From b91979b840d79e8f093a0ed8c4919d5d628b389d Mon Sep 17 00:00:00 2001 From: Urtzi Alfaro Date: Fri, 2 Jan 2026 21:33:23 +0100 Subject: [PATCH] Imporve the infra --- Tiltfile | 38 +++++ .../overlays/dev/cluster-issuer-staging.yaml | 29 ++++ .../overlays/dev/kustomization.yaml | 2 +- kubernetes_restart.sh | 138 ++++++++++++++-- verify-registry.sh | 152 ++++++++++++++++++ 5 files changed, 343 insertions(+), 16 deletions(-) create mode 100644 infrastructure/kubernetes/overlays/dev/cluster-issuer-staging.yaml create mode 100755 verify-registry.sh diff --git a/Tiltfile b/Tiltfile index 55136f24..eaa6018e 100644 --- a/Tiltfile +++ b/Tiltfile @@ -6,8 +6,20 @@ # - Strong 32-character passwords with PersistentVolumeClaims # - PostgreSQL pgcrypto extension and audit logging # - Organized resource dependencies and live-reload capabilities +# - Local registry for faster image builds and deployments # ============================================================================= +# ============================================================================= +# TILT CONFIGURATION +# ============================================================================= + +# Ensure we're running in the correct context +allow_k8s_contexts('kind-bakery-ia-local') + +# Use local registry for faster builds and deployments +# This registry is created by kubernetes_restart.sh script +default_registry('localhost:5001') + # ============================================================================= # SECURITY & INITIAL SETUP # ============================================================================= 
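Review bot: `default_registry('localhost:5001')` only works end to end if the kind node's containerd can resolve `localhost:5001` to the registry container, and that presumably relies on the hosts.toml that kubernetes_restart.sh writes under /etc/containerd/certs.d in this same commit — the comment `# This registry is created by kubernetes_restart.sh script` should name that coupling so nobody drops the containerd step independently. I would extend it to `# kubernetes_restart.sh both starts this registry and writes the containerd hosts.toml on the kind node that makes localhost:5001 pullable in-cluster; without that step, Tilt's alternative is default_registry('localhost:5001', host_from_cluster='kind-registry:5000')`. This is also a plain-HTTP, unauthenticated registry (see the `docker run ... registry:2` invocation in kubernetes_restart.sh), which is fine for kind but worth one line in the header next to the "Strong 32-character passwords" claim so the security section stays honest.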
@@ -94,6 +106,32 @@ local_resource( labels=['00-security'] ) +# Install and verify cert-manager +local_resource( + 'cert-manager-install', + cmd=''' + echo "📦 Installing cert-manager..." + + # Check if cert-manager CRDs already exist + if kubectl get crd certificates.cert-manager.io >/dev/null 2>&1; then + echo " ✅ cert-manager CRDs already installed" + else + echo " Installing cert-manager v1.13.2..." + kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.2/cert-manager.yaml + + echo " Waiting for cert-manager to be ready..." + kubectl wait --for=condition=available --timeout=120s deployment/cert-manager -n cert-manager + kubectl wait --for=condition=available --timeout=120s deployment/cert-manager-webhook -n cert-manager + + echo " ✅ cert-manager installed and ready" + fi + + echo "✅ cert-manager verification complete" + ''', + labels=['00-security'], + auto_init=True +) + # ============================================================================= # LOAD KUBERNETES MANIFESTS # ============================================================================= diff --git a/infrastructure/kubernetes/overlays/dev/cluster-issuer-staging.yaml b/infrastructure/kubernetes/overlays/dev/cluster-issuer-staging.yaml new file mode 100644 index 00000000..f2e3e6d5 --- /dev/null +++ b/infrastructure/kubernetes/overlays/dev/cluster-issuer-staging.yaml 
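Review bot: When the CRDs already exist, the branch at `if kubectl get crd certificates.cert-manager.io` skips both `kubectl wait` lines, so a cluster where cert-manager's CRDs are present but the webhook deployment is not yet available is reported as `cert-manager verification complete`, and any ClusterIssuer applied afterwards would be rejected by the admission webhook. Move the two `kubectl wait --for=condition=available ... -n cert-manager` lines below the `fi` so they run on both paths, and start the cmd with `set -eu` so a failed `kubectl apply` does not fall through to the waits. From a supply-chain angle, `kubectl apply -f https://github.com/cert-manager/.../v1.13.2/cert-manager.yaml` fetches an unverified manifest on every fresh cluster; vendoring the manifest into infrastructure/ (or checking it against the release's published checksum) pins exactly what gets installed, and v1.13.2 should be checked against cert-manager's currently supported releases before it is baked in.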
@@ -0,0 +1,29 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: selfsigned-issuer +spec: + selfSigned: {} +--- +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-staging +spec: + acme: + # The ACME server URL (Let's Encrypt staging) + server: https://acme-staging-v02.api.letsencrypt.org/directory + # Email address used for ACME registration + email: admin@bakery-ia.local # Change this to your email + # Name of a secret used to store the ACME account private key + privateKeySecretRef: + name: letsencrypt-staging + # Enable the HTTP-01 challenge provider + solvers: + - http01: + ingress: + class: nginx + podTemplate: + spec: + nodeSelector: + "kubernetes.io/os": linux diff --git a/infrastructure/kubernetes/overlays/dev/kustomization.yaml b/infrastructure/kubernetes/overlays/dev/kustomization.yaml index 15f62096..b568a6f2 100644 --- a/infrastructure/kubernetes/overlays/dev/kustomization.yaml +++ b/infrastructure/kubernetes/overlays/dev/kustomization.yaml @@ -14,7 +14,7 @@ resources: - dev-ingress.yaml # Dev-Prod Parity: Enable HTTPS with self-signed certificates - dev-certificate.yaml - - ../../base/components/cert-manager/cluster-issuer-staging.yaml + - cluster-issuer-staging.yaml # Exclude nominatim from dev to save resources # Using scale to 0 for StatefulSet to prevent pod creation diff --git a/kubernetes_restart.sh b/kubernetes_restart.sh index 8cd1c55f..94c10bba 100755 --- a/kubernetes_restart.sh +++ b/kubernetes_restart.sh @@ -59,7 +59,7 @@ wait_for_pods() { # Function to handle cleanup cleanup() { print_status "Starting cleanup process..." - + # Delete Kubernetes namespace with timeout print_status "Deleting namespace bakery-ia..." if kubectl get namespace bakery-ia &>/dev/null; then @@ -74,7 +74,7 @@ cleanup() { else print_status "Namespace bakery-ia not found" fi - + # Delete Kind cluster print_status "Deleting Kind cluster..." if kind get clusters | grep -q "bakery-ia-local"; then 
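Review bot: The `letsencrypt-staging` ClusterIssuer cannot issue anything from the dev overlay as written: `email: admin@bakery-ia.local` uses the mDNS-reserved `.local` suffix, which Let's Encrypt's ACME registration is likely to reject as an undeliverable contact, and the `http01` solver needs the ACME staging server to reach the nginx ingress from the internet, which a kind cluster on localhost does not provide. If the dev overlay really only needs `selfsigned-issuer` (presumably what dev-certificate.yaml references), drop the second issuer from it; otherwise mark it with `# NOTE: only usable on a cluster with a publicly reachable ingress; the local kind cluster will never complete an HTTP-01 challenge` and make the email a kustomize replacement rather than an inline "Change this" placeholder that ends up committed.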
@@ -83,7 +83,17 @@ cleanup() {
 else
 print_status "Kind cluster bakery-ia-local not found"
 fi
-
+
+ # Stop local registry
+ print_status "Stopping local registry..."
+ if docker ps -a | grep -q "kind-registry"; then
+ docker stop kind-registry 2>/dev/null || true
+ docker rm kind-registry 2>/dev/null || true
+ print_success "Local registry removed"
+ else
+ print_status "Local registry not found"
+ fi
+
 # Stop Colima
 print_status "Stopping Colima..."
 if colima list | grep -q "k8s-local"; then
@@ -92,7 +102,7 @@ cleanup() {
 else
 print_status "Colima profile k8s-local not found"
 fi
-
+
 print_success "Cleanup completed!"
 echo "----------------------------------------"
 }
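Review bot: `if docker ps -a | grep -q "kind-registry"; then` matches the substring anywhere in the `docker ps -a` output (image name, command, any container whose name merely contains it), so an unrelated container can make cleanup print "Local registry removed" while `docker stop kind-registry` fails silently under `2>/dev/null || true`. Use an exact lookup instead: `if docker container inspect kind-registry >/dev/null 2>&1; then`. The container name is also hard-coded here while `create_local_registry` keeps it in a local `reg_name`; a single `readonly REG_NAME='kind-registry'` at the top of the script keeps the two from drifting. cleanup() begins before this hunk.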
@@ -119,36 +129,125 @@ check_config_files() { print_success "Configuration files check completed" } +# Function to create local registry +create_local_registry() { + local reg_name='kind-registry' + local reg_port='5001' + + print_status "Setting up local Docker registry..." + + # Create registry container unless it already exists + if [ "$(docker inspect -f '{{.State.Running}}' "${reg_name}" 2>/dev/null || true)" != 'true' ]; then + print_status "Creating registry container on port ${reg_port}..." + docker run \ + -d --restart=always \ + -p "127.0.0.1:${reg_port}:5000" \ + --name "${reg_name}" \ + registry:2 + + if [ $? -eq 0 ]; then + print_success "Local registry created at localhost:${reg_port}" + else + print_error "Failed to create local registry" + exit 1 + fi + else + print_success "Local registry already running at localhost:${reg_port}" + fi + + # Store registry info for later use + echo "${reg_name}:${reg_port}" +} + +# Function to connect registry to Kind +connect_registry_to_kind() { + local reg_name='kind-registry' + local reg_port='5001' + + print_status "Connecting registry to Kind network..." + + # Connect the registry to the cluster network if not already connected + if [ "$(docker inspect -f='{{json .NetworkSettings.Networks.kind}}' "${reg_name}")" = 'null' ]; then + docker network connect "kind" "${reg_name}" + print_success "Registry connected to Kind network" + else + print_success "Registry already connected to Kind network" + fi + + # Configure containerd in the Kind node to use the registry + print_status "Configuring containerd to use local registry..." + + # Create the registry config directory + docker exec bakery-ia-local-control-plane mkdir -p /etc/containerd/certs.d/localhost:${reg_port} + + # Add registry configuration + docker exec bakery-ia-local-control-plane sh -c "cat > /etc/containerd/certs.d/localhost:${reg_port}/hosts.toml < container:30300" echo " Gateway: localhost:8000 -> container:30800" 
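Review bot: Once `docker network connect "kind" "${reg_name}"` runs, every pod in the kind cluster can reach this registry on the cluster network, and `registry:2` is started with no authentication and no TLS, so any workload can push to or overwrite the images Tilt later deploys — the `127.0.0.1:${reg_port}:5000` bind only protects the host side. That is tolerable for a throwaway dev cluster, but say so in a comment next to `docker run`, and pin the image by digest (`registry:2@sha256:...`) rather than a floating tag so the setup is reproducible. Separately, `create_local_registry` ends with `echo "${reg_name}:${reg_port}"` "for later use", but `print_status`/`print_success` also write to stdout, so anything that captures `$(create_local_registry)` receives the status lines too; either route the status helpers to stderr or drop the echo. The hosts.toml heredoc written via `docker exec ... sh -c "cat > ..."` is not legible in this copy of the patch, so I could not check the mirror configuration it writes.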
@@ -234,6 +337,11 @@ setup() { echo " - Use Ingress via: http://localhost:${HTTP_HOST_PORT}" echo " - Direct NodePort: http://localhost:30080" echo "----------------------------------------" + print_status "Local Registry Information:" + echo " - Registry URL: localhost:5001" + echo " - Images will be pushed to: localhost:5001/bakery/" + echo " - Update your Tiltfile with: default_registry('localhost:5001')" + echo "----------------------------------------" } # Function to show usage diff --git a/verify-registry.sh b/verify-registry.sh new file mode 100755 index 00000000..9eeec6d8 --- /dev/null +++ b/verify-registry.sh 
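Review bot: The new hint `echo " - Update your Tiltfile with: default_registry('localhost:5001')"` tells the developer to make an edit that this same commit already makes in the Tiltfile, so it reads as a pending action when nothing is pending; replace it with `echo " - Tilt pushes here via default_registry('localhost:5001') in the Tiltfile"`. The line `Images will be pushed to: localhost:5001/bakery/` is not established by anything in the patch — the repository path comes from the image names the Tiltfile builds, which are not visible here — so either derive it from the same place or print `localhost:5001/<image>`. setup() begins before this hunk.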
@@ -0,0 +1,152 @@
+#!/bin/bash
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+# Function to print colored output
+print_status() {
+ echo -e "${BLUE}[INFO]${NC} $1"
+}
+
+print_success() {
+ echo -e "${GREEN}[SUCCESS]${NC} $1"
+}
+
+print_warning() {
+ echo -e "${YELLOW}[WARNING]${NC} $1"
+}
+
+print_error() {
+ echo -e "${RED}[ERROR]${NC} $1"
+}
+
+echo "======================================="
+echo "Registry Verification Script"
+echo "======================================="
+echo ""
+
+# 1. Check if registry container is running
+print_status "Checking if kind-registry container is running..."
+if docker ps | grep -q "kind-registry"; then
+ print_success "Registry container is running"
+ REGISTRY_STATUS=$(docker ps --filter "name=kind-registry" --format "{{.Status}}")
+ echo " Status: $REGISTRY_STATUS"
+else
+ print_error "Registry container is not running!"
+ echo " Run: ./kubernetes_restart.sh setup"
+ exit 1
+fi
+
+# 2. Check if registry is accessible on localhost:5001
+print_status "Checking if registry is accessible on localhost:5001..."
+if curl -s http://localhost:5001/v2/_catalog > /dev/null 2>&1; then
+ print_success "Registry is accessible"
+ CATALOG=$(curl -s http://localhost:5001/v2/_catalog)
+ echo " Catalog: $CATALOG"
+else
+ print_error "Registry is not accessible on localhost:5001"
+ exit 1
+fi
+
+# 3. Check if registry is connected to Kind network
+print_status "Checking if registry is connected to Kind network..."
+NETWORK_CHECK=$(docker inspect -f='{{json .NetworkSettings.Networks.kind}}' kind-registry 2>/dev/null)
+if [ "$NETWORK_CHECK" != "null" ] && [ -n "$NETWORK_CHECK" ]; then
+ print_success "Registry is connected to Kind network"
+else
+ print_warning "Registry is not connected to Kind network"
+ print_status "Connecting registry to Kind network..."
+ docker network connect "kind" "kind-registry"
+ if [ $?
-eq 0 ]; then + print_success "Registry connected successfully" + else + print_error "Failed to connect registry to Kind network" + exit 1 + fi +fi + +# 4. Check if Kind cluster exists +print_status "Checking if Kind cluster exists..." +if kind get clusters | grep -q "bakery-ia-local"; then + print_success "Kind cluster 'bakery-ia-local' exists" +else + print_error "Kind cluster 'bakery-ia-local' not found" + echo " Run: ./kubernetes_restart.sh setup" + exit 1 +fi + +# 5. Check if registry is documented in cluster +print_status "Checking if registry is documented in cluster..." +if kubectl get configmap -n kube-public local-registry-hosting &>/dev/null; then + print_success "Registry is documented in cluster" + REG_HOST=$(kubectl get configmap -n kube-public local-registry-hosting -o jsonpath='{.data.localRegistryHosting\.v1}' 2>/dev/null | grep -o 'host: "[^"]*"' | cut -d'"' -f2) + echo " Registry host: $REG_HOST" +else + print_warning "Registry ConfigMap not found in cluster" + print_status "Creating ConfigMap..." + kubectl apply -f - < /dev/null 2>&1 + +print_status "Tagging image for local registry..." +docker tag busybox:latest localhost:5001/test/busybox:latest + +print_status "Pushing image to local registry..." +if docker push localhost:5001/test/busybox:latest > /dev/null 2>&1; then + print_success "Successfully pushed test image to registry" +else + print_error "Failed to push image to registry" + exit 1 +fi + +print_status "Verifying image in registry catalog..." +CATALOG=$(curl -s http://localhost:5001/v2/_catalog) +if echo "$CATALOG" | grep -q "test/busybox"; then + print_success "Test image found in registry catalog" +else + print_warning "Test image not found in catalog, but push succeeded" +fi + +# 7. Clean up test image +print_status "Cleaning up test images..." 
+docker rmi localhost:5001/test/busybox:latest > /dev/null 2>&1
+docker rmi busybox:latest > /dev/null 2>&1
+
+echo ""
+echo "======================================="
+print_success "Registry verification completed!"
+echo "======================================="
+echo ""
+print_status "Summary:"
+echo " - Registry URL: localhost:5001"
+echo " - Registry container: kind-registry"
+echo " - Connected to Kind network: Yes"
+echo " - Accessible from host: Yes"
+echo " - Test push: Successful"
+echo ""
+print_status "Next steps:"
+echo " 1. Ensure your Tiltfile has: default_registry('localhost:5001')"
+echo " 2. Run: tilt up"
+echo " 3. Images will be automatically pushed to localhost:5001/bakery/"
+echo ""
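Review bot: A script named verify-registry.sh changes the system it verifies: step 3 runs `docker network connect "kind" "kind-registry"`, step 5 applies a ConfigMap with `kubectl apply`, and the cleanup at the end runs `docker rmi busybox:latest`, which also deletes a `busybox:latest` the developer already had before the script pulled it. The mutating steps should at least be called out in the header comment (or put behind a `--fix` flag), and the base image should only be removed when this run pulled it. The script also has no `set -euo pipefail` and tests `$?` after the fact, `docker ps | grep -q "kind-registry"` is a substring match over the whole `docker ps` line, and the push test depends on pulling the floating `busybox:latest` tag from Docker Hub on every run. A guard for the image removal is below; the pull/tag/push lines in the middle of the hunk are garbled in this copy of the patch, so I have not reproduced them.

```shell
# … unchanged: steps 1–5 …
had_busybox=0
docker image inspect busybox:latest >/dev/null 2>&1 && had_busybox=1
# … unchanged: pull, tag, push and catalog check …
docker rmi localhost:5001/test/busybox:latest > /dev/null 2>&1
# only remove the base image if this run pulled it
if [ "$had_busybox" -eq 0 ]; then
    docker rmi busybox:latest > /dev/null 2>&1
fi
```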