Remove service image overrides from kustomization - use base manifest tags [skip ci]

This commit is contained in:
2026-01-23 15:13:54 +01:00
parent 6f282eff4c
commit 4c38352e18
5 changed files with 52 additions and 89 deletions


@@ -50,7 +50,7 @@ spec:
if [ "$COMMIT_COUNT" -lt 2 ]; then
echo "Not enough git history for change detection (need at least 2 commits)"
echo "Building all services as fallback"
echo "all" > $(results.changed-services.path)
echo -n "all" > $(results.changed-services.path)
exit 0
fi
@@ -60,7 +60,7 @@ spec:
if [ -z "$CHANGED_FILES" ]; then
# Empty commit or something unusual - skip build
echo "No file changes detected in last commit"
echo "infrastructure" > $(results.changed-services.path)
echo -n "infrastructure" > $(results.changed-services.path)
exit 0
fi
@@ -106,15 +106,17 @@ spec:
# shared/ contains code used by services and gateway (NOT frontend), so rebuild them
if echo "$CHANGED_FILES" | grep -q '^shared/'; then
echo "Detected changes in shared/ - triggering rebuild of all services and gateway"
echo "services-and-gateway" > $(results.changed-services.path)
echo -n "services-and-gateway" > $(results.changed-services.path)
exit 0
fi
# IMPORTANT: Use echo -n (no newline) to avoid trailing newline in results
# Trailing newlines cause Tekton when expressions to fail matching
if [ -z "$CHANGED_SERVICES" ]; then
# Changes are in infrastructure or other non-service files
echo "Detected: infrastructure changes only"
echo "infrastructure" > $(results.changed-services.path)
echo -n "infrastructure" > $(results.changed-services.path)
else
echo "Detected changed services: $CHANGED_SERVICES"
echo "$CHANGED_SERVICES" > $(results.changed-services.path)
echo -n "$CHANGED_SERVICES" > $(results.changed-services.path)
fi
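Review bot: `echo -n "$CHANGED_SERVICES" > $(results.changed-services.path)` on the else branch strips only the final newline; if CHANGED_SERVICES is assembled as a newline-separated list (its construction is not in this hunk), interior newlines still land in the result and the `when` expressions the new comment is worried about will still fail to match. `echo -n` is also not guaranteed by POSIX sh, so in an image whose `sh` does not support it the result file would contain a literal `-n all`. `printf '%s' "$CHANGED_SERVICES" > "$(results.changed-services.path)"` is portable and states the intent directly; the same applies to the other three result writes in this file and to the build-status writes in the second file. The detection script starts before this hunk.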


@@ -235,17 +235,19 @@ spec:
echo "==================================================================="
# Set result based on outcome
# IMPORTANT: Use echo -n (no newline) to avoid trailing newline in results
# Trailing newlines cause Tekton when expressions to fail matching
if [ "$FAILED_COUNT" -gt 0 ]; then
if [ "$SUCCESS_COUNT" -gt 0 ]; then
echo "partial" > $(results.build-status.path)
echo -n "partial" > $(results.build-status.path)
echo "Build completed with some failures"
else
echo "failed" > $(results.build-status.path)
echo -n "failed" > $(results.build-status.path)
echo "All builds failed!"
exit 1
fi
else
echo "success" > $(results.build-status.path)
echo -n "success" > $(results.build-status.path)
echo "All builds completed successfully!"
fi
resources:
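Review bot: The `partial` branch writes its result and then falls through to exit 0, so a run in which some builds failed still succeeds at the task level; unless every downstream task gates on `$(tasks.<build-task>.results.build-status)` rather than on task status (not visible here), a partial build can flow on to deployment. If that is intentional, a one-line comment next to `echo -n "partial"` saying that the status result, not the exit code, is the contract would help; otherwise add `exit 1` after the message. `echo -n` portability is the same point raised on the change-detection task. The step script starts before this hunk.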


@@ -79,8 +79,8 @@ spec:
git config --global --add safe.directory "$(workspaces.source.path)"
# Clone the main repository (not a separate gitops repo)
# Use internal cluster DNS which works in all environments
REPO_URL="https://${GIT_USERNAME}:${GIT_PASSWORD}@gitea-http.gitea.svc.cluster.local:3000/bakery-admin/bakery-ia.git"
# Use external HTTPS URL via ingress for reliable TLS connectivity
REPO_URL="https://${GIT_USERNAME}:${GIT_PASSWORD}@gitea.bakewise.ai/bakery-admin/bakery-ia.git"
git clone "$REPO_URL" /tmp/gitops
cd /tmp/gitops
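Review bot: The new REPO_URL still embeds `${GIT_USERNAME}:${GIT_PASSWORD}` in the clone URL, so the credentials appear in the process argument list, in git's own error output if the clone fails, and in `/tmp/gitops/.git/config` as the origin URL; switching to the public ingress hostname also means they now travel to the external endpoint instead of the in-cluster path. Passing them through a credential helper keeps the URL clean: `git -c credential.helper='!f() { echo "username=${GIT_USERNAME}"; echo "password=${GIT_PASSWORD}"; }; f' clone "https://gitea.bakewise.ai/bakery-admin/bakery-ia.git" /tmp/gitops` (this assumes the two variables are exported into the step environment, which looks likely from their naming but is not visible in the hunk). A password containing `@`, `:` or `/` would also break the URL form but is passed through intact by the helper. The step script continues outside this hunk.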


@@ -314,71 +314,10 @@ patches:
value: "25m"
images:
# Application services
- name: bakery/auth-service
newName: registry.bakewise.ai/bakery-admin/auth-service
newTag: latest
- name: bakery/tenant-service
newName: registry.bakewise.ai/bakery-admin/tenant-service
newTag: latest
- name: bakery/training-service
newName: registry.bakewise.ai/bakery-admin/training-service
newTag: latest
- name: bakery/forecasting-service
newName: registry.bakewise.ai/bakery-admin/forecasting-service
newTag: latest
- name: bakery/sales-service
newName: registry.bakewise.ai/bakery-admin/sales-service
newTag: latest
- name: bakery/external-service
newName: registry.bakewise.ai/bakery-admin/external-service
newTag: latest
- name: bakery/notification-service
newName: registry.bakewise.ai/bakery-admin/notification-service
newTag: latest
- name: bakery/inventory-service
newName: registry.bakewise.ai/bakery-admin/inventory-service
newTag: latest
- name: bakery/recipes-service
newName: registry.bakewise.ai/bakery-admin/recipes-service
newTag: latest
- name: bakery/suppliers-service
newName: registry.bakewise.ai/bakery-admin/suppliers-service
newTag: latest
- name: bakery/pos-service
newName: registry.bakewise.ai/bakery-admin/pos-service
newTag: latest
- name: bakery/orders-service
newName: registry.bakewise.ai/bakery-admin/orders-service
newTag: latest
- name: bakery/production-service
newName: registry.bakewise.ai/bakery-admin/production-service
newTag: latest
- name: bakery/alert-processor
newName: registry.bakewise.ai/bakery-admin/alert-processor
newTag: latest
- name: bakery/gateway
newName: registry.bakewise.ai/bakery-admin/gateway
newTag: latest
- name: bakery/dashboard
newName: registry.bakewise.ai/bakery-admin/dashboard
newTag: latest
# Missing services (added to fix ImagePullBackOff errors)
- name: bakery/ai-insights-service
newName: registry.bakewise.ai/bakery-admin/ai-insights-service
newTag: latest
- name: bakery/demo-session-service
newName: registry.bakewise.ai/bakery-admin/demo-session-service
newTag: latest
- name: bakery/distribution-service
newName: registry.bakewise.ai/bakery-admin/distribution-service
newTag: latest
- name: bakery/orchestrator-service
newName: registry.bakewise.ai/bakery-admin/orchestrator-service
newTag: latest
- name: bakery/procurement-service
newName: registry.bakewise.ai/bakery-admin/procurement-service
newTag: latest
# =============================================================================
# NOTE: Application service images (bakery/*) are NOT overridden here.
# CI/CD pipeline (Tekton) updates base manifests directly with versioned tags.
# This ensures deployments use the exact git revision that was built.
# =============================================================================
# Database images (cached in gitea registry for consistency)
- name: postgres
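Review bot: With the `bakery/*` entries removed from `images:`, the base manifests must now carry the full `registry.bakewise.ai/bakery-admin/<service>:<tag>` reference themselves; the deleted block's own comment ("added to fix ImagePullBackOff errors") suggests some bases did not, so those services regress unless the Tekton update step rewrites them, which is not visible in this commit. A `kustomize build . | grep 'image:'` during review, or a CI check that no rendered image is still named `bakery/...` or tagged `latest`, would make the claim in the new NOTE verifiable rather than aspirational. Since the pipeline now owns the tag, consider having it write `image@sha256:<digest>` rather than a mutable tag, so a deployment pins exactly the artifact that was built. The `images:` list continues past this hunk.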


@@ -21,6 +21,11 @@ domain: "bakewise.ai"
hostnames:
- "mail.bakewise.ai"
# Network configuration for MicroK8s
# This must match your cluster's pod CIDR
# MicroK8s default is 10.1.0.0/16, but check with: kubectl cluster-info dump | grep -m 1 cluster-cidr
subnet: "10.1.0.0/16"
# Initial admin account for production environment
# Password is stored in mailu-admin-credentials secret
initialAccount:
@@ -31,17 +36,13 @@ initialAccount:
existingSecretPasswordKey: "password"
mode: "ifmissing"
# External relay configuration for production (Mailgun)
# All outbound emails will be relayed through Mailgun SMTP
# To configure:
# 1. Register at mailgun.com and verify your domain (bakewise.ai)
# 2. Get your SMTP credentials from Mailgun dashboard
# 3. Update the secret in configs/mailgun-credentials-secret.yaml
# 4. Apply the secret: kubectl apply -f configs/mailgun-credentials-secret.yaml -n bakery-ia
# External relay configuration for production (MailerSend)
# All outbound emails will be relayed through MailerSend SMTP
# Secret already exists: mailu-mailersend-credentials
externalRelay:
host: "[smtp.mailgun.org]:587"
# Credentials loaded from Kubernetes secret
secretName: "mailu-mailgun-credentials"
host: "[smtp.mailersend.net]:2525"
# Credentials loaded from existing Kubernetes secret
secretName: "mailu-mailersend-credentials"
usernameKey: "RELAY_USERNAME"
passwordKey: "RELAY_PASSWORD"
@@ -136,12 +137,31 @@ antivirus:
enabled: true
flavor: "clamav"
# Production-specific settings
# Production-specific environment settings
# CRITICAL: These must be consistent with the ingress/proxy setup
env:
DEBUG: "false"
LOG_LEVEL: "WARNING"
TLS_FLAVOR: "cert"
REDIS_PASSWORD: "secure-redis-password"
LOG_LEVEL: "INFO" # Temporarily set to INFO for debugging
# TLS_FLAVOR must be "notls" when using external reverse proxy for TLS termination
# The ingress handles TLS and sends X-Forwarded-Proto: https
TLS_FLAVOR: "notls"
# Session cookie settings for reverse proxy setup
# SESSION_COOKIE_SECURE must be True since we're serving over HTTPS (via ingress)
SESSION_COOKIE_SECURE: "true"
# Increase session timeout to prevent premature logouts
SESSION_TIMEOUT: "3600"
PERMANENT_SESSION_LIFETIME: "108000"
# CRITICAL: Tell Mailu it's behind a reverse proxy
# This ensures proper URL generation for redirects
PROXY_PROTOCOL: "false"
# Trust the ingress controller's IP for real IP headers
REAL_IP_HEADER: "X-Real-IP"
REAL_IP_FROM: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
# CRITICAL: Disable rate limiting temporarily to debug the sso.php redirect loop
# Reference: https://github.com/Mailu/Mailu/issues/3094
# The webmail can get rate-limited causing infinite redirect loops
AUTH_RATELIMIT_IP: "10000/minute"
AUTH_RATELIMIT_USER: "10000/day"
# Enable monitoring in production
monitoring:
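Review bot: `AUTH_RATELIMIT_IP: "10000/minute"` and `AUTH_RATELIMIT_USER: "10000/day"` effectively switch off Mailu's login rate limiting in the production values, and the comment above them marks this as temporary without an owner, date or revert condition, so it is likely to outlive the debugging. Pair it with an explicit marker, e.g. `# TODO(<owner>): restore default limits once the sso redirect loop (Mailu issue 3094) is confirmed fixed`, or keep the per-user limit at a bounded value while only the per-IP limit is relaxed. `REAL_IP_FROM: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"` trusts every private range to set `X-Real-IP`, which is presumably also the address the rate limiter keys on; narrowing it to the ingress controller's actual source range (the pod CIDR declared in `subnet` above, or the controller's node range) limits who can present a forged client address. The same "temporarily" pattern applies to `LOG_LEVEL: "INFO"`.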