Add new infra architecture

2026-01-19 11:55:17 +01:00
parent 21d35ea92b
commit 35f164f0cd
311 changed files with 13241 additions and 3700 deletions
--- a/infrastructure/cicd/tekton/secrets/generate-secrets.sh
+++ b/infrastructure/cicd/tekton/secrets/generate-secrets.sh
@@ -0,0 +1,167 @@
+#!/bin/bash
+# Generate CI/CD Secrets for Bakery-IA
+#
+# This script creates Kubernetes secrets required for the CI/CD pipeline.
+# Run this script once during initial setup.
+#
+# Usage:
+#   ./generate-secrets.sh [options]
+#
+# Options:
+#   --registry-url    Container registry URL (default: gitea.bakery-ia.local:5000)
+#   --gitea-user      Gitea username (will prompt if not provided)
+#   --gitea-password  Gitea password (will prompt if not provided)
+#   --dry-run         Print commands without executing
+
+set -e
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+# Default values
+REGISTRY_URL="${REGISTRY_URL:-gitea.bakery-ia.local:5000}"
+DRY_RUN=false
+KUBECTL="kubectl"
+
+# Check if running in microk8s
+if command -v microk8s &> /dev/null; then
+    KUBECTL="microk8s kubectl"
+fi
+
+# Parse arguments
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --registry-url)
+            REGISTRY_URL="$2"
+            shift 2
+            ;;
+        --gitea-user)
+            GITEA_USERNAME="$2"
+            shift 2
+            ;;
+        --gitea-password)
+            GITEA_PASSWORD="$2"
+            shift 2
+            ;;
+        --dry-run)
+            DRY_RUN=true
+            shift
+            ;;
+        *)
+            echo -e "${RED}Unknown option: $1${NC}"
+            exit 1
+            ;;
+    esac
+done
+
+echo "=========================================="
+echo "  Bakery-IA CI/CD Secrets Generator"
+echo "=========================================="
+echo ""
+
+# Prompt for credentials if not provided
+if [ -z "$GITEA_USERNAME" ]; then
+    read -p "Enter Gitea username: " GITEA_USERNAME
+fi
+
+if [ -z "$GITEA_PASSWORD" ]; then
+    read -s -p "Enter Gitea password: " GITEA_PASSWORD
+    echo ""
+fi
+
+# Generate webhook secret
+WEBHOOK_SECRET=$(openssl rand -hex 32)
+
+echo ""
+echo -e "${YELLOW}Configuration:${NC}"
+echo "  Registry URL: $REGISTRY_URL"
+echo "  Gitea User: $GITEA_USERNAME"
+echo "  Webhook Secret: ${WEBHOOK_SECRET:0:8}..."
+echo ""
+
+# Function to create secret
+create_secret() {
+    local cmd="$1"
+    if [ "$DRY_RUN" = true ]; then
+        echo -e "${YELLOW}[DRY-RUN]${NC} $cmd"
+    else
+        eval "$cmd"
+    fi
+}
+
+# Ensure namespaces exist
+echo -e "${GREEN}Creating namespaces if they don't exist...${NC}"
+create_secret "$KUBECTL create namespace tekton-pipelines --dry-run=client -o yaml | $KUBECTL apply -f -"
+create_secret "$KUBECTL create namespace flux-system --dry-run=client -o yaml | $KUBECTL apply -f -"
+
+echo ""
+echo -e "${GREEN}Creating secrets...${NC}"
+
+# 1. Webhook Secret
+echo "  Creating gitea-webhook-secret..."
+create_secret "$KUBECTL create secret generic gitea-webhook-secret \
+    --namespace tekton-pipelines \
+    --from-literal=secretToken='$WEBHOOK_SECRET' \
+    --dry-run=client -o yaml | $KUBECTL apply -f -"
+
+# 2. Registry Credentials (docker-registry type)
+echo "  Creating gitea-registry-credentials..."
+create_secret "$KUBECTL create secret docker-registry gitea-registry-credentials \
+    --namespace tekton-pipelines \
+    --docker-server='$REGISTRY_URL' \
+    --docker-username='$GITEA_USERNAME' \
+    --docker-password='$GITEA_PASSWORD' \
+    --dry-run=client -o yaml | $KUBECTL apply -f -"
+
+# 3. Git Credentials for Tekton
+echo "  Creating gitea-git-credentials..."
+create_secret "$KUBECTL create secret generic gitea-git-credentials \
+    --namespace tekton-pipelines \
+    --from-literal=username='$GITEA_USERNAME' \
+    --from-literal=password='$GITEA_PASSWORD' \
+    --dry-run=client -o yaml | $KUBECTL apply -f -"
+
+# 4. Flux Git Credentials
+echo "  Creating gitea-credentials for Flux..."
+create_secret "$KUBECTL create secret generic gitea-credentials \
+    --namespace flux-system \
+    --from-literal=username='$GITEA_USERNAME' \
+    --from-literal=password='$GITEA_PASSWORD' \
+    --dry-run=client -o yaml | $KUBECTL apply -f -"
+
+# Label all secrets
+echo ""
+echo -e "${GREEN}Adding labels to secrets...${NC}"
+for ns in tekton-pipelines flux-system; do
+    for secret in gitea-webhook-secret gitea-registry-credentials gitea-git-credentials gitea-credentials; do
+        if $KUBECTL get secret "$secret" -n "$ns" &> /dev/null; then
+            create_secret "$KUBECTL label secret $secret -n $ns app.kubernetes.io/name=bakery-ia-cicd --overwrite 2>/dev/null || true"
+        fi
+    done
+done
+
+echo ""
+echo "=========================================="
+echo -e "${GREEN}Secrets created successfully!${NC}"
+echo "=========================================="
+echo ""
+echo -e "${YELLOW}IMPORTANT:${NC} Save this webhook secret for Gitea webhook configuration:"
+echo ""
+echo "  Webhook Secret: $WEBHOOK_SECRET"
+echo ""
+echo "Configure this in Gitea:"
+echo "  1. Go to Repository Settings > Webhooks"
+echo "  2. Add webhook with URL: http://el-bakery-ia-listener.tekton-pipelines.svc.cluster.local:8080"
+echo "  3. Set Secret to the webhook secret above"
+echo "  4. Select events: Push"
+echo ""
+
+# Save webhook secret to a file for reference (gitignored)
+if [ "$DRY_RUN" = false ]; then
+    echo "$WEBHOOK_SECRET" > "$(dirname "$0")/.webhook-secret"
+    chmod 600 "$(dirname "$0")/.webhook-secret"
+    echo "Webhook secret saved to .webhook-secret (gitignored)"
+fi