diff --git a/infrastructure/cicd/tekton-helm/templates/task-detect-changes.yaml b/infrastructure/cicd/tekton-helm/templates/task-detect-changes.yaml
index 10b4c9e8..39087b29 100644
--- a/infrastructure/cicd/tekton-helm/templates/task-detect-changes.yaml
+++ b/infrastructure/cicd/tekton-helm/templates/task-detect-changes.yaml
@@ -50,7 +50,7 @@ spec:
 if [ "$COMMIT_COUNT" -lt 2 ]; then
 echo "Not enough git history for change detection (need at least 2 commits)"
 echo "Building all services as fallback"
- echo "all" > $(results.changed-services.path)
+ echo -n "all" > $(results.changed-services.path)
 exit 0
 fi
@@ -60,7 +60,7 @@ spec:
 if [ -z "$CHANGED_FILES" ]; then
 # Empty commit or something unusual - skip build
 echo "No file changes detected in last commit"
- echo "infrastructure" > $(results.changed-services.path)
+ echo -n "infrastructure" > $(results.changed-services.path)
 exit 0
 fi
@@ -106,15 +106,17 @@ spec:
 # shared/ contains code used by services and gateway (NOT frontend), so rebuild them
 if echo "$CHANGED_FILES" | grep -q '^shared/'; then
 echo "Detected changes in shared/ - triggering rebuild of all services and gateway"
- echo "services-and-gateway" > $(results.changed-services.path)
+ echo -n "services-and-gateway" > $(results.changed-services.path)
 exit 0
 fi
+ # IMPORTANT: Use echo -n (no newline) to avoid trailing newline in results
+ # Trailing newlines cause Tekton when expressions to fail matching
 if [ -z "$CHANGED_SERVICES" ]; then
 # Changes are in infrastructure or other non-service files
 echo "Detected: infrastructure changes only"
- echo "infrastructure" > $(results.changed-services.path)
+ echo -n "infrastructure" > $(results.changed-services.path)
 else
 echo "Detected changed services: $CHANGED_SERVICES"
- echo "$CHANGED_SERVICES" > $(results.changed-services.path)
+ echo -n "$CHANGED_SERVICES" > $(results.changed-services.path)
 fi
\ No newline at end of file
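Review bot: `echo -n` is not portable — POSIX leaves `-n` implementation-defined, so if this step's script runs under a minimal `/bin/sh` the literal `-n` can land in the result file and break the very `when` matching the new comment describes; `printf '%s' "all" > $(results.changed-services.path)` gives the same newline-free write on every shell. The same applies to the other two hunks of this file and to the `build-status` writes in task-kaniko-build.yaml. For the last write, `printf '%s' "$CHANGED_SERVICES" > $(results.changed-services.path)` additionally stops echo from interpreting a value that happens to begin with a dash. The step script's shebang and the rest of its body are outside these hunks, so which shell actually runs it is not visible here.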
diff --git a/infrastructure/cicd/tekton-helm/templates/task-kaniko-build.yaml b/infrastructure/cicd/tekton-helm/templates/task-kaniko-build.yaml
index 1c48b89f..67634197 100644
--- a/infrastructure/cicd/tekton-helm/templates/task-kaniko-build.yaml
+++ b/infrastructure/cicd/tekton-helm/templates/task-kaniko-build.yaml
@@ -235,17 +235,19 @@ spec:
 echo "==================================================================="
 # Set result based on outcome
+ # IMPORTANT: Use echo -n (no newline) to avoid trailing newline in results
+ # Trailing newlines cause Tekton when expressions to fail matching
 if [ "$FAILED_COUNT" -gt 0 ]; then
 if [ "$SUCCESS_COUNT" -gt 0 ]; then
- echo "partial" > $(results.build-status.path)
+ echo -n "partial" > $(results.build-status.path)
 echo "Build completed with some failures"
 else
- echo "failed" > $(results.build-status.path)
+ echo -n "failed" > $(results.build-status.path)
 echo "All builds failed!"
 exit 1
 fi
 else
- echo "success" > $(results.build-status.path)
+ echo -n "success" > $(results.build-status.path)
 echo "All builds completed successfully!"
 fi
 resources:
diff --git a/infrastructure/cicd/tekton-helm/templates/task-update-gitops.yaml b/infrastructure/cicd/tekton-helm/templates/task-update-gitops.yaml
index f8fddee6..abb5bc2d 100644
--- a/infrastructure/cicd/tekton-helm/templates/task-update-gitops.yaml
+++ b/infrastructure/cicd/tekton-helm/templates/task-update-gitops.yaml
@@ -79,8 +79,8 @@ spec:
 git config --global --add safe.directory "$(workspaces.source.path)"
 # Clone the main repository (not a separate gitops repo)
- # Use internal cluster DNS which works in all environments
- REPO_URL="https://${GIT_USERNAME}:${GIT_PASSWORD}@gitea-http.gitea.svc.cluster.local:3000/bakery-admin/bakery-ia.git"
+ # Use external HTTPS URL via ingress for reliable TLS connectivity
+ REPO_URL="https://${GIT_USERNAME}:${GIT_PASSWORD}@gitea.bakewise.ai/bakery-admin/bakery-ia.git"
 git clone "$REPO_URL" /tmp/gitops
 cd /tmp/gitops
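Review bot: Embedding `${GIT_PASSWORD}` in `REPO_URL` persists the secret as the origin URL in `/tmp/gitops/.git/config`, shows it in the container's process list during `git clone "$REPO_URL"`, and can surface it in git's error output; moving from the in-cluster address to the public `gitea.bakewise.ai` ingress also means that token now crosses the edge on every run. A password containing `@`, `:` or `/` would additionally break the URL unless percent-encoded first. Prefer handing the credentials to git out of band, e.g. `git -c credential.helper='!f() { echo "username=${GIT_USERNAME}"; echo "password=${GIT_PASSWORD}"; }; f' clone "https://gitea.bakewise.ai/bakery-admin/bakery-ia.git" /tmp/gitops`, and word the comment as the trade-off it is (public ingress, TLS verified against the ingress certificate) rather than "reliable TLS connectivity". If the URL-based form must stay, at least run `git remote set-url origin https://gitea.bakewise.ai/bakery-admin/bakery-ia.git` right after the clone so the credential is not left on disk. The script continues outside the hunk, so whether later pushes reuse `$REPO_URL` is not visible here.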
diff --git a/infrastructure/environments/prod/k8s-manifests/kustomization.yaml b/infrastructure/environments/prod/k8s-manifests/kustomization.yaml
index ce1be2a0..7e6f9ecd 100644
--- a/infrastructure/environments/prod/k8s-manifests/kustomization.yaml
+++ b/infrastructure/environments/prod/k8s-manifests/kustomization.yaml
@@ -314,71 +314,10 @@ patches:
 value: "25m"
 images:
- # Application services
- - name: bakery/auth-service
- newName: registry.bakewise.ai/bakery-admin/auth-service
- newTag: latest
- - name: bakery/tenant-service
- newName: registry.bakewise.ai/bakery-admin/tenant-service
- newTag: latest
- - name: bakery/training-service
- newName: registry.bakewise.ai/bakery-admin/training-service
- newTag: latest
- - name: bakery/forecasting-service
- newName: registry.bakewise.ai/bakery-admin/forecasting-service
- newTag: latest
- - name: bakery/sales-service
- newName: registry.bakewise.ai/bakery-admin/sales-service
- newTag: latest
- - name: bakery/external-service
- newName: registry.bakewise.ai/bakery-admin/external-service
- newTag: latest
- - name: bakery/notification-service
- newName: registry.bakewise.ai/bakery-admin/notification-service
- newTag: latest
- - name: bakery/inventory-service
- newName: registry.bakewise.ai/bakery-admin/inventory-service
- newTag: latest
- - name: bakery/recipes-service
- newName: registry.bakewise.ai/bakery-admin/recipes-service
- newTag: latest
- - name: bakery/suppliers-service
- newName: registry.bakewise.ai/bakery-admin/suppliers-service
- newTag: latest
- - name: bakery/pos-service
- newName: registry.bakewise.ai/bakery-admin/pos-service
- newTag: latest
- - name: bakery/orders-service
- newName: registry.bakewise.ai/bakery-admin/orders-service
- newTag: latest
- - name: bakery/production-service
- newName: registry.bakewise.ai/bakery-admin/production-service
- newTag: latest
- - name: bakery/alert-processor
- newName: registry.bakewise.ai/bakery-admin/alert-processor
- newTag: latest
- - name: bakery/gateway
- newName: registry.bakewise.ai/bakery-admin/gateway
- newTag: latest
- - name: bakery/dashboard
- newName: registry.bakewise.ai/bakery-admin/dashboard
- newTag: latest
- # Missing services (added to fix ImagePullBackOff errors)
- - name: bakery/ai-insights-service
- newName: 
registry.bakewise.ai/bakery-admin/ai-insights-service
- newTag: latest
- - name: bakery/demo-session-service
- newName: registry.bakewise.ai/bakery-admin/demo-session-service
- newTag: latest
- - name: bakery/distribution-service
- newName: registry.bakewise.ai/bakery-admin/distribution-service
- newTag: latest
- - name: bakery/orchestrator-service
- newName: registry.bakewise.ai/bakery-admin/orchestrator-service
- newTag: latest
- - name: bakery/procurement-service
- newName: registry.bakewise.ai/bakery-admin/procurement-service
- newTag: latest
+ # =============================================================================
+ # NOTE: Application service images (bakery/*) are NOT overridden here.
+ # CI/CD pipeline (Tekton) updates base manifests directly with versioned tags.
+ # This ensures deployments use the exact git revision that was built.
 # =============================================================================
 # Database images (cached in gitea registry for consistency)
- name: postgres
diff --git a/infrastructure/platform/mail/mailu-helm/prod/values.yaml b/infrastructure/platform/mail/mailu-helm/prod/values.yaml
index e807afed..7a5671ba 100644
--- a/infrastructure/platform/mail/mailu-helm/prod/values.yaml
+++ b/infrastructure/platform/mail/mailu-helm/prod/values.yaml
@@ -21,6 +21,11 @@ domain: "bakewise.ai"
 hostnames:
- "mail.bakewise.ai"
+# Network configuration for MicroK8s
+# This must match your cluster's pod CIDR
+# MicroK8s default is 10.1.0.0/16, but check with: kubectl cluster-info dump | grep -m 1 cluster-cidr
+subnet: "10.1.0.0/16"
+
 # Initial admin account for production environment
 # Password is stored in mailu-admin-credentials secret
 initialAccount:
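Review bot: With the `images:` overrides gone, the prod overlay no longer rewrites any `bakery/*` reference, so whatever the base manifests carry is what gets deployed; the removed comment says part of that block was added to fix ImagePullBackOff errors for bases that still referenced bare `bakery/<name>`, and nothing in this hunk shows those bases have since been corrected. Worth adding a pipeline check that `kustomize build infrastructure/environments/prod/k8s-manifests` yields no `image:` value lacking the `registry.bakewise.ai/` prefix and none ending in `:latest`, so a missed base edit fails CI instead of surfacing as a pull error in prod. If the guarantee the new NOTE states is "the exact git revision that was built", having the Tekton task write the image digest (`@sha256:…`) rather than a tag makes that verifiable and immune to tag overwrites in the registry. Whether the CI task already pins by digest is not visible in this diff.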
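Review bot: `subnet: "10.1.0.0/16"` covers the whole pod CIDR, and in Mailu the SUBNET value is, to my recollection, included in Postfix's trusted networks (`mynetworks`), which would let any pod in the cluster relay mail through the front without authenticating — confirm against the chart's generated postfix configuration. If that holds, either narrow it to the range Mailu's own pods occupy or pair it with a NetworkPolicy on the front/SMTP ports that admits only the Mailu namespace and the ingress controller, so a compromised workload elsewhere in the cluster cannot use the server as a relay. The `kubectl cluster-info dump | grep -m 1 cluster-cidr` hint is useful; I would extend the comment with `# Widening this range widens the set of hosts allowed to relay unauthenticated`.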
@@ -31,17 +36,13 @@ initialAccount:
 existingSecretPasswordKey: "password"
 mode: "ifmissing"
-# External relay configuration for production (Mailgun)
-# All outbound emails will be relayed through Mailgun SMTP
-# To configure:
-# 1. Register at mailgun.com and verify your domain (bakewise.ai)
-# 2. Get your SMTP credentials from Mailgun dashboard
-# 3. Update the secret in configs/mailgun-credentials-secret.yaml
-# 4. Apply the secret: kubectl apply -f configs/mailgun-credentials-secret.yaml -n bakery-ia
+# External relay configuration for production (MailerSend)
+# All outbound emails will be relayed through MailerSend SMTP
+# Secret already exists: mailu-mailersend-credentials
 externalRelay:
- host: "[smtp.mailgun.org]:587"
- # Credentials loaded from Kubernetes secret
- secretName: "mailu-mailgun-credentials"
+ host: "[smtp.mailersend.net]:2525"
+ # Credentials loaded from existing Kubernetes secret
+ secretName: "mailu-mailersend-credentials"
 usernameKey: "RELAY_USERNAME"
 passwordKey: "RELAY_PASSWORD"
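Review bot: The new `# Secret already exists: mailu-mailersend-credentials` replaces the step-by-step provisioning note with an assertion, leaving no record of where that Secret is defined or how it is rotated — the relay credentials are the one input an operator rebuilding this environment cannot derive from the chart. Suggest keeping a pointer, e.g. `# Secret mailu-mailersend-credentials is created from <PATH-TO-SECRET-MANIFEST-OR-PROCEDURE>; rotate via the MailerSend dashboard`. Separately, 2525 is a plain SMTP port that depends on STARTTLS, so it is worth confirming the chart keeps Mailu's OUTBOUND_TLS_LEVEL at `encrypt` or stricter for the relay; otherwise a downgraded connection would send the RELAY_USERNAME/RELAY_PASSWORD pair in the clear.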
@@ -136,12 +137,31 @@ antivirus:
 enabled: true
 flavor: "clamav"
-# Production-specific settings
+# Production-specific environment settings
+# CRITICAL: These must be consistent with the ingress/proxy setup
 env:
 DEBUG: "false"
- LOG_LEVEL: "WARNING"
- TLS_FLAVOR: "cert"
- REDIS_PASSWORD: "secure-redis-password"
+ LOG_LEVEL: "INFO" # Temporarily set to INFO for debugging
+ # TLS_FLAVOR must be "notls" when using external reverse proxy for TLS termination
+ # The ingress handles TLS and sends X-Forwarded-Proto: https
+ TLS_FLAVOR: "notls"
+ # Session cookie settings for reverse proxy setup
+ # SESSION_COOKIE_SECURE must be True since we're serving over HTTPS (via ingress)
+ SESSION_COOKIE_SECURE: "true"
+ # Increase session timeout to prevent premature logouts
+ SESSION_TIMEOUT: "3600"
+ PERMANENT_SESSION_LIFETIME: "108000"
+ # CRITICAL: Tell Mailu it's behind a reverse proxy
+ # This ensures proper URL generation for redirects
+ PROXY_PROTOCOL: "false"
+ # Trust the ingress controller's IP for real IP headers
+ REAL_IP_HEADER: "X-Real-IP"
+ REAL_IP_FROM: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
+ # CRITICAL: Disable rate limiting temporarily to debug the sso.php redirect loop
+ # Reference: https://github.com/Mailu/Mailu/issues/3094
+ # The webmail can get rate-limited causing infinite redirect loops
+ AUTH_RATELIMIT_IP: "10000/minute"
+ AUTH_RATELIMIT_USER: "10000/day"
 # Enable monitoring in production
 monitoring:
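Review bot: `REAL_IP_FROM: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"` trusts `X-Real-IP` from every RFC 1918 address, i.e. from any pod or node in the cluster rather than just the ingress controller the comment names, so any workload that can reach the front service can present an arbitrary client IP; combined with `AUTH_RATELIMIT_IP: "10000/minute"` and `AUTH_RATELIMIT_USER: "10000/day"` this leaves a public mail endpoint with effectively no brute-force throttling. Narrow it to the ingress controller's own range, `REAL_IP_FROM: "<INGRESS-CONTROLLER-POD-OR-SERVICE-CIDR>"`, and give the "temporary" rate-limit relaxation a dated TODO plus a tracked revert, watching authentication-failure counts in the logs while it is in place. `TLS_FLAVOR: "notls"` also, as far as I know, removes TLS from the front container as a whole, not just HTTP; unless IMAP and submission are terminated somewhere else, mail clients on `mail.bakewise.ai` would authenticate in plaintext, which the previous `cert` flavor presumably covered — worth confirming before this ships. The comment above `PROXY_PROTOCOL: "false"` presents it as telling Mailu it is behind a reverse proxy for URL generation, but PROXY_PROTOCOL governs the HAProxy PROXY protocol on listening ports and `"false"` is not a documented value for it as far as I can tell; the comment should describe what the setting actually controls, since the reverse-proxy awareness here comes from REAL_IP_HEADER/REAL_IP_FROM.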