Add new infra architecture 13

infrastructure/cicd/gitea/values-prod.yaml

@@ -11,36 +11,29 @@ ingress:
   className: nginx
   annotations:
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/proxy-body-size: "500m"
+    nginx.ingress.kubernetes.io/proxy-body-size: "2G"
     nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
-    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
     nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
     cert-manager.io/cluster-issuer: "letsencrypt-production"
   hosts:
     - host: gitea.bakewise.ai
       paths:
         - path: /
           pathType: Prefix
+    - host: registry.bakewise.ai
+      paths:
+        - path: /
+          pathType: Prefix
   tls:
     - secretName: gitea-tls-cert
       hosts:
         - gitea.bakewise.ai
-  apiIngress:
-    enabled: true
-    className: nginx
-    annotations:
-      nginx.ingress.kubernetes.io/ssl-redirect: "true"
-      nginx.ingress.kubernetes.io/proxy-body-size: "500m"
-      cert-manager.io/cluster-issuer: "letsencrypt-production"
-    hosts:
-      - host: registry.bakewise.ai
-        paths:
-          - path: /
-            pathType: Prefix
-    tls:
-      - secretName: registry-tls-cert
-        hosts:
-          - registry.bakewise.ai
+        - registry.bakewise.ai
+
+# NOTE: The Gitea Helm chart (v12.4.0) does not natively support separate registry ingress.
+# For registry access, we include registry.bakewise.ai in the main ingress above.
+# This works because Gitea serves both UI and registry on the same port (3000).
 
 gitea:
   admin:
@@ -62,4 +55,4 @@ resources:
 
 # Larger storage for production
 persistence:
-  size: 50Gi
+  size: 50Gi

infrastructure/cicd/gitea/values.yaml

@@ -32,7 +32,7 @@ ingress:
   className: nginx
   annotations:
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/proxy-body-size: "500m"
+    nginx.ingress.kubernetes.io/proxy-body-size: "2G"
     nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
     nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
     nginx.ingress.kubernetes.io/proxy-read-timeout: "600"

infrastructure/cicd/tekton-helm/templates/task-kaniko-build.yaml

@@ -29,7 +29,7 @@ spec:
     - name: base-registry
       type: string
       description: Base image registry URL (e.g., docker.io, ghcr.io/org)
-      default: "gitea-http.gitea.svc.cluster.local:3000/bakery-admin"
+      default: "registry.bakewise.ai/bakery-admin"
     - name: python-image
       type: string
       description: Python base image name and tag

infrastructure/cicd/tekton-helm/templates/task-run-tests.yaml

@@ -23,7 +23,7 @@ spec:
       default: "false"
   steps:
     - name: run-unit-tests
-      image: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/python_3.11-slim:latest
+      image: registry.bakewise.ai/bakery-admin/python:3.11-slim
       workingDir: $(workspaces.source.path)
       script: |
         #!/bin/bash
@@ -57,7 +57,7 @@ spec:
           cpu: 200m
           memory: 512Mi
     - name: run-integration-tests
-      image: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/python_3.11-slim:latest
+      image: registry.bakewise.ai/bakery-admin/python:3.11-slim
       workingDir: $(workspaces.source.path)
       script: |
         #!/bin/bash

infrastructure/cicd/tekton-helm/values-prod.yaml

@@ -16,6 +16,11 @@
 
 # Global settings for production
 global:
+  # Registry configuration - use external HTTPS URL for image references
+  # containerd/Docker requires HTTPS for authenticated registries
+  registry:
+    url: "registry.bakewise.ai/bakery-admin"
+
   # Git configuration
   git:
     userEmail: "ci@bakewise.ai"
@@ -25,6 +30,8 @@ pipeline:
   # Build configuration
   build:
     verbosity: "warn"  # Less verbose in production
+    # Use external registry URL for base images (HTTPS required)
+    baseRegistry: "registry.bakewise.ai/bakery-admin"
 
   # Test configuration
   test:
@@ -72,7 +79,9 @@ secrets:
   registry:
     username: "bakery-admin"
     password: ""  # MUST be set via --set flag
-    registryUrl: "gitea-http.gitea.svc.cluster.local:3000"
+    # Use external HTTPS URL for image references (containerd requires HTTPS for auth)
+    # Kaniko can still push via HTTP internally, but image refs must use HTTPS
+    registryUrl: "registry.bakewise.ai"
 
   # Git credentials for GitOps updates
   # Override with: --set secrets.git.password=$GITEA_ADMIN_PASSWORD

infrastructure/cicd/tekton-helm/values.yaml

@@ -4,8 +4,9 @@
 # Global settings
 global:
   # Registry configuration
+  # NOTE: Use external HTTPS URL - containerd requires HTTPS for authenticated registries
   registry:
-    url: "gitea-http.gitea.svc.cluster.local:3000/bakery-admin"
+    url: "registry.bakewise.ai/bakery-admin"
   
   # Git configuration
   git:
@@ -20,10 +21,9 @@ pipeline:
     cacheTTL: "24h"
     verbosity: "info"
     # Base image registry configuration
-    # For dev: localhost:5000 with python_3.11-slim
-    # For prod: gitea registry with python_3.11-slim
-    baseRegistry: "gitea-http.gitea.svc.cluster.local:3000/bakery-admin"
-    pythonImage: "python_3.11-slim"
+    # NOTE: Use external HTTPS URL - containerd requires HTTPS for authenticated registries
+    baseRegistry: "registry.bakewise.ai/bakery-admin"
+    pythonImage: "python:3.11-slim"
   
   # Test configuration
   test:
@@ -74,10 +74,11 @@ secrets:
   
   # Registry credentials for pushing images
   # Uses the same credentials as Gitea admin for consistency
+  # NOTE: Use external HTTPS URL - containerd requires HTTPS for authenticated registries
   registry:
     username: "bakery-admin"
     password: ""  # Will be populated from gitea-admin-secret
-    registryUrl: "gitea-http.gitea.svc.cluster.local:3000"
+    registryUrl: "registry.bakewise.ai"
   
   # Git credentials for GitOps updates
   # Uses the same credentials as Gitea admin for consistency