Add new infra architecture

2026-01-19 11:55:17 +01:00
parent 21d35ea92b
commit 35f164f0cd
311 changed files with 13241 additions and 3700 deletions
--- a/infrastructure/scripts/setup/create-dockerhub-secret.sh
+++ b/infrastructure/scripts/setup/create-dockerhub-secret.sh
@@ -0,0 +1,126 @@
+#!/bin/bash
+
+# =============================================================================
+# Create Docker Hub Image Pull Secret
+# =============================================================================
+# This script creates a Kubernetes secret for pulling images from Docker Hub.
+# The secret is used by both:
+# 1. bakery-ia namespace deployments (Tilt + Kustomize)
+# 2. Signoz Helm deployment
+#
+# Usage:
+#   ./create-dockerhub-secret.sh
+#
+# Prerequisites:
+#   - kubectl configured with access to the cluster
+#   - DOCKERHUB_USERNAME and DOCKERHUB_PASSWORD environment variables set
+#   - OR Docker CLI logged in (docker login)
+# =============================================================================
+
+set -e
+
+echo "🔐 Creating Docker Hub Image Pull Secret"
+echo "=========================================="
+echo ""
+
+# Check for required environment variables
+if [ -z "$DOCKERHUB_USERNAME" ] || [ -z "$DOCKERHUB_PASSWORD" ]; then
+    echo "⚠️  DOCKERHUB_USERNAME and DOCKERHUB_PASSWORD environment variables not set"
+    echo ""
+    echo "Checking if Docker CLI is logged in..."
+
+    # Try to extract credentials from Docker config
+    if [ -f "$HOME/.docker/config.json" ]; then
+        # Check if using credential store
+        if grep -q "credsStore" "$HOME/.docker/config.json"; then
+            echo "⚠️  Docker is using a credential store. Please set environment variables manually:"
+            echo ""
+            echo "  export DOCKERHUB_USERNAME='your-username'"
+            echo "  export DOCKERHUB_PASSWORD='your-password-or-token'"
+            echo ""
+            exit 1
+        fi
+
+        # Try to extract from base64 encoded auth
+        AUTH=$(cat "$HOME/.docker/config.json" | jq -r '.auths["https://index.docker.io/v1/"].auth // empty' 2>/dev/null)
+        if [ -n "$AUTH" ]; then
+            echo "✅ Found Docker Hub credentials in Docker config"
+            DOCKERHUB_USERNAME=$(echo "$AUTH" | base64 -d | cut -d: -f1)
+            DOCKERHUB_PASSWORD=$(echo "$AUTH" | base64 -d | cut -d: -f2-)
+        else
+            echo "❌ Could not find Docker Hub credentials"
+            echo ""
+            echo "Please either:"
+            echo "  1. Run 'docker login' first, OR"
+            echo "  2. Set environment variables:"
+            echo "     export DOCKERHUB_USERNAME='your-username'"
+            echo "     export DOCKERHUB_PASSWORD='your-password-or-token'"
+            echo ""
+            exit 1
+        fi
+    else
+        echo "❌ Docker config not found and environment variables not set"
+        echo ""
+        echo "Please set environment variables:"
+        echo "  export DOCKERHUB_USERNAME='your-username'"
+        echo "  export DOCKERHUB_PASSWORD='your-password-or-token'"
+        echo ""
+        exit 1
+    fi
+fi
+
+echo "Using Docker Hub username: $DOCKERHUB_USERNAME"
+echo ""
+
+# Function to create secret in a namespace
+create_secret_in_namespace() {
+    local NAMESPACE=$1
+
+    echo "📦 Creating secret in namespace: $NAMESPACE"
+
+    # Create namespace if it doesn't exist
+    if ! kubectl get namespace "$NAMESPACE" &>/dev/null; then
+        echo "  Creating namespace $NAMESPACE..."
+        kubectl create namespace "$NAMESPACE"
+    fi
+
+    # Delete existing secret if it exists
+    if kubectl get secret dockerhub-creds -n "$NAMESPACE" &>/dev/null; then
+        echo "  Deleting existing secret..."
+        kubectl delete secret dockerhub-creds -n "$NAMESPACE"
+    fi
+
+    # Create the secret
+    kubectl create secret docker-registry dockerhub-creds \
+        --docker-server=https://index.docker.io/v1/ \
+        --docker-username="$DOCKERHUB_USERNAME" \
+        --docker-password="$DOCKERHUB_PASSWORD" \
+        --docker-email="${DOCKERHUB_EMAIL:-noreply@bakery-ia.local}" \
+        -n "$NAMESPACE"
+
+    echo "  ✅ Secret created successfully"
+    echo ""
+}
+
+# Create secret in bakery-ia namespace (for Tilt deployments)
+create_secret_in_namespace "bakery-ia"
+
+# Create secret in signoz namespace (for Signoz Helm deployment - if namespace exists)
+if kubectl get namespace signoz &>/dev/null; then
+    create_secret_in_namespace "signoz"
+else
+    echo "ℹ️  Signoz namespace not found, skipping (will be created on Helm install)"
+    echo ""
+fi
+
+echo "✅ Docker Hub secrets created successfully!"
+echo ""
+echo "The secret 'dockerhub-creds' is now available in:"
+echo "  - bakery-ia namespace (for Tilt/Kustomize deployments)"
+if kubectl get namespace signoz &>/dev/null; then
+    echo "  - signoz namespace (for Signoz Helm deployment)"
+fi
+echo ""
+echo "All pods with imagePullSecrets: dockerhub-creds will now use these credentials"
+echo "to pull images from Docker Hub."
+echo ""
--- a/infrastructure/scripts/setup/generate-certificates.sh
+++ b/infrastructure/scripts/setup/generate-certificates.sh
@@ -0,0 +1,204 @@
+#!/usr/bin/env bash
+
+# Generate TLS certificates for PostgreSQL and Redis
+# Self-signed certificates for internal cluster use
+
+set -e
+
+TLS_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+CA_DIR="$TLS_DIR/ca"
+POSTGRES_DIR="$TLS_DIR/postgres"
+REDIS_DIR="$TLS_DIR/redis"
+
+echo "Generating TLS certificates for Bakery IA..."
+echo "Directory: $TLS_DIR"
+echo ""
+
+# Clean up old certificates
+echo "Cleaning up old certificates..."
+rm -rf "$CA_DIR"/* "$POSTGRES_DIR"/* "$REDIS_DIR"/* 2>/dev/null || true
+
+# =====================================
+# 1. Generate Certificate Authority (CA)
+# =====================================
+
+echo "Step 1: Generating Certificate Authority (CA)..."
+
+# Generate CA private key
+openssl genrsa -out "$CA_DIR/ca-key.pem" 4096
+
+# Generate CA certificate (valid for 10 years)
+openssl req -new -x509 -days 3650 -key "$CA_DIR/ca-key.pem" -out "$CA_DIR/ca-cert.pem" \
+  -subj "/C=US/ST=California/L=SanFrancisco/O=BakeryIA/OU=Security/CN=BakeryIA-CA"
+
+echo "✓ CA certificate generated"
+echo ""
+
+# =====================================
+# 2. Generate PostgreSQL Server Certificates
+# =====================================
+
+echo "Step 2: Generating PostgreSQL server certificates..."
+
+# Generate PostgreSQL server private key
+openssl genrsa -out "$POSTGRES_DIR/server-key.pem" 4096
+
+# Create certificate signing request (CSR)
+openssl req -new -key "$POSTGRES_DIR/server-key.pem" -out "$POSTGRES_DIR/server.csr" \
+  -subj "/C=US/ST=California/L=SanFrancisco/O=BakeryIA/OU=Database/CN=*.bakery-ia.svc.cluster.local"
+
+# Create SAN (Subject Alternative Names) configuration
+cat > "$POSTGRES_DIR/san.cnf" <<EOF
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+C = US
+ST = California
+L = SanFrancisco
+O = BakeryIA
+OU = Database
+CN = *.bakery-ia.svc.cluster.local
+
+[v3_req]
+keyUsage = keyEncipherment, dataEncipherment
+extendedKeyUsage = serverAuth, clientAuth
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = *.bakery-ia.svc.cluster.local
+DNS.2 = *.bakery-ia
+DNS.3 = auth-db-service
+DNS.4 = tenant-db-service
+DNS.5 = training-db-service
+DNS.6 = forecasting-db-service
+DNS.7 = sales-db-service
+DNS.8 = external-db-service
+DNS.9 = notification-db-service
+DNS.10 = inventory-db-service
+DNS.11 = recipes-db-service
+DNS.12 = suppliers-db-service
+DNS.13 = pos-db-service
+DNS.14 = orders-db-service
+DNS.15 = production-db-service
+DNS.16 = alert-processor-db-service
+DNS.17 = localhost
+IP.1 = 127.0.0.1
+EOF
+
+# Sign the certificate with CA (valid for 3 years)
+openssl x509 -req -in "$POSTGRES_DIR/server.csr" \
+  -CA "$CA_DIR/ca-cert.pem" -CAkey "$CA_DIR/ca-key.pem" -CAcreateserial \
+  -out "$POSTGRES_DIR/server-cert.pem" -days 1095 \
+  -extensions v3_req -extfile "$POSTGRES_DIR/san.cnf"
+
+# PostgreSQL requires specific permissions on key file
+chmod 600 "$POSTGRES_DIR/server-key.pem"
+chmod 644 "$POSTGRES_DIR/server-cert.pem"
+
+# Copy CA cert for PostgreSQL clients
+cp "$CA_DIR/ca-cert.pem" "$POSTGRES_DIR/ca-cert.pem"
+
+echo "✓ PostgreSQL certificates generated"
+echo ""
+
+# =====================================
+# 3. Generate Redis Server Certificates
+# =====================================
+
+echo "Step 3: Generating Redis server certificates..."
+
+# Generate Redis server private key
+openssl genrsa -out "$REDIS_DIR/redis-key.pem" 4096
+
+# Create certificate signing request (CSR)
+openssl req -new -key "$REDIS_DIR/redis-key.pem" -out "$REDIS_DIR/redis.csr" \
+  -subj "/C=US/ST=California/L=SanFrancisco/O=BakeryIA/OU=Cache/CN=redis-service.bakery-ia.svc.cluster.local"
+
+# Create SAN configuration for Redis
+cat > "$REDIS_DIR/san.cnf" <<EOF
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+C = US
+ST = California
+L = SanFrancisco
+O = BakeryIA
+OU = Cache
+CN = redis-service.bakery-ia.svc.cluster.local
+
+[v3_req]
+keyUsage = keyEncipherment, dataEncipherment
+extendedKeyUsage = serverAuth, clientAuth
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = redis-service.bakery-ia.svc.cluster.local
+DNS.2 = redis-service.bakery-ia
+DNS.3 = redis-service
+DNS.4 = localhost
+IP.1 = 127.0.0.1
+EOF
+
+# Sign the certificate with CA (valid for 3 years)
+openssl x509 -req -in "$REDIS_DIR/redis.csr" \
+  -CA "$CA_DIR/ca-cert.pem" -CAkey "$CA_DIR/ca-key.pem" -CAcreateserial \
+  -out "$REDIS_DIR/redis-cert.pem" -days 1095 \
+  -extensions v3_req -extfile "$REDIS_DIR/san.cnf"
+
+# Redis requires specific permissions
+chmod 600 "$REDIS_DIR/redis-key.pem"
+chmod 644 "$REDIS_DIR/redis-cert.pem"
+
+# Copy CA cert for Redis clients
+cp "$CA_DIR/ca-cert.pem" "$REDIS_DIR/ca-cert.pem"
+
+echo "✓ Redis certificates generated"
+echo ""
+
+# =====================================
+# 4. Verify Certificates
+# =====================================
+
+echo "Step 4: Verifying certificates..."
+
+# Verify PostgreSQL certificate
+echo "PostgreSQL certificate details:"
+openssl x509 -in "$POSTGRES_DIR/server-cert.pem" -noout -subject -issuer -dates
+openssl verify -CAfile "$CA_DIR/ca-cert.pem" "$POSTGRES_DIR/server-cert.pem"
+
+echo ""
+echo "Redis certificate details:"
+openssl x509 -in "$REDIS_DIR/redis-cert.pem" -noout -subject -issuer -dates
+openssl verify -CAfile "$CA_DIR/ca-cert.pem" "$REDIS_DIR/redis-cert.pem"
+
+echo ""
+echo "===================="
+echo "✓ All certificates generated successfully!"
+echo ""
+echo "Generated files:"
+echo "  CA:"
+echo "    - $CA_DIR/ca-cert.pem (Certificate Authority certificate)"
+echo "    - $CA_DIR/ca-key.pem (CA private key - keep secure!)"
+echo ""
+echo "  PostgreSQL:"
+echo "    - $POSTGRES_DIR/server-cert.pem (Server certificate)"
+echo "    - $POSTGRES_DIR/server-key.pem (Server private key)"
+echo "    - $POSTGRES_DIR/ca-cert.pem (CA certificate for clients)"
+echo ""
+echo "  Redis:"
+echo "    - $REDIS_DIR/redis-cert.pem (Server certificate)"
+echo "    - $REDIS_DIR/redis-key.pem (Server private key)"
+echo "    - $REDIS_DIR/ca-cert.pem (CA certificate for clients)"
+echo ""
+echo "Certificate validity: 3 years"
+echo "Next steps:"
+echo "  1. Create Kubernetes secrets from these certificates"
+echo "  2. Mount secrets in database pods"
+echo "  3. Configure PostgreSQL and Redis to use TLS"
+echo "  4. Update client connection strings to require SSL"
--- a/infrastructure/scripts/setup/generate-minio-certificates.sh
+++ b/infrastructure/scripts/setup/generate-minio-certificates.sh
@@ -0,0 +1,111 @@
+#!/usr/bin/env bash
+
+# Generate MinIO TLS certificates using existing CA
+# This script generates certificates for MinIO server
+
+set -e
+
+TLS_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+CA_DIR="$TLS_DIR/ca"
+MINIO_DIR="$TLS_DIR/minio"
+
+mkdir -p "$MINIO_DIR"
+
+echo "Generating MinIO TLS certificates using existing CA..."
+echo "CA Directory: $CA_DIR"
+echo "MinIO Directory: $MINIO_DIR"
+echo ""
+
+# Check if CA exists
+if [ ! -f "$CA_DIR/ca-cert.pem" ] || [ ! -f "$CA_DIR/ca-key.pem" ]; then
+    echo "ERROR: CA certificates not found. Please run generate-certificates.sh first."
+    exit 1
+fi
+
+# Generate MinIO server private key
+echo "Step 1: Generating MinIO server private key..."
+openssl genrsa -out "$MINIO_DIR/minio-key.pem" 4096
+
+# Convert to traditional RSA format (required by MinIO)
+echo "Step 1b: Converting private key to traditional RSA format..."
+openssl rsa -in "$MINIO_DIR/minio-key.pem" -traditional -out "$MINIO_DIR/minio-key.pem"
+
+# Create certificate signing request (CSR)
+echo "Step 2: Creating MinIO certificate signing request..."
+openssl req -new -key "$MINIO_DIR/minio-key.pem" -out "$MINIO_DIR/minio.csr" \
+  -subj "/C=US/ST=California/L=SanFrancisco/O=BakeryIA/OU=Storage/CN=minio.bakery-ia.svc.cluster.local"
+
+# Create SAN (Subject Alternative Names) configuration for MinIO
+cat > "$MINIO_DIR/san.cnf" <<EOF
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+C = US
+ST = California
+L = SanFrancisco
+O = BakeryIA
+OU = Storage
+CN = minio.bakery-ia.svc.cluster.local
+
+[v3_req]
+keyUsage = keyEncipherment, dataEncipherment
+extendedKeyUsage = serverAuth, clientAuth
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = minio.bakery-ia.svc.cluster.local
+DNS.2 = minio.bakery-ia
+DNS.3 = minio-console.bakery-ia.svc.cluster.local
+DNS.4 = minio-console.bakery-ia
+DNS.5 = minio
+DNS.6 = minio-console
+DNS.7 = localhost
+IP.1 = 127.0.0.1
+EOF
+
+# Sign the certificate with CA (valid for 3 years)
+echo "Step 3: Signing MinIO certificate with CA..."
+openssl x509 -req -in "$MINIO_DIR/minio.csr" \
+  -CA "$CA_DIR/ca-cert.pem" -CAkey "$CA_DIR/ca-key.pem" -CAcreateserial \
+  -out "$MINIO_DIR/minio-cert.pem" -days 1095 \
+  -extensions v3_req -extfile "$MINIO_DIR/san.cnf"
+
+# Set proper permissions
+chmod 600 "$MINIO_DIR/minio-key.pem"
+chmod 644 "$MINIO_DIR/minio-cert.pem"
+
+# Copy CA cert for MinIO
+cp "$CA_DIR/ca-cert.pem" "$MINIO_DIR/ca-cert.pem"
+
+echo ""
+echo "Step 4: Verifying MinIO certificates..."
+
+# Verify MinIO certificate
+echo "MinIO certificate details:"
+openssl x509 -in "$MINIO_DIR/minio-cert.pem" -noout -subject -issuer -dates
+openssl verify -CAfile "$CA_DIR/ca-cert.pem" "$MINIO_DIR/minio-cert.pem"
+
+echo ""
+echo "==================="
+echo "✓ MinIO certificates generated successfully!"
+echo ""
+echo "Generated files:"
+echo "  MinIO:"
+echo "    - $MINIO_DIR/minio-cert.pem (Server certificate)"
+echo "    - $MINIO_DIR/minio-key.pem (Server private key - traditional RSA format)"
+echo "    - $MINIO_DIR/ca-cert.pem (CA certificate)"
+echo ""
+echo "Important Notes:"
+echo "  • Private key is in traditional RSA format (BEGIN RSA PRIVATE KEY)"
+echo "  • This format is required by MinIO to avoid 'The private key contains additional data' error"
+echo "  • Certificates follow the standardized Opaque secret structure"
+echo ""
+echo "Next steps:"
+echo "  1. Update Kubernetes minio-tls secret with these certificates"
+echo "  2. Apply the updated secret to your cluster"
+echo "  3. Restart MinIO pods if necessary"
+echo ""
+echo "For more details, see: docs/MINIO_TLS_FIX_SUMMARY.md"
--- a/infrastructure/scripts/setup/setup-dockerhub-secrets.sh
+++ b/infrastructure/scripts/setup/setup-dockerhub-secrets.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+# Setup Docker Hub image pull secrets for all namespaces
+# This script creates docker-registry secrets for pulling images from Docker Hub
+
+set -e
+
+# Docker Hub credentials
+DOCKER_SERVER="docker.io"
+DOCKER_USERNAME="uals"
+DOCKER_PASSWORD="dckr_pat_zzEY5Q58x1S0puraIoKEtbpue3A"
+DOCKER_EMAIL="ualfaro@gmail.com"
+SECRET_NAME="dockerhub-creds"
+
+# List of namespaces used in the project
+NAMESPACES=(
+  "bakery-ia"
+  "bakery-ia-dev"
+  "bakery-ia-prod"
+  "default"
+)
+
+echo "Setting up Docker Hub image pull secrets..."
+echo "==========================================="
+echo ""
+
+for namespace in "${NAMESPACES[@]}"; do
+  echo "Processing namespace: $namespace"
+
+  # Create namespace if it doesn't exist
+  if ! kubectl get namespace "$namespace" >/dev/null 2>&1; then
+    echo "  Creating namespace: $namespace"
+    kubectl create namespace "$namespace"
+  fi
+
+  # Delete existing secret if it exists
+  if kubectl get secret "$SECRET_NAME" -n "$namespace" >/dev/null 2>&1; then
+    echo "  Deleting existing secret in namespace: $namespace"
+    kubectl delete secret "$SECRET_NAME" -n "$namespace"
+  fi
+
+  # Create the docker-registry secret
+  echo "  Creating Docker Hub secret in namespace: $namespace"
+  kubectl create secret docker-registry "$SECRET_NAME" \
+    --docker-server="$DOCKER_SERVER" \
+    --docker-username="$DOCKER_USERNAME" \
+    --docker-password="$DOCKER_PASSWORD" \
+    --docker-email="$DOCKER_EMAIL" \
+    -n "$namespace"
+
+  echo "  ✓ Secret created successfully in namespace: $namespace"
+  echo ""
+done
+
+echo "==========================================="
+echo "Docker Hub secrets setup completed!"
+echo ""
+echo "The secret '$SECRET_NAME' has been created in all namespaces:"
+for namespace in "${NAMESPACES[@]}"; do
+  echo "  - $namespace"
+done
+echo ""
+echo "Next steps:"
+echo "1. Apply Kubernetes manifests with imagePullSecrets configured"
+echo "2. Verify pods can pull images: kubectl get pods -A"
--- a/infrastructure/scripts/setup/setup-ghcr-secrets.sh
+++ b/infrastructure/scripts/setup/setup-ghcr-secrets.sh
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+# Setup GitHub Container Registry (GHCR) image pull secrets for all namespaces
+# This script creates docker-registry secrets for pulling images from GHCR
+
+set -e
+
+# GitHub Container Registry credentials
+# Note: Use a GitHub Personal Access Token with 'read:packages' scope
+GHCR_SERVER="ghcr.io"
+GHCR_USERNAME="uals"  # GitHub username
+GHCR_PASSWORD="ghp_zzEY5Q58x1S0puraIoKEtbpue3A"  # GitHub Personal Access Token
+GHCR_EMAIL="ualfaro@gmail.com"
+SECRET_NAME="ghcr-creds"
+
+# List of namespaces used in the project
+NAMESPACES=(
+  "bakery-ia"
+  "bakery-ia-dev"
+  "bakery-ia-prod"
+  "default"
+)
+
+echo "Setting up GitHub Container Registry image pull secrets..."
+echo "=========================================================="
+echo ""
+
+for namespace in "${NAMESPACES[@]}"; do
+  echo "Processing namespace: $namespace"
+
+  # Create namespace if it doesn't exist
+  if ! kubectl get namespace "$namespace" >/dev/null 2>&1; then
+    echo "  Creating namespace: $namespace"
+    kubectl create namespace "$namespace"
+  fi
+
+  # Delete existing secret if it exists
+  if kubectl get secret "$SECRET_NAME" -n "$namespace" >/dev/null 2>&1; then
+    echo "  Deleting existing secret in namespace: $namespace"
+    kubectl delete secret "$SECRET_NAME" -n "$namespace"
+  fi
+
+  # Create the docker-registry secret for GHCR
+  echo "  Creating GHCR secret in namespace: $namespace"
+  kubectl create secret docker-registry "$SECRET_NAME" \
+    --docker-server="$GHCR_SERVER" \
+    --docker-username="$GHCR_USERNAME" \
+    --docker-password="$GHCR_PASSWORD" \
+    --docker-email="$GHCR_EMAIL" \
+    -n "$namespace"
+
+  echo "  ✓ Secret created successfully in namespace: $namespace"
+  echo ""
+done
+
+echo "=========================================================="
+echo "GitHub Container Registry secrets setup completed!"
+echo ""
+echo "The secret '$SECRET_NAME' has been created in all namespaces:"
+for namespace in "${NAMESPACES[@]}"; do
+  echo "  - $namespace"
+done
+echo ""
+echo "Next steps:"
+echo "1. Update your Kubernetes manifests to include the GHCR imagePullSecrets"
+echo "2. Verify pods can pull images from GHCR: kubectl get pods -A"
+echo "3. Consider updating your CI/CD pipelines to push images to GHCR"