bakery-admin/bakery-ia
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add new infra architecture 11

Browse Source
This commit is contained in:
Urtzi Alfaro
2026-01-20 22:05:10 +01:00
parent 0217ad83be
commit 2512de4173
42 changed files with 1056 additions and 874 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
infrastructure/cicd/flux/templates/namespace.yaml
View File

@@ -1,7 +1,9 @@
{{- if .Values.createNamespace | default false }}
apiVersion: v1
kind: Namespace
metadata:
name: {{ .Values.gitRepository.namespace }}
labels:
app.kubernetes.io/name: flux
kubernetes.io/metadata.name: {{ .Values.gitRepository.namespace }}
kubernetes.io/metadata.name: {{ .Values.gitRepository.namespace }}
{{- end }}

2
infrastructure/cicd/flux/values.yaml
View File

@@ -6,7 +6,7 @@ gitRepository:
name: bakery-ia
namespace: flux-system
interval: 1m
url: http://gitea.bakery-ia.local/bakery-admin/bakery-ia.git
url: http://gitea-http.gitea.svc.cluster.local:3000/bakery-admin/bakery-ia.git
ref:
branch: main
secretRef:

11
infrastructure/cicd/gitea/setup-admin-secret.sh
View File

@@ -19,18 +19,23 @@ GITEA_NAMESPACE="gitea"
BAKERY_NAMESPACE="bakery-ia"
REGISTRY_HOST="registry.bakery-ia.local"
ADMIN_USERNAME="bakery-admin"
# Static password for consistent dev environment setup
# This ensures the same credentials work across environment recreations
STATIC_ADMIN_PASSWORD="pvYUkGWJijqc0QfIZEXw"
# Check if running in microk8s
if command -v microk8s &> /dev/null; then
KUBECTL="microk8s kubectl"
fi
# Get or generate password
# Get password from argument, environment variable, or use static default
if [ -n "$1" ]; then
ADMIN_PASSWORD="$1"
elif [ -n "$GITEA_ADMIN_PASSWORD" ]; then
ADMIN_PASSWORD="$GITEA_ADMIN_PASSWORD"
else
ADMIN_PASSWORD=$(openssl rand -base64 24 | tr -d '/+=' | head -c 20)
echo "Generated admin password: $ADMIN_PASSWORD"
ADMIN_PASSWORD="$STATIC_ADMIN_PASSWORD"
echo "Using static admin password for dev environment consistency"
fi
# Create namespaces if they don't exist

65
infrastructure/cicd/gitea/values-prod.yaml Normal file
View File

@@ -0,0 +1,65 @@
# Gitea Helm values for Production environment
# This file overrides values.yaml for production deployment
#
# Installation:
# helm upgrade --install gitea gitea/gitea -n gitea \
# -f infrastructure/cicd/gitea/values.yaml \
# -f infrastructure/cicd/gitea/values-prod.yaml
ingress:
enabled: true
className: nginx
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: "500m"
nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
cert-manager.io/cluster-issuer: "letsencrypt-production"
hosts:
- host: gitea.bakewise.ai
paths:
- path: /
pathType: Prefix
tls:
- secretName: gitea-tls-cert
hosts:
- gitea.bakewise.ai
apiIngress:
enabled: true
className: nginx
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: "500m"
cert-manager.io/cluster-issuer: "letsencrypt-production"
hosts:
- host: registry.bakewise.ai
paths:
- path: /
pathType: Prefix
tls:
- secretName: registry-tls-cert
hosts:
- registry.bakewise.ai
gitea:
admin:
email: admin@bakewise.ai
config:
server:
DOMAIN: gitea.bakewise.ai
SSH_DOMAIN: gitea.bakewise.ai
ROOT_URL: https://gitea.bakewise.ai
# Production resources - adjust based on expected load
resources:
limits:
cpu: 1000m
memory: 1Gi
requests:
cpu: 200m
memory: 512Mi
# Larger storage for production
persistence:
size: 50Gi

35
infrastructure/cicd/gitea/values.yaml
View File

@@ -25,7 +25,40 @@ service:
# Registry authentication and API is handled by the main HTTP service
ingress:
enabled: false # Disable Gitea's built-in ingress - use common ingress instead
enabled: true
className: nginx
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: "500m"
nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
hosts:
- host: gitea.bakery-ia.local
paths:
- path: /
pathType: Prefix
tls:
- secretName: bakery-dev-tls-cert
hosts:
- gitea.bakery-ia.local
- registry.bakery-ia.local
# Additional ingress for container registry (same backend, different hostname)
apiIngress:
enabled: true
className: nginx
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: "500m"
hosts:
- host: registry.bakery-ia.local
paths:
- path: /
pathType: Prefix
tls:
- secretName: bakery-dev-tls-cert
hosts:
- registry.bakery-ia.local
persistence:
enabled: true

2
infrastructure/cicd/tekton-helm/templates/NOTES.txt
View File

@@ -17,6 +17,6 @@ After Tekton is installed, this chart will deploy:
- Tasks, Pipelines, and Triggers for CI/CD
To check the status of deployed resources:
kubectl get all -n {{ .Values.namespace }}
kubectl get all -n {{ .Release.Namespace }}
For more information about Tekton, visit: https://tekton.dev/

6
infrastructure/cicd/tekton-helm/templates/clusterroles.yaml
View File

@@ -31,6 +31,10 @@ rules:
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
# Ability to list cluster-scoped trigger resources (needed for Tekton Triggers controller)
- apiGroups: ["triggers.tekton.dev"]
resources: ["clustertriggerbindings", "clusterinterceptors"]
verbs: ["get", "list", "watch"]
---
# ClusterRole for Pipeline execution (needed for git operations and deployments)
apiVersion: rbac.authorization.k8s.io/v1
@@ -63,7 +67,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: tekton-triggers-eventlistener-role
namespace: {{ .Values.namespace }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: triggers

2
infrastructure/cicd/tekton-helm/templates/configmap.yaml
View File

@@ -2,7 +2,7 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: pipeline-config
namespace: {{ .Values.namespace }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: config

2
infrastructure/cicd/tekton-helm/templates/event-listener.yaml
View File

@@ -5,7 +5,7 @@ apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
name: bakery-ia-event-listener
namespace: {{ .Values.namespace }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: triggers

2
infrastructure/cicd/tekton-helm/templates/pipeline-ci.yaml
View File

@@ -7,7 +7,7 @@ apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: bakery-ia-ci
namespace: {{ .Values.namespace }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: pipeline

8
infrastructure/cicd/tekton-helm/templates/rolebindings.yaml
View File

@@ -9,7 +9,7 @@ metadata:
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccounts.triggers.name }}
namespace: {{ .Values.namespace }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: tekton-triggers-role
@@ -26,7 +26,7 @@ metadata:
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccounts.pipeline.name }}
namespace: {{ .Values.namespace }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: tekton-pipeline-role
@@ -37,14 +37,14 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: tekton-triggers-eventlistener-binding
namespace: {{ .Values.namespace }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: triggers
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccounts.triggers.name }}
namespace: {{ .Values.namespace }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: Role
name: tekton-triggers-eventlistener-role

20
infrastructure/cicd/tekton-helm/templates/secrets.yaml
View File

@@ -4,7 +4,7 @@ apiVersion: v1
kind: Secret
metadata:
name: gitea-webhook-secret
namespace: {{ .Values.namespace }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: triggers
@@ -17,11 +17,16 @@ stringData:
# Secret for Gitea container registry credentials
# Used by Kaniko to push images to Gitea registry
# References the existing gitea-admin-secret for consistency
{{- $giteaSecret := (lookup "v1" "Secret" "gitea" "gitea-admin-secret") }}
{{- $giteaPassword := "" }}
{{- if and $giteaSecret $giteaSecret.data (index $giteaSecret.data "password") }}
{{- $giteaPassword = index $giteaSecret.data "password" | b64dec }}
{{- end }}
apiVersion: v1
kind: Secret
metadata:
name: gitea-registry-credentials
namespace: {{ .Values.namespace }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: build
@@ -29,13 +34,14 @@ metadata:
note: "Registry credentials for pushing images - references gitea-admin-secret"
type: kubernetes.io/dockerconfigjson
stringData:
{{- $registryPassword := .Values.secrets.registry.password | default $giteaPassword | default "PLACEHOLDER_PASSWORD" }}
{{- if and .Values.secrets.registry.registryUrl .Values.secrets.registry.username }}
.dockerconfigjson: |
{
"auths": {
{{ .Values.secrets.registry.registryUrl | quote }}: {
"username": {{ .Values.secrets.registry.username | quote }},
"password": {{ .Values.secrets.registry.password | default (lookup "v1" "Secret" "gitea" "gitea-admin-secret").data.password | b64dec | quote }}
"password": {{ $registryPassword | quote }}
}
}
}
@@ -49,7 +55,7 @@ apiVersion: v1
kind: Secret
metadata:
name: gitea-git-credentials
namespace: {{ .Values.namespace }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: gitops
@@ -57,8 +63,9 @@ metadata:
note: "Git credentials for GitOps updates - references gitea-admin-secret"
type: Opaque
stringData:
{{- $gitPassword := .Values.secrets.git.password | default $giteaPassword | default "PLACEHOLDER_PASSWORD" }}
username: {{ .Values.secrets.git.username | quote }}
password: {{ .Values.secrets.git.password | default (lookup "v1" "Secret" "gitea" "gitea-admin-secret").data.password | b64dec | quote }}
password: {{ $gitPassword | quote }}
---
# Secret for Flux GitRepository access
# Used by Flux to pull from Gitea repository
@@ -75,5 +82,6 @@ metadata:
note: "Credentials for Flux GitRepository access - references gitea-admin-secret"
type: Opaque
stringData:
{{- $fluxPassword := .Values.secrets.git.password | default $giteaPassword | default "PLACEHOLDER_PASSWORD" }}
username: {{ .Values.secrets.git.username | quote }}
password: {{ .Values.secrets.git.password | default (lookup "v1" "Secret" "gitea" "gitea-admin-secret").data.password | b64dec | quote }}
password: {{ $fluxPassword | quote }}

4
infrastructure/cicd/tekton-helm/templates/serviceaccounts.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.serviceAccounts.triggers.name }}
namespace: {{ .Values.namespace }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: triggers
@@ -13,7 +13,7 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.serviceAccounts.pipeline.name }}
namespace: {{ .Values.namespace }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: pipeline

2
infrastructure/cicd/tekton-helm/templates/task-detect-changes.yaml
View File

@@ -5,7 +5,7 @@ apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: detect-changed-services
namespace: {{ .Values.namespace }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: detection

2
infrastructure/cicd/tekton-helm/templates/task-git-clone.yaml
View File

@@ -5,7 +5,7 @@ apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: git-clone
namespace: {{ .Values.namespace }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: source

6
infrastructure/cicd/tekton-helm/templates/task-kaniko-build.yaml
View File

@@ -6,7 +6,7 @@ apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: kaniko-build
namespace: {{ .Values.namespace }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: build
@@ -29,11 +29,11 @@ spec:
- name: base-registry
type: string
description: Base image registry URL (e.g., docker.io, ghcr.io/org)
default: "docker.io"
default: "gitea-http.gitea.svc.cluster.local:3000/bakery-admin"
- name: python-image
type: string
description: Python base image name and tag
default: "python:3.11-slim"
default: "python_3.11-slim"
results:
- name: build-status
description: Status of the build operation

2
infrastructure/cicd/tekton-helm/templates/task-pipeline-summary.yaml
View File

@@ -5,7 +5,7 @@ apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: pipeline-summary
namespace: {{ .Values.namespace }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: summary

6
infrastructure/cicd/tekton-helm/templates/task-run-tests.yaml
View File

@@ -5,7 +5,7 @@ apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: run-tests
namespace: {{ .Values.namespace }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: test
@@ -23,7 +23,7 @@ spec:
default: "false"
steps:
- name: run-unit-tests
image: python:3.11-slim
image: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/python_3.11-slim:latest
workingDir: $(workspaces.source.path)
script: |
#!/bin/bash
@@ -57,7 +57,7 @@ spec:
cpu: 200m
memory: 512Mi
- name: run-integration-tests
image: python:3.11-slim
image: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/python_3.11-slim:latest
workingDir: $(workspaces.source.path)
script: |
#!/bin/bash

2
infrastructure/cicd/tekton-helm/templates/task-update-gitops.yaml
View File

@@ -5,7 +5,7 @@ apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: update-gitops
namespace: {{ .Values.namespace }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: gitops

2
infrastructure/cicd/tekton-helm/templates/trigger-binding.yaml
View File

@@ -5,7 +5,7 @@ apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerBinding
metadata:
name: bakery-ia-trigger-binding
namespace: {{ .Values.namespace }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: triggers

2
infrastructure/cicd/tekton-helm/templates/trigger-template.yaml
View File

@@ -5,7 +5,7 @@ apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerTemplate
metadata:
name: bakery-ia-trigger-template
namespace: {{ .Values.namespace }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: triggers

13
infrastructure/cicd/tekton-helm/values.yaml
View File

@@ -5,7 +5,7 @@
global:
# Registry configuration
registry:
url: "gitea.bakery-ia.local:5000"
url: "gitea-http.gitea.svc.cluster.local:3000/bakery-admin"
# Git configuration
git:
@@ -21,9 +21,9 @@ pipeline:
verbosity: "info"
# Base image registry configuration
# For dev: localhost:5000 with python_3.11-slim
# For prod: docker.io with python:3.11-slim
baseRegistry: "docker.io"
pythonImage: "python:3.11-slim"
# For prod: gitea registry with python_3.11-slim
baseRegistry: "gitea-http.gitea.svc.cluster.local:3000/bakery-admin"
pythonImage: "python_3.11-slim"
# Test configuration
test:
@@ -63,7 +63,8 @@ webhook:
memory: 64Mi
# Namespace for Tekton resources
namespace: "tekton-pipelines"
# Set to empty/false to skip namespace creation (namespace is created by Tekton installation)
namespace: ""
# Secrets configuration
secrets:
@@ -76,7 +77,7 @@ secrets:
registry:
username: "bakery-admin"
password: "" # Will be populated from gitea-admin-secret
registryUrl: "gitea.bakery-ia.local:5000"
registryUrl: "gitea-http.gitea.svc.cluster.local:3000"
# Git credentials for GitOps updates
# Uses the same credentials as Gitea admin for consistency

2
infrastructure/environments/dev/k8s-manifests/dev-certificate.yaml
View File

@@ -25,6 +25,8 @@ spec:
- bakery-ia.local
- api.bakery-ia.local
- monitoring.bakery-ia.local
- gitea.bakery-ia.local
- registry.bakery-ia.local
- "*.bakery-ia.local"
- "mail.bakery-ia.dev"
- "*.bakery-ia.dev"

94
infrastructure/environments/dev/k8s-manifests/kustomization.yaml
View File

@@ -40,41 +40,6 @@ patches:
value: "true"
# NOTE: nominatim patches removed - nominatim is now deployed via Helm (tilt trigger nominatim-helm)
# Add imagePullSecrets to all Deployments for Gitea registry authentication
- target:
kind: Deployment
patch: |-
- op: add
path: /spec/template/spec/imagePullSecrets
value:
- name: gitea-registry-secret
# Add imagePullSecrets to all StatefulSets for Gitea registry authentication
- target:
kind: StatefulSet
patch: |-
- op: add
path: /spec/template/spec/imagePullSecrets
value:
- name: gitea-registry-secret
# Add imagePullSecrets to all Jobs for Gitea registry authentication
- target:
kind: Job
patch: |-
- op: add
path: /spec/template/spec/imagePullSecrets
value:
- name: gitea-registry-secret
# Add imagePullSecrets to all CronJobs for Gitea registry authentication
- target:
kind: CronJob
patch: |-
- op: add
path: /spec/jobTemplate/spec/template/spec/imagePullSecrets
value:
- name: gitea-registry-secret
labels:
- includeSelectors: true
@@ -82,59 +47,58 @@ labels:
environment: development
tier: local
# Dev image overrides - use Gitea registry to avoid Docker Hub rate limits
# Dev image overrides - use Kind registry to avoid Docker Hub rate limits
# IMPORTANT: All image names must be lowercase (Docker requirement)
# The prepull-base-images.sh script pushes images to registry.bakery-ia.local/bakery-admin/
# For internal cluster access, use the Gitea service directly
# Format: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/<package-name>:<original-tag>
# The prepull-base-images.sh script pushes images to localhost:5000/ with format: <repo>_<tag>
# Format: localhost:5000/<package-name>_<tag>:latest
images:
# Database images
- name: postgres
newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/postgres
newTag: "17-alpine"
newName: localhost:5000/postgres_17_alpine
newTag: latest
- name: redis
newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/redis
newTag: "7.4-alpine"
newName: localhost:5000/redis_7_4_alpine
newTag: latest
- name: rabbitmq
newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/rabbitmq
newTag: "4.1-management-alpine"
newName: localhost:5000/rabbitmq_4_1_management_alpine
newTag: latest
# Utility images
- name: busybox
newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/busybox
newTag: "1.36"
newName: localhost:5000/busybox_1_36
newTag: latest
- name: curlimages/curl
newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/curlimages-curl
newName: localhost:5000/curlimages_curl_latest
newTag: latest
- name: bitnami/kubectl
newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/bitnami-kubectl
newName: localhost:5000/bitnami_kubectl_latest
newTag: latest
# Alpine variants
- name: alpine
newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/alpine
newTag: "3.19"
newName: localhost:5000/alpine_3_19
newTag: latest
- name: alpine/git
newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/alpine-git
newTag: "2.43.0"
# CI/CD images (cached in Gitea registry for consistency)
newName: localhost:5000/alpine_git_2_43_0
newTag: latest
# CI/CD images (cached in Kind registry for consistency)
- name: gcr.io/kaniko-project/executor
newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/gcr.io-kaniko-project-executor
newTag: v1.23.0
newName: localhost:5000/gcr_io_kaniko_project_executor_v1_23_0
newTag: latest
- name: gcr.io/go-containerregistry/crane
newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/gcr.io-go-containerregistry-crane
newName: localhost:5000/gcr_io_go_containerregistry_crane_latest
newTag: latest
- name: registry.k8s.io/kustomize/kustomize
newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/registry.k8s.io-kustomize-kustomize
newTag: v5.3.0
newName: localhost:5000/registry_k8s_io_kustomize_kustomize_v5_3_0
newTag: latest
# Storage images
- name: minio/minio
newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/minio-minio
newTag: RELEASE.2024-11-07T00-52-20Z
newName: localhost:5000/minio_minio_release_2024_11_07t00_52_20z
newTag: latest
- name: minio/mc
newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/minio-mc
newTag: RELEASE.2024-11-17T19-35-25Z
newName: localhost:5000/minio_mc_release_2024_11_17t19_35_25z
newTag: latest
# NOTE: nominatim image override removed - nominatim is now deployed via Helm
# Python base image
- name: python
newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/python
newTag: "3.11-slim"
newName: localhost:5000/python_3_11_slim
newTag: latest

1
infrastructure/environments/prod/k8s-manifests/prod-certificate.yaml
View File

@@ -26,6 +26,7 @@ spec:
- mail.bakewise.ai
- monitoring.bakewise.ai
- gitea.bakewise.ai
- registry.bakewise.ai
- api.bakewise.ai
# Use Let's Encrypt production issuer

2
infrastructure/platform/cert-manager/cluster-issuer-production.yaml
View File

@@ -16,7 +16,7 @@ spec:
solvers:
- http01:
ingress:
class: nginx
class: public
podTemplate:
spec:
nodeSelector:

2
infrastructure/platform/cert-manager/cluster-issuer-staging.yaml
View File

@@ -17,7 +17,7 @@ spec:
solvers:
- http01:
ingress:
class: nginx
class: public
podTemplate:
spec:
nodeSelector:

8
infrastructure/platform/cert-manager/selfsigned-issuer.yaml Normal file
View File

@@ -0,0 +1,8 @@
# Self-signed ClusterIssuer for local development certificates
# This issuer can generate self-signed certificates without needing external CA
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: selfsigned-issuer
spec:
selfSigned: {}

77
infrastructure/platform/mail/mailu-helm/configs/mailgun-credentials-secret.yaml Normal file
View File

@@ -0,0 +1,77 @@
# Mailgun SMTP Credentials Secret for Mailu
#
# This secret stores Mailgun credentials for outbound email relay.
# Mailu uses Mailgun as an external SMTP relay to send all outbound emails.
#
# HOW TO CONFIGURE:
# 1. Go to https://www.mailgun.com and create an account
# 2. Add and verify your domain (e.g., bakery-ia.dev or bakewise.ai)
# 3. Go to Domain Settings > SMTP credentials
# 4. Note your SMTP credentials:
# - SMTP hostname: smtp.mailgun.org
# - Port: 587 (TLS)
# - Username: usually postmaster@yourdomain.com
# - Password: your Mailgun SMTP password (NOT API key)
# 5. Base64 encode your password:
# echo -n 'your-mailgun-smtp-password' | base64
# 6. Replace MAILGUN_SMTP_PASSWORD_BASE64 below with the encoded value
# 7. Apply this secret:
# kubectl apply -f mailgun-credentials-secret.yaml -n bakery-ia
#
# IMPORTANT NOTES:
# - Use the SMTP password from Mailgun, not the API key
# - The username is typically postmaster@yourdomain.com
# - For sandbox domains, Mailgun requires authorized recipients
# - Production domains need DNS verification (SPF, DKIM, MX records)
#
# DNS RECORDS REQUIRED FOR MAILGUN:
# You will need to add these DNS records for your domain:
# - SPF: TXT record for email authentication
# - DKIM: TXT records for email signing (Mailgun provides these)
# - MX: If you want to receive emails via Mailgun (optional for relay-only)
#
---
apiVersion: v1
kind: Secret
metadata:
name: mailu-mailgun-credentials
namespace: bakery-ia
labels:
app: mailu
component: external-relay
type: Opaque
data:
# Base64 encoded Mailgun SMTP password
# To encode: echo -n 'your-password' | base64
# To decode: echo 'encoded-value' | base64 -d
RELAY_PASSWORD: MAILGUN_SMTP_PASSWORD_BASE64
---
# Development environment secret (separate for different Mailgun domain)
apiVersion: v1
kind: Secret
metadata:
name: mailu-mailgun-credentials-dev
namespace: bakery-ia
labels:
app: mailu
component: external-relay
environment: dev
type: Opaque
data:
# Mailgun credentials for bakery-ia.dev domain
RELAY_PASSWORD: MAILGUN_DEV_SMTP_PASSWORD_BASE64
---
# Production environment secret
apiVersion: v1
kind: Secret
metadata:
name: mailu-mailgun-credentials-prod
namespace: bakery-ia
labels:
app: mailu
component: external-relay
environment: prod
type: Opaque
data:
# Mailgun credentials for bakewise.ai domain
RELAY_PASSWORD: MAILGUN_PROD_SMTP_PASSWORD_BASE64

12
infrastructure/platform/mail/mailu-helm/dev/values.yaml
View File

@@ -36,11 +36,17 @@ domain: "bakery-ia.dev"
hostnames:
- "mail.bakery-ia.dev"
# External relay configuration for dev
# External relay configuration for dev (Mailgun)
# All outbound emails will be relayed through Mailgun SMTP
# To configure:
# 1. Register at mailgun.com and verify your domain (bakery-ia.dev)
# 2. Get your SMTP credentials from Mailgun dashboard
# 3. Update the secret in configs/mailgun-credentials-secret.yaml
# 4. Apply the secret: kubectl apply -f configs/mailgun-credentials-secret.yaml
externalRelay:
host: "[smtp.mailgun.org]:587"
username: "postmaster@bakery-ia.dev"
password: "mailgun-api-key-replace-in-production"
username: "postmaster@bakery-ia.dev" # Your Mailgun SMTP username (usually postmaster@yourdomain)
password: "" # Will be loaded from secret - see configs/mailgun-credentials-secret.yaml
# Environment-specific configurations
persistence:

23
infrastructure/platform/mail/mailu-helm/mailu-ingress.yaml
View File

@@ -2,27 +2,30 @@ apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: mailu-ingress
namespace: bakery-ia # Same as Mailu's namespace
namespace: bakery-ia
labels:
app.kubernetes.io/name: mailu
app.kubernetes.io/component: ingress
annotations:
kubernetes.io/ingress.class: nginx # Or your Ingress class
nginx.ingress.kubernetes.io/proxy-body-size: "100m" # Allow larger email attachments
nginx.ingress.kubernetes.io/proxy-read-timeout: "3600" # For long connections
nginx.ingress.kubernetes.io/proxy-body-size: "100m"
nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true" # Redirect HTTP to HTTPS
# If using Cert-Manager: cert-manager.io/cluster-issuer: "letsencrypt-prod"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
ingressClassName: nginx
tls:
- hosts:
- mail.bakery-ia.dev # or mail.bakewise.ai for prod
secretName: mail-tls-secret # Your TLS Secret
- mail.bakery-ia.dev
secretName: bakery-dev-tls-cert
rules:
- host: mail.bakery-ia.dev # or mail.bakewise.ai for prod
- host: mail.bakery-ia.dev
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: mailu-front-http # Mailu's front service (check with kubectl get svc -n bakery-ia)
name: mailu-front # Helm release name 'mailu' + component 'front'
port:
number: 80

12
infrastructure/platform/mail/mailu-helm/prod/values.yaml
View File

@@ -21,11 +21,17 @@ domain: "bakewise.ai"
hostnames:
- "mail.bakewise.ai"
# External relay configuration for production
# External relay configuration for production (Mailgun)
# All outbound emails will be relayed through Mailgun SMTP
# To configure:
# 1. Register at mailgun.com and verify your domain (bakewise.ai)
# 2. Get your SMTP credentials from Mailgun dashboard
# 3. Update the secret in configs/mailgun-credentials-secret.yaml
# 4. Apply the secret: kubectl apply -f configs/mailgun-credentials-secret.yaml
externalRelay:
host: "[smtp.mailgun.org]:587"
username: "postmaster@bakewise.ai"
password: "PRODUCTION_MAILGUN_API_KEY" # This should be set via secret
username: "postmaster@bakewise.ai" # Your Mailgun SMTP username
password: "" # Will be loaded from secret - see configs/mailgun-credentials-secret.yaml
# Environment-specific configurations
persistence:

6
infrastructure/platform/mail/mailu-helm/values.yaml
View File

@@ -39,10 +39,12 @@ limits:
value: "200/day"
# External relay configuration (Mailgun)
# Mailu will relay all outbound emails through Mailgun SMTP
# Credentials should be provided via Kubernetes secret or environment-specific values
externalRelay:
host: "[smtp.mailgun.org]:587"
username: "postmaster@DOMAIN_PLACEHOLDER"
password: "mailgun-api-key-replace-in-production"
username: "" # Set in environment-specific values or via secret
password: "" # Set in environment-specific values or via secret
# Webmail configuration
webmail:

18
infrastructure/platform/networking/ingress/overlays/dev/gitea-service.yaml
View File

@@ -1,18 +0,0 @@
---
# Service to route traffic from bakery-ia namespace to Gitea in gitea namespace
# Using ExternalName pointing to the headless service FQDN
# The ingress controller can resolve headless services via DNS (returns pod IPs)
# NOTE: Gitea's container registry is served on port 3000 (same as HTTP) at /v2/ path
apiVersion: v1
kind: Service
metadata:
name: gitea-http
namespace: bakery-ia
spec:
type: ExternalName
# Use the headless service DNS name - nginx ingress resolves this to pod IPs
externalName: gitea-http.gitea.svc.cluster.local
ports:
- name: http
port: 3000
targetPort: 3000

21
infrastructure/platform/networking/ingress/overlays/dev/kustomization.yaml
View File

@@ -3,7 +3,6 @@ kind: Kustomization
resources:
- ../../base
- gitea-service.yaml
namePrefix: dev-
@@ -15,30 +14,14 @@ patches:
- op: replace
path: /spec/tls/0/hosts/0
value: bakery-ia.local
- op: replace
path: /spec/tls/0/hosts/1
value: gitea.bakery-ia.local
- op: replace
path: /spec/tls/0/hosts/2
value: registry.bakery-ia.local
- op: replace
path: /spec/tls/0/hosts/3
value: mail.bakery-ia.dev
- op: replace
path: /spec/tls/0/secretName
value: bakery-dev-tls-cert
- op: replace
path: /spec/rules/0/host
value: bakery-ia.local
- op: replace
path: /spec/rules/1/host
value: gitea.bakery-ia.local
- op: replace
path: /spec/rules/2/host
value: registry.bakery-ia.local
- op: replace
path: /spec/rules/3/host
value: mail.bakery-ia.dev
- op: replace
path: /metadata/annotations/nginx.ingress.kubernetes.io~1cors-allow-origin
value: "https://localhost,https://localhost:3000,https://localhost:3001,https://127.0.0.1,https://127.0.0.1:3000,https://127.0.0.1:3001,https://bakery-ia.local,https://registry.bakery-ia.local,https://gitea.bakery-ia.local,http://localhost,http://localhost:3000,http://localhost:3001,http://127.0.0.1,http://127.0.0.1:3000"
# NOTE: Gitea and Registry ingresses are managed by Gitea Helm chart (infrastructure/cicd/gitea/values.yaml)
# NOTE: Mail ingress (mail.bakery-ia.dev) is deployed separately via mailu-helm Tilt resource

11
infrastructure/platform/networking/ingress/overlays/prod/gitea-service.yaml
View File

@@ -1,11 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: gitea-http
namespace: bakery-ia
spec:
type: ExternalName
externalName: gitea-http.gitea.svc.cluster.local
ports:
- port: 3000
targetPort: 3000