Add new infra architecture 9

infrastructure/environments/common/configs/secrets.yaml

@@ -1,3 +1,9 @@
+# NOTE: gitea-registry-secret is dynamically created by:
+#   infrastructure/cicd/gitea/sync-registry-secret.sh
+# This script is automatically run by Tiltfile after Gitea setup.
+# The secret uses the same credentials as gitea-admin-secret in the gitea namespace.
+# DO NOT define gitea-registry-secret here to avoid credential sync issues.
+---
 apiVersion: v1
 kind: Secret
 metadata:

infrastructure/environments/dev/k8s-manifests/kustomization.yaml

@@ -40,63 +40,100 @@ patches:
         value: "true"
   # NOTE: nominatim patches removed - nominatim is now deployed via Helm (tilt trigger nominatim-helm)
 
+  # Add imagePullSecrets to all Deployments for Gitea registry authentication
+  - target:
+      kind: Deployment
+    patch: |-
+      - op: add
+        path: /spec/template/spec/imagePullSecrets
+        value:
+          - name: gitea-registry-secret
+
+  # Add imagePullSecrets to all StatefulSets for Gitea registry authentication
+  - target:
+      kind: StatefulSet
+    patch: |-
+      - op: add
+        path: /spec/template/spec/imagePullSecrets
+        value:
+          - name: gitea-registry-secret
+
+  # Add imagePullSecrets to all Jobs for Gitea registry authentication
+  - target:
+      kind: Job
+    patch: |-
+      - op: add
+        path: /spec/template/spec/imagePullSecrets
+        value:
+          - name: gitea-registry-secret
+
+  # Add imagePullSecrets to all CronJobs for Gitea registry authentication
+  - target:
+      kind: CronJob
+    patch: |-
+      - op: add
+        path: /spec/jobTemplate/spec/template/spec/imagePullSecrets
+        value:
+          - name: gitea-registry-secret
+
 labels:
   - includeSelectors: true
     pairs:
       environment: development
       tier: local
 
-# Dev image overrides - use local registry to avoid Docker Hub rate limits
+# Dev image overrides - use Gitea registry to avoid Docker Hub rate limits
 # IMPORTANT: All image names must be lowercase (Docker requirement)
-# The prepull-base-images.sh script converts names to lowercase when pushing to local registry
+# The prepull-base-images.sh script pushes images to registry.bakery-ia.local/bakery-admin/
+# Format: registry.bakery-ia.local/bakery-admin/<package-name>:<original-tag>
 images:
   # Database images
   - name: postgres
-    newName: localhost:5000/postgres_17-alpine
-    newTag: latest
+    newName: registry.bakery-ia.local/bakery-admin/postgres
+    newTag: "17-alpine"
   - name: redis
-    newName: localhost:5000/redis_7.4-alpine
-    newTag: latest
+    newName: registry.bakery-ia.local/bakery-admin/redis
+    newTag: "7.4-alpine"
   - name: rabbitmq
-    newName: localhost:5000/rabbitmq_4.1-management-alpine
-    newTag: latest
+    newName: registry.bakery-ia.local/bakery-admin/rabbitmq
+    newTag: "4.1-management-alpine"
   # Utility images
   - name: busybox
-    newName: localhost:5000/busybox_1.36
-    newTag: latest
+    newName: registry.bakery-ia.local/bakery-admin/busybox
+    newTag: "1.36"
   - name: curlimages/curl
-    newName: localhost:5000/curlimages_curl_latest
+    newName: registry.bakery-ia.local/bakery-admin/curlimages-curl
     newTag: latest
   - name: bitnami/kubectl
-    newName: localhost:5000/bitnami_kubectl_latest
+    newName: registry.bakery-ia.local/bakery-admin/bitnami-kubectl
     newTag: latest
 
   # Alpine variants
   - name: alpine
-    newName: localhost:5000/alpine_3.19
-    newTag: latest
+    newName: registry.bakery-ia.local/bakery-admin/alpine
+    newTag: "3.19"
   - name: alpine/git
-    newName: localhost:5000/alpine_git_2.43.0
-    newTag: latest
-  # CI/CD images (cached locally for consistency)
+    newName: registry.bakery-ia.local/bakery-admin/alpine-git
+    newTag: "2.43.0"
+  # CI/CD images (cached in Gitea registry for consistency)
   - name: gcr.io/kaniko-project/executor
-    newName: localhost:5000/gcr.io_kaniko-project_executor_v1.23.0
-    newTag: latest
+    newName: registry.bakery-ia.local/bakery-admin/gcr.io-kaniko-project-executor
+    newTag: v1.23.0
   - name: gcr.io/go-containerregistry/crane
-    newName: localhost:5000/gcr.io_go-containerregistry_crane_latest
+    newName: registry.bakery-ia.local/bakery-admin/gcr.io-go-containerregistry-crane
     newTag: latest
   - name: registry.k8s.io/kustomize/kustomize
-    newName: localhost:5000/registry.k8s.io_kustomize_kustomize_v5.3.0
-    newTag: latest
-  # Storage images (lowercase - RELEASE becomes release)
+    newName: registry.bakery-ia.local/bakery-admin/registry.k8s.io-kustomize-kustomize
+    newTag: v5.3.0
+  # Storage images
   - name: minio/minio
-    newName: localhost:5000/minio_minio_release.2024-11-07t00-52-20z
-    newTag: latest
+    newName: registry.bakery-ia.local/bakery-admin/minio-minio
+    newTag: RELEASE.2024-11-07T00-52-20Z
   - name: minio/mc
-    newName: localhost:5000/minio_mc_release.2024-11-17t19-35-25z
-    newTag: latest
+    newName: registry.bakery-ia.local/bakery-admin/minio-mc
+    newTag: RELEASE.2024-11-17T19-35-25Z
   # NOTE: nominatim image override removed - nominatim is now deployed via Helm
   # Python base image
   - name: python
-    newName: localhost:5000/python_3.11-slim
-    newTag: latest
+    newName: registry.bakery-ia.local/bakery-admin/python
+    newTag: "3.11-slim"