Add new infra architecture 11

infrastructure/cicd/gitea/setup-admin-secret.sh

@@ -19,18 +19,23 @@ GITEA_NAMESPACE="gitea"
 BAKERY_NAMESPACE="bakery-ia"
 REGISTRY_HOST="registry.bakery-ia.local"
 ADMIN_USERNAME="bakery-admin"
+# Static password for consistent dev environment setup
+# This ensures the same credentials work across environment recreations
+STATIC_ADMIN_PASSWORD="pvYUkGWJijqc0QfIZEXw"
 
 # Check if running in microk8s
 if command -v microk8s &> /dev/null; then
     KUBECTL="microk8s kubectl"
 fi
 
-# Get or generate password
+# Get password from argument, environment variable, or use static default
 if [ -n "$1" ]; then
     ADMIN_PASSWORD="$1"
+elif [ -n "$GITEA_ADMIN_PASSWORD" ]; then
+    ADMIN_PASSWORD="$GITEA_ADMIN_PASSWORD"
 else
-    ADMIN_PASSWORD=$(openssl rand -base64 24 | tr -d '/+=' | head -c 20)
-    echo "Generated admin password: $ADMIN_PASSWORD"
+    ADMIN_PASSWORD="$STATIC_ADMIN_PASSWORD"
+    echo "Using static admin password for dev environment consistency"
 fi
 
 # Create namespaces if they don't exist

infrastructure/cicd/gitea/values-prod.yaml

@@ -0,0 +1,65 @@
+# Gitea Helm values for Production environment
+# This file overrides values.yaml for production deployment
+#
+# Installation:
+#   helm upgrade --install gitea gitea/gitea -n gitea \
+#     -f infrastructure/cicd/gitea/values.yaml \
+#     -f infrastructure/cicd/gitea/values-prod.yaml
+
+ingress:
+  enabled: true
+  className: nginx
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/proxy-body-size: "500m"
+    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+    cert-manager.io/cluster-issuer: "letsencrypt-production"
+  hosts:
+    - host: gitea.bakewise.ai
+      paths:
+        - path: /
+          pathType: Prefix
+  tls:
+    - secretName: gitea-tls-cert
+      hosts:
+        - gitea.bakewise.ai
+  apiIngress:
+    enabled: true
+    className: nginx
+    annotations:
+      nginx.ingress.kubernetes.io/ssl-redirect: "true"
+      nginx.ingress.kubernetes.io/proxy-body-size: "500m"
+      cert-manager.io/cluster-issuer: "letsencrypt-production"
+    hosts:
+      - host: registry.bakewise.ai
+        paths:
+          - path: /
+            pathType: Prefix
+    tls:
+      - secretName: registry-tls-cert
+        hosts:
+          - registry.bakewise.ai
+
+gitea:
+  admin:
+    email: admin@bakewise.ai
+  config:
+    server:
+      DOMAIN: gitea.bakewise.ai
+      SSH_DOMAIN: gitea.bakewise.ai
+      ROOT_URL: https://gitea.bakewise.ai
+
+# Production resources - adjust based on expected load
+resources:
+  limits:
+    cpu: 1000m
+    memory: 1Gi
+  requests:
+    cpu: 200m
+    memory: 512Mi
+
+# Larger storage for production
+persistence:
+  size: 50Gi

infrastructure/cicd/gitea/values.yaml

@@ -25,7 +25,40 @@ service:
   # Registry authentication and API is handled by the main HTTP service
 
 ingress:
-  enabled: false  # Disable Gitea's built-in ingress - use common ingress instead
+  enabled: true
+  className: nginx
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/proxy-body-size: "500m"
+    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+  hosts:
+    - host: gitea.bakery-ia.local
+      paths:
+        - path: /
+          pathType: Prefix
+  tls:
+    - secretName: bakery-dev-tls-cert
+      hosts:
+        - gitea.bakery-ia.local
+        - registry.bakery-ia.local
+  # Additional ingress for container registry (same backend, different hostname)
+  apiIngress:
+    enabled: true
+    className: nginx
+    annotations:
+      nginx.ingress.kubernetes.io/ssl-redirect: "true"
+      nginx.ingress.kubernetes.io/proxy-body-size: "500m"
+    hosts:
+      - host: registry.bakery-ia.local
+        paths:
+          - path: /
+            pathType: Prefix
+    tls:
+      - secretName: bakery-dev-tls-cert
+        hosts:
+          - registry.bakery-ia.local
 
 persistence:
   enabled: true