Add new infra architecture

2026-01-19 11:55:17 +01:00
parent 21d35ea92b
commit 35f164f0cd
311 changed files with 13241 additions and 3700 deletions
--- a/infrastructure/cicd/gitea/ingress.yaml.disabled
+++ b/infrastructure/cicd/gitea/ingress.yaml.disabled
@@ -0,0 +1,44 @@
+# Gitea Ingress Configuration
+# Routes external traffic to Gitea service for web UI and Git HTTP access
+#
+# Prerequisites:
+#   - Gitea must be deployed in the 'gitea' namespace
+#   - Ingress controller must be installed (nginx, traefik, etc.)
+#   - For HTTPS: cert-manager with a ClusterIssuer named 'letsencrypt-prod' or 'local-ca-issuer'
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: gitea-ingress
+  namespace: gitea
+  labels:
+    app.kubernetes.io/name: gitea
+    app.kubernetes.io/component: ingress
+    app.kubernetes.io/part-of: bakery-ia-cicd
+  annotations:
+    # For nginx ingress controller
+    nginx.ingress.kubernetes.io/proxy-body-size: "100m"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+    # For traefik ingress controller
+    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+    # For TLS with cert-manager (uncomment for HTTPS)
+    # cert-manager.io/cluster-issuer: "local-ca-issuer"
+spec:
+  ingressClassName: nginx
+  # Uncomment for HTTPS
+  # tls:
+  #   - hosts:
+  #       - gitea.bakery-ia.local
+  #     secretName: gitea-tls
+  rules:
+    - host: gitea.bakery-ia.local
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: gitea-http
+                port:
+                  number: 3000
--- a/infrastructure/cicd/gitea/setup-admin-secret.sh
+++ b/infrastructure/cicd/gitea/setup-admin-secret.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+# Setup Gitea Admin Secret
+#
+# This script creates the Kubernetes secret required for Gitea admin credentials.
+# Run this BEFORE installing Gitea with Helm.
+#
+# Usage:
+#   ./setup-admin-secret.sh [password]
+#
+# If password is not provided, a random one will be generated.
+
+set -e
+
+KUBECTL="kubectl"
+NAMESPACE="gitea"
+
+# Check if running in microk8s
+if command -v microk8s &> /dev/null; then
+    KUBECTL="microk8s kubectl"
+fi
+
+# Get or generate password
+if [ -n "$1" ]; then
+    ADMIN_PASSWORD="$1"
+else
+    ADMIN_PASSWORD=$(openssl rand -base64 24 | tr -d '/+=' | head -c 20)
+    echo "Generated admin password: $ADMIN_PASSWORD"
+fi
+
+# Create namespace if it doesn't exist
+$KUBECTL create namespace "$NAMESPACE" --dry-run=client -o yaml | $KUBECTL apply -f -
+
+# Create the secret
+$KUBECTL create secret generic gitea-admin-secret \
+    --namespace "$NAMESPACE" \
+    --from-literal=username=bakery-admin \
+    --from-literal=password="$ADMIN_PASSWORD" \
+    --dry-run=client -o yaml | $KUBECTL apply -f -
+
+echo ""
+echo "Gitea admin secret created successfully!"
+echo ""
+echo "Admin credentials:"
+echo "  Username: bakery-admin"
+echo "  Password: $ADMIN_PASSWORD"
+echo ""
+echo "Now install Gitea with:"
+echo "  helm install gitea gitea/gitea -n gitea -f infrastructure/cicd/gitea/values.yaml"
--- a/infrastructure/cicd/gitea/values.yaml
+++ b/infrastructure/cicd/gitea/values.yaml
@@ -0,0 +1,83 @@
+# Gitea Helm values configuration for Bakery-IA CI/CD
+# This configuration sets up Gitea with registry support and appropriate storage
+#
+# Installation:
+#   helm repo add gitea https://dl.gitea.io/charts
+#   kubectl create namespace gitea
+#   helm install gitea gitea/gitea -n gitea -f infrastructure/cicd/gitea/values.yaml
+#
+# NOTE: The namespace is determined by the -n flag during helm install, not in this file.
+
+service:
+  http:
+    type: ClusterIP
+    port: 3000
+  ssh:
+    type: ClusterIP
+    port: 2222
+
+persistence:
+  enabled: true
+  size: 10Gi
+  # Use standard storage class (works with Kind's default provisioner)
+  # For microk8s: storageClass: "microk8s-hostpath"
+  # For Kind: leave empty or use "standard"
+  storageClass: ""
+
+gitea:
+  admin:
+    username: bakery-admin
+    # IMPORTANT: Override this with --set gitea.admin.password=<secure-password>
+    # or use existingSecret
+    password: ""
+    email: admin@bakery-ia.local
+    existingSecret: gitea-admin-secret
+  config:
+    server:
+      DOMAIN: gitea.bakery-ia.local
+      SSH_DOMAIN: gitea.bakery-ia.local
+      # Use HTTP internally; TLS termination happens at ingress
+      ROOT_URL: http://gitea.bakery-ia.local
+      HTTP_PORT: 3000
+      # For external HTTPS access via ingress, set:
+      # ROOT_URL: https://gitea.bakery-ia.local
+    repository:
+      ENABLE_PUSH_CREATE_USER: true
+      ENABLE_PUSH_CREATE_ORG: true
+    packages:
+      ENABLED: true
+    webhook:
+      ALLOWED_HOST_LIST: "*"
+      # Allow internal cluster URLs for Tekton EventListener
+      SKIP_TLS_VERIFY: true
+    service:
+      DISABLE_REGISTRATION: false
+      REQUIRE_SIGNIN_VIEW: false
+
+# Use embedded SQLite for simpler local development
+# For production, enable postgresql
+postgresql:
+  enabled: false
+
+# Use embedded in-memory cache for local dev
+redis-cluster:
+  enabled: false
+
+# Resource configuration for local development
+resources:
+  limits:
+    cpu: 500m
+    memory: 512Mi
+  requests:
+    cpu: 100m
+    memory: 256Mi
+
+# Init containers timeout
+initContainers:
+  resources:
+    limits:
+      cpu: 100m
+      memory: 128Mi
+    requests:
+      cpu: 50m
+      memory: 64Mi