From bc00bab061a70ce0e93281d1d79ba1ce9d5fb5f2 Mon Sep 17 00:00:00 2001
From: Urtzi Alfaro
Date: Tue, 20 Jan 2026 07:20:56 +0100
Subject: [PATCH] Add new infra architecture 9
---
 CI_CD_IMPLEMENTATION_PLAN.md | 35 +++++++
 MAILU_MIGRATION_SUMMARY.md | 42 --------
 Tiltfile | 14 ++-
 coredns-dnssec-forward-patch.yaml | 26 -----
 coredns-dnssec-patch.yaml | 28 ------
 .../cicd/gitea/setup-admin-secret.sh | 79 ++++++++++++---
 .../environments/common/configs/secrets.yaml | 6 ++
 .../dev/k8s-manifests/kustomization.yaml | 95 ++++++++++++------
 .../platform/mail/mailu-helm/dev/values.yaml | 5 +-
 .../platform/mail/mailu-helm/values.yaml | 3 +-
 .../dns/unbound-helm/templates/service.yaml | 3 +
 .../networking/dns/unbound-helm/values.yaml | 4 +
 .../networking/ingress/base/ingress.yaml | 2 +-
 privkey.pem | 28 ------
 scripts/prepull-base-images.sh | 96 ++++++++++++++++---
 secrets_test.yaml | 72 --------------
 test_secrets.yaml | 22 -----
 17 files changed, 284 insertions(+), 276 deletions(-)
 delete mode 100644 MAILU_MIGRATION_SUMMARY.md
 delete mode 100644 coredns-dnssec-forward-patch.yaml
 delete mode 100644 coredns-dnssec-patch.yaml
 delete mode 100644 privkey.pem
 delete mode 100644 secrets_test.yaml
 delete mode 100644 test_secrets.yaml
diff --git a/CI_CD_IMPLEMENTATION_PLAN.md b/CI_CD_IMPLEMENTATION_PLAN.md
index 9dcb749c..c214d554 100644
--- a/CI_CD_IMPLEMENTATION_PLAN.md
+++ b/CI_CD_IMPLEMENTATION_PLAN.md
@@ -1,3 +1,38 @@
+cat << 'EOFCMD' | colima --profile k8s-local ssh
+sudo tee /etc/docker/daemon.json << 'EOF'
+{
+ "exec-opts": [
+ "native.cgroupdriver=cgroupfs"
+ ],
+ "features": {
+ "buildkit": true,
+ "containerd-snapshotter": true
+ },
+ "insecure-registries": ["registry.bakery-ia.local"]
+}
+EOF
+EOFCMD
+
+-------
+
+Kind cluster configuration:
+
+Added registry.bakery-ia.local to /etc/hosts inside Kind container
+Configured containerd to trust the self-signed certificate via /etc/containerd/certs.d/registry.bakery-ia.local/hosts.toml
+
+docker exec bakery-ia-local-control-plane sh -c 'echo "127.0.0.1 registry.bakery-ia.local" >> /etc/hosts' 2>&1
+
+kubectl get secret bakery-dev-tls-cert -n bakery-ia -o jsonpath='{.data.tls\.crt}' | base64 -d | docker exec -i bakery-ia-local-control-plane sh -c 'mkdir -p /etc/containerd/certs.d/registry.bakery-ia.local && cat > /etc/containerd/certs.d/registry.bakery-ia.local/ca.crt' 2>&1
+
+docker exec bakery-ia-local-control-plane sh -c 'cat > /etc/containerd/certs.d/registry.bakery-ia.local/hosts.toml << EOF
+server = "https://registry.bakery-ia.local"
+
+[host."https://registry.bakery-ia.local"]
+ capabilities = ["pull", "resolve"]
+ ca = "/etc/containerd/certs.d/registry.bakery-ia.local/ca.crt"
+EOF' 2>&1
+
+
 # Bakery-IA Production CI/CD Implementation Plan
 ## Document Overview
diff --git a/MAILU_MIGRATION_SUMMARY.md b/MAILU_MIGRATION_SUMMARY.md
deleted file mode 100644
index 3c02e676..00000000
--- a/MAILU_MIGRATION_SUMMARY.md
+++ /dev/null
@@ -1,42 +0,0 @@
-# Mailu Migration Summary
-
-This document summarizes the migration from the old Kustomize-based Mailu setup to the new Helm-based setup.
-
-## Files Removed
-
-- `infrastructure/platform/mail/mailu/` - Complete removal of old Kustomize-based Mailu configuration
-- `infrastructure/security/certificates/mailu/` - Removal of old certificate generation scripts
-
-## Files Updated
-
-### Infrastructure Configuration
-- `infrastructure/environments/dev/k8s-manifests/kustomization.yaml` - Removed Mailu resource reference and patches
-- `infrastructure/environments/prod/k8s-manifests/kustomization.yaml` - Removed Mailu resource reference and patches
-- `infrastructure/platform/networking/ingress/base/ingress.yaml` - Removed Mailu-specific ingress rules and TLS entries
-- `infrastructure/monitoring/signoz/README.md` - Updated to reflect Helm-based Mailu deployment
-- `infrastructure/environments/common/configs/secrets.yaml` - Updated comments to reflect new service name
-
-### Service Integration
-- `infrastructure/environments/common/configs/configmap.yaml` - Updated SMTP_HOST to use new Helm service name
-- `infrastructure/monitoring/signoz/signoz-values-prod.yaml` - Updated SMTP configuration to use new service name
-
-## New Files Created
-
-- `infrastructure/platform/mail/mailu-helm/` - New Helm-based Mailu configuration
- - `values.yaml` - Base configuration values
- - `dev/values.yaml` - Development-specific overrides
- - `prod/values.yaml` - Production-specific overrides
- - `mailu-ingress.yaml` - Sample ingress configuration for use with existing ingress
- - `README.md` - Comprehensive documentation
- - `MIGRATION_GUIDE.md` - Migration guide with rollback procedures
-
-## Key Changes
-
-1. **Service Names**: Changed from `mailu-smtp` to `mailu-postfix` (Helm chart service naming)
-2. **Deployment Method**: Switched from Kustomize manifests to Helm chart
-3. **Ingress Configuration**: Disabled built-in ingress to work with existing ingress controller
-4. **Configuration**: All configurations now use Helm values files instead of individual YAML manifests
-
-## Verification
-
-The new configuration has been tested and verified to work with the existing ingress setup, maintaining all critical functionality while improving maintainability.
\ No newline at end of file
diff --git a/Tiltfile b/Tiltfile
index 38b80632..afa47515 100644
--- a/Tiltfile
+++ b/Tiltfile
@@ -25,7 +25,7 @@
 # Set USE_GITEA_REGISTRY=true environment variable to push images to Gitea registry
 # Otherwise, uses local registry for faster builds and deployments
 use_dockerhub = False # Default to False
-use_gitea_registry = False # Default to False - Gitea registry not working currently
+use_gitea_registry = True # Default to False - Gitea registry not working currently
 if 'USE_DOCKERHUB' in os.environ:
 use_dockerhub = os.environ['USE_DOCKERHUB'].lower() == 'true'
 if 'USE_GITEA_REGISTRY' in os.environ:
@@ -1487,10 +1487,20 @@ else:
 echo ""
 echo "Gitea setup complete!"
- echo "Access Gitea at: http://gitea.bakery-ia.local (for dev) or http://gitea.bakewise.ai (for prod)"
+ echo "Access Gitea at: https://gitea.bakery-ia.local (for dev) or https://gitea.bakewise.ai (for prod)"
+ echo "Registry URL: https://registry.bakery-ia.local"
 echo "Make sure to add the appropriate hostname to /etc/hosts or configure DNS"
 echo "Check status: kubectl get pods -n gitea"
 echo "To uninstall: helm uninstall gitea -n gitea"
+
+ # Sync registry credentials to bakery-ia namespace for pod image pulls
+ echo ""
+ echo "Syncing registry credentials to bakery-ia namespace..."
+ chmod +x infrastructure/cicd/gitea/sync-registry-secret.sh
+ ./infrastructure/cicd/gitea/sync-registry-secret.sh
+
+ echo ""
+ echo "Registry secret synced! Pods in bakery-ia namespace can now pull from registry.bakery-ia.local"
 ''',
 labels=['99-cicd'],
 auto_init=False, # Manual trigger only
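Review bot: `use_gitea_registry = True` now carries the comment `# Default to False - Gitea registry not working currently`, which contradicts both the value and the rest of this patch (registry secret sync below, the flipped USE_GITEA_REGISTRY default in scripts/prepull-base-images.sh); a stale comment on the flag that decides where images are pushed is an easy way to mislead the next person. Change it to `use_gitea_registry = True # Default to True - set USE_GITEA_REGISTRY=false to use the local registry`, and keep it in step with the prepull script's default since both are changed in this commit.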
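Review bot: The new resource body runs `./infrastructure/cicd/gitea/sync-registry-secret.sh`, but that file is not in this patch's diffstat, so unless it already exists in the repository the manual trigger fails at the `chmod`. Nothing visible here stops the shell string on error either, so a failed sync would still be followed by `echo "Registry secret synced!"`; guard the call, e.g. `./infrastructure/cicd/gitea/sync-registry-secret.sh || { echo "Registry secret sync failed"; exit 1; }`. The local_resource call and the shell string it wraps begin before this hunk.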
diff --git a/coredns-dnssec-forward-patch.yaml b/coredns-dnssec-forward-patch.yaml
deleted file mode 100644
index cee58dc5..00000000
--- a/coredns-dnssec-forward-patch.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-data:
- Corefile: |
- .:53 {
- errors
- health {
- lameduck 5s
- }
- ready
- kubernetes cluster.local in-addr.arpa ip6.arpa {
- pods insecure
- fallthrough in-addr.arpa ip6.arpa
- ttl 30
- }
- prometheus :9153
- forward . 8.8.8.8 8.8.4.4 {
- force_tcp
- max_concurrent 1000
- }
- cache 30 {
- disable success cluster.local
- disable denial cluster.local
- }
- loop
- reload
- loadbalance
- }
\ No newline at end of file
diff --git a/coredns-dnssec-patch.yaml b/coredns-dnssec-patch.yaml
deleted file mode 100644
index cb7523fe..00000000
--- a/coredns-dnssec-patch.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-data:
- Corefile: |
- .:53 {
- errors
- health {
- lameduck 5s
- }
- ready
- kubernetes cluster.local in-addr.arpa ip6.arpa {
- pods insecure
- fallthrough in-addr.arpa ip6.arpa
- ttl 30
- }
- prometheus :9153
- forward . /etc/resolv.conf {
- max_concurrent 1000
- }
- dnssec {
- enable
- }
- cache 30 {
- disable success cluster.local
- disable denial cluster.local
- }
- loop
- reload
- loadbalance
- }
\ No newline at end of file
diff --git a/infrastructure/cicd/gitea/setup-admin-secret.sh b/infrastructure/cicd/gitea/setup-admin-secret.sh
index 08f75cdf..d403dfdd 100755
--- a/infrastructure/cicd/gitea/setup-admin-secret.sh
+++ b/infrastructure/cicd/gitea/setup-admin-secret.sh
@@ -1,8 +1,11 @@
 #!/bin/bash
 # Setup Gitea Admin Secret
 #
-# This script creates the Kubernetes secret required for Gitea admin credentials.
-# Run this BEFORE installing Gitea with Helm.
+# This script creates TWO Kubernetes secrets:
+# 1. gitea-admin-secret (gitea namespace) - Used by Gitea Helm chart for admin credentials
+# 2. gitea-registry-secret (bakery-ia namespace) - Used by pods for imagePullSecrets
+#
+# Both secrets use the SAME credentials, ensuring consistency.
 #
 # Usage:
 # ./setup-admin-secret.sh [password]
@@ -12,7 +15,10 @@
 set -e
 KUBECTL="kubectl"
-NAMESPACE="gitea"
+GITEA_NAMESPACE="gitea"
+BAKERY_NAMESPACE="bakery-ia"
+REGISTRY_HOST="registry.bakery-ia.local"
+ADMIN_USERNAME="bakery-admin"
 # Check if running in microk8s
 if command -v microk8s &> /dev/null; then
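Review bot: The new header documents that `gitea-registry-secret` in bakery-ia holds the SAME credentials as `gitea-admin-secret`, which means every workload using the imagePullSecret, and every principal with `get secrets` in bakery-ia, effectively holds the Gitea admin password, and rotating the admin password silently breaks image pulls. A dedicated low-privilege pull user or a scoped Gitea access token is the least-privilege choice for the pull secret; at minimum the header should spell out the consequence, e.g. `# NOTE: the pull secret carries Gitea ADMIN credentials - anyone able to read secrets in bakery-ia obtains them`. The `ADMIN_USERNAME="bakery-admin"` added in the second hunk is also repeated as a literal owner in scripts/prepull-base-images.sh, so the two can drift.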
@@ -27,22 +33,73 @@ else echo "Generated admin password: $ADMIN_PASSWORD" fi -# Create namespace if it doesn't exist -$KUBECTL create namespace "$NAMESPACE" --dry-run=client -o yaml | $KUBECTL apply -f - +# Create namespaces if they don't exist +$KUBECTL create namespace "$GITEA_NAMESPACE" --dry-run=client -o yaml | $KUBECTL apply -f - +$KUBECTL create namespace "$BAKERY_NAMESPACE" --dry-run=client -o yaml | $KUBECTL apply -f - -# Create the secret +# 1. Create gitea-admin-secret for Gitea Helm chart +echo "Creating gitea-admin-secret in $GITEA_NAMESPACE namespace..." $KUBECTL create secret generic gitea-admin-secret \ - --namespace "$NAMESPACE" \ - --from-literal=username=bakery-admin \ + --namespace "$GITEA_NAMESPACE" \ + --from-literal=username="$ADMIN_USERNAME" \ --from-literal=password="$ADMIN_PASSWORD" \ --dry-run=client -o yaml | $KUBECTL apply -f - +# 2. Create gitea-registry-secret for imagePullSecrets +echo "Creating gitea-registry-secret in $BAKERY_NAMESPACE namespace..." + +# Create Docker config JSON for registry authentication +AUTH_BASE64=$(echo -n "${ADMIN_USERNAME}:${ADMIN_PASSWORD}" | base64) +DOCKER_CONFIG_JSON=$(cat <: images: # Database images - name: postgres - newName: localhost:5000/postgres_17-alpine - newTag: latest + newName: registry.bakery-ia.local/bakery-admin/postgres + newTag: "17-alpine" - name: redis - newName: localhost:5000/redis_7.4-alpine - newTag: latest + newName: registry.bakery-ia.local/bakery-admin/redis + newTag: "7.4-alpine" - name: rabbitmq - newName: localhost:5000/rabbitmq_4.1-management-alpine - newTag: latest + newName: registry.bakery-ia.local/bakery-admin/rabbitmq + newTag: "4.1-management-alpine" # Utility images - name: busybox - newName: localhost:5000/busybox_1.36 - newTag: latest + newName: registry.bakery-ia.local/bakery-admin/busybox + newTag: "1.36" - name: curlimages/curl - newName: localhost:5000/curlimages_curl_latest + newName: registry.bakery-ia.local/bakery-admin/curlimages-curl newTag: latest - 
name: bitnami/kubectl - newName: localhost:5000/bitnami_kubectl_latest + newName: registry.bakery-ia.local/bakery-admin/bitnami-kubectl newTag: latest # Alpine variants - name: alpine - newName: localhost:5000/alpine_3.19 - newTag: latest + newName: registry.bakery-ia.local/bakery-admin/alpine + newTag: "3.19" - name: alpine/git - newName: localhost:5000/alpine_git_2.43.0 - newTag: latest - # CI/CD images (cached locally for consistency) + newName: registry.bakery-ia.local/bakery-admin/alpine-git + newTag: "2.43.0" + # CI/CD images (cached in Gitea registry for consistency) - name: gcr.io/kaniko-project/executor - newName: localhost:5000/gcr.io_kaniko-project_executor_v1.23.0 - newTag: latest + newName: registry.bakery-ia.local/bakery-admin/gcr.io-kaniko-project-executor + newTag: v1.23.0 - name: gcr.io/go-containerregistry/crane - newName: localhost:5000/gcr.io_go-containerregistry_crane_latest + newName: registry.bakery-ia.local/bakery-admin/gcr.io-go-containerregistry-crane newTag: latest - name: registry.k8s.io/kustomize/kustomize - newName: localhost:5000/registry.k8s.io_kustomize_kustomize_v5.3.0 - newTag: latest - # Storage images (lowercase - RELEASE becomes release) + newName: registry.bakery-ia.local/bakery-admin/registry.k8s.io-kustomize-kustomize + newTag: v5.3.0 + # Storage images - name: minio/minio - newName: localhost:5000/minio_minio_release.2024-11-07t00-52-20z - newTag: latest + newName: registry.bakery-ia.local/bakery-admin/minio-minio + newTag: RELEASE.2024-11-07T00-52-20Z - name: minio/mc - newName: localhost:5000/minio_mc_release.2024-11-17t19-35-25z - newTag: latest + newName: registry.bakery-ia.local/bakery-admin/minio-mc + newTag: RELEASE.2024-11-17T19-35-25Z # NOTE: nominatim image override removed - nominatim is now deployed via Helm # Python base image - name: python - newName: localhost:5000/python_3.11-slim - newTag: latest + newName: registry.bakery-ia.local/bakery-admin/python + newTag: "3.11-slim" 
diff --git a/infrastructure/platform/mail/mailu-helm/dev/values.yaml b/infrastructure/platform/mail/mailu-helm/dev/values.yaml
index a3637df9..9893e79a 100644
--- a/infrastructure/platform/mail/mailu-helm/dev/values.yaml
+++ b/infrastructure/platform/mail/mailu-helm/dev/values.yaml
@@ -2,7 +2,8 @@ global:
 # Using Unbound DNS for DNSSEC validation (required by Mailu admin)
 # Unbound service is available at unbound-dns.bakery-ia.svc.cluster.local
- custom_dns_servers: "10.98.197.120" # Unbound DNS service IP
+ # Static ClusterIP configured in unbound-helm/values.yaml
+ custom_dns_servers: "10.96.53.53" # Unbound DNS static ClusterIP
 # Redis configuration - use built-in Mailu Redis (no authentication needed)
 externalRedis:
@@ -14,7 +15,7 @@ admin:
 dnsPolicy: "None"
 dnsConfig:
 nameservers:
- - "10.98.197.120" # Unbound DNS for DNSSEC validation (forwards cluster.local to kube-dns)
+ - "10.96.53.53" # Unbound DNS static ClusterIP (forwards cluster.local to kube-dns)
 searches:
 - "bakery-ia.svc.cluster.local"
 - "svc.cluster.local"
diff --git a/infrastructure/platform/mail/mailu-helm/values.yaml b/infrastructure/platform/mail/mailu-helm/values.yaml
index ef48cde2..62e8e757 100644
--- a/infrastructure/platform/mail/mailu-helm/values.yaml
+++ b/infrastructure/platform/mail/mailu-helm/values.yaml
@@ -5,7 +5,8 @@ global:
 # Using Unbound DNS resolver directly for DNSSEC validation
 # Unbound service is available at unbound-dns.bakery-ia.svc.cluster.local
- custom_dns_servers: "10.104.127.213" # Unbound service IP
+ # Static ClusterIP configured in unbound-helm/values.yaml
+ custom_dns_servers: "10.96.53.53" # Unbound DNS static ClusterIP
 # Domain configuration
 domain: "DOMAIN_PLACEHOLDER"
diff --git a/infrastructure/platform/networking/dns/unbound-helm/templates/service.yaml b/infrastructure/platform/networking/dns/unbound-helm/templates/service.yaml
index 31a0d379..d945ac24 100644
--- a/infrastructure/platform/networking/dns/unbound-helm/templates/service.yaml
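Review bot: `custom_dns_servers` and `dnsConfig.nameservers` now pin the Unbound ClusterIP `10.96.53.53` as a literal, and the same address is pinned again in mailu-helm/values.yaml and in unbound-helm/values.yaml, so the three must always be changed together. The unbound values comment itself says the service CIDR is only "typically" 10.96.0.0/12, and setup-admin-secret.sh supports microk8s, whose default service CIDR differs; on such a cluster the Service with the static clusterIP is rejected and Mailu is left pointing at an address nothing answers. Derive the address from a single place (a shared values file or a kustomize replacement) and record the prerequisite beside the Mailu value, e.g. `# Must equal service.clusterIP in unbound-helm/values.yaml and lie inside this cluster's service CIDR`.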
+++ b/infrastructure/platform/networking/dns/unbound-helm/templates/service.yaml
@@ -11,6 +11,9 @@ metadata:
 {{- end }}
 spec:
 type: {{ .Values.service.type }}
+ {{- if .Values.service.clusterIP }}
+ clusterIP: {{ .Values.service.clusterIP }}
+ {{- end }}
 ports:
 - name: dns-udp
 port: {{ .Values.service.ports.dnsUdp }}
diff --git a/infrastructure/platform/networking/dns/unbound-helm/values.yaml b/infrastructure/platform/networking/dns/unbound-helm/values.yaml
index 55c4da6b..9cb534b9 100644
--- a/infrastructure/platform/networking/dns/unbound-helm/values.yaml
+++ b/infrastructure/platform/networking/dns/unbound-helm/values.yaml
@@ -34,6 +34,10 @@ securityContext:
 # Service configuration
 service:
 type: "ClusterIP"
+ # Static ClusterIP for predictable DNS configuration
+ # This allows other services (like Mailu) to reference a stable IP
+ # Must be within the cluster's service CIDR range (typically 10.96.0.0/12)
+ clusterIP: "10.96.53.53"
 ports:
 dnsUdp: 53
 dnsTcp: 53
diff --git a/infrastructure/platform/networking/ingress/base/ingress.yaml b/infrastructure/platform/networking/ingress/base/ingress.yaml
index e50655f0..c0892f07 100644
--- a/infrastructure/platform/networking/ingress/base/ingress.yaml
+++ b/infrastructure/platform/networking/ingress/base/ingress.yaml
@@ -10,7 +10,7 @@ metadata:
 # Nginx ingress controller annotations
 nginx.ingress.kubernetes.io/ssl-redirect: "true"
 nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
- nginx.ingress.kubernetes.io/proxy-body-size: "100m"
+ nginx.ingress.kubernetes.io/proxy-body-size: "500m"
 nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
 nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
 nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
diff --git a/privkey.pem b/privkey.pem
deleted file mode 100644
index 1c65efdb..00000000
--- a/privkey.pem
+++ /dev/null
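Review bot: Raising `proxy-body-size` to 500m on the base ingress applies to every host routed through it, not just the one that needs large uploads, and with request buffering at its nginx default each request body up to that size is spooled on the controller's disk, so the change widens the resource-exhaustion surface for all services at once. If the increase is for registry or Gitea pushes, put the annotation on that ingress (or a dedicated one) and keep the base at its former value; if it is genuinely needed globally, leave a comment recording why, e.g. `# 500m: required for <service> uploads; applies to every host on this ingress`.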
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCWcDUo744vZK0u -YVHv1GDpLGXt749LwfFBL2K6ZL2Kiln3r5IAyrsFsKGLqDhnaI7oTOfiHdW83yHT -9AbnZojYimH00Hzss+Z8VmzQWUtNC6F8K3uMXnjzdIYIzKAX47qZOw8V/0e0csC5 -limyB5K/3Ln7eJyyPcHv3vWYl7wKpL2scw+g5AzHi70u68aGhtXsQOmL4IjzaHIi -xNyJVmiv8cd/JMUgUAvoSNekUSV8sSd/Tr7QSASXS+rFnCiFbAd2IiDGBdJJc9PM -M3uOzOiZnZlnU3yd+/xojAz9c9T8XGpb0VAlQofq81+MmbUH9tH7i38XDyu9yEkj -0Jmvr8fNAgMBAAECggEAG9I0gpWK3gjoXiNxW8ETCwxC7XXYMlJzo3J397CZvP1J -Fh1KCwty+uJnfcRmaflUNHHEkHSkCoHZZ7FBdZnoxOMSqovEDqJWhbgV95IL8vur -qaMA/jyacaui/g2ZrdFXuO7LI25KfHycV7YFj/8GjKTtYCw2DmCNdSbulIG7LNxy -ARBHbx3dKUn/t3ahylRsOyedRvF2j207ZTq9xkvcMLRzbSVFSrgYclQuqtQ6TjDL -F3WUXx59fxTSrwjV7QYzSPZuSfw5wBlBF5yiRzuJU4YN5wQvrLGG9qgimO8/+uds -6QbnIEUNe73oxw207zdywlMGyRd5vui6FtToF9YQoQKBgQDFgBoVGz+G2Ng4St9x -KujUKnloaxaa/Nmj0OoxcoCZljUAicA2gi5KeRMOMxrkVYLQBM13iA8uo7j3YPp9 -axqZHwadplsvUh2+vCZKLA/JTjGQzSihxnBpKk0He/+wFOQ6V9AKN7ffUYIyim6n -3zLupxZ3y9Rfgdp6HdCb9nm/hwKBgQDC/4U9cxy+jr13rgKs3hrpQ6Qt2loenBM5 -Ziu2ughH0pWoAIfSYK3whxtny2JrAhwQrABEpfGZVw1r9gvZnd0rGupbEUAaLCmd -vyjdfdI7iJrPYYQaMJIWiMi2EF5+7GHi898i95eMXQuxuDA0mIkK1UOp7n+C7qd+ -QwWXDehLCwKBgCSYyDyBABSMugQ0W5Ms0FgARt8CeP3fPLUOUVc4UHwlSU0AOY3g -MZO7O7y125XUAplpSmmL3MRXsj6kycXTwun8xc0QtnTeUoS1eKLl50b2JlkeqxjP -HKVgIUXxxD9sn53wB6zdBkVrZSTYYgjZYya174PjUUchWMqoG6/KzGShAoGARDU0 -2gXF7DHpvE81yFn4d9edOhzCoSpe3xkJ+WShON5EUvu8hq4iqZvYzjmqN1wJjRtd -DKYvGEAHBdiO1JQPpOBJUYl7Lqx78h3HoZI9U225GQk3OCH9N7yo2GZpZ2Qv6T78 -sjKA5Cw3xvZyhjNE3HE0teAi4h2woM24ytmmg3kCgYEAptN1OocgACqd8DaTDOWl -PYVWEyT2kUmjhaF6jxBxP6QnWBAEup7iWHPc12B3aVs/DKczxSfjSIia8uQac9A/ -eymSX05W+jP6sowZLmUq07cUdzx5AiC/eFz3xmZpftCsFgESLpuucu5CJ9uNKrkA -tgmk0sFQoyqY0TdXwDumIpU= ------END PRIVATE KEY----- diff --git a/scripts/prepull-base-images.sh b/scripts/prepull-base-images.sh index a026f170..e30a3e22 100755 --- a/scripts/prepull-base-images.sh +++ b/scripts/prepull-base-images.sh 
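Review bot: Removing privkey.pem from the tree does not remove it from history; the key shown in this hunk's removed lines has to be treated as compromised, rotated, and any certificate issued for it re-issued, regardless of whether the history is later rewritten. Adding `*.pem` and `privkey*` to .gitignore and running a secret scanner in pre-commit or CI would stop the same file from coming back in a later commit.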
@@ -59,8 +59,8 @@ BASE_IMAGES=(
 # Read from environment variables (set by Tiltfile or manually)
 # USE_LOCAL_REGISTRY=true to push images to local registry after pulling
 # USE_GITEA_REGISTRY=true to push images to Gitea registry after pulling
-USE_LOCAL_REGISTRY="${USE_LOCAL_REGISTRY:-true}"
-USE_GITEA_REGISTRY="${USE_GITEA_REGISTRY:-false}"
+USE_LOCAL_REGISTRY="${USE_LOCAL_REGISTRY:-false}"
+USE_GITEA_REGISTRY="${USE_GITEA_REGISTRY:-true}"
 echo "Registry configuration:"
 echo " USE_LOCAL_REGISTRY=$USE_LOCAL_REGISTRY"
@@ -76,13 +76,66 @@ if [ "$USE_GITEA_REGISTRY" = "true" ]; then
 echo "Testing Gitea registry accessibility at $REGISTRY..."
 # Test if Gitea registry is accessible (try HTTPS first, then HTTP)
- if curl -sk https://$REGISTRY/v2/ >/dev/null 2>&1; then
+ # Note: Gitea registry might return 401 Unauthorized when not authenticated, which is expected
+ # We're just checking if the service is reachable
+ if curl -sk -o /dev/null -w "%{http_code}" https://$REGISTRY/v2/ | grep -q "^[234]"; then
 echo "✓ Gitea registry accessible via HTTPS"
- elif curl -s http://$REGISTRY/v2/ >/dev/null 2>&1; then
+
+ # Authenticate with Gitea registry if accessible
+ echo "Authenticating with Gitea registry..."
+ echo "Note: For self-signed certificates, you may need to configure Docker to trust the registry:"
+ echo " 1. Add to /etc/docker/daemon.json:"
+ echo " {\"insecure-registries\": [\"$REGISTRY\"]}"
+ echo " 2. Restart Docker: sudo systemctl restart docker"
+ echo " 3. Or use: docker --insecure-registry $REGISTRY login $REGISTRY"
+
+ # Try to authenticate (this may fail due to certificate issues)
+ if ! docker login $REGISTRY; then
+ echo "Warning: Failed to authenticate with Gitea registry"
+ echo "This could be due to:"
+ echo " - Self-signed certificate issues (see above)"
+ echo " - Incorrect credentials"
+ echo " - Registry not properly configured"
+ echo "You may need to run: docker login $REGISTRY"
+ echo "Falling back to local registry"
+ REGISTRY="localhost:5000"
+ USE_GITEA_REGISTRY="false"
+ else
+ echo "✓ Gitea registry authentication successful"
+ fi
+ elif curl -s -o /dev/null -w "%{http_code}" http://$REGISTRY/v2/ | grep -q "^[234]"; then
 echo "✓ Gitea registry accessible via HTTP"
+
+ # Authenticate with Gitea registry if accessible
+ echo "Authenticating with Gitea registry..."
+ echo "Note: For self-signed certificates, you may need to configure Docker to trust the registry:"
+ echo " 1. Add to /etc/docker/daemon.json:"
+ echo " {\"insecure-registries\": [\"$REGISTRY\"]}"
+ echo " 2. Restart Docker: sudo systemctl restart docker"
+ echo " 3. Or use: docker --insecure-registry $REGISTRY login $REGISTRY"
+
+ # Try to authenticate (this may fail due to certificate issues)
+ if ! docker login $REGISTRY; then
+ echo "Warning: Failed to authenticate with Gitea registry"
+ echo "This could be due to:"
+ echo " - Self-signed certificate issues (see above)"
+ echo " - Incorrect credentials"
+ echo " - Registry not properly configured"
+ echo "You may need to run: docker login $REGISTRY"
+ echo "Falling back to local registry"
+ REGISTRY="localhost:5000"
+ USE_GITEA_REGISTRY="false"
+ else
+ echo "✓ Gitea registry authentication successful"
+ fi
 else
 echo "Warning: Gitea registry at $REGISTRY is not accessible, falling back to local registry"
+ echo "This could be because:"
+ echo " 1. Gitea is not running or not properly configured"
+ echo " 2. The ingress is not properly routing to Gitea"
+ echo " 3. The registry service is not exposed"
 REGISTRY="localhost:5000"
+ USE_GITEA_REGISTRY="false"
 fi
 else
 REGISTRY="localhost:5000"
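Review bot: The HTTPS and HTTP branches carry the same twenty-odd lines of authentication and fallback verbatim, and the HTTP branch runs `docker login $REGISTRY` against a plain-http endpoint, which would hand the Gitea admin credentials in clear text to whatever answers on that name; the HTTPS probe uses `curl -sk`, so it likewise accepts any certificate and only proves something is listening. Move the login and fallback into one helper called from both branches, and consider dropping or gating the HTTP branch now that the plan document in this same patch shows how to trust the registry CA instead of marking it insecure. The enclosing `if [ "$USE_GITEA_REGISTRY" = "true" ]` block opens in the hunk header context and closes inside the hunk.
```shell
# Log in to the Gitea registry once; on failure, fall back to the local registry.
# Sets REGISTRY and USE_GITEA_REGISTRY as a side effect, like the inline blocks it replaces.
gitea_registry_login() {
    echo "Authenticating with Gitea registry..."
    if docker login "$REGISTRY"; then
        echo "✓ Gitea registry authentication successful"
        return
    fi
    echo "Warning: Failed to authenticate with Gitea registry (see docker login output above)"
    echo "You may need to run: docker login $REGISTRY"
    echo "Falling back to local registry"
    REGISTRY="localhost:5000"
    USE_GITEA_REGISTRY="false"
}

if curl -sk -o /dev/null -w "%{http_code}" https://$REGISTRY/v2/ | grep -q "^[234]"; then
    echo "✓ Gitea registry accessible via HTTPS"
    gitea_registry_login
# … unchanged: HTTP branch (same helper call) and the not-accessible branch …
```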
@@ -107,14 +160,26 @@ for image in "${BASE_IMAGES[@]}"; do
 # Tag for registry if enabled
 if [ "$USE_LOCAL_REGISTRY" = "true" ] || [ "$USE_GITEA_REGISTRY" = "true" ]; then
- # Convert image name to registry format:
- # - Replace / with _
- # - Replace : with _
- # - Convert to lowercase (Docker requires lowercase repository names)
- # - Add :latest tag for Kustomize compatibility
- # Example: gcr.io/kaniko-project/executor:v1.23.0 -> gcr.io_kaniko-project_executor_v1.23.0:latest
- local_repo="$(echo $image | sed 's|/|_|g' | sed 's|:|_|g' | tr '[:upper:]' '[:lower:]')"
- registry_image="$REGISTRY/${local_repo}:latest"
+ if [ "$USE_GITEA_REGISTRY" = "true" ]; then
+ # Gitea registry requires format: registry/owner/package:tag
+ # Convert image name to package name:
+ # - Replace / with - (e.g., gcr.io/kaniko-project/executor -> gcr.io-kaniko-project-executor)
+ # - Keep the tag if present, otherwise use original tag
+ # Example: gcr.io/kaniko-project/executor:v1.23.0 -> bakery-admin/gcr.io-kaniko-project-executor:v1.23.0
+ image_name="${image%%:*}" # Remove tag
+ image_tag="${image#*:}" # Get tag
+ if [ "$image_name" = "$image_tag" ]; then
+ image_tag="latest" # No tag in original, use latest
+ fi
+ # Convert image name: replace / with - and lowercase
+ package_name="$(echo $image_name | sed 's|/|-|g' | tr '[:upper:]' '[:lower:]')"
+ registry_image="$REGISTRY/bakery-admin/${package_name}:${image_tag}"
+ else
+ # Local registry format: replace / and : with _
+ local_repo="$(echo $image | sed 's|/|_|g' | sed 's|:|_|g' | tr '[:upper:]' '[:lower:]')"
+ registry_image="$REGISTRY/${local_repo}:latest"
+ fi
+
 docker tag "$image" "$registry_image"
 echo " Tagged as: $registry_image"
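Review bot: `image_name="${image%%:*}"` cuts at the first colon of the whole reference, so any BASE_IMAGES entry that carries a registry port (`host:5000/repo:tag`) would be split at the port instead of the tag, and a digest reference (`repo@sha256:...`) would be mangled as well; BASE_IMAGES is outside this hunk, so this may be latent today rather than live. Test for a colon only in the last path component: `last="${image##*/}"; if [[ "$last" == *:* ]]; then image_tag="${image##*:}"; image_name="${image%:*}"; else image_tag="latest"; image_name="$image"; fi`. The owner `bakery-admin` is also hard-coded in `registry_image=` while setup-admin-secret.sh defines the same value as `ADMIN_USERNAME`; a shared `REGISTRY_OWNER` variable with an env override would keep the two from drifting. The enclosing for loop begins in the hunk header context and continues past the hunk.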
@@ -187,6 +252,13 @@ if [ "$USE_LOCAL_REGISTRY" = "true" ] || [ "$USE_GITEA_REGISTRY" = "true" ]; the
 "insecure-registries": ["registry.bakery-ia.local"]
 }
 EOF
+ echo ""
+ echo "IMPORTANT: For Gitea registry to work properly:"
+ echo " 1. Gitea must be running and accessible at gitea.bakery-ia.local"
+ echo " 2. The registry subdomain must be properly configured in your ingress"
+ echo " 3. You may need to authenticate with Docker:"
+ echo " docker login registry.bakery-ia.local"
+ echo " 4. Check that the Gitea registry service is exposed on port 3000"
 else
 echo "To configure Docker daemon to use local registry as mirror:"
 echo ""
diff --git a/secrets_test.yaml b/secrets_test.yaml
deleted file mode 100644
index 3ab28cbc..00000000
--- a/secrets_test.yaml
+++ /dev/null
@@ -1,72 +0,0 @@
-# Secret for Gitea webhook validation
-# Used by EventListener to validate incoming webhooks
-apiVersion: v1
-kind: Secret
-metadata:
- name: gitea-webhook-secret
- namespace: {{ .Values.namespace }}
- labels:
- app.kubernetes.io/name: {{ .Values.labels.app.name }}
- app.kubernetes.io/component: triggers
- annotations:
- note: "Webhook secret for validating incoming webhooks"
-type: Opaque
-stringData:
- secretToken: {{ .Values.secrets.webhook.token | quote }}
----
-# Secret for Gitea container registry credentials
-# Used by Kaniko to push images to Gitea registry
-apiVersion: v1
-kind: Secret
-metadata:
- name: gitea-registry-credentials
- namespace: {{ .Values.namespace }}
- labels:
- app.kubernetes.io/name: {{ .Values.labels.app.name }}
- app.kubernetes.io/component: build
- annotations:
- note: "Registry credentials for pushing images"
-type: kubernetes.io/dockerconfigjson
-stringData:
- .dockerconfigjson: |
- {
- "auths": {
- {{ .Values.secrets.registry.registryUrl | quote }}: {
- "username": {{ .Values.secrets.registry.username | quote }},
- "password": {{ .Values.secrets.registry.password | quote }}
- }
- }
- }
----
-# Secret for Git credentials (used by pipeline to push GitOps updates)
-apiVersion: v1
-kind: Secret
-metadata:
- name: gitea-git-credentials
- namespace: {{ .Values.namespace }}
- labels:
- app.kubernetes.io/name: {{ .Values.labels.app.name }}
- app.kubernetes.io/component: gitops
- annotations:
- note: "Git credentials for GitOps updates"
-type: Opaque
-stringData:
- username: {{ .Values.secrets.git.username | quote }}
- password: {{ .Values.secrets.git.password | quote }}
----
-# Secret for Flux GitRepository access
-# Used by Flux to pull from Gitea repository
-apiVersion: v1
-kind: Secret
-metadata:
- name: gitea-credentials
- namespace: {{ .Values.pipeline.deployment.fluxNamespace }}
- labels:
- app.kubernetes.io/name: {{ .Values.labels.app.name }}
- app.kubernetes.io/component: flux
- annotations:
- note: "Credentials for Flux GitRepository access"
-type: Opaque
-stringData:
- username: {{ .Values.secrets.git.username | quote }}
- password: {{ .Values.secrets.git.password | quote }}
\ No newline at end of file
diff --git a/test_secrets.yaml b/test_secrets.yaml
deleted file mode 100644
index 659b6ad3..00000000
--- a/test_secrets.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-# Test version of the secrets file to isolate the issue
-apiVersion: v1
-kind: Secret
-metadata:
- name: gitea-registry-credentials
- namespace: {{ .Values.namespace }}
- labels:
- app.kubernetes.io/name: {{ .Values.labels.app.name }}
- app.kubernetes.io/component: build
- annotations:
- note: "Registry credentials for pushing images"
-type: kubernetes.io/dockerconfigjson
-stringData:
- .dockerconfigjson: |
- {
- "auths": {
- {{ .Values.secrets.registry.registryUrl | quote }}: {
- "username": {{ .Values.secrets.registry.username | quote }},
- "password": {{ .Values.secrets.registry.password | quote }}
- }
- }
- }
\ No newline at end of file