN database signal definitions
 │   ├── can-go/             # CAN protocol library
 │   └── ...                 # Other shared modules
 ├── services/
 │   └── gateway/            # API gateway service
+│       └── Dockerfile      # Service-specific Dockerfile
 ├── deploy/
-│   ├── base/               # Base k8s manifests
-│   └── overlays/           # Environment-specific configs
+│   ├── base/               # Base k8s manifests (configMapGenerator)
+│   │   ├── kustomization.yaml
+│   │   └── config.env      # Common environment config
+│   └── overlays/
+│       └── development/    # Dev environment overlay
+│           ├── kustomization.yaml
+│           ├── secrets.yaml
+│           └── services/
+│               └── gateway/
+│                   ├── deployment.yaml
+│                   ├── ingress.yaml
+│                   └── external-secret.yaml
+├── argocd-apps/
+│   └── development/
+│       └── cloud-services.yaml  # ArgoCD Application
 └── scripts/                # Build and utility scripts
 ```
 
@@ -31,8 +46,8 @@ go build ./services/gateway
 # Run tests
 go test ./...
 
-# Build Docker image
-docker build -t gateway -f services/gateway/Dockerfile .
+# Build Docker image (arm64 for Mac Mini cluster)
+docker build --platform linux/arm64 -t localhost:32000/gateway:latest -f services/gateway/Dockerfile .
 ```
 
 ## Services
@@ -48,6 +63,7 @@ WebSocket gateway for TRex, HMI, and Mobile connections. Handles auth, message r
 ### Prerequisites
 - Go 1.25+
 - Docker (for container builds)
+- devbox (optional, for consistent dev environment)
 
 ### Module Structure
 Uses Go workspaces (`go.work`) for local development:
@@ -64,22 +80,37 @@ CAN signal definitions are generated from DBC files. See `pkg/dbc/README.md`.
 
 ## Deployment
 
-Kubernetes manifests in `deploy/` use Kustomize overlays:
+### Kustomize Structure
+
+Uses `configMapGenerator` with hash suffixes for automatic rolling updates when config changes:
 
 ```bash
-# Development
-kubectl apply -k deploy/overlays/development
+# Preview what will be deployed
+kustomize build deploy/overlays/development
 
-# Or via ArgoCD
-# See k8s-gitops-setup repo
+# Apply directly (without ArgoCD)
+kustomize build deploy/overlays/development | kubectl apply -f -
 ```
 
+### ArgoCD
+
+The `argocd-apps/development/cloud-services.yaml` Application points to `deploy/overlays/development` and auto-syncs changes from git.
+
+### Secrets
+
+Database credentials are managed via ExternalSecrets from Vault:
+- `cloud-db-credentials` - DB_PASSWORD, MONGO_USER, MONGO_PASSWORD
+
 ## Environment Variables
 
+Configured in `deploy/base/config.env`:
+
 | Variable | Default | Description |
 |----------|---------|-------------|
-| `KAFKA_HOSTS` | `localhost:9092` | Kafka brokers |
-| `REDIS_HOST` | `localhost` | Redis host |
+| `DB_HOST` | `cloud-dev-rw.cnpg-system.svc.cluster.local` | PostgreSQL host |
+| `KAFKA_HOSTS` | `cloud-dev-kafka-bootstrap.kafka.svc.cluster.local:9092` | Kafka brokers |
+| `REDIS_HOST` | `cloud-dev.redis.svc.cluster.local` | Redis host |
 | `REDIS_PORT` | `6379` | Redis port |
-| `JWK_URL` | - | JWKS endpoint for JWT validation |
+| `MONGO_HOST` | `cloud-dev-svc.mongodb.svc.cluster.local` | MongoDB host |
+| `OIDC_ISSUER` | Keycloak URL | OIDC issuer for JWT validation |
 | `LOG_LEVEL` | `info` | Log level |