Add new infra architecture 9

2026-01-20 07:20:56 +01:00
parent 52b8abdc0e
commit bc00bab061
17 changed files with 284 additions and 276 deletions
--- a/infrastructure/cicd/gitea/setup-admin-secret.sh
+++ b/infrastructure/cicd/gitea/setup-admin-secret.sh
@@ -1,8 +1,11 @@
 #!/bin/bash
 # Setup Gitea Admin Secret
 #
-# This script creates the Kubernetes secret required for Gitea admin credentials.
-# Run this BEFORE installing Gitea with Helm.
+# This script creates TWO Kubernetes secrets:
+# 1. gitea-admin-secret (gitea namespace) - Used by Gitea Helm chart for admin credentials
+# 2. gitea-registry-secret (bakery-ia namespace) - Used by pods for imagePullSecrets
+#
+# Both secrets use the SAME credentials, ensuring consistency.
 #
 # Usage:
 #   ./setup-admin-secret.sh [password]
@@ -12,7 +15,10 @@
 set -e

 KUBECTL="kubectl"
-NAMESPACE="gitea"
+GITEA_NAMESPACE="gitea"
+BAKERY_NAMESPACE="bakery-ia"
+REGISTRY_HOST="registry.bakery-ia.local"
+ADMIN_USERNAME="bakery-admin"

 # Check if running in microk8s
 if command -v microk8s &> /dev/null; then
@@ -27,22 +33,73 @@ else
    echo "Generated admin password: $ADMIN_PASSWORD"
 fi

-# Create namespace if it doesn't exist
-$KUBECTL create namespace "$NAMESPACE" --dry-run=client -o yaml | $KUBECTL apply -f -
+# Create namespaces if they don't exist
+$KUBECTL create namespace "$GITEA_NAMESPACE" --dry-run=client -o yaml | $KUBECTL apply -f -
+$KUBECTL create namespace "$BAKERY_NAMESPACE" --dry-run=client -o yaml | $KUBECTL apply -f -

-# Create the secret
+# 1. Create gitea-admin-secret for Gitea Helm chart
+echo "Creating gitea-admin-secret in $GITEA_NAMESPACE namespace..."
 $KUBECTL create secret generic gitea-admin-secret \
-    --namespace "$NAMESPACE" \
-    --from-literal=username=bakery-admin \
+    --namespace "$GITEA_NAMESPACE" \
+    --from-literal=username="$ADMIN_USERNAME" \
    --from-literal=password="$ADMIN_PASSWORD" \
    --dry-run=client -o yaml | $KUBECTL apply -f -

+# 2. Create gitea-registry-secret for imagePullSecrets
+echo "Creating gitea-registry-secret in $BAKERY_NAMESPACE namespace..."
+
+# Create Docker config JSON for registry authentication
+AUTH_BASE64=$(echo -n "${ADMIN_USERNAME}:${ADMIN_PASSWORD}" | base64)
+DOCKER_CONFIG_JSON=$(cat <<EOF
+{
+  "auths": {
+    "${REGISTRY_HOST}": {
+      "username": "${ADMIN_USERNAME}",
+      "password": "${ADMIN_PASSWORD}",
+      "auth": "${AUTH_BASE64}"
+    }
+  }
+}
+EOF
+)
+
+# Base64 encode the entire config (use -w0 on Linux, no flag needed on macOS)
+if [[ "$OSTYPE" == "darwin"* ]]; then
+    DOCKER_CONFIG_BASE64=$(echo -n "$DOCKER_CONFIG_JSON" | base64)
+else
+    DOCKER_CONFIG_BASE64=$(echo -n "$DOCKER_CONFIG_JSON" | base64 -w0)
+fi
+
+# Create the registry secret
+cat <<EOF | $KUBECTL apply -f -
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitea-registry-secret
+  namespace: ${BAKERY_NAMESPACE}
+  labels:
+    app.kubernetes.io/name: bakery-ia
+    app.kubernetes.io/component: registry
+    app.kubernetes.io/managed-by: setup-admin-secret
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: ${DOCKER_CONFIG_BASE64}
+EOF
+
 echo ""
-echo "Gitea admin secret created successfully!"
+echo "=========================================="
+echo "Gitea secrets created successfully!"
+echo "=========================================="
 echo ""
-echo "Admin credentials:"
-echo "  Username: bakery-admin"
+echo "Credentials (same for both secrets):"
+echo "  Username: $ADMIN_USERNAME"
 echo "  Password: $ADMIN_PASSWORD"
 echo ""
+echo "Secrets created:"
+echo "  1. gitea-admin-secret      (namespace: $GITEA_NAMESPACE)  - For Gitea Helm chart"
+echo "  2. gitea-registry-secret   (namespace: $BAKERY_NAMESPACE) - For imagePullSecrets"
+echo ""
+echo "Registry URL: https://$REGISTRY_HOST"
+echo ""
 echo "Now install Gitea with:"
 echo "  helm install gitea gitea/gitea -n gitea -f infrastructure/cicd/gitea/values.yaml"
--- a/infrastructure/environments/common/configs/secrets.yaml
+++ b/infrastructure/environments/common/configs/secrets.yaml
@@ -1,3 +1,9 @@
+# NOTE: gitea-registry-secret is dynamically created by:
+#   infrastructure/cicd/gitea/sync-registry-secret.sh
+# This script is automatically run by Tiltfile after Gitea setup.
+# The secret uses the same credentials as gitea-admin-secret in the gitea namespace.
+# DO NOT define gitea-registry-secret here to avoid credential sync issues.
+---
 apiVersion: v1
 kind: Secret
 metadata:
--- a/infrastructure/environments/dev/k8s-manifests/kustomization.yaml
+++ b/infrastructure/environments/dev/k8s-manifests/kustomization.yaml
@@ -40,63 +40,100 @@ patches:
        value: "true"
  # NOTE: nominatim patches removed - nominatim is now deployed via Helm (tilt trigger nominatim-helm)

+  # Add imagePullSecrets to all Deployments for Gitea registry authentication
+  - target:
+      kind: Deployment
+    patch: |-
+      - op: add
+        path: /spec/template/spec/imagePullSecrets
+        value:
+          - name: gitea-registry-secret
+
+  # Add imagePullSecrets to all StatefulSets for Gitea registry authentication
+  - target:
+      kind: StatefulSet
+    patch: |-
+      - op: add
+        path: /spec/template/spec/imagePullSecrets
+        value:
+          - name: gitea-registry-secret
+
+  # Add imagePullSecrets to all Jobs for Gitea registry authentication
+  - target:
+      kind: Job
+    patch: |-
+      - op: add
+        path: /spec/template/spec/imagePullSecrets
+        value:
+          - name: gitea-registry-secret
+
+  # Add imagePullSecrets to all CronJobs for Gitea registry authentication
+  - target:
+      kind: CronJob
+    patch: |-
+      - op: add
+        path: /spec/jobTemplate/spec/template/spec/imagePullSecrets
+        value:
+          - name: gitea-registry-secret
+
 labels:
  - includeSelectors: true
    pairs:
      environment: development
      tier: local

-# Dev image overrides - use local registry to avoid Docker Hub rate limits
+# Dev image overrides - use Gitea registry to avoid Docker Hub rate limits
 # IMPORTANT: All image names must be lowercase (Docker requirement)
-# The prepull-base-images.sh script converts names to lowercase when pushing to local registry
+# The prepull-base-images.sh script pushes images to registry.bakery-ia.local/bakery-admin/
+# Format: registry.bakery-ia.local/bakery-admin/<package-name>:<original-tag>
 images:
  # Database images
  - name: postgres
-    newName: localhost:5000/postgres_17-alpine
-    newTag: latest
+    newName: registry.bakery-ia.local/bakery-admin/postgres
+    newTag: "17-alpine"
  - name: redis
-    newName: localhost:5000/redis_7.4-alpine
-    newTag: latest
+    newName: registry.bakery-ia.local/bakery-admin/redis
+    newTag: "7.4-alpine"
  - name: rabbitmq
-    newName: localhost:5000/rabbitmq_4.1-management-alpine
-    newTag: latest
+    newName: registry.bakery-ia.local/bakery-admin/rabbitmq
+    newTag: "4.1-management-alpine"
  # Utility images
  - name: busybox
-    newName: localhost:5000/busybox_1.36
-    newTag: latest
+    newName: registry.bakery-ia.local/bakery-admin/busybox
+    newTag: "1.36"
  - name: curlimages/curl
-    newName: localhost:5000/curlimages_curl_latest
+    newName: registry.bakery-ia.local/bakery-admin/curlimages-curl
    newTag: latest
  - name: bitnami/kubectl
-    newName: localhost:5000/bitnami_kubectl_latest
+    newName: registry.bakery-ia.local/bakery-admin/bitnami-kubectl
    newTag: latest

  # Alpine variants
  - name: alpine
-    newName: localhost:5000/alpine_3.19
-    newTag: latest
+    newName: registry.bakery-ia.local/bakery-admin/alpine
+    newTag: "3.19"
  - name: alpine/git
-    newName: localhost:5000/alpine_git_2.43.0
-    newTag: latest
-  # CI/CD images (cached locally for consistency)
+    newName: registry.bakery-ia.local/bakery-admin/alpine-git
+    newTag: "2.43.0"
+  # CI/CD images (cached in Gitea registry for consistency)
  - name: gcr.io/kaniko-project/executor
-    newName: localhost:5000/gcr.io_kaniko-project_executor_v1.23.0
-    newTag: latest
+    newName: registry.bakery-ia.local/bakery-admin/gcr.io-kaniko-project-executor
+    newTag: v1.23.0
  - name: gcr.io/go-containerregistry/crane
-    newName: localhost:5000/gcr.io_go-containerregistry_crane_latest
+    newName: registry.bakery-ia.local/bakery-admin/gcr.io-go-containerregistry-crane
    newTag: latest
  - name: registry.k8s.io/kustomize/kustomize
-    newName: localhost:5000/registry.k8s.io_kustomize_kustomize_v5.3.0
-    newTag: latest
-  # Storage images (lowercase - RELEASE becomes release)
+    newName: registry.bakery-ia.local/bakery-admin/registry.k8s.io-kustomize-kustomize
+    newTag: v5.3.0
+  # Storage images
  - name: minio/minio
-    newName: localhost:5000/minio_minio_release.2024-11-07t00-52-20z
-    newTag: latest
+    newName: registry.bakery-ia.local/bakery-admin/minio-minio
+    newTag: RELEASE.2024-11-07T00-52-20Z
  - name: minio/mc
-    newName: localhost:5000/minio_mc_release.2024-11-17t19-35-25z
-    newTag: latest
+    newName: registry.bakery-ia.local/bakery-admin/minio-mc
+    newTag: RELEASE.2024-11-17T19-35-25Z
  # NOTE: nominatim image override removed - nominatim is now deployed via Helm
  # Python base image
  - name: python
-    newName: localhost:5000/python_3.11-slim
-    newTag: latest
+    newName: registry.bakery-ia.local/bakery-admin/python
+    newTag: "3.11-slim"
--- a/infrastructure/platform/mail/mailu-helm/dev/values.yaml
+++ b/infrastructure/platform/mail/mailu-helm/dev/values.yaml
@@ -2,7 +2,8 @@
 global:
  # Using Unbound DNS for DNSSEC validation (required by Mailu admin)
  # Unbound service is available at unbound-dns.bakery-ia.svc.cluster.local
-  custom_dns_servers: "10.98.197.120"  # Unbound DNS service IP
+  # Static ClusterIP configured in unbound-helm/values.yaml
+  custom_dns_servers: "10.96.53.53"  # Unbound DNS static ClusterIP

 # Redis configuration - use built-in Mailu Redis (no authentication needed)
 externalRedis:
@@ -14,7 +15,7 @@ admin:
  dnsPolicy: "None"
  dnsConfig:
    nameservers:
-      - "10.98.197.120"   # Unbound DNS for DNSSEC validation (forwards cluster.local to kube-dns)
+      - "10.96.53.53"   # Unbound DNS static ClusterIP (forwards cluster.local to kube-dns)
    searches:
      - "bakery-ia.svc.cluster.local"
      - "svc.cluster.local"
--- a/infrastructure/platform/mail/mailu-helm/values.yaml
+++ b/infrastructure/platform/mail/mailu-helm/values.yaml
@@ -5,7 +5,8 @@
 global:
  # Using Unbound DNS resolver directly for DNSSEC validation
  # Unbound service is available at unbound-dns.bakery-ia.svc.cluster.local
-  custom_dns_servers: "10.104.127.213"  # Unbound service IP
+  # Static ClusterIP configured in unbound-helm/values.yaml
+  custom_dns_servers: "10.96.53.53"  # Unbound DNS static ClusterIP

 # Domain configuration
 domain: "DOMAIN_PLACEHOLDER"
--- a/infrastructure/platform/networking/dns/unbound-helm/templates/service.yaml
+++ b/infrastructure/platform/networking/dns/unbound-helm/templates/service.yaml
@@ -11,6 +11,9 @@ metadata:
  {{- end }}
 spec:
  type: {{ .Values.service.type }}
+  {{- if .Values.service.clusterIP }}
+  clusterIP: {{ .Values.service.clusterIP }}
+  {{- end }}
  ports:
    - name: dns-udp
      port: {{ .Values.service.ports.dnsUdp }}
--- a/infrastructure/platform/networking/dns/unbound-helm/values.yaml
+++ b/infrastructure/platform/networking/dns/unbound-helm/values.yaml
@@ -34,6 +34,10 @@ securityContext:
 # Service configuration
 service:
  type: "ClusterIP"
+  # Static ClusterIP for predictable DNS configuration
+  # This allows other services (like Mailu) to reference a stable IP
+  # Must be within the cluster's service CIDR range (typically 10.96.0.0/12)
+  clusterIP: "10.96.53.53"
  ports:
    dnsUdp: 53
    dnsTcp: 53
--- a/infrastructure/platform/networking/ingress/base/ingress.yaml
+++ b/infrastructure/platform/networking/ingress/base/ingress.yaml
@@ -10,7 +10,7 @@ metadata:
    # Nginx ingress controller annotations
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/proxy-body-size: "100m"
+    nginx.ingress.kubernetes.io/proxy-body-size: "500m"
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"