Add new infra architecture 12

infrastructure/cicd/tekton-helm/README.md

@@ -18,10 +18,30 @@ kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/latest/
 
 Then install the chart:
 
+### Development Installation
+
 ```bash
-helm repo add tekton-pipelines https://tekton.dev/charts
-helm repo update
-helm install tekton-cicd infrastructure/helm/tekton --namespace tekton-pipelines --create-namespace
+helm install tekton-cicd infrastructure/cicd/tekton-helm \
+  --namespace tekton-pipelines \
+  --create-namespace
+```
+
+### Production Installation
+
+**Important**: Never use default secrets in production. Always provide secure credentials.
+
+```bash
+# Generate secure webhook token
+export TEKTON_WEBHOOK_TOKEN=$(openssl rand -hex 32)
+
+# Use the same password as Gitea admin (from GITEA_ADMIN_PASSWORD)
+helm upgrade --install tekton-cicd infrastructure/cicd/tekton-helm \
+  -n tekton-pipelines \
+  -f infrastructure/cicd/tekton-helm/values.yaml \
+  -f infrastructure/cicd/tekton-helm/values-prod.yaml \
+  --set secrets.webhook.token=$TEKTON_WEBHOOK_TOKEN \
+  --set secrets.registry.password=$GITEA_ADMIN_PASSWORD \
+  --set secrets.git.password=$GITEA_ADMIN_PASSWORD
 ```
 
 ## Configuration

infrastructure/cicd/tekton-helm/templates/task-update-gitops.yaml

@@ -65,7 +65,8 @@ spec:
         git config --global user.name "bakery-ia-ci"
 
         # Clone the main repository (not a separate gitops repo)
-        REPO_URL="https://${GIT_USERNAME}:${GIT_PASSWORD}@gitea.bakery-ia.local/bakery-admin/bakery-ia.git"
+        # Use internal cluster DNS which works in all environments
+        REPO_URL="https://${GIT_USERNAME}:${GIT_PASSWORD}@gitea-http.gitea.svc.cluster.local:3000/bakery-admin/bakery-ia.git"
         git clone "$REPO_URL" /tmp/gitops
 
         cd /tmp/gitops

infrastructure/cicd/tekton-helm/values-prod.yaml

@@ -0,0 +1,81 @@
+# Production values for tekton-cicd Helm chart
+# This file overrides values.yaml for production deployment
+#
+# Installation:
+#   helm upgrade --install tekton-cicd infrastructure/cicd/tekton-helm \
+#     -n tekton-pipelines \
+#     -f infrastructure/cicd/tekton-helm/values.yaml \
+#     -f infrastructure/cicd/tekton-helm/values-prod.yaml \
+#     --set secrets.webhook.token=$TEKTON_WEBHOOK_TOKEN \
+#     --set secrets.registry.password=$GITEA_ADMIN_PASSWORD \
+#     --set secrets.git.password=$GITEA_ADMIN_PASSWORD
+#
+# Required environment variables:
+#   TEKTON_WEBHOOK_TOKEN - Secure webhook token (generate with: openssl rand -hex 32)
+#   GITEA_ADMIN_PASSWORD - Gitea admin password (must match gitea-admin-secret)
+
+# Global settings for production
+global:
+  # Git configuration
+  git:
+    userEmail: "ci@bakewise.ai"
+
+# Pipeline configuration for production
+pipeline:
+  # Build configuration
+  build:
+    verbosity: "warn"  # Less verbose in production
+
+  # Test configuration
+  test:
+    skipTests: "false"
+    skipLint: "false"
+
+  # Workspace configuration - ensure storage class exists in production cluster
+  workspace:
+    size: "10Gi"
+    storageClass: "standard"  # Adjust to your production storage class
+
+# Tekton controller settings - increased resources for production
+controller:
+  replicas: 2
+  resources:
+    limits:
+      cpu: 2000m
+      memory: 2Gi
+    requests:
+      cpu: 200m
+      memory: 256Mi
+
+# Tekton webhook settings - increased resources for production
+webhook:
+  replicas: 2
+  resources:
+    limits:
+      cpu: 1000m
+      memory: 1Gi
+    requests:
+      cpu: 100m
+      memory: 128Mi
+
+# Secrets configuration
+# IMPORTANT: These MUST be overridden via --set flags during deployment
+# DO NOT commit actual secrets to this file
+secrets:
+  # Webhook secret for validating incoming webhooks
+  # Override with: --set secrets.webhook.token=$TEKTON_WEBHOOK_TOKEN
+  webhook:
+    token: ""  # MUST be set via --set flag
+
+  # Registry credentials for pushing images
+  # Override with: --set secrets.registry.password=$GITEA_ADMIN_PASSWORD
+  registry:
+    username: "bakery-admin"
+    password: ""  # MUST be set via --set flag
+    registryUrl: "gitea-http.gitea.svc.cluster.local:3000"
+
+  # Git credentials for GitOps updates
+  # Override with: --set secrets.git.password=$GITEA_ADMIN_PASSWORD
+  git:
+    username: "bakery-admin"
+    password: ""  # MUST be set via --set flag