bakery-admin/bakery-ia
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add new infra architecture 6

Browse Source
This commit is contained in:
Urtzi Alfaro
2026-01-19 16:31:11 +01:00
parent b78399da2c
commit 7d6845574c
58 changed files with 2360 additions and 492 deletions
Download Patch File Download Diff File Expand all files Collapse all files

253
Tiltfile
View File

@@ -186,21 +186,40 @@ dockerhub_username = 'uals' # Default username
if 'DOCKERHUB_USERNAME' in os.environ:
dockerhub_username = os.environ['DOCKERHUB_USERNAME']
# Base image registry configuration for Dockerfile ARGs
# This controls where the base Python image is pulled from during builds
base_registry = 'localhost:5000' # Default for local dev
python_image = 'python_3.11-slim' # Local registry uses underscores
if 'BASE_REGISTRY' in os.environ:
base_registry = os.environ['BASE_REGISTRY']
if 'PYTHON_IMAGE' in os.environ:
python_image = os.environ['PYTHON_IMAGE']
# For Docker Hub mode, use canonical image names
if use_dockerhub:
base_registry = 'docker.io'
python_image = 'python:3.11-slim'
if use_dockerhub:
print("""
DOCKER HUB MODE ENABLED
Images will be pushed to Docker Hub: docker.io/%s
Base images will be pulled from: %s/%s
Make sure you're logged in: docker login
To disable: unset USE_DOCKERHUB or set USE_DOCKERHUB=false
""" % dockerhub_username)
""" % (dockerhub_username, base_registry, python_image))
default_registry('docker.io/%s' % dockerhub_username)
else:
print("""
LOCAL REGISTRY MODE
Using local registry for faster builds: localhost:5001
Base images will be pulled from: %s/%s
This registry is created by kubernetes_restart.sh script
To use Docker Hub: export USE_DOCKERHUB=true
""")
To change base registry: export BASE_REGISTRY=<registry-url>
To change Python image: export PYTHON_IMAGE=<image:tag>
""" % (base_registry, python_image))
default_registry('localhost:5001')
# =============================================================================
@@ -301,6 +320,11 @@ def build_python_service(service_name, service_path):
'bakery/' + service_name,
context='.',
dockerfile='./services/' + service_path + '/Dockerfile',
# Build arguments for environment-configurable base images
build_args={
'BASE_REGISTRY': base_registry,
'PYTHON_IMAGE': python_image,
},
# Only watch files relevant to this specific service + shared code
only=[
'./services/' + service_path,
@@ -398,6 +422,11 @@ docker_build(
'bakery/gateway',
context='.',
dockerfile='./gateway/Dockerfile',
# Build arguments for environment-configurable base images
build_args={
'BASE_REGISTRY': base_registry,
'PYTHON_IMAGE': python_image,
},
# Only watch gateway-specific files and shared code
only=[
'./gateway',
@@ -474,14 +503,68 @@ k8s_image_json_path(
# Redis & RabbitMQ
k8s_resource('redis', resource_deps=['security-setup'], labels=['01-infrastructure'])
k8s_resource('rabbitmq', resource_deps=['security-setup'], labels=['01-infrastructure'])
k8s_resource('nominatim', labels=['01-infrastructure'])
# MinIO Storage
k8s_resource('minio', resource_deps=['security-setup'], labels=['01-infrastructure'])
k8s_resource('minio-bucket-init', resource_deps=['minio'], labels=['01-infrastructure'])
# Unbound DNSSEC Resolver - Infrastructure component for Mailu DNS validation
k8s_resource('unbound-resolver', resource_deps=['security-setup'], labels=['01-infrastructure'])
local_resource(
'unbound-helm',
cmd='''
echo "Deploying Unbound DNS resolver via Helm..."
echo ""
# Check if Unbound is already deployed
if helm list -n bakery-ia | grep -q unbound; then
echo "Unbound already deployed, checking status..."
helm status unbound -n bakery-ia
else
echo "Installing Unbound..."
# Determine environment (dev or prod) based on context
ENVIRONMENT="dev"
if [[ "$(kubectl config current-context)" == *"prod"* ]]; then
ENVIRONMENT="prod"
fi
echo "Environment detected: $ENVIRONMENT"
# Install Unbound with appropriate values
if [ "$ENVIRONMENT" = "dev" ]; then
helm upgrade --install unbound infrastructure/platform/infrastructure/unbound-helm \
-n bakery-ia \
--create-namespace \
-f infrastructure/platform/networking/dns/unbound-helm/values.yaml \
-f infrastructure/platform/networking/dns/unbound-helm/dev/values.yaml \
--timeout 5m \
--wait
else
helm upgrade --install unbound infrastructure/platform/networking/dns/unbound-helm \
-n bakery-ia \
--create-namespace \
-f infrastructure/platform/networking/dns/unbound-helm/values.yaml \
-f infrastructure/platform/networking/dns/unbound-helm/prod/values.yaml \
--timeout 5m \
--wait
fi
echo ""
echo "Unbound deployment completed"
fi
echo ""
echo "Unbound DNS Service Information:"
echo " Service Name: unbound-dns.bakery-ia.svc.cluster.local"
echo " Ports: UDP/TCP 53"
echo " Used by: Mailu for DNS validation"
echo ""
echo "To check pod status: kubectl get pods -n bakery-ia | grep unbound"
''',
resource_deps=['security-setup'],
labels=['01-infrastructure'],
auto_init=True # Auto-deploy with Tilt startup
)
# Mail Infrastructure (Mailu) - Manual trigger for Helm deployment
local_resource(
@@ -490,6 +573,80 @@ local_resource(
echo "Deploying Mailu via Helm..."
echo ""
# =====================================================
# Step 1: Ensure Unbound is deployed and get its IP
# =====================================================
echo "Checking Unbound DNS resolver..."
if ! kubectl get svc unbound-dns -n bakery-ia &>/dev/null; then
echo "ERROR: Unbound DNS service not found!"
echo "Please deploy Unbound first by triggering 'unbound-helm' resource"
exit 1
fi
UNBOUND_IP=$(kubectl get svc unbound-dns -n bakery-ia -o jsonpath='{.spec.clusterIP}')
echo "Unbound DNS service IP: $UNBOUND_IP"
# =====================================================
# Step 2: Configure CoreDNS to forward to Unbound
# =====================================================
echo ""
echo "Configuring CoreDNS to forward external queries to Unbound for DNSSEC validation..."
# Check current CoreDNS forward configuration
CURRENT_FORWARD=$(kubectl get configmap coredns -n kube-system -o jsonpath='{.data.Corefile}' | grep -o 'forward \. [0-9.]*' | awk '{print $3}')
if [ "$CURRENT_FORWARD" != "$UNBOUND_IP" ]; then
echo "Updating CoreDNS to forward to Unbound ($UNBOUND_IP)..."
# Patch CoreDNS ConfigMap
kubectl patch configmap coredns -n kube-system --type merge -p "{
\"data\": {
\"Corefile\": \".:53 {\\n errors\\n health {\\n lameduck 5s\\n }\\n ready\\n kubernetes cluster.local in-addr.arpa ip6.arpa {\\n pods insecure\\n fallthrough in-addr.arpa ip6.arpa\\n ttl 30\\n }\\n prometheus :9153\\n forward . $UNBOUND_IP {\\n max_concurrent 1000\\n }\\n cache 30 {\\n disable success cluster.local\\n disable denial cluster.local\\n }\\n loop\\n reload\\n loadbalance\\n}\\n\"
}
}"
# Restart CoreDNS
kubectl rollout restart deployment coredns -n kube-system
echo "Waiting for CoreDNS to restart..."
kubectl rollout status deployment coredns -n kube-system --timeout=60s
echo "CoreDNS configured successfully"
else
echo "CoreDNS already configured to forward to Unbound"
fi
# =====================================================
# Step 3: Create self-signed TLS certificate for Mailu Front
# =====================================================
echo ""
echo "Checking Mailu TLS certificates..."
if ! kubectl get secret mailu-certificates -n bakery-ia &>/dev/null; then
echo "Creating self-signed TLS certificate for Mailu Front..."
# Generate certificate in temp directory
TEMP_DIR=$(mktemp -d)
cd "$TEMP_DIR"
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout tls.key -out tls.crt \
-subj "/CN=mail.bakery-ia.local/O=bakery-ia" 2>/dev/null
kubectl create secret tls mailu-certificates \
--cert=tls.crt \
--key=tls.key \
-n bakery-ia
rm -rf "$TEMP_DIR"
echo "TLS certificate created"
else
echo "Mailu TLS certificate already exists"
fi
# =====================================================
# Step 4: Deploy Mailu via Helm
# =====================================================
echo ""
# Check if Mailu is already deployed
if helm list -n bakery-ia | grep -q mailu; then
echo "Mailu already deployed, checking status..."
@@ -516,31 +673,102 @@ local_resource(
--create-namespace \
-f infrastructure/platform/mail/mailu-helm/values.yaml \
-f infrastructure/platform/mail/mailu-helm/dev/values.yaml \
--timeout 10m \
--wait
--timeout 10m
else
helm upgrade --install mailu mailu/mailu \
-n bakery-ia \
--create-namespace \
-f infrastructure/platform/mail/mailu-helm/values.yaml \
-f infrastructure/platform/mail/mailu-helm/prod/values.yaml \
--timeout 10m \
--wait
--timeout 10m
fi
echo ""
echo "Mailu deployment completed"
fi
# =====================================================
# Step 5: Wait for pods and show status
# =====================================================
echo ""
echo "Waiting for Mailu pods to be ready..."
sleep 10
echo ""
echo "Mailu Pod Status:"
kubectl get pods -n bakery-ia | grep mailu
echo ""
echo "Mailu Access Information:"
echo " Admin Panel: https://mail.[domain]/admin"
echo " Webmail: https://mail.[domain]/webmail"
echo " SMTP: mail.[domain]:587 (STARTTLS)"
echo " IMAP: mail.[domain]:993 (SSL/TLS)"
echo " Admin Panel: https://mail.bakery-ia.local/admin"
echo " Webmail: https://mail.bakery-ia.local/webmail"
echo " SMTP: mail.bakery-ia.local:587 (STARTTLS)"
echo " IMAP: mail.bakery-ia.local:993 (SSL/TLS)"
echo ""
echo "To create admin user:"
echo " kubectl exec -it -n bakery-ia deployment/mailu-admin -- flask mailu admin admin bakery-ia.local 'YourPassword123!'"
echo ""
echo "To check pod status: kubectl get pods -n bakery-ia | grep mailu"
''',
resource_deps=['unbound-helm'], # Ensure Unbound is deployed first
labels=['01-infrastructure'],
auto_init=False, # Manual trigger only
)
# Nominatim Geocoding - Manual trigger for Helm deployment
local_resource(
'nominatim-helm',
cmd='''
echo "Deploying Nominatim geocoding service via Helm..."
echo ""
# Check if Nominatim is already deployed
if helm list -n bakery-ia | grep -q nominatim; then
echo "Nominatim already deployed, checking status..."
helm status nominatim -n bakery-ia
else
echo "Installing Nominatim..."
# Determine environment (dev or prod) based on context
ENVIRONMENT="dev"
if [[ "$(kubectl config current-context)" == *"prod"* ]]; then
ENVIRONMENT="prod"
fi
echo "Environment detected: $ENVIRONMENT"
# Install Nominatim with appropriate values
if [ "$ENVIRONMENT" = "dev" ]; then
helm upgrade --install nominatim infrastructure/platform/nominatim/nominatim-helm \
-n bakery-ia \
--create-namespace \
-f infrastructure/platform/nominatim/nominatim-helm/values.yaml \
-f infrastructure/platform/nominatim/nominatim-helm/dev/values.yaml \
--timeout 10m \
--wait
else
helm upgrade --install nominatim infrastructure/platform/nominatim/nominatim-helm \
-n bakery-ia \
--create-namespace \
-f infrastructure/platform/nominatim/nominatim-helm/values.yaml \
-f infrastructure/platform/nominatim/nominatim-helm/prod/values.yaml \
--timeout 10m \
--wait
fi
echo ""
echo "Nominatim deployment completed"
fi
echo ""
echo "Nominatim Service Information:"
echo " Service Name: nominatim-service.bakery-ia.svc.cluster.local"
echo " Port: 8080"
echo " Health Check: http://nominatim-service:8080/status"
echo ""
echo "To check pod status: kubectl get pods -n bakery-ia | grep nominatim"
echo "To check Helm release: helm status nominatim -n bakery-ia"
''',
labels=['01-infrastructure'],
auto_init=False, # Manual trigger only
)
@@ -723,7 +951,6 @@ k8s_resource('demo-session-migration', resource_deps=['demo-session-db'], labels
# =============================================================================
k8s_resource('external-data-init', resource_deps=['external-migration', 'redis'], labels=['08-data-init'])
k8s_resource('nominatim-init', labels=['08-data-init'])
# =============================================================================
# APPLICATION SERVICES