bakery-admin/bakery-ia
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add new infra architecture 10

Browse Source
This commit is contained in:
Urtzi Alfaro
2026-01-20 10:39:40 +01:00
parent bc00bab061
commit 3b81b5f77e
22 changed files with 1054 additions and 65 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
CI_CD_IMPLEMENTATION_PLAN.md
View File

@@ -321,7 +321,7 @@ metadata:
namespace: flux-system namespace: flux-system
spec: spec:
interval: 1m interval: 1m
url: https://gitea.bakery-ia.local/bakery/bakery-ia.git url: https://gitea.bakery-ia.local/bakery-admin/bakery-ia.git
ref: ref:
branch: main branch: main
secretRef: secretRef:

14
Tiltfile
View File

@@ -52,8 +52,11 @@ if use_dockerhub:
# For Gitea registry mode # For Gitea registry mode
# Gitea registry is accessed via the registry subdomain (TLS terminated at ingress) # Gitea registry is accessed via the registry subdomain (TLS terminated at ingress)
# However, for internal cluster builds (like Kaniko), we need to use the internal service name
if use_gitea_registry: if use_gitea_registry:
base_registry = 'registry.bakery-ia.local' # For external access (ingress): registry.bakery-ia.local
# For internal cluster access: gitea-http.gitea.svc.cluster.local:3000
base_registry = 'gitea-http.gitea.svc.cluster.local:3000'
python_image = 'python:3.11-slim' python_image = 'python:3.11-slim'
# Add fallback to local registry if Gitea registry is not available # Add fallback to local registry if Gitea registry is not available
fallback_registry = 'localhost:5001' fallback_registry = 'localhost:5001'
@@ -299,7 +302,7 @@ elif use_gitea_registry:
print(""" print("""
GITEA REGISTRY MODE ENABLED GITEA REGISTRY MODE ENABLED
Images will be pushed to Gitea registry: registry.bakery-ia.local Images will be pushed to Gitea registry: registry.bakery-ia.local
Base images will be pulled from: %s/%s Base images will be pulled from internal cluster registry: %s/%s
Make sure Gitea is running and accessible Make sure Gitea is running and accessible
To disable: unset USE_GITEA_REGISTRY or set USE_GITEA_REGISTRY=false To disable: unset USE_GITEA_REGISTRY or set USE_GITEA_REGISTRY=false
To use Docker Hub: export USE_DOCKERHUB=true To use Docker Hub: export USE_DOCKERHUB=true
@@ -315,6 +318,7 @@ else:
To use Gitea registry: export USE_GITEA_REGISTRY=true To use Gitea registry: export USE_GITEA_REGISTRY=true
To change base registry: export BASE_REGISTRY=<registry-url> To change base registry: export BASE_REGISTRY=<registry-url>
To change Python image: export PYTHON_IMAGE=<image:tag> To change Python image: export PYTHON_IMAGE=<image:tag>
Note: When using Gitea registry, base images use internal cluster registry: gitea-http.gitea.svc.cluster.local:3000
""" % (base_registry, python_image)) """ % (base_registry, python_image))
default_registry('localhost:5001') default_registry('localhost:5001')
@@ -1331,14 +1335,16 @@ local_resource(
-n tekton-pipelines \ -n tekton-pipelines \
--create-namespace \ --create-namespace \
--timeout 10m \ --timeout 10m \
--wait --wait \
--set pipeline.build.baseRegistry="${base_registry}"
else else
echo " Installing new Tekton CICD deployment..." echo " Installing new Tekton CICD deployment..."
helm upgrade --install tekton-cicd infrastructure/cicd/tekton-helm \ helm upgrade --install tekton-cicd infrastructure/cicd/tekton-helm \
-n tekton-pipelines \ -n tekton-pipelines \
--create-namespace \ --create-namespace \
--timeout 10m \ --timeout 10m \
--wait --wait \
--set pipeline.build.baseRegistry="${base_registry}"
fi fi
echo "" echo ""

2
docs/PILOT_LAUNCH_GUIDE.md
View File

@@ -1616,7 +1616,7 @@ spec:
secretName: gitea-registry-credentials secretName: gitea-registry-credentials
params: params:
- name: git-url - name: git-url
value: "http://gitea.bakery-ia.local/bakery/bakery-ia.git" value: "http://gitea.bakery-ia.local/bakery-admin/bakery-ia.git"
- name: git-revision - name: git-revision
value: "main" value: "main"
EOF EOF

2
infrastructure/cicd/README.md
View File

@@ -155,7 +155,7 @@ microk8s kubectl apply -f infrastructure/ci-cd/monitoring/otel-collector.yaml
secretName: gitea-registry-credentials secretName: gitea-registry-credentials
params: params:
- name: git-url - name: git-url
value: "http://gitea.bakery-ia.local/bakery/bakery-ia.git" value: "http://gitea.bakery-ia.local/bakery-admin/bakery-ia.git"
- name: git-revision - name: git-revision
value: "main" value: "main"
EOF EOF

2
infrastructure/cicd/flux/values.yaml
View File

@@ -6,7 +6,7 @@ gitRepository:
name: bakery-ia name: bakery-ia
namespace: flux-system namespace: flux-system
interval: 1m interval: 1m
url: http://gitea.bakery-ia.local/bakery/bakery-ia.git url: http://gitea.bakery-ia.local/bakery-admin/bakery-ia.git
ref: ref:
branch: main branch: main
secretRef: secretRef:

151
infrastructure/cicd/gitea/IMPLEMENTATION_SUMMARY.md Normal file
View File

@@ -0,0 +1,151 @@
# Gitea Automatic Repository Creation - Implementation Summary
## Overview
This implementation adds automatic repository creation to the Gitea Helm chart configuration for the Bakery-IA project. When Gitea is installed or upgraded via Helm, it will automatically create a `bakery-ia` repository with the specified configuration.
## Changes Made
### 1. Updated Helm Values (`values.yaml`)
Added the `initialRepositories` configuration under the `gitea:` section:
```yaml
# Initial repositories to create automatically after Gitea installation
# These will be created with the admin user as owner
gitea:
initialRepositories:
- name: bakery-ia
description: "Main repository for Bakery IA project - Automatically created by Helm"
private: false
auto_init: true
default_branch: main
owner: "{{ .Values.gitea.admin.username }}"
# Enable issues, wiki, and other features
enable_issues: true
enable_wiki: true
enable_pull_requests: true
enable_projects: true
```
### 2. Created Setup Script (`setup-gitea-repository.sh`)
A comprehensive bash script that:
- Checks if Gitea is accessible
- Verifies if the repository exists (creates it if not)
- Configures the local Git repository
- Pushes the existing code to the new Gitea repository
### 3. Created Test Script (`test-repository-creation.sh`)
A test script that verifies:
- Gitea accessibility
- Repository existence
- Repository configuration (issues, wiki, pull requests)
- Provides detailed repository information
### 4. Created Documentation
- **README.md**: Complete guide on installation, usage, and troubleshooting
- **IMPLEMENTATION_SUMMARY.md**: This file, summarizing the implementation
## How It Works
### Automatic Repository Creation Flow
1. **Helm Installation**: When `helm install` or `helm upgrade` is executed with the updated values
2. **Gitea Initialization**: Gitea starts and creates the admin user
3. **Repository Creation**: Gitea processes the `initialRepositories` configuration and creates the specified repositories
4. **Completion**: The repository is ready for use immediately after Gitea is fully initialized
### Key Features
- **Automatic**: No manual intervention required after Helm installation
- **Idempotent**: Safe to run multiple times (won't duplicate repositories)
- **Configurable**: All repository settings are defined in Helm values
- **Integrated**: Uses native Gitea Helm chart features
## Usage
### Installation
```bash
# Install Gitea with automatic repository creation
helm install gitea gitea/gitea -n gitea \
-f infrastructure/cicd/gitea/values.yaml \
--set gitea.admin.password=your-secure-password
```
### Push Existing Code
```bash
export GITEA_ADMIN_PASSWORD="your-secure-password"
./infrastructure/cicd/gitea/setup-gitea-repository.sh
```
### Verify Repository
```bash
export GITEA_ADMIN_PASSWORD="your-secure-password"
./infrastructure/cicd/gitea/test-repository-creation.sh
```
## Repository Configuration
The automatically created repository includes:
| Feature | Enabled | Description |
|---------|---------|-------------|
| Name | bakery-ia | Main project repository |
| Description | Main repository for Bakery IA project | Clear identification |
| Visibility | Public | Accessible without authentication |
| Auto Init | Yes | Creates initial README.md |
| Default Branch | main | Standard branch naming |
| Issues | Yes | Bug and feature tracking |
| Wiki | Yes | Project documentation |
| Pull Requests | Yes | Code review workflow |
| Projects | Yes | Project management |
## CI/CD Integration
The repository is ready for immediate CI/CD integration:
- **Repository URL**: `https://gitea.bakery-ia.local/bakery-admin/bakery-ia.git`
- **Clone URL**: `https://gitea.bakery-ia.local/bakery-admin/bakery-ia.git`
- **SSH URL**: `git@gitea.bakery-ia.local:bakery-admin/bakery-ia.git`
## Benefits
1. **Automation**: Eliminates manual repository creation step
2. **Consistency**: Ensures all environments have the same repository structure
3. **Reliability**: Uses Helm's declarative configuration management
4. **Documentation**: Clear repository purpose and features
5. **CI/CD Ready**: Repository is immediately available for pipeline configuration
## Troubleshooting
### Repository Not Created
1. **Check Helm Values**: Ensure the `initialRepositories` section is correctly formatted
2. **Verify Gitea Logs**: `kubectl logs -n gitea -l app.kubernetes.io/name=gitea`
3. **Manual Creation**: Use the setup script to create the repository manually
### Authentication Issues
1. **Verify Password**: Ensure `GITEA_ADMIN_PASSWORD` is correct
2. **Check Accessibility**: Confirm Gitea service is running and accessible
3. **Network Configuration**: Verify ingress and DNS settings
## Future Enhancements
Potential improvements for future iterations:
1. **Multiple Repositories**: Add more repositories for different components
2. **Webhooks**: Automatically configure webhooks for CI/CD triggers
3. **Teams and Permissions**: Set up teams and access controls
4. **Template Repositories**: Create repository templates with standard files
5. **Backup Configuration**: Add automatic backup configuration
## Conclusion
This implementation provides a robust, automated solution for Gitea repository creation in the Bakery-IA project. It leverages Helm's native capabilities to ensure consistent, reliable repository setup across all environments.

127
infrastructure/cicd/gitea/README.md Normal file
View File

@@ -0,0 +1,127 @@
# Gitea Configuration for Bakery-IA CI/CD
This directory contains the Helm values and scripts for setting up Gitea as the Git server for the Bakery-IA project.
## Features
- **Automatic Repository Creation**: When Gitea is installed via Helm, it automatically creates a `bakery-ia` repository owned by the admin user.
- **Pre-configured Settings**: The repository comes with issues, wiki, pull requests, and projects enabled.
- **Easy Setup Script**: A script to push your existing code to the new Gitea repository.
## Installation
### 1. Install Gitea with Helm
```bash
# Add Gitea Helm repository
helm repo add gitea https://dl.gitea.io/charts
helm repo update
# Create namespace
kubectl create namespace gitea
# Install Gitea with automatic repository creation
helm install gitea gitea/gitea -n gitea \
-f infrastructure/cicd/gitea/values.yaml \
--set gitea.admin.password=your-secure-password
```
### 2. Wait for Gitea to be ready
```bash
kubectl wait --for=condition=ready pod -n gitea -l app.kubernetes.io/name=gitea --timeout=300s
```
### 3. Push your code to the new repository
```bash
# Set the admin password as environment variable
export GITEA_ADMIN_PASSWORD="your-secure-password"
# Run the setup script
./infrastructure/cicd/gitea/setup-gitea-repository.sh
```
## Configuration Details
### Automatic Repository Creation
The `values.yaml` file includes the following configuration to automatically create the `bakery-ia` repository:
```yaml
gitea:
initialRepositories:
- name: bakery-ia
description: "Main repository for Bakery IA project - Automatically created by Helm"
private: false
auto_init: true
default_branch: main
owner: "{{ .Values.gitea.admin.username }}"
enable_issues: true
enable_wiki: true
enable_pull_requests: true
enable_projects: true
```
### Repository Features
The automatically created repository includes:
- **Issues**: For tracking bugs and feature requests
- **Wiki**: For project documentation
- **Pull Requests**: For code review workflow
- **Projects**: For project management
- **Auto Initialization**: Creates an initial README.md file
## CI/CD Integration
Once the repository is created and your code is pushed, you can configure your CI/CD pipelines to use this repository. The repository URL will be:
```
https://gitea.bakery-ia.local/bakery-admin/bakery-ia.git
```
### Example Tekton Pipeline Configuration
```yaml
# In your Tekton PipelineRun or Task
spec:
params:
- name: git-url
value: "https://gitea.bakery-ia.local/bakery-admin/bakery-ia.git"
- name: git-revision
value: "main"
```
## Troubleshooting
### Repository not created
If the repository is not automatically created:
1. Check Gitea logs: `kubectl logs -n gitea -l app.kubernetes.io/name=gitea`
2. Verify the Helm values were applied correctly
3. Manually create the repository using the setup script
### Authentication issues
If you have authentication problems when pushing:
1. Verify the admin password is correct
2. Check that the Gitea service is accessible
3. Ensure your kubeconfig has access to the Gitea namespace
## Security Notes
- Always use a strong password for the Gitea admin user
- Consider using Kubernetes secrets for sensitive data
- The setup script uses basic authentication - for production, consider using SSH keys or tokens
## Upgrading
To upgrade Gitea while preserving your repositories:
```bash
helm upgrade gitea gitea/gitea -n gitea \
-f infrastructure/cicd/gitea/values.yaml \
--set gitea.admin.password=your-secure-password
```
The existing repositories and their contents will be preserved during upgrades.

11
infrastructure/cicd/gitea/setup-admin-secret.sh
View File

@@ -49,7 +49,9 @@ $KUBECTL create secret generic gitea-admin-secret \
echo "Creating gitea-registry-secret in $BAKERY_NAMESPACE namespace..." echo "Creating gitea-registry-secret in $BAKERY_NAMESPACE namespace..."
# Create Docker config JSON for registry authentication # Create Docker config JSON for registry authentication
# Include both external (ingress) and internal (cluster) registry URLs
AUTH_BASE64=$(echo -n "${ADMIN_USERNAME}:${ADMIN_PASSWORD}" | base64) AUTH_BASE64=$(echo -n "${ADMIN_USERNAME}:${ADMIN_PASSWORD}" | base64)
INTERNAL_REGISTRY_HOST="gitea-http.gitea.svc.cluster.local:3000"
DOCKER_CONFIG_JSON=$(cat <<EOF DOCKER_CONFIG_JSON=$(cat <<EOF
{ {
"auths": { "auths": {
@@ -57,6 +59,11 @@ DOCKER_CONFIG_JSON=$(cat <<EOF
"username": "${ADMIN_USERNAME}", "username": "${ADMIN_USERNAME}",
"password": "${ADMIN_PASSWORD}", "password": "${ADMIN_PASSWORD}",
"auth": "${AUTH_BASE64}" "auth": "${AUTH_BASE64}"
},
"${INTERNAL_REGISTRY_HOST}": {
"username": "${ADMIN_USERNAME}",
"password": "${ADMIN_PASSWORD}",
"auth": "${AUTH_BASE64}"
} }
} }
} }
@@ -99,7 +106,9 @@ echo "Secrets created:"
echo " 1. gitea-admin-secret (namespace: $GITEA_NAMESPACE) - For Gitea Helm chart" echo " 1. gitea-admin-secret (namespace: $GITEA_NAMESPACE) - For Gitea Helm chart"
echo " 2. gitea-registry-secret (namespace: $BAKERY_NAMESPACE) - For imagePullSecrets" echo " 2. gitea-registry-secret (namespace: $BAKERY_NAMESPACE) - For imagePullSecrets"
echo "" echo ""
echo "Registry URL: https://$REGISTRY_HOST" echo "Registry URLs:"
echo " External: https://$REGISTRY_HOST"
echo " Internal: $INTERNAL_REGISTRY_HOST"
echo "" echo ""
echo "Now install Gitea with:" echo "Now install Gitea with:"
echo " helm install gitea gitea/gitea -n gitea -f infrastructure/cicd/gitea/values.yaml" echo " helm install gitea gitea/gitea -n gitea -f infrastructure/cicd/gitea/values.yaml"

119
infrastructure/cicd/gitea/setup-gitea-repository.sh Executable file
View File

@@ -0,0 +1,119 @@
#!/bin/bash
# Script to setup and push code to the automatically created Gitea repository
# This script should be run after Gitea is installed and the repository is created
set -e
echo "=== Gitea Repository Setup Script ==="
echo "This script will configure the bakery-ia repository in Gitea"
echo
# Configuration - update these values as needed
GITEA_URL="https://gitea.bakery-ia.local"
GITEA_ADMIN_USER="bakery-admin"
REPO_NAME="bakery-ia"
LOCAL_DIR="/Users/urtzialfaro/Documents/bakery-ia"
# Check if Gitea admin password is set
if [ -z "$GITEA_ADMIN_PASSWORD" ]; then
echo "Error: GITEA_ADMIN_PASSWORD environment variable is not set"
echo "Please set it to the admin password you used during Gitea installation"
exit 1
fi
echo "Checking if Gitea is accessible..."
if ! curl -s -o /dev/null -w "%{http_code}" "$GITEA_URL" | grep -q "200"; then
echo "Error: Cannot access Gitea at $GITEA_URL"
echo "Please ensure Gitea is running and accessible"
exit 1
fi
echo "✓ Gitea is accessible"
echo "Checking if repository $REPO_NAME exists..."
REPO_CHECK=$(curl -s -w "%{http_code}" -u "$GITEA_ADMIN_USER:$GITEA_ADMIN_PASSWORD" \
"$GITEA_URL/api/v1/repos/$GITEA_ADMIN_USER/$REPO_NAME" | tail -1)
if [ "$REPO_CHECK" != "200" ]; then
echo "Repository $REPO_NAME does not exist or is not accessible"
echo "Attempting to create it..."
CREATE_RESPONSE=$(curl -s -w "%{http_code}" -u "$GITEA_ADMIN_USER:$GITEA_ADMIN_PASSWORD" \
-X POST "$GITEA_URL/api/v1/user/repos" \
-H "Content-Type: application/json" \
-d '{
"name": "'"$REPO_NAME"'",
"description": "Main repository for Bakery IA project",
"private": false,
"auto_init": true,
"default_branch": "main"
}')
HTTP_CODE=$(echo "$CREATE_RESPONSE" | tail -1)
RESPONSE_BODY=$(echo "$CREATE_RESPONSE" | sed '$d')
if [ "$HTTP_CODE" != "201" ]; then
echo "Error creating repository: HTTP $HTTP_CODE"
echo "Response: $RESPONSE_BODY"
exit 1
fi
echo "✓ Repository $REPO_NAME created successfully"
else
echo "✓ Repository $REPO_NAME already exists"
fi
echo "Configuring Git repository..."
cd "$LOCAL_DIR"
# Check if this is already a git repository
if [ ! -d ".git" ]; then
echo "Initializing Git repository..."
git init
git branch -M main
else
echo "Git repository already initialized"
fi
# Configure Git user if not already set
if [ -z "$(git config user.name)" ]; then
git config user.name "$GITEA_ADMIN_USER"
git config user.email "admin@bakery-ia.local"
echo "✓ Configured Git user: $GITEA_ADMIN_USER"
fi
# Set the remote URL
GIT_REMOTE_URL="$GITEA_URL/$GITEA_ADMIN_USER/$REPO_NAME.git"
if git remote | grep -q "origin"; then
CURRENT_REMOTE=$(git remote get-url origin)
if [ "$CURRENT_REMOTE" != "$GIT_REMOTE_URL" ]; then
echo "Updating remote origin to: $GIT_REMOTE_URL"
git remote set-url origin "$GIT_REMOTE_URL"
else
echo "Remote origin is already set correctly"
fi
else
echo "Setting remote origin to: $GIT_REMOTE_URL"
git remote add origin "$GIT_REMOTE_URL"
fi
echo "Checking if there are changes to commit..."
if [ -n "$(git status --porcelain)" ]; then
echo "Committing changes..."
git add .
git commit -m "Initial commit - Bakery IA project setup"
echo "✓ Changes committed"
else
echo "No changes to commit"
fi
echo "Pushing to Gitea repository..."
git push --set-upstream origin main
echo "✓ Code pushed successfully to Gitea!"
echo "Repository URL: $GIT_REMOTE_URL"
echo "You can now configure your CI/CD pipelines to use this repository."
echo "=== Setup Complete ==="

84
infrastructure/cicd/gitea/test-repository-creation.sh Executable file
View File

@@ -0,0 +1,84 @@
#!/bin/bash
# Test script to verify that the Gitea repository was created successfully
set -e
echo "=== Gitea Repository Creation Test ==="
echo
# Configuration - update these values as needed
GITEA_URL="https://gitea.bakery-ia.local"
GITEA_ADMIN_USER="bakery-admin"
REPO_NAME="bakery-ia"
# Check if Gitea admin password is set
if [ -z "$GITEA_ADMIN_PASSWORD" ]; then
echo "Error: GITEA_ADMIN_PASSWORD environment variable is not set"
echo "Please set it to the admin password you used during Gitea installation"
exit 1
fi
echo "Testing Gitea accessibility..."
if ! curl -s -o /dev/null -w "%{http_code}" "$GITEA_URL" | grep -q "200"; then
echo "❌ Error: Cannot access Gitea at $GITEA_URL"
echo "Please ensure Gitea is running and accessible"
exit 1
fi
echo "✅ Gitea is accessible"
echo "Testing repository existence..."
REPO_CHECK=$(curl -s -w "%{http_code}" -u "$GITEA_ADMIN_USER:$GITEA_ADMIN_PASSWORD" \
"$GITEA_URL/api/v1/repos/$GITEA_ADMIN_USER/$REPO_NAME" | tail -1)
if [ "$REPO_CHECK" == "200" ]; then
echo "✅ Repository '$REPO_NAME' exists"
# Get repository details
REPO_DETAILS=$(curl -s -u "$GITEA_ADMIN_USER:$GITEA_ADMIN_PASSWORD" \
"$GITEA_URL/api/v1/repos/$GITEA_ADMIN_USER/$REPO_NAME")
REPO_DESCRIPTION=$(echo "$REPO_DETAILS" | jq -r '.description')
REPO_PRIVATE=$(echo "$REPO_DETAILS" | jq -r '.private')
REPO_DEFAULT_BRANCH=$(echo "$REPO_DETAILS" | jq -r '.default_branch')
echo "Repository Details:"
echo " - Name: $REPO_NAME"
echo " - Description: $REPO_DESCRIPTION"
echo " - Private: $REPO_PRIVATE"
echo " - Default Branch: $REPO_DEFAULT_BRANCH"
echo " - URL: $GITEA_URL/$GITEA_ADMIN_USER/$REPO_NAME"
echo " - Clone URL: $GITEA_URL/$GITEA_ADMIN_USER/$REPO_NAME.git"
# Test if repository has issues enabled
if echo "$REPO_DETAILS" | jq -e '.has_issues == true' > /dev/null; then
echo "✅ Issues are enabled"
else
echo "❌ Issues are not enabled"
fi
# Test if repository has wiki enabled
if echo "$REPO_DETAILS" | jq -e '.has_wiki == true' > /dev/null; then
echo "✅ Wiki is enabled"
else
echo "❌ Wiki is not enabled"
fi
# Test if repository has pull requests enabled
if echo "$REPO_DETAILS" | jq -e '.has_pull_requests == true' > /dev/null; then
echo "✅ Pull requests are enabled"
else
echo "❌ Pull requests are not enabled"
fi
echo
echo "✅ All tests passed! Repository is ready for use."
else
echo "❌ Repository '$REPO_NAME' does not exist"
echo "Expected HTTP 200, got: $REPO_CHECK"
exit 1
fi
echo
echo "=== Test Complete ==="

17
infrastructure/cicd/gitea/values.yaml
View File

@@ -76,6 +76,21 @@ gitea:
DISABLE_REGISTRATION: false DISABLE_REGISTRATION: false
REQUIRE_SIGNIN_VIEW: false REQUIRE_SIGNIN_VIEW: false
# Initial repositories to create automatically after Gitea installation
# These will be created with the admin user as owner
initialRepositories:
- name: bakery-ia
description: "Main repository for Bakery IA project - Automatically created by Helm"
private: false
auto_init: true
default_branch: main
owner: "{{ .Values.gitea.admin.username }}"
# Enable issues, wiki, and other features
enable_issues: true
enable_wiki: true
enable_pull_requests: true
enable_projects: true
# Use embedded SQLite for simpler local development # Use embedded SQLite for simpler local development
# For production, enable postgresql # For production, enable postgresql
postgresql: postgresql:
@@ -103,3 +118,5 @@ initContainers:
requests: requests:
cpu: 50m cpu: 50m
memory: 64Mi memory: 64Mi

145
infrastructure/cicd/tekton-helm/GITEA_SECRET_INTEGRATION.md Normal file
View File

@@ -0,0 +1,145 @@
# Gitea Admin Secret Integration for Tekton
This document explains how Tekton CI/CD integrates with the existing Gitea admin secret to ensure credential consistency across the system.
## Architecture Overview
```mermaid
graph TD
A[Gitea Admin Secret] --> B[Tekton Registry Credentials]
A --> C[Tekton Git Credentials]
A --> D[Flux Git Credentials]
B --> E[Kaniko Build Task]
C --> F[GitOps Update Task]
D --> G[Flux GitRepository]
```
## How It Works
The system uses Helm's `lookup` function to reference the existing `gitea-admin-secret` from the Gitea namespace, ensuring that:
1. **Single Source of Truth**: All CI/CD components use the same credentials as Gitea
2. **Automatic Synchronization**: When Gitea admin password changes, all CI/CD components automatically use the new credentials
3. **Reduced Maintenance**: No need to manually update credentials in multiple places
## Secret Reference Flow
```
Gitea Namespace: gitea-admin-secret
└── username: bakery-admin
└── password: [secure-password]
Tekton Namespace:
├── gitea-registry-credentials (dockerconfigjson)
│ └── references gitea-admin-secret.password
├── gitea-git-credentials (opaque)
│ └── references gitea-admin-secret.password
└── gitea-credentials (opaque) [flux-system namespace]
└── references gitea-admin-secret.password
```
## Deployment Requirements
### Prerequisites
1. **Gitea must be installed first**: The `gitea-admin-secret` must exist before deploying Tekton
2. **Same username**: All components use `bakery-admin` as the username
3. **Namespace access**: Tekton service account needs read access to Gitea namespace secrets
### Installation Steps
1. **Install Gitea with admin secret**:
```bash
# Run the setup script to create gitea-admin-secret
./infrastructure/cicd/gitea/setup-admin-secret.sh your-secure-password
# Install Gitea Helm chart
helm install gitea gitea/gitea -n gitea -f infrastructure/cicd/gitea/values.yaml
```
2. **Install Tekton with secret references**:
```bash
# Install Tekton - it will automatically reference the Gitea admin secret
helm install tekton-cicd infrastructure/cicd/tekton-helm \
--namespace tekton-pipelines \
--set secrets.webhook.token="your-webhook-token"
```
## Troubleshooting
### Common Issues
1. **Secret not found error**:
- Ensure Gitea is installed before Tekton
- Verify the `gitea-admin-secret` exists in the `gitea` namespace
- Check that Tekton service account has RBAC permissions to read Gitea secrets
2. **Authentication failures**:
- Verify the Gitea admin password is correct
- Ensure the username is `bakery-admin` (matching the Gitea admin)
- Check that the password hasn't been manually changed in Gitea UI
### Debugging Commands
```bash
# Check if gitea-admin-secret exists
kubectl get secret gitea-admin-secret -n gitea
# Verify Tekton secrets were created correctly
kubectl get secret gitea-registry-credentials -n tekton-pipelines -o yaml
kubectl get secret gitea-git-credentials -n tekton-pipelines -o yaml
kubectl get secret gitea-credentials -n flux-system -o yaml
# Check RBAC permissions
kubectl get role,rolebinding,clusterrole,clusterrolebinding -n tekton-pipelines
```
## Security Considerations
### Benefits
1. **Reduced attack surface**: Fewer secrets to manage and rotate
2. **Automatic rotation**: Changing Gitea admin password automatically updates all CI/CD components
3. **Consistent access control**: Single point for credential management
### Best Practices
1. **Use strong passwords**: Generate secure random passwords for Gitea admin
2. **Rotate regularly**: Change the Gitea admin password periodically
3. **Limit access**: Restrict who can read the `gitea-admin-secret`
4. **Audit logs**: Monitor access to the admin secret
## Manual Override
If you need to use different credentials for specific components, you can override the values:
```bash
helm install tekton-cicd infrastructure/cicd/tekton-helm \
--namespace tekton-pipelines \
--set secrets.webhook.token="your-webhook-token" \
--set secrets.registry.password="custom-registry-password" \
--set secrets.git.password="custom-git-password"
```
However, this is **not recommended** as it breaks the single source of truth principle.
## Helm Template Details
The integration uses Helm's `lookup` function with `b64dec` to decode the base64-encoded password:
```yaml
password: {{ .Values.secrets.git.password | default (lookup "v1" "Secret" "gitea" "gitea-admin-secret").data.password | b64dec | quote }}
```
This means:
1. Look up the `gitea-admin-secret` in the `gitea` namespace
2. Get the `password` field from the secret's `data` section
3. Base64 decode it (Kubernetes stores secret data as base64)
4. Use it as the password value
5. If `.Values.secrets.git.password` is provided, use that instead (for manual override)
## Conclusion
This integration provides a robust, secure way to manage credentials across the CI/CD pipeline while maintaining consistency with Gitea's admin credentials.

17
infrastructure/cicd/tekton-helm/templates/secrets.yaml
View File

@@ -16,6 +16,7 @@ stringData:
--- ---
# Secret for Gitea container registry credentials # Secret for Gitea container registry credentials
# Used by Kaniko to push images to Gitea registry # Used by Kaniko to push images to Gitea registry
# References the existing gitea-admin-secret for consistency
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
@@ -25,16 +26,16 @@ metadata:
app.kubernetes.io/name: {{ .Values.labels.app.name }} app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: build app.kubernetes.io/component: build
annotations: annotations:
note: "Registry credentials for pushing images" note: "Registry credentials for pushing images - references gitea-admin-secret"
type: kubernetes.io/dockerconfigjson type: kubernetes.io/dockerconfigjson
stringData: stringData:
{{- if and .Values.secrets.registry.registryUrl .Values.secrets.registry.username .Values.secrets.registry.password }} {{- if and .Values.secrets.registry.registryUrl .Values.secrets.registry.username }}
.dockerconfigjson: | .dockerconfigjson: |
{ {
"auths": { "auths": {
{{ .Values.secrets.registry.registryUrl | quote }}: { {{ .Values.secrets.registry.registryUrl | quote }}: {
"username": {{ .Values.secrets.registry.username | quote }}, "username": {{ .Values.secrets.registry.username | quote }},
"password": {{ .Values.secrets.registry.password | quote }} "password": {{ .Values.secrets.registry.password | default (lookup "v1" "Secret" "gitea" "gitea-admin-secret").data.password | b64dec | quote }}
} }
} }
} }
@@ -43,6 +44,7 @@ stringData:
{{- end }} {{- end }}
--- ---
# Secret for Git credentials (used by pipeline to push GitOps updates) # Secret for Git credentials (used by pipeline to push GitOps updates)
# References the existing gitea-admin-secret for consistency
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
@@ -52,14 +54,15 @@ metadata:
app.kubernetes.io/name: {{ .Values.labels.app.name }} app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: gitops app.kubernetes.io/component: gitops
annotations: annotations:
note: "Git credentials for GitOps updates" note: "Git credentials for GitOps updates - references gitea-admin-secret"
type: Opaque type: Opaque
stringData: stringData:
username: {{ .Values.secrets.git.username | quote }} username: {{ .Values.secrets.git.username | quote }}
password: {{ .Values.secrets.git.password | quote }} password: {{ .Values.secrets.git.password | default (lookup "v1" "Secret" "gitea" "gitea-admin-secret").data.password | b64dec | quote }}
--- ---
# Secret for Flux GitRepository access # Secret for Flux GitRepository access
# Used by Flux to pull from Gitea repository # Used by Flux to pull from Gitea repository
# References the existing gitea-admin-secret for consistency
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
@@ -69,8 +72,8 @@ metadata:
app.kubernetes.io/name: {{ .Values.labels.app.name }} app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: flux app.kubernetes.io/component: flux
annotations: annotations:
note: "Credentials for Flux GitRepository access" note: "Credentials for Flux GitRepository access - references gitea-admin-secret"
type: Opaque type: Opaque
stringData: stringData:
username: {{ .Values.secrets.git.username | quote }} username: {{ .Values.secrets.git.username | quote }}
password: {{ .Values.secrets.git.password | quote }} password: {{ .Values.secrets.git.password | default (lookup "v1" "Secret" "gitea" "gitea-admin-secret").data.password | b64dec | quote }}

55
infrastructure/cicd/tekton-helm/templates/task-detect-changes.yaml
View File

@@ -22,22 +22,63 @@ spec:
script: | script: |
#!/bin/bash #!/bin/bash
set -e set -e
cd $(workspaces.source.path) cd $(workspaces.source.path)
# Get the list of changed files # Get the list of changed files
CHANGED_FILES=$(git diff --name-only HEAD~1 HEAD 2>/dev/null || git diff --name-only $(git rev-parse --abbrev-ref HEAD)@{upstream} HEAD 2>/dev/null || echo "") CHANGED_FILES=$(git diff --name-only HEAD~1 HEAD 2>/dev/null || git diff --name-only $(git rev-parse --abbrev-ref HEAD)@{upstream} HEAD 2>/dev/null || echo "")
if [ -z "$CHANGED_FILES" ]; then if [ -z "$CHANGED_FILES" ]; then
# No changes detected, assume all services need building # No changes detected, assume all services need building
echo "No git changes detected, building all services" echo "No git changes detected, building all services"
echo "all" > $(results.changed-services.path) echo "all" > $(results.changed-services.path)
exit 0 exit 0
fi fi
# Extract service names from changed file paths # Initialize an array to collect changed services
CHANGED_SERVICES=$(echo "$CHANGED_FILES" | grep -o 'services/[^/]*' | sed 's/services\/\//' | sort -u | tr '\n' ',' | sed 's/,$//') declare -a changed_services=()
# Check for changes in services/ directory
while IFS= read -r service_dir; do
if [ -n "$service_dir" ]; then
service_name=$(basename "$service_dir")
if [[ ! " ${changed_services[@]} " =~ " ${service_name} " ]]; then
changed_services+=("$service_name")
fi
fi
done < <(echo "$CHANGED_FILES" | grep '^services/' | cut -d'/' -f2 | sort -u)
# Check for changes in gateway/ directory
if echo "$CHANGED_FILES" | grep -q '^gateway/'; then
if [[ ! " ${changed_services[@]} " =~ " gateway " ]]; then
changed_services+=("gateway")
fi
fi
# Check for changes in frontend/ directory
if echo "$CHANGED_FILES" | grep -q '^frontend/'; then
if [[ ! " ${changed_services[@]} " =~ " frontend " ]]; then
changed_services+=("frontend")
fi
fi
# Check for changes in shared/ directory (might affect multiple services)
if echo "$CHANGED_FILES" | grep -q '^shared/'; then
if [[ ! " ${changed_services[@]} " =~ " shared " ]]; then
changed_services+=("shared")
fi
fi
# Convert array to comma-separated string
CHANGED_SERVICES=""
for service in "${changed_services[@]}"; do
if [ -z "$CHANGED_SERVICES" ]; then
CHANGED_SERVICES="$service"
else
CHANGED_SERVICES="$CHANGED_SERVICES,$service"
fi
done
if [ -z "$CHANGED_SERVICES" ]; then if [ -z "$CHANGED_SERVICES" ]; then
# Changes are in infrastructure or other non-service files # Changes are in infrastructure or other non-service files
echo "infrastructure" > $(results.changed-services.path) echo "infrastructure" > $(results.changed-services.path)

4
infrastructure/cicd/tekton-helm/templates/task-kaniko-build.yaml
View File

@@ -67,9 +67,11 @@ spec:
echo "Building service: $service" echo "Building service: $service"
echo "-------------------------------------------------------------------" echo "-------------------------------------------------------------------"
# Determine Dockerfile path (services vs gateway) # Determine Dockerfile path (services vs gateway vs frontend)
if [ "$service" = "gateway" ]; then if [ "$service" = "gateway" ]; then
DOCKERFILE_PATH="$(workspaces.source.path)/gateway/Dockerfile" DOCKERFILE_PATH="$(workspaces.source.path)/gateway/Dockerfile"
elif [ "$service" = "frontend" ]; then
DOCKERFILE_PATH="$(workspaces.source.path)/frontend/Dockerfile.kubernetes"
else else
DOCKERFILE_PATH="$(workspaces.source.path)/services/$service/Dockerfile" DOCKERFILE_PATH="$(workspaces.source.path)/services/$service/Dockerfile"
fi fi

84
infrastructure/cicd/tekton-helm/templates/task-update-gitops.yaml
View File

@@ -50,7 +50,7 @@ spec:
script: | script: |
#!/bin/bash #!/bin/bash
set -e set -e
echo "============================================" echo "============================================"
echo "Updating GitOps Manifests" echo "Updating GitOps Manifests"
echo "Services: $(params.services)" echo "Services: $(params.services)"
@@ -59,37 +59,85 @@ spec:
echo "Branch: $(params.git-branch)" echo "Branch: $(params.git-branch)"
echo "Dry run: $(params.dry-run)" echo "Dry run: $(params.dry-run)"
echo "============================================" echo "============================================"
# Configure git # Configure git
git config --global user.email "ci@bakery-ia.local" git config --global user.email "ci@bakery-ia.local"
git config --global user.name "bakery-ia-ci" git config --global user.name "bakery-ia-ci"
# Clone the GitOps repository # Clone the main repository (not a separate gitops repo)
REPO_URL="https://${GIT_USERNAME}:${GIT_PASSWORD}@gitea.bakery-ia.local/bakery/bakery-ia-gitops.git" REPO_URL="https://${GIT_USERNAME}:${GIT_PASSWORD}@gitea.bakery-ia.local/bakery-admin/bakery-ia.git"
git clone "$REPO_URL" /tmp/gitops git clone "$REPO_URL" /tmp/gitops
cd /tmp/gitops cd /tmp/gitops
# Switch to target branch # Switch to target branch
git checkout "$(params.git-branch)" || git checkout -b "$(params.git-branch)" git checkout "$(params.git-branch)" || git checkout -b "$(params.git-branch)"
# Update image tags in Kubernetes manifests # Update image tags in Kubernetes manifests
for service in $(echo "$(params.services)" | tr ',' '\n'); do for service in $(echo "$(params.services)" | tr ',' '\n'); do
echo "Updating manifest for service: $service" service=$(echo "$service" | xargs) # Trim whitespace
if [ -n "$service" ] && [ "$service" != "none" ] && [ "$service" != "infrastructure" ] && [ "$service" != "shared" ]; then
# Find and update the image tag in the deployment YAML echo "Updating manifest for service: $service"
if [ -f "deployments/${service}-deployment.yaml" ]; then
sed -i "s|image: bakery/${service}:.*|image: $(params.registry)/bakery/${service}:$(params.git-revision)|g" "deployments/${service}-deployment.yaml" # Format service name for directory (convert from kebab-case to snake_case if needed)
# Handle special cases like demo-session -> demo_session, alert-processor -> alert_processor, etc.
formatted_service=$(echo "$service" | sed 's/-/_/g')
# For gateway and frontend, they have different directory structures
if [ "$service" = "gateway" ]; then
MANIFEST_PATH="infrastructure/platform/gateway/gateway-service.yaml"
IMAGE_NAME="gateway" # gateway image name is just "gateway"
elif [ "$service" = "frontend" ]; then
MANIFEST_PATH="infrastructure/services/microservices/frontend/frontend-service.yaml"
IMAGE_NAME="dashboard" # frontend service uses "dashboard" as image name
else
# For microservices, look in the microservices directory
# Convert service name to directory format (kebab-case)
service_dir=$(echo "$service" | sed 's/_/-/g')
# Check for different possible manifest file names
if [ -f "infrastructure/services/microservices/$service_dir/deployment.yaml" ]; then
MANIFEST_PATH="infrastructure/services/microservices/$service_dir/deployment.yaml"
elif [ -f "infrastructure/services/microservices/$service_dir/${formatted_service}-service.yaml" ]; then
MANIFEST_PATH="infrastructure/services/microservices/$service_dir/${formatted_service}-service.yaml"
elif [ -f "infrastructure/services/microservices/$service_dir/${service_dir}-service.yaml" ]; then
MANIFEST_PATH="infrastructure/services/microservices/$service_dir/${service_dir}-service.yaml"
else
# Default to the standard naming pattern
MANIFEST_PATH="infrastructure/services/microservices/$service_dir/${formatted_service}-service.yaml"
fi
# For most services, the image name follows the pattern service-name-service
IMAGE_NAME="${service_dir}-service"
fi
# Update the image tag in the deployment YAML
if [ -f "$MANIFEST_PATH" ]; then
# Update image reference from bakery/image_name:tag to registry/image_name:git_revision
# Handle various image name formats that might exist in the manifests
sed -i "s|image: bakery/${IMAGE_NAME}:.*|image: $(params.registry)/${IMAGE_NAME}:$(params.git-revision)|g" "$MANIFEST_PATH"
# Also handle the case where the image name might be formatted differently
sed -i "s|image: bakery/${service}:.*|image: $(params.registry)/${service}:$(params.git-revision)|g" "$MANIFEST_PATH"
sed -i "s|image: bakery/${formatted_service}:.*|image: $(params.registry)/${formatted_service}:$(params.git-revision)|g" "$MANIFEST_PATH"
echo "Updated image in: $MANIFEST_PATH for image: bakery/${IMAGE_NAME}:* -> $(params.registry)/${IMAGE_NAME}:$(params.git-revision)"
else
echo "Warning: Manifest file not found: $MANIFEST_PATH"
fi
fi fi
done done
# Commit and push changes (unless dry-run) # Commit and push changes (unless dry-run)
if [ "$(params.dry-run)" != "true" ]; then if [ "$(params.dry-run)" != "true" ]; then
git add . git add .
git commit -m "Update images for services: $(params.services) [skip ci]" git status
git push origin "$(params.git-branch)" if ! git diff --cached --quiet; then
git commit -m "Update images for services: $(params.services) [skip ci]"
echo "GitOps manifests updated successfully" git push origin "$(params.git-branch)"
echo "GitOps manifests updated successfully"
else
echo "No changes to commit"
fi
else else
echo "Dry run mode - changes not pushed" echo "Dry run mode - changes not pushed"
git status git status

2
infrastructure/cicd/tekton-helm/templates/trigger-template.yaml
View File

@@ -23,7 +23,7 @@ spec:
default: "bakery-ia" default: "bakery-ia"
- name: git-repo-full-name - name: git-repo-full-name
description: The full repository name (org/repo) description: The full repository name (org/repo)
default: "bakery/bakery-ia" default: "bakery-admin/bakery-ia"
# Registry URL - keep in sync with pipeline-config ConfigMap # Registry URL - keep in sync with pipeline-config ConfigMap
- name: registry-url - name: registry-url
description: Container registry URL description: Container registry URL

12
infrastructure/cicd/tekton-helm/values.yaml
View File

@@ -69,18 +69,20 @@ namespace: "tekton-pipelines"
secrets: secrets:
# Webhook secret for validating incoming webhooks # Webhook secret for validating incoming webhooks
webhook: webhook:
token: "example-webhook-token-do-not-use-in-production" token: "secure-webhook-token-replace-with-actual-value"
# Registry credentials for pushing images # Registry credentials for pushing images
# Uses the same credentials as Gitea admin for consistency
registry: registry:
username: "example-user" username: "bakery-admin"
password: "example-password" password: "" # Will be populated from gitea-admin-secret
registryUrl: "gitea.bakery-ia.local:5000" registryUrl: "gitea.bakery-ia.local:5000"
# Git credentials for GitOps updates # Git credentials for GitOps updates
# Uses the same credentials as Gitea admin for consistency
git: git:
username: "example-user" username: "bakery-admin"
password: "example-password" password: "" # Will be populated from gitea-admin-secret
# Service accounts # Service accounts
serviceAccounts: serviceAccounts:

31
infrastructure/environments/dev/k8s-manifests/kustomization.yaml
View File

@@ -85,55 +85,56 @@ labels:
# Dev image overrides - use Gitea registry to avoid Docker Hub rate limits # Dev image overrides - use Gitea registry to avoid Docker Hub rate limits
# IMPORTANT: All image names must be lowercase (Docker requirement) # IMPORTANT: All image names must be lowercase (Docker requirement)
# The prepull-base-images.sh script pushes images to registry.bakery-ia.local/bakery-admin/ # The prepull-base-images.sh script pushes images to registry.bakery-ia.local/bakery-admin/
# Format: registry.bakery-ia.local/bakery-admin/<package-name>:<original-tag> # For internal cluster access, use the Gitea service directly
# Format: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/<package-name>:<original-tag>
images: images:
# Database images # Database images
- name: postgres - name: postgres
newName: registry.bakery-ia.local/bakery-admin/postgres newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/postgres
newTag: "17-alpine" newTag: "17-alpine"
- name: redis - name: redis
newName: registry.bakery-ia.local/bakery-admin/redis newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/redis
newTag: "7.4-alpine" newTag: "7.4-alpine"
- name: rabbitmq - name: rabbitmq
newName: registry.bakery-ia.local/bakery-admin/rabbitmq newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/rabbitmq
newTag: "4.1-management-alpine" newTag: "4.1-management-alpine"
# Utility images # Utility images
- name: busybox - name: busybox
newName: registry.bakery-ia.local/bakery-admin/busybox newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/busybox
newTag: "1.36" newTag: "1.36"
- name: curlimages/curl - name: curlimages/curl
newName: registry.bakery-ia.local/bakery-admin/curlimages-curl newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/curlimages-curl
newTag: latest newTag: latest
- name: bitnami/kubectl - name: bitnami/kubectl
newName: registry.bakery-ia.local/bakery-admin/bitnami-kubectl newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/bitnami-kubectl
newTag: latest newTag: latest
# Alpine variants # Alpine variants
- name: alpine - name: alpine
newName: registry.bakery-ia.local/bakery-admin/alpine newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/alpine
newTag: "3.19" newTag: "3.19"
- name: alpine/git - name: alpine/git
newName: registry.bakery-ia.local/bakery-admin/alpine-git newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/alpine-git
newTag: "2.43.0" newTag: "2.43.0"
# CI/CD images (cached in Gitea registry for consistency) # CI/CD images (cached in Gitea registry for consistency)
- name: gcr.io/kaniko-project/executor - name: gcr.io/kaniko-project/executor
newName: registry.bakery-ia.local/bakery-admin/gcr.io-kaniko-project-executor newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/gcr.io-kaniko-project-executor
newTag: v1.23.0 newTag: v1.23.0
- name: gcr.io/go-containerregistry/crane - name: gcr.io/go-containerregistry/crane
newName: registry.bakery-ia.local/bakery-admin/gcr.io-go-containerregistry-crane newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/gcr.io-go-containerregistry-crane
newTag: latest newTag: latest
- name: registry.k8s.io/kustomize/kustomize - name: registry.k8s.io/kustomize/kustomize
newName: registry.bakery-ia.local/bakery-admin/registry.k8s.io-kustomize-kustomize newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/registry.k8s.io-kustomize-kustomize
newTag: v5.3.0 newTag: v5.3.0
# Storage images # Storage images
- name: minio/minio - name: minio/minio
newName: registry.bakery-ia.local/bakery-admin/minio-minio newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/minio-minio
newTag: RELEASE.2024-11-07T00-52-20Z newTag: RELEASE.2024-11-07T00-52-20Z
- name: minio/mc - name: minio/mc
newName: registry.bakery-ia.local/bakery-admin/minio-mc newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/minio-mc
newTag: RELEASE.2024-11-17T19-35-25Z newTag: RELEASE.2024-11-17T19-35-25Z
# NOTE: nominatim image override removed - nominatim is now deployed via Helm # NOTE: nominatim image override removed - nominatim is now deployed via Helm
# Python base image # Python base image
- name: python - name: python
newName: registry.bakery-ia.local/bakery-admin/python newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/python
newTag: "3.11-slim" newTag: "3.11-slim"

70
kubernetes_restart.sh
View File

@@ -399,12 +399,45 @@ setup() {
# 1. Start Colima with adequate resources # 1. Start Colima with adequate resources
print_status "Starting Colima with ${COLIMA_CPU} CPU, ${COLIMA_MEMORY}GB memory, ${COLIMA_DISK}GB disk..." print_status "Starting Colima with ${COLIMA_CPU} CPU, ${COLIMA_MEMORY}GB memory, ${COLIMA_DISK}GB disk..."
if ! is_colima_running; then if ! is_colima_running; then
colima start --cpu "$COLIMA_CPU" --memory "$COLIMA_MEMORY" --disk "$COLIMA_DISK" --runtime docker --profile "$COLIMA_PROFILE" colima start --cpu "$COLIMA_CPU" --memory "$COLIMA_MEMORY" --disk "$COLIMA_DISK" --runtime docker --profile "$COLIMA_PROFILE"
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
print_success "Colima started successfully" print_success "Colima started successfully"
# Configure Docker daemon with cgroup driver and insecure registries
print_status "Configuring Docker daemon with cgroup driver and insecure registries..."
cat << 'EOFCMD' | colima --profile k8s-local ssh
sudo tee /etc/docker/daemon.json << 'EOF'
{
"exec-opts": [
"native.cgroupdriver=cgroupfs"
],
"features": {
"buildkit": true,
"containerd-snapshotter": true
},
"insecure-registries": ["registry.bakery-ia.local"]
}
EOF
EOFCMD
if [ $? -eq 0 ]; then
print_success "Docker daemon configured successfully"
# Restart Docker service to apply the configuration
print_status "Restarting Docker service to apply configuration..."
colima --profile k8s-local ssh sudo systemctl restart docker
if [ $? -eq 0 ]; then
print_success "Docker service restarted successfully"
else
print_error "Failed to restart Docker service"
fi
else
print_error "Failed to configure Docker daemon"
fi
else else
print_error "Failed to start Colima" print_error "Failed to start Colima"
print_status "Checking Colima status..." print_status "Checking Colima status..."
@@ -413,6 +446,39 @@ setup() {
fi fi
else else
print_success "Colima is already running" print_success "Colima is already running"
# Configure Docker daemon with cgroup driver and insecure registries even if Colima was already running
print_status "Configuring Docker daemon with cgroup driver and insecure registries..."
cat << 'EOFCMD' | colima --profile k8s-local ssh
sudo tee /etc/docker/daemon.json << 'EOF'
{
"exec-opts": [
"native.cgroupdriver=cgroupfs"
],
"features": {
"buildkit": true,
"containerd-snapshotter": true
},
"insecure-registries": ["registry.bakery-ia.local"]
}
EOF
EOFCMD
if [ $? -eq 0 ]; then
print_success "Docker daemon configured successfully"
# Restart Docker service to apply the configuration
print_status "Restarting Docker service to apply configuration..."
colima --profile k8s-local ssh sudo systemctl restart docker
if [ $? -eq 0 ]; then
print_success "Docker service restarted successfully"
else
print_error "Failed to restart Docker service"
fi
else
print_error "Failed to configure Docker daemon"
fi
fi fi
# 2. Create local registry before Kind cluster # 2. Create local registry before Kind cluster

2
scripts/prepull-base-images.sh
View File

@@ -100,6 +100,7 @@ if [ "$USE_GITEA_REGISTRY" = "true" ]; then
echo "Falling back to local registry" echo "Falling back to local registry"
REGISTRY="localhost:5000" REGISTRY="localhost:5000"
USE_GITEA_REGISTRY="false" USE_GITEA_REGISTRY="false"
USE_LOCAL_REGISTRY="true"
else else
echo "✓ Gitea registry authentication successful" echo "✓ Gitea registry authentication successful"
fi fi
@@ -125,6 +126,7 @@ if [ "$USE_GITEA_REGISTRY" = "true" ]; then
echo "Falling back to local registry" echo "Falling back to local registry"
REGISTRY="localhost:5000" REGISTRY="localhost:5000"
USE_GITEA_REGISTRY="false" USE_GITEA_REGISTRY="false"
USE_LOCAL_REGISTRY="true"
else else
echo "✓ Gitea registry authentication successful" echo "✓ Gitea registry authentication successful"
fi fi

166
skaffold.yaml
View File

@@ -17,6 +17,7 @@ metadata:
# skaffold dev # Uses dev settings (local registry) # skaffold dev # Uses dev settings (local registry)
# skaffold dev -p debug # Dev with port forwarding # skaffold dev -p debug # Dev with port forwarding
# skaffold run -p prod # Production build with Docker Hub # skaffold run -p prod # Production build with Docker Hub
# skaffold run -p gitea # Gitea registry mode (internal cluster)
# BASE_REGISTRY=ghcr.io/myorg skaffold run -p prod # Production with custom registry # BASE_REGISTRY=ghcr.io/myorg skaffold run -p prod # Production with custom registry
# ============================================================================= # =============================================================================
@@ -453,3 +454,168 @@ profiles:
kustomize: kustomize:
paths: paths:
- infrastructure/environments/prod/k8s-manifests - infrastructure/environments/prod/k8s-manifests
# ---------------------------------------------------------------------------
# GITEA PROFILE - Development with Gitea registry for base images
# Uses internal cluster service name for base image registry
# ---------------------------------------------------------------------------
# Usage:
# skaffold run -p gitea # Gitea registry mode
# skaffold dev -p gitea # Dev with Gitea registry
# ---------------------------------------------------------------------------
- name: gitea
build:
local:
push: true
tagPolicy:
envTemplate:
template: "gitea"
artifacts:
# Gateway - Gitea registry base images
- image: bakery/gateway
context: .
docker:
dockerfile: gateway/Dockerfile
buildArgs:
BASE_REGISTRY: gitea-http.gitea.svc.cluster.local:3000
PYTHON_IMAGE: "python:3.11-slim"
# Frontend
- image: bakery/dashboard
context: ./frontend
docker:
dockerfile: Dockerfile.kubernetes
# Microservices - Gitea registry base images
- image: bakery/auth-service
context: .
docker:
dockerfile: services/auth/Dockerfile
buildArgs:
BASE_REGISTRY: gitea-http.gitea.svc.cluster.local:3000
PYTHON_IMAGE: "python:3.11-slim"
- image: bakery/tenant-service
context: .
docker:
dockerfile: services/tenant/Dockerfile
buildArgs:
BASE_REGISTRY: gitea-http.gitea.svc.cluster.local:3000
PYTHON_IMAGE: "python:3.11-slim"
- image: bakery/training-service
context: .
docker:
dockerfile: services/training/Dockerfile
buildArgs:
BASE_REGISTRY: gitea-http.gitea.svc.cluster.local:3000
PYTHON_IMAGE: "python:3.11-slim"
- image: bakery/forecasting-service
context: .
docker:
dockerfile: services/forecasting/Dockerfile
buildArgs:
BASE_REGISTRY: gitea-http.gitea.svc.cluster.local:3000
PYTHON_IMAGE: "python:3.11-slim"
- image: bakery/sales-service
context: .
docker:
dockerfile: services/sales/Dockerfile
buildArgs:
BASE_REGISTRY: gitea-http.gitea.svc.cluster.local:3000
PYTHON_IMAGE: "python:3.11-slim"
- image: bakery/external-service
context: .
docker:
dockerfile: services/external/Dockerfile
buildArgs:
BASE_REGISTRY: gitea-http.gitea.svc.cluster.local:3000
PYTHON_IMAGE: "python:3.11-slim"
- image: bakery/notification-service
context: .
docker:
dockerfile: services/notification/Dockerfile
buildArgs:
BASE_REGISTRY: gitea-http.gitea.svc.cluster.local:3000
PYTHON_IMAGE: "python:3.11-slim"
- image: bakery/inventory-service
context: .
docker:
dockerfile: services/inventory/Dockerfile
buildArgs:
BASE_REGISTRY: gitea-http.gitea.svc.cluster.local:3000
PYTHON_IMAGE: "python:3.11-slim"
- image: bakery/recipes-service
context: .
docker:
dockerfile: services/recipes/Dockerfile
buildArgs:
BASE_REGISTRY: gitea-http.gitea.svc.cluster.local:3000
PYTHON_IMAGE: "python:3.11-slim"
- image: bakery/procurement-service
context: .
docker:
dockerfile: services/procurement/Dockerfile
buildArgs:
BASE_REGISTRY: gitea-http.gitea.svc.cluster.local:3000
PYTHON_IMAGE: "python:3.11-slim"
- image: bakery/distribution-service
context: .
docker:
dockerfile: services/distribution/Dockerfile
buildArgs:
BASE_REGISTRY: gitea-http.gitea.svc.cluster.local:3000
PYTHON_IMAGE: "python:3.11-slim"
- image: bakery/production-service
context: .
docker:
dockerfile: services/production/Dockerfile
buildArgs:
BASE_REGISTRY: gitea-http.gitea.svc.cluster.local:3000
PYTHON_IMAGE: "python:3.11-slim"
- image: bakery/pos-service
context: .
docker:
dockerfile: services/pos/Dockerfile
buildArgs:
BASE_REGISTRY: gitea-http.gitea.svc.cluster.local:3000
PYTHON_IMAGE: "python:3.11-slim"
- image: bakery/orders-service
context: .
docker:
dockerfile: services/orders/Dockerfile
buildArgs:
BASE_REGISTRY: gitea-http.gitea.svc.cluster.local:3000
PYTHON_IMAGE: "python:3.11-slim"
- image: bakery/alert-processor
context: .
docker:
dockerfile: services/alert_processor/Dockerfile
buildArgs:
BASE_REGISTRY: gitea-http.gitea.svc.cluster.local:3000
PYTHON_IMAGE: "python:3.11-slim"
- image: bakery/demo-session-service
context: .
docker:
dockerfile: services/demo_session/Dockerfile
buildArgs:
BASE_REGISTRY: gitea-http.gitea.svc.cluster.local:3000
PYTHON_IMAGE: "python:3.11-slim"
deploy:
kustomize:
paths:
- infrastructure/environments/dev/k8s-manifests