Add new infra architecture

infrastructure/cicd/tekton/secrets/.gitignore

@@ -0,0 +1,4 @@
+# Ignore generated secrets
+.webhook-secret
+*-actual.yaml
+sealed-secrets.yaml

infrastructure/cicd/tekton/secrets/generate-secrets.sh

@@ -0,0 +1,167 @@
+#!/bin/bash
+# Generate CI/CD Secrets for Bakery-IA
+#
+# This script creates Kubernetes secrets required for the CI/CD pipeline.
+# Run this script once during initial setup.
+#
+# Usage:
+#   ./generate-secrets.sh [options]
+#
+# Options:
+#   --registry-url    Container registry URL (default: gitea.bakery-ia.local:5000)
+#   --gitea-user      Gitea username (will prompt if not provided)
+#   --gitea-password  Gitea password (will prompt if not provided)
+#   --dry-run         Print commands without executing
+
+set -e
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+# Default values
+REGISTRY_URL="${REGISTRY_URL:-gitea.bakery-ia.local:5000}"
+DRY_RUN=false
+KUBECTL="kubectl"
+
+# Check if running in microk8s
+if command -v microk8s &> /dev/null; then
+    KUBECTL="microk8s kubectl"
+fi
+
+# Parse arguments
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --registry-url)
+            REGISTRY_URL="$2"
+            shift 2
+            ;;
+        --gitea-user)
+            GITEA_USERNAME="$2"
+            shift 2
+            ;;
+        --gitea-password)
+            GITEA_PASSWORD="$2"
+            shift 2
+            ;;
+        --dry-run)
+            DRY_RUN=true
+            shift
+            ;;
+        *)
+            echo -e "${RED}Unknown option: $1${NC}"
+            exit 1
+            ;;
+    esac
+done
+
+echo "=========================================="
+echo "  Bakery-IA CI/CD Secrets Generator"
+echo "=========================================="
+echo ""
+
+# Prompt for credentials if not provided
+if [ -z "$GITEA_USERNAME" ]; then
+    read -p "Enter Gitea username: " GITEA_USERNAME
+fi
+
+if [ -z "$GITEA_PASSWORD" ]; then
+    read -s -p "Enter Gitea password: " GITEA_PASSWORD
+    echo ""
+fi
+
+# Generate webhook secret
+WEBHOOK_SECRET=$(openssl rand -hex 32)
+
+echo ""
+echo -e "${YELLOW}Configuration:${NC}"
+echo "  Registry URL: $REGISTRY_URL"
+echo "  Gitea User: $GITEA_USERNAME"
+echo "  Webhook Secret: ${WEBHOOK_SECRET:0:8}..."
+echo ""
+
+# Function to create secret
+create_secret() {
+    local cmd="$1"
+    if [ "$DRY_RUN" = true ]; then
+        echo -e "${YELLOW}[DRY-RUN]${NC} $cmd"
+    else
+        eval "$cmd"
+    fi
+}
+
+# Ensure namespaces exist
+echo -e "${GREEN}Creating namespaces if they don't exist...${NC}"
+create_secret "$KUBECTL create namespace tekton-pipelines --dry-run=client -o yaml | $KUBECTL apply -f -"
+create_secret "$KUBECTL create namespace flux-system --dry-run=client -o yaml | $KUBECTL apply -f -"
+
+echo ""
+echo -e "${GREEN}Creating secrets...${NC}"
+
+# 1. Webhook Secret
+echo "  Creating gitea-webhook-secret..."
+create_secret "$KUBECTL create secret generic gitea-webhook-secret \
+    --namespace tekton-pipelines \
+    --from-literal=secretToken='$WEBHOOK_SECRET' \
+    --dry-run=client -o yaml | $KUBECTL apply -f -"
+
+# 2. Registry Credentials (docker-registry type)
+echo "  Creating gitea-registry-credentials..."
+create_secret "$KUBECTL create secret docker-registry gitea-registry-credentials \
+    --namespace tekton-pipelines \
+    --docker-server='$REGISTRY_URL' \
+    --docker-username='$GITEA_USERNAME' \
+    --docker-password='$GITEA_PASSWORD' \
+    --dry-run=client -o yaml | $KUBECTL apply -f -"
+
+# 3. Git Credentials for Tekton
+echo "  Creating gitea-git-credentials..."
+create_secret "$KUBECTL create secret generic gitea-git-credentials \
+    --namespace tekton-pipelines \
+    --from-literal=username='$GITEA_USERNAME' \
+    --from-literal=password='$GITEA_PASSWORD' \
+    --dry-run=client -o yaml | $KUBECTL apply -f -"
+
+# 4. Flux Git Credentials
+echo "  Creating gitea-credentials for Flux..."
+create_secret "$KUBECTL create secret generic gitea-credentials \
+    --namespace flux-system \
+    --from-literal=username='$GITEA_USERNAME' \
+    --from-literal=password='$GITEA_PASSWORD' \
+    --dry-run=client -o yaml | $KUBECTL apply -f -"
+
+# Label all secrets
+echo ""
+echo -e "${GREEN}Adding labels to secrets...${NC}"
+for ns in tekton-pipelines flux-system; do
+    for secret in gitea-webhook-secret gitea-registry-credentials gitea-git-credentials gitea-credentials; do
+        if $KUBECTL get secret "$secret" -n "$ns" &> /dev/null; then
+            create_secret "$KUBECTL label secret $secret -n $ns app.kubernetes.io/name=bakery-ia-cicd --overwrite 2>/dev/null || true"
+        fi
+    done
+done
+
+echo ""
+echo "=========================================="
+echo -e "${GREEN}Secrets created successfully!${NC}"
+echo "=========================================="
+echo ""
+echo -e "${YELLOW}IMPORTANT:${NC} Save this webhook secret for Gitea webhook configuration:"
+echo ""
+echo "  Webhook Secret: $WEBHOOK_SECRET"
+echo ""
+echo "Configure this in Gitea:"
+echo "  1. Go to Repository Settings > Webhooks"
+echo "  2. Add webhook with URL: http://el-bakery-ia-listener.tekton-pipelines.svc.cluster.local:8080"
+echo "  3. Set Secret to the webhook secret above"
+echo "  4. Select events: Push"
+echo ""
+
+# Save webhook secret to a file for reference (gitignored)
+if [ "$DRY_RUN" = false ]; then
+    echo "$WEBHOOK_SECRET" > "$(dirname "$0")/.webhook-secret"
+    chmod 600 "$(dirname "$0")/.webhook-secret"
+    echo "Webhook secret saved to .webhook-secret (gitignored)"
+fi

infrastructure/cicd/tekton/secrets/kustomization.yaml

@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - secrets.yaml
+
+# Note: In production, use sealed-secrets or external-secrets-operator
+# to manage secrets securely. The secrets.yaml file contains placeholder
+# values that must be replaced before deployment.
+#
+# Example using sealed-secrets:
+# 1. Install sealed-secrets controller
+# 2. Create SealedSecret resources instead of plain Secrets
+# 3. Commit the SealedSecret manifests to Git (safe to commit)
+#
+# Example using external-secrets-operator:
+# 1. Install external-secrets-operator
+# 2. Configure a SecretStore (AWS Secrets Manager, HashiCorp Vault, etc.)
+# 3. Create ExternalSecret resources that reference the SecretStore

infrastructure/cicd/tekton/secrets/secrets-template.yaml

@@ -0,0 +1,79 @@
+# CI/CD Secrets Template for Tekton Pipelines
+#
+# DO NOT commit this file with actual credentials!
+# Use the generate-secrets.sh script to create secrets safely.
+#
+# For production, use one of these approaches:
+# 1. Sealed Secrets: kubeseal < secrets.yaml > sealed-secrets.yaml
+# 2. External Secrets Operator: Configure with your secret store
+# 3. Manual creation: kubectl create secret ... (see generate-secrets.sh)
+
+---
+# Secret for Gitea webhook validation
+# Used by EventListener to validate incoming webhooks
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitea-webhook-secret
+  namespace: tekton-pipelines
+  labels:
+    app.kubernetes.io/name: bakery-ia-cicd
+    app.kubernetes.io/component: triggers
+type: Opaque
+stringData:
+  # Generate with: openssl rand -hex 32
+  secretToken: "${WEBHOOK_SECRET_TOKEN}"
+
+---
+# Secret for Gitea container registry credentials
+# Used by Kaniko to push images to Gitea registry
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitea-registry-credentials
+  namespace: tekton-pipelines
+  labels:
+    app.kubernetes.io/name: bakery-ia-cicd
+    app.kubernetes.io/component: build
+type: kubernetes.io/dockerconfigjson
+stringData:
+  .dockerconfigjson: |
+    {
+      "auths": {
+        "${REGISTRY_URL}": {
+          "username": "${GITEA_USERNAME}",
+          "password": "${GITEA_PASSWORD}"
+        }
+      }
+    }
+
+---
+# Secret for Git credentials (used by pipeline to push GitOps updates)
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitea-git-credentials
+  namespace: tekton-pipelines
+  labels:
+    app.kubernetes.io/name: bakery-ia-cicd
+    app.kubernetes.io/component: gitops
+type: Opaque
+stringData:
+  username: "${GITEA_USERNAME}"
+  password: "${GITEA_PASSWORD}"
+
+---
+# Secret for Flux GitRepository access
+# Used by Flux to pull from Gitea repository
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitea-credentials
+  namespace: flux-system
+  labels:
+    app.kubernetes.io/name: bakery-ia-cicd
+    app.kubernetes.io/component: flux
+type: Opaque
+stringData:
+  username: "${GITEA_USERNAME}"
+  password: "${GITEA_PASSWORD}"

infrastructure/cicd/tekton/secrets/secrets.yaml

@@ -0,0 +1,98 @@
+# CI/CD Secrets for Tekton Pipelines
+#
+# WARNING: This file contains EXAMPLE values only!
+# DO NOT use these values in production.
+#
+# To create actual secrets, use ONE of these methods:
+#
+# Method 1 (Recommended): Use the generate-secrets.sh script
+#   ./generate-secrets.sh --gitea-user <username> --gitea-password <password>
+#
+# Method 2: Create secrets manually with kubectl
+#   kubectl create secret generic gitea-webhook-secret \
+#     --namespace tekton-pipelines \
+#     --from-literal=secretToken="$(openssl rand -hex 32)"
+#
+# Method 3: Use Sealed Secrets for GitOps
+#   kubeseal < secrets-template.yaml > sealed-secrets.yaml
+#
+# Method 4: Use External Secrets Operator
+#   Configure ESO to pull from your secret store (Vault, AWS SM, etc.)
+
+---
+# Example Secret for Gitea webhook validation
+# Used by EventListener to validate incoming webhooks
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitea-webhook-secret
+  namespace: tekton-pipelines
+  labels:
+    app.kubernetes.io/name: bakery-ia-cicd
+    app.kubernetes.io/component: triggers
+  annotations:
+    note: "EXAMPLE - Replace with actual secret using generate-secrets.sh"
+type: Opaque
+stringData:
+  # Generate with: openssl rand -hex 32
+  secretToken: "example-webhook-token-do-not-use-in-production"
+
+---
+# Example Secret for Gitea container registry credentials
+# Used by Kaniko to push images to Gitea registry
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitea-registry-credentials
+  namespace: tekton-pipelines
+  labels:
+    app.kubernetes.io/name: bakery-ia-cicd
+    app.kubernetes.io/component: build
+  annotations:
+    note: "EXAMPLE - Replace with actual secret using generate-secrets.sh"
+type: kubernetes.io/dockerconfigjson
+stringData:
+  .dockerconfigjson: |
+    {
+      "auths": {
+        "gitea.bakery-ia.local:5000": {
+          "username": "example-user",
+          "password": "example-password"
+        }
+      }
+    }
+
+---
+# Example Secret for Git credentials (used by pipeline to push GitOps updates)
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitea-git-credentials
+  namespace: tekton-pipelines
+  labels:
+    app.kubernetes.io/name: bakery-ia-cicd
+    app.kubernetes.io/component: gitops
+  annotations:
+    note: "EXAMPLE - Replace with actual secret using generate-secrets.sh"
+type: Opaque
+stringData:
+  username: "example-user"
+  password: "example-password"
+
+---
+# Example Secret for Flux GitRepository access
+# Used by Flux to pull from Gitea repository
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitea-credentials
+  namespace: flux-system
+  labels:
+    app.kubernetes.io/name: bakery-ia-cicd
+    app.kubernetes.io/component: flux
+  annotations:
+    note: "EXAMPLE - Replace with actual secret using generate-secrets.sh"
+type: Opaque
+stringData:
+  username: "example-user"
+  password: "example-password"