Add new infra architecture

Urtzi Alfaro
2026-01-19 11:55:17 +01:00
parent 21d35ea92b
commit 35f164f0cd
311 changed files with 13241 additions and 3700 deletions

335
Tiltfile

@@ -17,6 +17,43 @@
# =============================================================================
# =============================================================================
# PREPULL BASE IMAGES STEP - CRITICAL FIRST STEP
# =============================================================================
# Run the prepull script first - if this fails, don't continue
local_resource(
'prepull-base-images',
cmd='''#!/usr/bin/env bash
echo "=========================================="
echo "PREPULLING BASE IMAGES - CRITICAL STEP"
echo "=========================================="
echo ""
# Run the prepull script
if ./scripts/prepull-base-images.sh; then
echo ""
echo "✓ Base images prepull completed successfully"
echo "=========================================="
echo "CONTINUING WITH TILT SETUP..."
echo "=========================================="
exit 0
else
echo ""
echo "❌ Base images prepull FAILED - stopping Tilt execution"
echo "This usually happens due to Docker Hub rate limits"
echo "Please try again later or configure Docker Hub credentials"
echo "=========================================="
# Exit with error code to prevent further execution
exit 1
fi
''',
labels=['00-prepull'],
auto_init=True,
allow_parallel=False
)
# =============================================================================
# TILT CONFIGURATION
# =============================================================================
@@ -191,132 +228,68 @@ Monitoring:
Applying security configurations...
""")
# Create Docker Hub secret for image pulls (if credentials are available)
local_resource(
'dockerhub-secret',
cmd='''
echo "Setting up Docker Hub image pull secret..."
# Check if Docker Hub credentials are available
if [ -n "$DOCKERHUB_USERNAME" ] && [ -n "$DOCKERHUB_PASSWORD" ]; then
echo " Found DOCKERHUB_USERNAME and DOCKERHUB_PASSWORD environment variables"
./infrastructure/kubernetes/create-dockerhub-secret.sh
elif [ -f "$HOME/.docker/config.json" ]; then
echo " Attempting to use Docker CLI credentials..."
./infrastructure/kubernetes/create-dockerhub-secret.sh
else
echo " Docker Hub credentials not found"
echo " To enable automatic Docker Hub authentication:"
echo " 1. Run 'docker login', OR"
echo " 2. Set environment variables:"
echo " export DOCKERHUB_USERNAME='your-username'"
echo " export DOCKERHUB_PASSWORD='your-password-or-token'"
echo ""
echo " Continuing without Docker Hub authentication..."
echo " (This is OK for local development using local registry)"
fi
''',
labels=['00-security'],
auto_init=True
)
# Apply security configurations before loading main manifests
local_resource(
'security-setup',
cmd='''
echo "Applying security secrets and configurations..."
kubectl apply -f infrastructure/kubernetes/base/secrets.yaml
kubectl apply -f infrastructure/kubernetes/base/secrets/postgres-tls-secret.yaml
kubectl apply -f infrastructure/kubernetes/base/secrets/redis-tls-secret.yaml
kubectl apply -f infrastructure/kubernetes/base/configs/postgres-init-config.yaml
kubectl apply -f infrastructure/kubernetes/base/configmaps/postgres-logging-config.yaml
# First, ensure all required namespaces exist
echo "Creating namespaces..."
kubectl apply -f infrastructure/namespaces/bakery-ia.yaml
kubectl apply -f infrastructure/namespaces/tekton-pipelines.yaml
kubectl apply -f infrastructure/namespaces/flux-system.yaml
# Wait for namespaces to be ready
echo "Waiting for namespaces to be ready..."
for ns in bakery-ia tekton-pipelines flux-system; do
until kubectl get namespace $ns 2>/dev/null; do
echo "Waiting for namespace $ns to be created..."
sleep 2
done
echo "Namespace $ns is available"
done
# Apply common secrets and configs
kubectl apply -f infrastructure/environments/common/configs/configmap.yaml
kubectl apply -f infrastructure/environments/common/configs/secrets.yaml
# Apply database secrets and configs
kubectl apply -f infrastructure/platform/storage/postgres/secrets/postgres-tls-secret.yaml
kubectl apply -f infrastructure/platform/storage/postgres/configs/postgres-init-config.yaml
kubectl apply -f infrastructure/platform/storage/postgres/configs/postgres-logging-config.yaml
# Apply Redis secrets
kubectl apply -f infrastructure/platform/storage/redis/secrets/redis-tls-secret.yaml
# Apply MinIO secrets and configs
kubectl apply -f infrastructure/platform/storage/minio/minio-secrets.yaml
kubectl apply -f infrastructure/platform/storage/minio/secrets/minio-tls-secret.yaml
# Apply Mail/SMTP secrets
kubectl apply -f infrastructure/platform/mail/mailu/mailu-secrets.yaml
# Apply CI/CD secrets
kubectl apply -f infrastructure/cicd/tekton/secrets/secrets.yaml
echo "Security configurations applied"
''',
resource_deps=['dockerhub-secret'],
resource_deps=['prepull-base-images'], # Removed dockerhub-secret dependency
labels=['00-security'],
auto_init=True
)
# Verify TLS certificates are mounted correctly
local_resource(
'verify-tls',
cmd='''
echo "Verifying TLS configuration..."
sleep 5 # Wait for pods to be ready
# Check if auth-db pod exists and has TLS certs
AUTH_POD=$(kubectl get pods -n bakery-ia -l app.kubernetes.io/name=auth-db -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || echo "")
if [ -n "$AUTH_POD" ]; then
echo " Checking PostgreSQL TLS certificates..."
kubectl exec -n bakery-ia "$AUTH_POD" -- ls -la /tls/ 2>/dev/null && \
echo " PostgreSQL TLS certificates mounted" || \
echo " PostgreSQL TLS certificates not found (pods may still be starting)"
fi
# Check if redis pod exists and has TLS certs
REDIS_POD=$(kubectl get pods -n bakery-ia -l app.kubernetes.io/name=redis -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || echo "")
if [ -n "$REDIS_POD" ]; then
echo " Checking Redis TLS certificates..."
kubectl exec -n bakery-ia "$REDIS_POD" -- ls -la /tls/ 2>/dev/null && \
echo " Redis TLS certificates mounted" || \
echo " Redis TLS certificates not found (pods may still be starting)"
fi
echo "TLS verification complete"
''',
resource_deps=['auth-db', 'redis'],
auto_init=True,
labels=['00-security']
)
# Verify PVCs are bound
local_resource(
'verify-pvcs',
cmd='''
echo "Verifying PersistentVolumeClaims..."
kubectl get pvc -n bakery-ia | grep -E "NAME|db-pvc" || echo " PVCs not yet bound"
PVC_COUNT=$(kubectl get pvc -n bakery-ia -o json | jq '.items | length')
echo " Found $PVC_COUNT PVCs"
echo "PVC verification complete"
''',
resource_deps=['auth-db'],
auto_init=True,
labels=['00-security']
)
# Install and verify cert-manager
local_resource(
'cert-manager-install',
cmd='''
echo "Installing cert-manager..."
# Check if cert-manager CRDs already exist
if kubectl get crd certificates.cert-manager.io >/dev/null 2>&1; then
echo " cert-manager CRDs already installed"
else
echo " Installing cert-manager v1.13.2..."
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.2/cert-manager.yaml
echo " Waiting for cert-manager to be ready..."
kubectl wait --for=condition=available --timeout=120s deployment/cert-manager -n cert-manager
kubectl wait --for=condition=available --timeout=120s deployment/cert-manager-webhook -n cert-manager
echo " cert-manager installed and ready"
fi
echo "cert-manager verification complete"
''',
labels=['00-security'],
auto_init=True
)
# =============================================================================
# LOAD KUBERNETES MANIFESTS
# =============================================================================
k8s_yaml(kustomize('infrastructure/kubernetes/overlays/dev'))
# Load the main kustomize overlay for the dev environment
k8s_yaml(kustomize('infrastructure/environments/dev/k8s-manifests'))
# =============================================================================
# DOCKER BUILD HELPERS
@@ -509,6 +482,9 @@ k8s_resource('nominatim', labels=['01-infrastructure'])
k8s_resource('minio', resource_deps=['security-setup'], labels=['01-infrastructure'])
k8s_resource('minio-bucket-init', resource_deps=['minio'], labels=['01-infrastructure'])
# Mail Infrastructure (Mailu)
k8s_resource('mailu-front', resource_deps=['security-setup'], labels=['01-infrastructure'])
# =============================================================================
# MONITORING RESOURCES - SigNoz (Unified Observability)
# =============================================================================
@@ -520,15 +496,6 @@ local_resource(
echo "Deploying SigNoz Monitoring Stack..."
echo ""
# Ensure Docker Hub secret exists in bakery-ia namespace
echo "Ensuring Docker Hub secret exists in bakery-ia namespace..."
if ! kubectl get secret dockerhub-creds -n bakery-ia &>/dev/null; then
echo " Docker Hub secret not found, attempting to create..."
./infrastructure/kubernetes/create-dockerhub-secret.sh || echo " Continuing without Docker Hub authentication..."
else
echo " Docker Hub secret exists"
fi
echo ""
# Check if SigNoz is already deployed
if helm list -n bakery-ia | grep -q signoz; then
@@ -544,7 +511,7 @@ local_resource(
# Install SigNoz with custom values in the bakery-ia namespace
helm upgrade --install signoz signoz/signoz \
-n bakery-ia \
-f infrastructure/helm/signoz-values-dev.yaml \
-f infrastructure/monitoring/signoz/signoz-values-dev.yaml \
--timeout 10m \
--wait
@@ -568,43 +535,6 @@ local_resource(
auto_init=False,
)
# Track SigNoz pods in Tilt UI using workload tracking
# These will automatically discover pods once SigNoz is deployed
local_resource(
'signoz-status',
cmd='''
echo "SigNoz Status Check"
echo ""
# Check pod status
echo "Current SigNoz pods:"
kubectl get pods -n bakery-ia -l app.kubernetes.io/instance=signoz -o wide 2>/dev/null || echo "No pods found"
echo ""
echo "SigNoz Services:"
kubectl get svc -n bakery-ia -l app.kubernetes.io/instance=signoz 2>/dev/null || echo "No services found"
# Check if all pods are ready
TOTAL_PODS=$(kubectl get pods -n bakery-ia -l app.kubernetes.io/instance=signoz --no-headers 2>/dev/null | wc -l | tr -d ' ')
READY_PODS=$(kubectl get pods -n bakery-ia -l app.kubernetes.io/instance=signoz --field-selector=status.phase=Running --no-headers 2>/dev/null | wc -l | tr -d ' ')
if [ "$TOTAL_PODS" -gt 0 ]; then
echo ""
echo "Pod Status: $READY_PODS/$TOTAL_PODS ready"
if [ "$READY_PODS" -eq "$TOTAL_PODS" ]; then
echo "All SigNoz pods are running!"
echo ""
echo "Access SigNoz at: https://monitoring.bakery-ia.local"
echo "Credentials: admin / admin"
else
echo "Waiting for pods to become ready..."
fi
fi
''',
labels=['05-monitoring'],
auto_init=False,
)
# Optional exporters (in monitoring namespace) - DISABLED since using SigNoz
# k8s_resource('node-exporter', labels=['05-monitoring'])
@@ -774,6 +704,98 @@ watch_settings(
]
)
# =============================================================================
# CI/CD INFRASTRUCTURE - MANUAL TRIGGERS
# =============================================================================
# Tekton Pipelines - Manual trigger for local development
local_resource(
'tekton-pipelines',
cmd='''
echo "Setting up Tekton Pipelines for CI/CD..."
echo ""
# Check if Tekton CRDs are already installed
if kubectl get crd pipelines.tekton.dev >/dev/null 2>&1; then
echo " Tekton CRDs already installed"
else
echo " Installing Tekton v0.57.0..."
kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
echo " Waiting for Tekton to be ready..."
kubectl wait --for=condition=available --timeout=180s deployment/tekton-pipelines-controller -n tekton-pipelines
kubectl wait --for=condition=available --timeout=180s deployment/tekton-pipelines-webhook -n tekton-pipelines
echo " Tekton installed and ready"
fi
echo ""
echo "Applying Tekton configurations..."
kubectl apply -f infrastructure/cicd/tekton/kustomization.yaml
kubectl apply -f infrastructure/cicd/tekton/rbac/
kubectl apply -f infrastructure/cicd/tekton/tasks/
kubectl apply -f infrastructure/cicd/tekton/pipelines/
echo ""
echo "Tekton setup complete!"
echo "To check status: kubectl get pods -n tekton-pipelines"
''',
labels=['99-cicd'],
auto_init=False, # Manual trigger only
)
# Flux CD - Manual trigger for GitOps
local_resource(
'flux-cd',
cmd='''
echo "Setting up Flux CD for GitOps..."
echo ""
# Check if Flux CRDs are already installed
if kubectl get crd gitrepositories.source.toolkit.fluxcd.io >/dev/null 2>&1; then
echo " Flux CRDs already installed"
else
echo " Installing Flux v2.2.3..."
curl -sL https://fluxcd.io/install.sh | sudo bash
flux install --version=latest
echo " Flux installed and ready"
fi
echo ""
echo "Applying Flux configurations..."
kubectl apply -f infrastructure/cicd/flux/
echo ""
echo "Flux setup complete!"
echo "To check status: flux check"
''',
labels=['99-cicd'],
auto_init=False, # Manual trigger only
)
# Gitea - Manual trigger for local Git server
local_resource(
'gitea',
cmd='''
echo "Setting up Gitea for local Git server..."
echo ""
# Apply Gitea configurations
kubectl create namespace gitea || true
kubectl apply -f infrastructure/cicd/gitea/
echo ""
echo "Gitea setup complete!"
echo "Access Gitea at: http://gitea.local (add to /etc/hosts)"
echo "Default credentials: admin/admin123 (change after first login)"
echo "To check status: kubectl get pods -n gitea"
''',
labels=['99-cicd'],
auto_init=False, # Manual trigger only
)
# =============================================================================
# STARTUP SUMMARY
# =============================================================================
@@ -804,11 +826,16 @@ Access your application:
SigNoz (Unified Observability):
Deploy via Tilt: Trigger 'signoz-deployment' resource
Manual deploy: ./infrastructure/helm/deploy-signoz.sh dev
Manual deploy: ./infrastructure/monitoring/signoz/deploy-signoz.sh dev
Access (if deployed): https://monitoring.bakery-ia.local
Username: admin
Password: admin
CI/CD Infrastructure (Manual Triggers):
Tekton: Trigger 'tekton-pipelines' resource
Flux: Trigger 'flux-cd' resource
Gitea: Trigger 'gitea' resource
Verify security:
kubectl get pvc -n bakery-ia
kubectl get secrets -n bakery-ia | grep tls
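Review bot: The new flux-cd resource runs `curl -sL https://fluxcd.io/install.sh | sudo bash` and then `flux install --version=latest`, executing an unpinned remote script as root and installing whatever is current, while the echo on the line above promises v2.2.3; the new tekton-pipelines resource has the same mismatch, echoing v0.57.0 but applying `pipeline/latest/release.yaml`. Pin both to the versions the messages name — `flux install --version=v2.2.3` and `kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.57.0/release.yaml` — and obtain the flux CLI from a pinned, checksum-verified release instead of a piped installer, so a local cluster bootstrap does not depend on what the download endpoint serves that day. Separately, `kubectl apply -f infrastructure/cicd/tekton/kustomization.yaml` hands a kustomization file to kubectl as if it were a resource manifest, which it does not accept; `kubectl apply -k infrastructure/cicd/tekton/` is presumably what was meant. Because none of these cmd scripts set `set -e` and each ends with an `echo`, a failed apply — including the TLS and database secrets in security-setup — still reports the resource as successful to Tilt and lets dependents proceed; `set -e` at the top of each script would surface that. The gitea resource also prints `admin/admin123` as the default credential for a service reachable at http://gitea.local, which belongs in a generated secret rather than a fixed value echoed from the Tiltfile.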