Add new infra architecture

infrastructure/cicd/tekton/triggers/event-listener.yaml

@@ -0,0 +1,35 @@
+# Tekton EventListener for Bakery-IA CI/CD
+# This listener receives webhook events and triggers pipelines
+
+apiVersion: triggers.tekton.dev/v1beta1
+kind: EventListener
+metadata:
+  name: bakery-ia-listener
+  namespace: tekton-pipelines
+spec:
+  serviceAccountName: tekton-triggers-sa
+  triggers:
+    - name: bakery-ia-gitea-trigger
+      bindings:
+        - ref: bakery-ia-trigger-binding
+      template:
+        ref: bakery-ia-trigger-template
+      # Using CEL interceptor for local development (no TLS/CA bundle required)
+      # The CEL interceptor is built-in and doesn't need external services
+      interceptors:
+        - name: "filter-push-events"
+          ref:
+            name: "cel"
+          params:
+            # Filter for push events from Gitea or GitHub
+            - name: "filter"
+              value: "header.match('X-Gitea-Event', 'push') || header.match('X-GitHub-Event', 'push')"
+            # Add overlays to standardize the payload
+            - name: "overlays"
+              value:
+                - key: "git_url"
+                  expression: "body.repository.clone_url"
+                - key: "git_revision"
+                  expression: "body.after"
+                - key: "git_branch"
+                  expression: "body.ref.split('/')[2]"

infrastructure/cicd/tekton/triggers/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  # NOTE: gitlab-interceptor.yaml removed - uses built-in Tekton Triggers interceptor
+  # The gitlab ClusterInterceptor is provided by Tekton Triggers installation
+  - event-listener.yaml
+  - trigger-template.yaml
+  - trigger-binding.yaml

infrastructure/cicd/tekton/triggers/trigger-binding.yaml

@@ -0,0 +1,31 @@
+# Tekton TriggerBinding for Bakery-IA CI/CD
+# This binding extracts parameters from Gitea webhook events
+#
+# Note: We use CEL overlay extensions for consistent field access
+# The EventListener's CEL interceptor creates these extensions:
+#   - extensions.git_url: Repository clone URL
+#   - extensions.git_revision: Commit SHA (from body.after)
+#   - extensions.git_branch: Branch name (extracted from ref)
+
+apiVersion: triggers.tekton.dev/v1beta1
+kind: TriggerBinding
+metadata:
+  name: bakery-ia-trigger-binding
+  namespace: tekton-pipelines
+  labels:
+    app.kubernetes.io/name: bakery-ia-cicd
+    app.kubernetes.io/component: triggers
+spec:
+  params:
+    # Use CEL overlay extensions for consistent access across Git providers
+    - name: git-repo-url
+      value: $(extensions.git_url)
+    - name: git-revision
+      value: $(extensions.git_revision)
+    - name: git-branch
+      value: $(extensions.git_branch)
+    # Direct body access for fields not in overlays
+    - name: git-repo-name
+      value: $(body.repository.name)
+    - name: git-repo-full-name
+      value: $(body.repository.full_name)

infrastructure/cicd/tekton/triggers/trigger-template.yaml

@@ -0,0 +1,86 @@
+# Tekton TriggerTemplate for Bakery-IA CI/CD
+# This template defines how PipelineRuns are created when triggers fire
+#
+# Registry URL Configuration:
+#   The registry URL is configured via the 'registry' parameter.
+#   Default value should match pipeline-config ConfigMap's REGISTRY_URL.
+#   To change the registry, update BOTH:
+#   1. This template's default value
+#   2. The pipeline-config ConfigMap
+
+apiVersion: triggers.tekton.dev/v1beta1
+kind: TriggerTemplate
+metadata:
+  name: bakery-ia-trigger-template
+  namespace: tekton-pipelines
+  labels:
+    app.kubernetes.io/name: bakery-ia-cicd
+    app.kubernetes.io/component: triggers
+spec:
+  params:
+    - name: git-repo-url
+      description: The git repository URL
+    - name: git-revision
+      description: The git revision/commit hash
+    - name: git-branch
+      description: The git branch name
+      default: "main"
+    - name: git-repo-name
+      description: The git repository name
+      default: "bakery-ia"
+    - name: git-repo-full-name
+      description: The full repository name (org/repo)
+      default: "bakery/bakery-ia"
+    # Registry URL - keep in sync with pipeline-config ConfigMap
+    - name: registry-url
+      description: Container registry URL
+      default: "gitea.bakery-ia.local:5000"
+  resourcetemplates:
+    - apiVersion: tekton.dev/v1beta1
+      kind: PipelineRun
+      metadata:
+        generateName: bakery-ia-ci-run-
+        labels:
+          app.kubernetes.io/name: bakery-ia-cicd
+          tekton.dev/pipeline: bakery-ia-ci
+          triggers.tekton.dev/trigger: bakery-ia-gitea-trigger
+        annotations:
+          # Track the source commit
+          bakery-ia.io/git-revision: $(tt.params.git-revision)
+          bakery-ia.io/git-branch: $(tt.params.git-branch)
+      spec:
+        pipelineRef:
+          name: bakery-ia-ci
+        serviceAccountName: tekton-pipeline-sa
+        workspaces:
+          - name: shared-workspace
+            volumeClaimTemplate:
+              spec:
+                accessModes: ["ReadWriteOnce"]
+                resources:
+                  requests:
+                    storage: 5Gi
+          - name: docker-credentials
+            secret:
+              secretName: gitea-registry-credentials
+          - name: git-credentials
+            secret:
+              secretName: gitea-git-credentials
+        params:
+          - name: git-url
+            value: $(tt.params.git-repo-url)
+          - name: git-revision
+            value: $(tt.params.git-revision)
+          - name: git-branch
+            value: $(tt.params.git-branch)
+          # Use template parameter for registry URL
+          - name: registry
+            value: $(tt.params.registry-url)
+          - name: skip-tests
+            value: "false"
+          - name: dry-run
+            value: "false"
+        # Timeout for the entire pipeline run
+        timeouts:
+          pipeline: "1h0m0s"
+          tasks: "45m0s"