Add new infra architecture 11
This commit is contained in:
Urtzi Alfaro
@@ -1,7 +1,9 @@
|
||||
{{- if .Values.createNamespace | default false }}
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: {{ .Values.gitRepository.namespace }}
|
||||
labels:
|
||||
app.kubernetes.io/name: flux
|
||||
kubernetes.io/metadata.name: {{ .Values.gitRepository.namespace }}
|
||||
kubernetes.io/metadata.name: {{ .Values.gitRepository.namespace }}
|
||||
{{- end }}
|
||||
@@ -6,7 +6,7 @@ gitRepository:
|
||||
name: bakery-ia
|
||||
namespace: flux-system
|
||||
interval: 1m
|
||||
url: http://gitea.bakery-ia.local/bakery-admin/bakery-ia.git
|
||||
url: http://gitea-http.gitea.svc.cluster.local:3000/bakery-admin/bakery-ia.git
|
||||
ref:
|
||||
branch: main
|
||||
secretRef:
|
||||
|
||||
@@ -19,18 +19,23 @@ GITEA_NAMESPACE="gitea"
|
||||
BAKERY_NAMESPACE="bakery-ia"
|
||||
REGISTRY_HOST="registry.bakery-ia.local"
|
||||
ADMIN_USERNAME="bakery-admin"
|
||||
# Static password for consistent dev environment setup
|
||||
# This ensures the same credentials work across environment recreations
|
||||
STATIC_ADMIN_PASSWORD="pvYUkGWJijqc0QfIZEXw"
|
||||
|
||||
# Check if running in microk8s
|
||||
if command -v microk8s &> /dev/null; then
|
||||
KUBECTL="microk8s kubectl"
|
||||
fi
|
||||
|
||||
# Get or generate password
|
||||
# Get password from argument, environment variable, or use static default
|
||||
if [ -n "$1" ]; then
|
||||
ADMIN_PASSWORD="$1"
|
||||
elif [ -n "$GITEA_ADMIN_PASSWORD" ]; then
|
||||
ADMIN_PASSWORD="$GITEA_ADMIN_PASSWORD"
|
||||
else
|
||||
ADMIN_PASSWORD=$(openssl rand -base64 24 | tr -d '/+=' | head -c 20)
|
||||
echo "Generated admin password: $ADMIN_PASSWORD"
|
||||
ADMIN_PASSWORD="$STATIC_ADMIN_PASSWORD"
|
||||
echo "Using static admin password for dev environment consistency"
|
||||
fi
|
||||
|
||||
# Create namespaces if they don't exist
|
||||
|
||||
65
infrastructure/cicd/gitea/values-prod.yaml
Normal file
65
infrastructure/cicd/gitea/values-prod.yaml
Normal file
@@ -0,0 +1,65 @@
|
||||
# Gitea Helm values for Production environment
|
||||
# This file overrides values.yaml for production deployment
|
||||
#
|
||||
# Installation:
|
||||
# helm upgrade --install gitea gitea/gitea -n gitea \
|
||||
# -f infrastructure/cicd/gitea/values.yaml \
|
||||
# -f infrastructure/cicd/gitea/values-prod.yaml
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
className: nginx
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: "500m"
|
||||
nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
|
||||
nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
|
||||
nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
|
||||
cert-manager.io/cluster-issuer: "letsencrypt-production"
|
||||
hosts:
|
||||
- host: gitea.bakewise.ai
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- secretName: gitea-tls-cert
|
||||
hosts:
|
||||
- gitea.bakewise.ai
|
||||
apiIngress:
|
||||
enabled: true
|
||||
className: nginx
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: "500m"
|
||||
cert-manager.io/cluster-issuer: "letsencrypt-production"
|
||||
hosts:
|
||||
- host: registry.bakewise.ai
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- secretName: registry-tls-cert
|
||||
hosts:
|
||||
- registry.bakewise.ai
|
||||
|
||||
gitea:
|
||||
admin:
|
||||
email: admin@bakewise.ai
|
||||
config:
|
||||
server:
|
||||
DOMAIN: gitea.bakewise.ai
|
||||
SSH_DOMAIN: gitea.bakewise.ai
|
||||
ROOT_URL: https://gitea.bakewise.ai
|
||||
|
||||
# Production resources - adjust based on expected load
|
||||
resources:
|
||||
limits:
|
||||
cpu: 1000m
|
||||
memory: 1Gi
|
||||
requests:
|
||||
cpu: 200m
|
||||
memory: 512Mi
|
||||
|
||||
# Larger storage for production
|
||||
persistence:
|
||||
size: 50Gi
|
||||
@@ -25,7 +25,40 @@ service:
|
||||
# Registry authentication and API is handled by the main HTTP service
|
||||
|
||||
ingress:
|
||||
enabled: false # Disable Gitea's built-in ingress - use common ingress instead
|
||||
enabled: true
|
||||
className: nginx
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: "500m"
|
||||
nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
|
||||
nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
|
||||
nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
|
||||
hosts:
|
||||
- host: gitea.bakery-ia.local
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- secretName: bakery-dev-tls-cert
|
||||
hosts:
|
||||
- gitea.bakery-ia.local
|
||||
- registry.bakery-ia.local
|
||||
# Additional ingress for container registry (same backend, different hostname)
|
||||
apiIngress:
|
||||
enabled: true
|
||||
className: nginx
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: "500m"
|
||||
hosts:
|
||||
- host: registry.bakery-ia.local
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- secretName: bakery-dev-tls-cert
|
||||
hosts:
|
||||
- registry.bakery-ia.local
|
||||
|
||||
persistence:
|
||||
enabled: true
|
||||
|
||||
@@ -17,6 +17,6 @@ After Tekton is installed, this chart will deploy:
|
||||
- Tasks, Pipelines, and Triggers for CI/CD
|
||||
|
||||
To check the status of deployed resources:
|
||||
kubectl get all -n {{ .Values.namespace }}
|
||||
kubectl get all -n {{ .Release.Namespace }}
|
||||
|
||||
For more information about Tekton, visit: https://tekton.dev/
|
||||
@@ -31,6 +31,10 @@ rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["create", "patch"]
|
||||
# Ability to list cluster-scoped trigger resources (needed for Tekton Triggers controller)
|
||||
- apiGroups: ["triggers.tekton.dev"]
|
||||
resources: ["clustertriggerbindings", "clusterinterceptors"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
---
|
||||
# ClusterRole for Pipeline execution (needed for git operations and deployments)
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
@@ -63,7 +67,7 @@ apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: tekton-triggers-eventlistener-role
|
||||
namespace: {{ .Values.namespace }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ .Values.labels.app.name }}
|
||||
app.kubernetes.io/component: triggers
|
||||
|
||||
@@ -2,7 +2,7 @@ apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: pipeline-config
|
||||
namespace: {{ .Values.namespace }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ .Values.labels.app.name }}
|
||||
app.kubernetes.io/component: config
|
||||
|
||||
@@ -5,7 +5,7 @@ apiVersion: triggers.tekton.dev/v1beta1
|
||||
kind: EventListener
|
||||
metadata:
|
||||
name: bakery-ia-event-listener
|
||||
namespace: {{ .Values.namespace }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ .Values.labels.app.name }}
|
||||
app.kubernetes.io/component: triggers
|
||||
|
||||
@@ -7,7 +7,7 @@ apiVersion: tekton.dev/v1beta1
|
||||
kind: Pipeline
|
||||
metadata:
|
||||
name: bakery-ia-ci
|
||||
namespace: {{ .Values.namespace }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ .Values.labels.app.name }}
|
||||
app.kubernetes.io/component: pipeline
|
||||
|
||||
@@ -9,7 +9,7 @@ metadata:
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ .Values.serviceAccounts.triggers.name }}
|
||||
namespace: {{ .Values.namespace }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: tekton-triggers-role
|
||||
@@ -26,7 +26,7 @@ metadata:
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ .Values.serviceAccounts.pipeline.name }}
|
||||
namespace: {{ .Values.namespace }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: tekton-pipeline-role
|
||||
@@ -37,14 +37,14 @@ apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: tekton-triggers-eventlistener-binding
|
||||
namespace: {{ .Values.namespace }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ .Values.labels.app.name }}
|
||||
app.kubernetes.io/component: triggers
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ .Values.serviceAccounts.triggers.name }}
|
||||
namespace: {{ .Values.namespace }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: tekton-triggers-eventlistener-role
|
||||
|
||||
@@ -4,7 +4,7 @@ apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: gitea-webhook-secret
|
||||
namespace: {{ .Values.namespace }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ .Values.labels.app.name }}
|
||||
app.kubernetes.io/component: triggers
|
||||
@@ -17,11 +17,16 @@ stringData:
|
||||
# Secret for Gitea container registry credentials
|
||||
# Used by Kaniko to push images to Gitea registry
|
||||
# References the existing gitea-admin-secret for consistency
|
||||
{{- $giteaSecret := (lookup "v1" "Secret" "gitea" "gitea-admin-secret") }}
|
||||
{{- $giteaPassword := "" }}
|
||||
{{- if and $giteaSecret $giteaSecret.data (index $giteaSecret.data "password") }}
|
||||
{{- $giteaPassword = index $giteaSecret.data "password" | b64dec }}
|
||||
{{- end }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: gitea-registry-credentials
|
||||
namespace: {{ .Values.namespace }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ .Values.labels.app.name }}
|
||||
app.kubernetes.io/component: build
|
||||
@@ -29,13 +34,14 @@ metadata:
|
||||
note: "Registry credentials for pushing images - references gitea-admin-secret"
|
||||
type: kubernetes.io/dockerconfigjson
|
||||
stringData:
|
||||
{{- $registryPassword := .Values.secrets.registry.password | default $giteaPassword | default "PLACEHOLDER_PASSWORD" }}
|
||||
{{- if and .Values.secrets.registry.registryUrl .Values.secrets.registry.username }}
|
||||
.dockerconfigjson: |
|
||||
{
|
||||
"auths": {
|
||||
{{ .Values.secrets.registry.registryUrl | quote }}: {
|
||||
"username": {{ .Values.secrets.registry.username | quote }},
|
||||
"password": {{ .Values.secrets.registry.password | default (lookup "v1" "Secret" "gitea" "gitea-admin-secret").data.password | b64dec | quote }}
|
||||
"password": {{ $registryPassword | quote }}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -49,7 +55,7 @@ apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: gitea-git-credentials
|
||||
namespace: {{ .Values.namespace }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ .Values.labels.app.name }}
|
||||
app.kubernetes.io/component: gitops
|
||||
@@ -57,8 +63,9 @@ metadata:
|
||||
note: "Git credentials for GitOps updates - references gitea-admin-secret"
|
||||
type: Opaque
|
||||
stringData:
|
||||
{{- $gitPassword := .Values.secrets.git.password | default $giteaPassword | default "PLACEHOLDER_PASSWORD" }}
|
||||
username: {{ .Values.secrets.git.username | quote }}
|
||||
password: {{ .Values.secrets.git.password | default (lookup "v1" "Secret" "gitea" "gitea-admin-secret").data.password | b64dec | quote }}
|
||||
password: {{ $gitPassword | quote }}
|
||||
---
|
||||
# Secret for Flux GitRepository access
|
||||
# Used by Flux to pull from Gitea repository
|
||||
@@ -75,5 +82,6 @@ metadata:
|
||||
note: "Credentials for Flux GitRepository access - references gitea-admin-secret"
|
||||
type: Opaque
|
||||
stringData:
|
||||
{{- $fluxPassword := .Values.secrets.git.password | default $giteaPassword | default "PLACEHOLDER_PASSWORD" }}
|
||||
username: {{ .Values.secrets.git.username | quote }}
|
||||
password: {{ .Values.secrets.git.password | default (lookup "v1" "Secret" "gitea" "gitea-admin-secret").data.password | b64dec | quote }}
|
||||
password: {{ $fluxPassword | quote }}
|
||||
|
||||
@@ -3,7 +3,7 @@ apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ .Values.serviceAccounts.triggers.name }}
|
||||
namespace: {{ .Values.namespace }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ .Values.labels.app.name }}
|
||||
app.kubernetes.io/component: triggers
|
||||
@@ -13,7 +13,7 @@ apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ .Values.serviceAccounts.pipeline.name }}
|
||||
namespace: {{ .Values.namespace }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ .Values.labels.app.name }}
|
||||
app.kubernetes.io/component: pipeline
|
||||
@@ -5,7 +5,7 @@ apiVersion: tekton.dev/v1beta1
|
||||
kind: Task
|
||||
metadata:
|
||||
name: detect-changed-services
|
||||
namespace: {{ .Values.namespace }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ .Values.labels.app.name }}
|
||||
app.kubernetes.io/component: detection
|
||||
|
||||
@@ -5,7 +5,7 @@ apiVersion: tekton.dev/v1beta1
|
||||
kind: Task
|
||||
metadata:
|
||||
name: git-clone
|
||||
namespace: {{ .Values.namespace }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ .Values.labels.app.name }}
|
||||
app.kubernetes.io/component: source
|
||||
|
||||
@@ -6,7 +6,7 @@ apiVersion: tekton.dev/v1beta1
|
||||
kind: Task
|
||||
metadata:
|
||||
name: kaniko-build
|
||||
namespace: {{ .Values.namespace }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ .Values.labels.app.name }}
|
||||
app.kubernetes.io/component: build
|
||||
@@ -29,11 +29,11 @@ spec:
|
||||
- name: base-registry
|
||||
type: string
|
||||
description: Base image registry URL (e.g., docker.io, ghcr.io/org)
|
||||
default: "docker.io"
|
||||
default: "gitea-http.gitea.svc.cluster.local:3000/bakery-admin"
|
||||
- name: python-image
|
||||
type: string
|
||||
description: Python base image name and tag
|
||||
default: "python:3.11-slim"
|
||||
default: "python_3.11-slim"
|
||||
results:
|
||||
- name: build-status
|
||||
description: Status of the build operation
|
||||
|
||||
@@ -5,7 +5,7 @@ apiVersion: tekton.dev/v1beta1
|
||||
kind: Task
|
||||
metadata:
|
||||
name: pipeline-summary
|
||||
namespace: {{ .Values.namespace }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ .Values.labels.app.name }}
|
||||
app.kubernetes.io/component: summary
|
||||
|
||||
@@ -5,7 +5,7 @@ apiVersion: tekton.dev/v1beta1
|
||||
kind: Task
|
||||
metadata:
|
||||
name: run-tests
|
||||
namespace: {{ .Values.namespace }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ .Values.labels.app.name }}
|
||||
app.kubernetes.io/component: test
|
||||
@@ -23,7 +23,7 @@ spec:
|
||||
default: "false"
|
||||
steps:
|
||||
- name: run-unit-tests
|
||||
image: python:3.11-slim
|
||||
image: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/python_3.11-slim:latest
|
||||
workingDir: $(workspaces.source.path)
|
||||
script: |
|
||||
#!/bin/bash
|
||||
@@ -57,7 +57,7 @@ spec:
|
||||
cpu: 200m
|
||||
memory: 512Mi
|
||||
- name: run-integration-tests
|
||||
image: python:3.11-slim
|
||||
image: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/python_3.11-slim:latest
|
||||
workingDir: $(workspaces.source.path)
|
||||
script: |
|
||||
#!/bin/bash
|
||||
|
||||
@@ -5,7 +5,7 @@ apiVersion: tekton.dev/v1beta1
|
||||
kind: Task
|
||||
metadata:
|
||||
name: update-gitops
|
||||
namespace: {{ .Values.namespace }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ .Values.labels.app.name }}
|
||||
app.kubernetes.io/component: gitops
|
||||
|
||||
@@ -5,7 +5,7 @@ apiVersion: triggers.tekton.dev/v1beta1
|
||||
kind: TriggerBinding
|
||||
metadata:
|
||||
name: bakery-ia-trigger-binding
|
||||
namespace: {{ .Values.namespace }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ .Values.labels.app.name }}
|
||||
app.kubernetes.io/component: triggers
|
||||
|
||||
@@ -5,7 +5,7 @@ apiVersion: triggers.tekton.dev/v1beta1
|
||||
kind: TriggerTemplate
|
||||
metadata:
|
||||
name: bakery-ia-trigger-template
|
||||
namespace: {{ .Values.namespace }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app.kubernetes.io/name: {{ .Values.labels.app.name }}
|
||||
app.kubernetes.io/component: triggers
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
global:
|
||||
# Registry configuration
|
||||
registry:
|
||||
url: "gitea.bakery-ia.local:5000"
|
||||
url: "gitea-http.gitea.svc.cluster.local:3000/bakery-admin"
|
||||
|
||||
# Git configuration
|
||||
git:
|
||||
@@ -21,9 +21,9 @@ pipeline:
|
||||
verbosity: "info"
|
||||
# Base image registry configuration
|
||||
# For dev: localhost:5000 with python_3.11-slim
|
||||
# For prod: docker.io with python:3.11-slim
|
||||
baseRegistry: "docker.io"
|
||||
pythonImage: "python:3.11-slim"
|
||||
# For prod: gitea registry with python_3.11-slim
|
||||
baseRegistry: "gitea-http.gitea.svc.cluster.local:3000/bakery-admin"
|
||||
pythonImage: "python_3.11-slim"
|
||||
|
||||
# Test configuration
|
||||
test:
|
||||
@@ -63,7 +63,8 @@ webhook:
|
||||
memory: 64Mi
|
||||
|
||||
# Namespace for Tekton resources
|
||||
namespace: "tekton-pipelines"
|
||||
# Set to empty/false to skip namespace creation (namespace is created by Tekton installation)
|
||||
namespace: ""
|
||||
|
||||
# Secrets configuration
|
||||
secrets:
|
||||
@@ -76,7 +77,7 @@ secrets:
|
||||
registry:
|
||||
username: "bakery-admin"
|
||||
password: "" # Will be populated from gitea-admin-secret
|
||||
registryUrl: "gitea.bakery-ia.local:5000"
|
||||
registryUrl: "gitea-http.gitea.svc.cluster.local:3000"
|
||||
|
||||
# Git credentials for GitOps updates
|
||||
# Uses the same credentials as Gitea admin for consistency
|
||||
|
||||
Reference in New Issue
Block a user