Add new infra architecture 12

2026-01-21 16:21:24 +01:00
parent 2512de4173
commit 66dfd50fbc
20 changed files with 4082 additions and 480 deletions
--- a/infrastructure/cicd/gitea/setup-admin-secret.sh
+++ b/infrastructure/cicd/gitea/setup-admin-secret.sh
@@ -1,41 +1,86 @@
 #!/bin/bash
-# Setup Gitea Admin Secret
+# Setup Gitea Admin Secret and Initialize Gitea
 #
-# This script creates TWO Kubernetes secrets:
-# 1. gitea-admin-secret (gitea namespace) - Used by Gitea Helm chart for admin credentials
-# 2. gitea-registry-secret (bakery-ia namespace) - Used by pods for imagePullSecrets
-#
-# Both secrets use the SAME credentials, ensuring consistency.
+# This script:
+# 1. Creates gitea-admin-secret (gitea namespace) - Used by Gitea Helm chart for admin credentials
+# 2. Creates gitea-registry-secret (bakery-ia namespace) - Used by pods for imagePullSecrets
+# 3. Applies the gitea-init-job.yaml to create the initial repository
 #
 # Usage:
-#   ./setup-admin-secret.sh [password]
+#   Development:
+#     ./setup-admin-secret.sh                    # Uses default dev password
+#     ./setup-admin-secret.sh [password]         # Uses provided password
+#     ./setup-admin-secret.sh --secrets-only     # Only create secrets, skip init job
 #
-# If password is not provided, a random one will be generated.
+#   Production:
+#     export GITEA_ADMIN_PASSWORD=$(openssl rand -base64 32)
+#     ./setup-admin-secret.sh --production
+#     ./setup-admin-secret.sh --production --secrets-only
+#
+# Environment variables:
+#   GITEA_ADMIN_PASSWORD - Password to use (required for --production)

 set -e

+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 KUBECTL="kubectl"
 GITEA_NAMESPACE="gitea"
 BAKERY_NAMESPACE="bakery-ia"
 REGISTRY_HOST="registry.bakery-ia.local"
 ADMIN_USERNAME="bakery-admin"
-# Static password for consistent dev environment setup
-# This ensures the same credentials work across environment recreations
-STATIC_ADMIN_PASSWORD="pvYUkGWJijqc0QfIZEXw"
+# Default password for dev environment only
+# For PRODUCTION: Always set GITEA_ADMIN_PASSWORD environment variable
+# Generate secure password with: openssl rand -base64 32
+DEV_DEFAULT_PASSWORD="pvYUkGWJijqc0QfIZEXw"
+SECRETS_ONLY=false
+IS_PRODUCTION=false

 # Check if running in microk8s
 if command -v microk8s &> /dev/null; then
    KUBECTL="microk8s kubectl"
 fi

-# Get password from argument, environment variable, or use static default
-if [ -n "$1" ]; then
-    ADMIN_PASSWORD="$1"
-elif [ -n "$GITEA_ADMIN_PASSWORD" ]; then
-    ADMIN_PASSWORD="$GITEA_ADMIN_PASSWORD"
-else
-    ADMIN_PASSWORD="$STATIC_ADMIN_PASSWORD"
-    echo "Using static admin password for dev environment consistency"
+# Parse arguments
+for arg in "$@"; do
+    case $arg in
+        --secrets-only)
+            SECRETS_ONLY=true
+            ;;
+        --production)
+            IS_PRODUCTION=true
+            REGISTRY_HOST="registry.bakewise.ai"
+            ;;
+        *)
+            if [ -z "$ADMIN_PASSWORD" ] && [ "$arg" != "--secrets-only" ] && [ "$arg" != "--production" ]; then
+                ADMIN_PASSWORD="$arg"
+            fi
+            ;;
+    esac
+done
+
+# Get password from argument, environment variable, or use default (dev only)
+if [ -z "$ADMIN_PASSWORD" ]; then
+    if [ -n "$GITEA_ADMIN_PASSWORD" ]; then
+        ADMIN_PASSWORD="$GITEA_ADMIN_PASSWORD"
+        echo "Using password from GITEA_ADMIN_PASSWORD environment variable"
+    elif [ "$IS_PRODUCTION" = true ]; then
+        echo "ERROR: Production deployment requires GITEA_ADMIN_PASSWORD environment variable"
+        echo "Generate a secure password with: openssl rand -base64 32"
+        echo ""
+        echo "Usage for production:"
+        echo "  export GITEA_ADMIN_PASSWORD=\$(openssl rand -base64 32)"
+        echo "  ./setup-admin-secret.sh --production"
+        exit 1
+    else
+        ADMIN_PASSWORD="$DEV_DEFAULT_PASSWORD"
+        echo "WARNING: Using default dev password. For production, set GITEA_ADMIN_PASSWORD"
+    fi
+fi
+
+# Validate password strength for production
+if [ "$IS_PRODUCTION" = true ] && [ ${#ADMIN_PASSWORD} -lt 16 ]; then
+    echo "ERROR: Production password must be at least 16 characters"
+    exit 1
 fi

 # Create namespaces if they don't exist
@@ -103,9 +148,15 @@ echo "=========================================="
 echo "Gitea secrets created successfully!"
 echo "=========================================="
 echo ""
-echo "Credentials (same for both secrets):"
+echo "Environment: $([ "$IS_PRODUCTION" = true ] && echo "PRODUCTION" || echo "Development")"
+echo ""
+echo "Credentials:"
 echo "  Username: $ADMIN_USERNAME"
-echo "  Password: $ADMIN_PASSWORD"
+if [ "$IS_PRODUCTION" = true ]; then
+    echo "  Password: (stored in secret, not displayed for security)"
+else
+    echo "  Password: $ADMIN_PASSWORD"
+fi
 echo ""
 echo "Secrets created:"
 echo "  1. gitea-admin-secret      (namespace: $GITEA_NAMESPACE)  - For Gitea Helm chart"
@@ -115,5 +166,44 @@ echo "Registry URLs:"
 echo "  External: https://$REGISTRY_HOST"
 echo "  Internal: $INTERNAL_REGISTRY_HOST"
 echo ""
-echo "Now install Gitea with:"
-echo "  helm install gitea gitea/gitea -n gitea -f infrastructure/cicd/gitea/values.yaml"
+
+# Apply the init job ConfigMap and Job (but Job won't run until Gitea is installed)
+if [ "$SECRETS_ONLY" = false ]; then
+    INIT_JOB_FILE="$SCRIPT_DIR/gitea-init-job.yaml"
+    if [ -f "$INIT_JOB_FILE" ]; then
+        echo "Applying Gitea initialization resources..."
+        $KUBECTL apply -f "$INIT_JOB_FILE"
+        echo ""
+        echo "Init job will create the 'bakery-ia' repository once Gitea is ready."
+    else
+        echo "Warning: gitea-init-job.yaml not found at $INIT_JOB_FILE"
+    fi
+    echo ""
+fi
+
+echo "Next steps:"
+if [ "$IS_PRODUCTION" = true ]; then
+    echo "  1. Install Gitea for production:"
+    echo "     helm upgrade --install gitea gitea/gitea -n gitea \\"
+    echo "       -f infrastructure/cicd/gitea/values.yaml \\"
+    echo "       -f infrastructure/cicd/gitea/values-prod.yaml"
+    echo ""
+    echo "  2. Install Tekton CI/CD for production:"
+    echo "     export TEKTON_WEBHOOK_TOKEN=\$(openssl rand -hex 32)"
+    echo "     helm upgrade --install tekton-cicd infrastructure/cicd/tekton-helm \\"
+    echo "       -n tekton-pipelines \\"
+    echo "       -f infrastructure/cicd/tekton-helm/values.yaml \\"
+    echo "       -f infrastructure/cicd/tekton-helm/values-prod.yaml \\"
+    echo "       --set secrets.webhook.token=\$TEKTON_WEBHOOK_TOKEN \\"
+    echo "       --set secrets.registry.password=\$GITEA_ADMIN_PASSWORD \\"
+    echo "       --set secrets.git.password=\$GITEA_ADMIN_PASSWORD"
+else
+    echo "  1. Install Gitea (if not already installed):"
+    echo "     helm install gitea gitea/gitea -n gitea -f infrastructure/cicd/gitea/values.yaml"
+fi
+echo ""
+echo "  $([ "$IS_PRODUCTION" = true ] && echo "3" || echo "2"). Wait for Gitea to be ready:"
+echo "     kubectl wait --for=condition=ready pod -n gitea -l app.kubernetes.io/name=gitea --timeout=300s"
+echo ""
+echo "  $([ "$IS_PRODUCTION" = true ] && echo "4" || echo "3"). Check init job status:"
+echo "     kubectl logs -n gitea -l app.kubernetes.io/component=init --tail=50"