Add new infra architecture 13

2026-01-21 23:16:19 +01:00
parent 66dfd50fbc
commit aeff6b1537
22 changed files with 552 additions and 151 deletions
--- a/PRODUCTION_DEPLOYMENT_GUIDE.md
+++ b/PRODUCTION_DEPLOYMENT_GUIDE.md
@@ -427,15 +427,41 @@ kubectl get namespaces
 # kubectl apply -f infrastructure/namespaces/tekton-pipelines.yaml
 ```

-### Step 3.2: Deploy Cert-Manager ClusterIssuers
+### Step 3.2: Install Cert-Manager and Deploy ClusterIssuers
+
+> **Note:** The MicroK8s `cert-manager` addon may only create the namespace without installing the actual components. Install cert-manager manually to ensure it works correctly.

 ```bash
-# Apply cert-manager configuration
-kubectl apply -k infrastructure/platform/cert-manager/
+# Check if cert-manager pods exist
+kubectl get pods -n cert-manager
+
+# If no pods are running, install cert-manager manually:
+kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.4/cert-manager.yaml
+
+# Wait for all cert-manager pods to be ready (this may take 1-2 minutes)
+kubectl wait --for=condition=ready pod --all -n cert-manager --timeout=300s
+
+# Verify all 3 components are running
+kubectl get pods -n cert-manager
+# Expected output:
+# NAME                                       READY   STATUS    RESTARTS   AGE
+# cert-manager-xxxxxxxxxx-xxxxx              1/1     Running   0          1m
+# cert-manager-cainjector-xxxxxxxxxx-xxxxx   1/1     Running   0          1m
+# cert-manager-webhook-xxxxxxxxxx-xxxxx      1/1     Running   0          1m
+```
+
+**Deploy ClusterIssuers:**
+
+```bash
+# Wait for webhook to be fully initialized
+sleep 10
+
+# Apply ClusterIssuers for Let's Encrypt
+kubectl apply -f infrastructure/platform/cert-manager/cluster-issuer-staging.yaml
+kubectl apply -f infrastructure/platform/cert-manager/cluster-issuer-production.yaml

 # Verify ClusterIssuers are ready
 kubectl get clusterissuer
-kubectl describe clusterissuer letsencrypt-production

 # Expected output:
 # NAME                     READY   AGE
@@ -443,6 +469,16 @@ kubectl describe clusterissuer letsencrypt-production
 # letsencrypt-staging      True    1m
 ```

+**If you get webhook errors:**
+
+```bash
+# The webhook may need more time to initialize
+# Wait and retry:
+sleep 30
+kubectl apply -f infrastructure/platform/cert-manager/cluster-issuer-staging.yaml
+kubectl apply -f infrastructure/platform/cert-manager/cluster-issuer-production.yaml
+```
+
 > **Note:** Common configs (secrets, configmaps) and TLS secrets are automatically included when you apply the prod kustomization in Phase 6. No manual application needed.

 ---
@@ -551,13 +587,17 @@ kubectl wait --for=condition=ready pod -l app.kubernetes.io/part-of=tekton-trigg
 # Verify Tekton is installed
 kubectl get pods -n tekton-pipelines

-# Step 3: Get Gitea password and generate webhook token
+# Step 3: Create flux-system namespace (required by Tekton helm chart)
+# The Tekton chart creates a secret for Flux in this namespace
+kubectl create namespace flux-system --dry-run=client -o yaml | kubectl apply -f -
+
+# Step 4: Get Gitea password and generate webhook token
 export GITEA_ADMIN_PASSWORD=$(kubectl get secret gitea-admin-secret -n gitea -o jsonpath='{.data.password}' | base64 -d)
 export TEKTON_WEBHOOK_TOKEN=$(openssl rand -hex 32)
 echo "Tekton Webhook Token: $TEKTON_WEBHOOK_TOKEN"
 echo "⚠️  SAVE THIS TOKEN - needed to configure Gitea webhook!"

-# Step 4: Deploy Bakery-IA CI/CD pipelines and tasks
+# Step 5: Deploy Bakery-IA CI/CD pipelines and tasks
 helm upgrade --install tekton-cicd infrastructure/cicd/tekton-helm \
  -n tekton-pipelines \
  -f infrastructure/cicd/tekton-helm/values.yaml \
@@ -617,13 +657,38 @@ flux get kustomizations -n flux-system

 ## Phase 5: Pre-Pull and Push Base Images to Gitea Registry

-> **Critical Step:** This phase must be completed after Gitea is configured (Phase 5) and before deploying application services (Phase 6). It ensures all required base images are available in the Gitea registry.
+> **Critical Step:** This phase must be completed after Gitea is configured (Phase 4) and before deploying application services (Phase 6). It ensures all required base images are available in the Gitea registry.

 ### Overview

 This phase involves two main steps:
-1. **Step 5.6.1-5.6.4:** Pre-pull base images from Docker Hub and push them to Gitea registry
-2. **Step 5.6.5:** Build and push all service images (first-time deployment only)
+1. **Step 5.1-5.4:** Pre-pull base images from Docker Hub and push them to Gitea registry
+2. **Step 5.5:** Build and push all service images (first-time deployment only)
+
+### Prerequisites: Install Docker and Create kubectl Symlink
+
+> **Important:** MicroK8s uses containerd, not Docker. You need to install Docker separately for building and pushing images. Also, scripts need `kubectl` to be available in PATH.
+
+```bash
+# Step 1: Install Docker
+apt-get update
+apt-get install -y docker.io
+
+# Start and enable Docker service
+systemctl enable docker
+systemctl start docker
+
+# Verify Docker installation
+docker --version
+# Expected: Docker version 28.x.x or similar
+
+# Step 2: Create kubectl symlink (required for scripts)
+# MicroK8s bundles its own kubectl, but scripts need it in PATH
+sudo ln -sf /snap/microk8s/current/microk8s-kubectl.wrapper /usr/local/bin/kubectl
+
+# Verify kubectl works
+kubectl version --client
+```

 ### Base Images Required

@@ -652,8 +717,8 @@ cd /root/bakery-ia/scripts
 chmod +x prepull-base-images-for-prod.sh

 # Run the prepull script in production mode WITH push enabled
-# IMPORTANT: Use --push-images flag to push to Gitea registry
-./prepull-base-images-for-prod.sh -e prod --push-images
+# IMPORTANT: Use -r flag to specify the external registry URL
+./prepull-base-images-for-prod.sh -e prod --push-images -r registry.bakewise.ai

 # The script will:
 #   1. Authenticate with Docker Hub (uses embedded credentials or env vars)
@@ -937,6 +1002,27 @@ kubectl wait --for=condition=available --timeout=900s deployment --all -n bakery

 # Monitor deployment progress
 kubectl get pods -n bakery-ia --watch
+
+# if fails
+# From your Mac
+rsync -avz --progress --delete \
+  --exclude='.git' \
+  --exclude='node_modules' \
+  --exclude='__pycache__' \
+  --exclude='.venv' \
+  /Users/urtzialfaro/Documents/bakery-ia/ \
+  bakery-vps:/root/bakery-ia/
+
+# On the VPS
+kubectl delete deployments --all -n bakery-ia
+kubectl delete jobs --all -n bakery-ia
+kubectl delete statefulsets --all -n bakery-ia
+sleep 30
+kubectl apply -k infrastructure/environments/prod/k8s-manifests
+kubectl get pods -n bakery-ia -w
+
+kubectl get pods -n bakery-ia
+kubectl describe node | grep -A 10 "Allocated resources"
 ```

 ### Step 6.3: Verify Application Health