Remove service image overrides from kustomization - use base manifest tags [skip ci]

infrastructure/cicd/tekton-helm/templates/task-detect-changes.yaml

@@ -50,7 +50,7 @@ spec:
         if [ "$COMMIT_COUNT" -lt 2 ]; then
           echo "Not enough git history for change detection (need at least 2 commits)"
           echo "Building all services as fallback"
-          echo "all" > $(results.changed-services.path)
+          echo -n "all" > $(results.changed-services.path)
           exit 0
         fi
 
@@ -60,7 +60,7 @@ spec:
         if [ -z "$CHANGED_FILES" ]; then
           # Empty commit or something unusual - skip build
           echo "No file changes detected in last commit"
-          echo "infrastructure" > $(results.changed-services.path)
+          echo -n "infrastructure" > $(results.changed-services.path)
           exit 0
         fi
 
@@ -106,15 +106,17 @@ spec:
         # shared/ contains code used by services and gateway (NOT frontend), so rebuild them
         if echo "$CHANGED_FILES" | grep -q '^shared/'; then
           echo "Detected changes in shared/ - triggering rebuild of all services and gateway"
-          echo "services-and-gateway" > $(results.changed-services.path)
+          echo -n "services-and-gateway" > $(results.changed-services.path)
           exit 0
         fi
 
+        # IMPORTANT: Use echo -n (no newline) to avoid trailing newline in results
+        # Trailing newlines cause Tekton when expressions to fail matching
         if [ -z "$CHANGED_SERVICES" ]; then
           # Changes are in infrastructure or other non-service files
           echo "Detected: infrastructure changes only"
-          echo "infrastructure" > $(results.changed-services.path)
+          echo -n "infrastructure" > $(results.changed-services.path)
         else
           echo "Detected changed services: $CHANGED_SERVICES"
-          echo "$CHANGED_SERVICES" > $(results.changed-services.path)
+          echo -n "$CHANGED_SERVICES" > $(results.changed-services.path)
         fi

infrastructure/cicd/tekton-helm/templates/task-kaniko-build.yaml

@@ -235,17 +235,19 @@ spec:
         echo "==================================================================="
 
         # Set result based on outcome
+        # IMPORTANT: Use echo -n (no newline) to avoid trailing newline in results
+        # Trailing newlines cause Tekton when expressions to fail matching
         if [ "$FAILED_COUNT" -gt 0 ]; then
           if [ "$SUCCESS_COUNT" -gt 0 ]; then
-            echo "partial" > $(results.build-status.path)
+            echo -n "partial" > $(results.build-status.path)
             echo "Build completed with some failures"
           else
-            echo "failed" > $(results.build-status.path)
+            echo -n "failed" > $(results.build-status.path)
             echo "All builds failed!"
             exit 1
           fi
         else
-          echo "success" > $(results.build-status.path)
+          echo -n "success" > $(results.build-status.path)
           echo "All builds completed successfully!"
         fi
       resources:

infrastructure/cicd/tekton-helm/templates/task-update-gitops.yaml

@@ -79,8 +79,8 @@ spec:
         git config --global --add safe.directory "$(workspaces.source.path)"
 
         # Clone the main repository (not a separate gitops repo)
-        # Use internal cluster DNS which works in all environments
+        # Use external HTTPS URL via ingress for reliable TLS connectivity
-        REPO_URL="https://${GIT_USERNAME}:${GIT_PASSWORD}@gitea-http.gitea.svc.cluster.local:3000/bakery-admin/bakery-ia.git"
+        REPO_URL="https://${GIT_USERNAME}:${GIT_PASSWORD}@gitea.bakewise.ai/bakery-admin/bakery-ia.git"
         git clone "$REPO_URL" /tmp/gitops
 
         cd /tmp/gitops

infrastructure/environments/prod/k8s-manifests/kustomization.yaml

@@ -314,71 +314,10 @@ patches:
         value: "25m"
 
 images:
-  # Application services
+  # =============================================================================
-  - name: bakery/auth-service
+  # NOTE: Application service images (bakery/*) are NOT overridden here.
-    newName: registry.bakewise.ai/bakery-admin/auth-service
+  # CI/CD pipeline (Tekton) updates base manifests directly with versioned tags.
-    newTag: latest
+  # This ensures deployments use the exact git revision that was built.
-  - name: bakery/tenant-service
-    newName: registry.bakewise.ai/bakery-admin/tenant-service
-    newTag: latest
-  - name: bakery/training-service
-    newName: registry.bakewise.ai/bakery-admin/training-service
-    newTag: latest
-  - name: bakery/forecasting-service
-    newName: registry.bakewise.ai/bakery-admin/forecasting-service
-    newTag: latest
-  - name: bakery/sales-service
-    newName: registry.bakewise.ai/bakery-admin/sales-service
-    newTag: latest
-  - name: bakery/external-service
-    newName: registry.bakewise.ai/bakery-admin/external-service
-    newTag: latest
-  - name: bakery/notification-service
-    newName: registry.bakewise.ai/bakery-admin/notification-service
-    newTag: latest
-  - name: bakery/inventory-service
-    newName: registry.bakewise.ai/bakery-admin/inventory-service
-    newTag: latest
-  - name: bakery/recipes-service
-    newName: registry.bakewise.ai/bakery-admin/recipes-service
-    newTag: latest
-  - name: bakery/suppliers-service
-    newName: registry.bakewise.ai/bakery-admin/suppliers-service
-    newTag: latest
-  - name: bakery/pos-service
-    newName: registry.bakewise.ai/bakery-admin/pos-service
-    newTag: latest
-  - name: bakery/orders-service
-    newName: registry.bakewise.ai/bakery-admin/orders-service
-    newTag: latest
-  - name: bakery/production-service
-    newName: registry.bakewise.ai/bakery-admin/production-service
-    newTag: latest
-  - name: bakery/alert-processor
-    newName: registry.bakewise.ai/bakery-admin/alert-processor
-    newTag: latest
-  - name: bakery/gateway
-    newName: registry.bakewise.ai/bakery-admin/gateway
-    newTag: latest
-  - name: bakery/dashboard
-    newName: registry.bakewise.ai/bakery-admin/dashboard
-    newTag: latest
-  # Missing services (added to fix ImagePullBackOff errors)
-  - name: bakery/ai-insights-service
-    newName: registry.bakewise.ai/bakery-admin/ai-insights-service
-    newTag: latest
-  - name: bakery/demo-session-service
-    newName: registry.bakewise.ai/bakery-admin/demo-session-service
-    newTag: latest
-  - name: bakery/distribution-service
-    newName: registry.bakewise.ai/bakery-admin/distribution-service
-    newTag: latest
-  - name: bakery/orchestrator-service
-    newName: registry.bakewise.ai/bakery-admin/orchestrator-service
-    newTag: latest
-  - name: bakery/procurement-service
-    newName: registry.bakewise.ai/bakery-admin/procurement-service
-    newTag: latest
   # =============================================================================
   # Database images (cached in gitea registry for consistency)
   - name: postgres

infrastructure/platform/mail/mailu-helm/prod/values.yaml

@@ -21,6 +21,11 @@ domain: "bakewise.ai"
 hostnames:
   - "mail.bakewise.ai"
 
+# Network configuration for MicroK8s
+# This must match your cluster's pod CIDR
+# MicroK8s default is 10.1.0.0/16, but check with: kubectl cluster-info dump | grep -m 1 cluster-cidr
+subnet: "10.1.0.0/16"
+
 # Initial admin account for production environment
 # Password is stored in mailu-admin-credentials secret
 initialAccount:
@@ -31,17 +36,13 @@ initialAccount:
   existingSecretPasswordKey: "password"
   mode: "ifmissing"
 
-# External relay configuration for production (Mailgun)
+# External relay configuration for production (MailerSend)
-# All outbound emails will be relayed through Mailgun SMTP
+# All outbound emails will be relayed through MailerSend SMTP
-# To configure:
+# Secret already exists: mailu-mailersend-credentials
-#   1. Register at mailgun.com and verify your domain (bakewise.ai)
-#   2. Get your SMTP credentials from Mailgun dashboard
-#   3. Update the secret in configs/mailgun-credentials-secret.yaml
-#   4. Apply the secret: kubectl apply -f configs/mailgun-credentials-secret.yaml -n bakery-ia
 externalRelay:
-  host: "[smtp.mailgun.org]:587"
+  host: "[smtp.mailersend.net]:2525"
-  # Credentials loaded from Kubernetes secret
+  # Credentials loaded from existing Kubernetes secret
-  secretName: "mailu-mailgun-credentials"
+  secretName: "mailu-mailersend-credentials"
   usernameKey: "RELAY_USERNAME"
   passwordKey: "RELAY_PASSWORD"
 
@@ -136,12 +137,31 @@ antivirus:
   enabled: true
   flavor: "clamav"
 
-# Production-specific settings
+# Production-specific environment settings
+# CRITICAL: These must be consistent with the ingress/proxy setup
 env:
   DEBUG: "false"
-  LOG_LEVEL: "WARNING"
+  LOG_LEVEL: "INFO"  # Temporarily set to INFO for debugging
-  TLS_FLAVOR: "cert"
+  # TLS_FLAVOR must be "notls" when using external reverse proxy for TLS termination
-  REDIS_PASSWORD: "secure-redis-password"
+  # The ingress handles TLS and sends X-Forwarded-Proto: https
+  TLS_FLAVOR: "notls"
+  # Session cookie settings for reverse proxy setup
+  # SESSION_COOKIE_SECURE must be True since we're serving over HTTPS (via ingress)
+  SESSION_COOKIE_SECURE: "true"
+  # Increase session timeout to prevent premature logouts
+  SESSION_TIMEOUT: "3600"
+  PERMANENT_SESSION_LIFETIME: "108000"
+  # CRITICAL: Tell Mailu it's behind a reverse proxy
+  # This ensures proper URL generation for redirects
+  PROXY_PROTOCOL: "false"
+  # Trust the ingress controller's IP for real IP headers
+  REAL_IP_HEADER: "X-Real-IP"
+  REAL_IP_FROM: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
+  # CRITICAL: Disable rate limiting temporarily to debug the sso.php redirect loop
+  # Reference: https://github.com/Mailu/Mailu/issues/3094
+  # The webmail can get rate-limited causing infinite redirect loops
+  AUTH_RATELIMIT_IP: "10000/minute"
+  AUTH_RATELIMIT_USER: "10000/day"
 
 # Enable monitoring in production
 monitoring: