bakery-admin/bakery-ia
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add new infra architecture 9

Browse Source
This commit is contained in:
Urtzi Alfaro
2026-01-20 07:20:56 +01:00
parent 52b8abdc0e
commit bc00bab061
17 changed files with 284 additions and 276 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
CI_CD_IMPLEMENTATION_PLAN.md
View File

@@ -1,3 +1,38 @@
cat << 'EOFCMD' | colima --profile k8s-local ssh
sudo tee /etc/docker/daemon.json << 'EOF'
{
"exec-opts": [
"native.cgroupdriver=cgroupfs"
],
"features": {
"buildkit": true,
"containerd-snapshotter": true
},
"insecure-registries": ["registry.bakery-ia.local"]
}
EOF
EOFCMD
-------
Kind cluster configuration:
Added registry.bakery-ia.local to /etc/hosts inside Kind container
Configured containerd to trust the self-signed certificate via /etc/containerd/certs.d/registry.bakery-ia.local/hosts.toml
docker exec bakery-ia-local-control-plane sh -c 'echo "127.0.0.1 registry.bakery-ia.local" >> /etc/hosts' 2>&1
kubectl get secret bakery-dev-tls-cert -n bakery-ia -o jsonpath='{.data.tls\.crt}' | base64 -d | docker exec -i bakery-ia-local-control-plane sh -c 'mkdir -p /etc/containerd/certs.d/registry.bakery-ia.local && cat > /etc/containerd/certs.d/registry.bakery-ia.local/ca.crt' 2>&1
docker exec bakery-ia-local-control-plane sh -c 'cat > /etc/containerd/certs.d/registry.bakery-ia.local/hosts.toml << EOF
server = "https://registry.bakery-ia.local"
[host."https://registry.bakery-ia.local"]
capabilities = ["pull", "resolve"]
ca = "/etc/containerd/certs.d/registry.bakery-ia.local/ca.crt"
EOF' 2>&1
# Bakery-IA Production CI/CD Implementation Plan # Bakery-IA Production CI/CD Implementation Plan
## Document Overview ## Document Overview

42
MAILU_MIGRATION_SUMMARY.md
View File

@@ -1,42 +0,0 @@
# Mailu Migration Summary
This document summarizes the migration from the old Kustomize-based Mailu setup to the new Helm-based setup.
## Files Removed
- `infrastructure/platform/mail/mailu/` - Complete removal of old Kustomize-based Mailu configuration
- `infrastructure/security/certificates/mailu/` - Removal of old certificate generation scripts
## Files Updated
### Infrastructure Configuration
- `infrastructure/environments/dev/k8s-manifests/kustomization.yaml` - Removed Mailu resource reference and patches
- `infrastructure/environments/prod/k8s-manifests/kustomization.yaml` - Removed Mailu resource reference and patches
- `infrastructure/platform/networking/ingress/base/ingress.yaml` - Removed Mailu-specific ingress rules and TLS entries
- `infrastructure/monitoring/signoz/README.md` - Updated to reflect Helm-based Mailu deployment
- `infrastructure/environments/common/configs/secrets.yaml` - Updated comments to reflect new service name
### Service Integration
- `infrastructure/environments/common/configs/configmap.yaml` - Updated SMTP_HOST to use new Helm service name
- `infrastructure/monitoring/signoz/signoz-values-prod.yaml` - Updated SMTP configuration to use new service name
## New Files Created
- `infrastructure/platform/mail/mailu-helm/` - New Helm-based Mailu configuration
- `values.yaml` - Base configuration values
- `dev/values.yaml` - Development-specific overrides
- `prod/values.yaml` - Production-specific overrides
- `mailu-ingress.yaml` - Sample ingress configuration for use with existing ingress
- `README.md` - Comprehensive documentation
- `MIGRATION_GUIDE.md` - Migration guide with rollback procedures
## Key Changes
1. **Service Names**: Changed from `mailu-smtp` to `mailu-postfix` (Helm chart service naming)
2. **Deployment Method**: Switched from Kustomize manifests to Helm chart
3. **Ingress Configuration**: Disabled built-in ingress to work with existing ingress controller
4. **Configuration**: All configurations now use Helm values files instead of individual YAML manifests
## Verification
The new configuration has been tested and verified to work with the existing ingress setup, maintaining all critical functionality while improving maintainability.

14
Tiltfile
View File

@@ -25,7 +25,7 @@
# Set USE_GITEA_REGISTRY=true environment variable to push images to Gitea registry # Set USE_GITEA_REGISTRY=true environment variable to push images to Gitea registry
# Otherwise, uses local registry for faster builds and deployments # Otherwise, uses local registry for faster builds and deployments
use_dockerhub = False # Default to False use_dockerhub = False # Default to False
use_gitea_registry = False # Default to False - Gitea registry not working currently use_gitea_registry = True # Default to False - Gitea registry not working currently
if 'USE_DOCKERHUB' in os.environ: if 'USE_DOCKERHUB' in os.environ:
use_dockerhub = os.environ['USE_DOCKERHUB'].lower() == 'true' use_dockerhub = os.environ['USE_DOCKERHUB'].lower() == 'true'
if 'USE_GITEA_REGISTRY' in os.environ: if 'USE_GITEA_REGISTRY' in os.environ:
@@ -1487,10 +1487,20 @@ else:
echo "" echo ""
echo "Gitea setup complete!" echo "Gitea setup complete!"
echo "Access Gitea at: http://gitea.bakery-ia.local (for dev) or http://gitea.bakewise.ai (for prod)" echo "Access Gitea at: https://gitea.bakery-ia.local (for dev) or https://gitea.bakewise.ai (for prod)"
echo "Registry URL: https://registry.bakery-ia.local"
echo "Make sure to add the appropriate hostname to /etc/hosts or configure DNS" echo "Make sure to add the appropriate hostname to /etc/hosts or configure DNS"
echo "Check status: kubectl get pods -n gitea" echo "Check status: kubectl get pods -n gitea"
echo "To uninstall: helm uninstall gitea -n gitea" echo "To uninstall: helm uninstall gitea -n gitea"
# Sync registry credentials to bakery-ia namespace for pod image pulls
echo ""
echo "Syncing registry credentials to bakery-ia namespace..."
chmod +x infrastructure/cicd/gitea/sync-registry-secret.sh
./infrastructure/cicd/gitea/sync-registry-secret.sh
echo ""
echo "Registry secret synced! Pods in bakery-ia namespace can now pull from registry.bakery-ia.local"
''', ''',
labels=['99-cicd'], labels=['99-cicd'],
auto_init=False, # Manual trigger only auto_init=False, # Manual trigger only

26
coredns-dnssec-forward-patch.yaml
View File

@@ -1,26 +0,0 @@
data:
Corefile: |
.:53 {
errors
health {
lameduck 5s
}
ready
kubernetes cluster.local in-addr.arpa ip6.arpa {
pods insecure
fallthrough in-addr.arpa ip6.arpa
ttl 30
}
prometheus :9153
forward . 8.8.8.8 8.8.4.4 {
force_tcp
max_concurrent 1000
}
cache 30 {
disable success cluster.local
disable denial cluster.local
}
loop
reload
loadbalance
}

28
coredns-dnssec-patch.yaml
View File

@@ -1,28 +0,0 @@
data:
Corefile: |
.:53 {
errors
health {
lameduck 5s
}
ready
kubernetes cluster.local in-addr.arpa ip6.arpa {
pods insecure
fallthrough in-addr.arpa ip6.arpa
ttl 30
}
prometheus :9153
forward . /etc/resolv.conf {
max_concurrent 1000
}
dnssec {
enable
}
cache 30 {
disable success cluster.local
disable denial cluster.local
}
loop
reload
loadbalance
}

79
infrastructure/cicd/gitea/setup-admin-secret.sh
View File

@@ -1,8 +1,11 @@
#!/bin/bash #!/bin/bash
# Setup Gitea Admin Secret # Setup Gitea Admin Secret
# #
# This script creates the Kubernetes secret required for Gitea admin credentials. # This script creates TWO Kubernetes secrets:
# Run this BEFORE installing Gitea with Helm. # 1. gitea-admin-secret (gitea namespace) - Used by Gitea Helm chart for admin credentials
# 2. gitea-registry-secret (bakery-ia namespace) - Used by pods for imagePullSecrets
#
# Both secrets use the SAME credentials, ensuring consistency.
# #
# Usage: # Usage:
# ./setup-admin-secret.sh [password] # ./setup-admin-secret.sh [password]
@@ -12,7 +15,10 @@
set -e set -e
KUBECTL="kubectl" KUBECTL="kubectl"
NAMESPACE="gitea" GITEA_NAMESPACE="gitea"
BAKERY_NAMESPACE="bakery-ia"
REGISTRY_HOST="registry.bakery-ia.local"
ADMIN_USERNAME="bakery-admin"
# Check if running in microk8s # Check if running in microk8s
if command -v microk8s &> /dev/null; then if command -v microk8s &> /dev/null; then
@@ -27,22 +33,73 @@ else
echo "Generated admin password: $ADMIN_PASSWORD" echo "Generated admin password: $ADMIN_PASSWORD"
fi fi
# Create namespace if it doesn't exist # Create namespaces if they don't exist
$KUBECTL create namespace "$NAMESPACE" --dry-run=client -o yaml | $KUBECTL apply -f - $KUBECTL create namespace "$GITEA_NAMESPACE" --dry-run=client -o yaml | $KUBECTL apply -f -
$KUBECTL create namespace "$BAKERY_NAMESPACE" --dry-run=client -o yaml | $KUBECTL apply -f -
# Create the secret # 1. Create gitea-admin-secret for Gitea Helm chart
echo "Creating gitea-admin-secret in $GITEA_NAMESPACE namespace..."
$KUBECTL create secret generic gitea-admin-secret \ $KUBECTL create secret generic gitea-admin-secret \
--namespace "$NAMESPACE" \ --namespace "$GITEA_NAMESPACE" \
--from-literal=username=bakery-admin \ --from-literal=username="$ADMIN_USERNAME" \
--from-literal=password="$ADMIN_PASSWORD" \ --from-literal=password="$ADMIN_PASSWORD" \
--dry-run=client -o yaml | $KUBECTL apply -f - --dry-run=client -o yaml | $KUBECTL apply -f -
# 2. Create gitea-registry-secret for imagePullSecrets
echo "Creating gitea-registry-secret in $BAKERY_NAMESPACE namespace..."
# Create Docker config JSON for registry authentication
AUTH_BASE64=$(echo -n "${ADMIN_USERNAME}:${ADMIN_PASSWORD}" | base64)
DOCKER_CONFIG_JSON=$(cat <<EOF
{
"auths": {
"${REGISTRY_HOST}": {
"username": "${ADMIN_USERNAME}",
"password": "${ADMIN_PASSWORD}",
"auth": "${AUTH_BASE64}"
}
}
}
EOF
)
# Base64 encode the entire config (use -w0 on Linux, no flag needed on macOS)
if [[ "$OSTYPE" == "darwin"* ]]; then
DOCKER_CONFIG_BASE64=$(echo -n "$DOCKER_CONFIG_JSON" | base64)
else
DOCKER_CONFIG_BASE64=$(echo -n "$DOCKER_CONFIG_JSON" | base64 -w0)
fi
# Create the registry secret
cat <<EOF | $KUBECTL apply -f -
apiVersion: v1
kind: Secret
metadata:
name: gitea-registry-secret
namespace: ${BAKERY_NAMESPACE}
labels:
app.kubernetes.io/name: bakery-ia
app.kubernetes.io/component: registry
app.kubernetes.io/managed-by: setup-admin-secret
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: ${DOCKER_CONFIG_BASE64}
EOF
echo "" echo ""
echo "Gitea admin secret created successfully!" echo "=========================================="
echo "Gitea secrets created successfully!"
echo "=========================================="
echo "" echo ""
echo "Admin credentials:" echo "Credentials (same for both secrets):"
echo " Username: bakery-admin" echo " Username: $ADMIN_USERNAME"
echo " Password: $ADMIN_PASSWORD" echo " Password: $ADMIN_PASSWORD"
echo "" echo ""
echo "Secrets created:"
echo " 1. gitea-admin-secret (namespace: $GITEA_NAMESPACE) - For Gitea Helm chart"
echo " 2. gitea-registry-secret (namespace: $BAKERY_NAMESPACE) - For imagePullSecrets"
echo ""
echo "Registry URL: https://$REGISTRY_HOST"
echo ""
echo "Now install Gitea with:" echo "Now install Gitea with:"
echo " helm install gitea gitea/gitea -n gitea -f infrastructure/cicd/gitea/values.yaml" echo " helm install gitea gitea/gitea -n gitea -f infrastructure/cicd/gitea/values.yaml"

6
infrastructure/environments/common/configs/secrets.yaml
View File

@@ -1,3 +1,9 @@
# NOTE: gitea-registry-secret is dynamically created by:
# infrastructure/cicd/gitea/sync-registry-secret.sh
# This script is automatically run by Tiltfile after Gitea setup.
# The secret uses the same credentials as gitea-admin-secret in the gitea namespace.
# DO NOT define gitea-registry-secret here to avoid credential sync issues.
---
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:

95
infrastructure/environments/dev/k8s-manifests/kustomization.yaml
View File

@@ -40,63 +40,100 @@ patches:
value: "true" value: "true"
# NOTE: nominatim patches removed - nominatim is now deployed via Helm (tilt trigger nominatim-helm) # NOTE: nominatim patches removed - nominatim is now deployed via Helm (tilt trigger nominatim-helm)
# Add imagePullSecrets to all Deployments for Gitea registry authentication
- target:
kind: Deployment
patch: |-
- op: add
path: /spec/template/spec/imagePullSecrets
value:
- name: gitea-registry-secret
# Add imagePullSecrets to all StatefulSets for Gitea registry authentication
- target:
kind: StatefulSet
patch: |-
- op: add
path: /spec/template/spec/imagePullSecrets
value:
- name: gitea-registry-secret
# Add imagePullSecrets to all Jobs for Gitea registry authentication
- target:
kind: Job
patch: |-
- op: add
path: /spec/template/spec/imagePullSecrets
value:
- name: gitea-registry-secret
# Add imagePullSecrets to all CronJobs for Gitea registry authentication
- target:
kind: CronJob
patch: |-
- op: add
path: /spec/jobTemplate/spec/template/spec/imagePullSecrets
value:
- name: gitea-registry-secret
labels: labels:
- includeSelectors: true - includeSelectors: true
pairs: pairs:
environment: development environment: development
tier: local tier: local
# Dev image overrides - use local registry to avoid Docker Hub rate limits # Dev image overrides - use Gitea registry to avoid Docker Hub rate limits
# IMPORTANT: All image names must be lowercase (Docker requirement) # IMPORTANT: All image names must be lowercase (Docker requirement)
# The prepull-base-images.sh script converts names to lowercase when pushing to local registry # The prepull-base-images.sh script pushes images to registry.bakery-ia.local/bakery-admin/
# Format: registry.bakery-ia.local/bakery-admin/<package-name>:<original-tag>
images: images:
# Database images # Database images
- name: postgres - name: postgres
newName: localhost:5000/postgres_17-alpine newName: registry.bakery-ia.local/bakery-admin/postgres
newTag: latest newTag: "17-alpine"
- name: redis - name: redis
newName: localhost:5000/redis_7.4-alpine newName: registry.bakery-ia.local/bakery-admin/redis
newTag: latest newTag: "7.4-alpine"
- name: rabbitmq - name: rabbitmq
newName: localhost:5000/rabbitmq_4.1-management-alpine newName: registry.bakery-ia.local/bakery-admin/rabbitmq
newTag: latest newTag: "4.1-management-alpine"
# Utility images # Utility images
- name: busybox - name: busybox
newName: localhost:5000/busybox_1.36 newName: registry.bakery-ia.local/bakery-admin/busybox
newTag: latest newTag: "1.36"
- name: curlimages/curl - name: curlimages/curl
newName: localhost:5000/curlimages_curl_latest newName: registry.bakery-ia.local/bakery-admin/curlimages-curl
newTag: latest newTag: latest
- name: bitnami/kubectl - name: bitnami/kubectl
newName: localhost:5000/bitnami_kubectl_latest newName: registry.bakery-ia.local/bakery-admin/bitnami-kubectl
newTag: latest newTag: latest
# Alpine variants # Alpine variants
- name: alpine - name: alpine
newName: localhost:5000/alpine_3.19 newName: registry.bakery-ia.local/bakery-admin/alpine
newTag: latest newTag: "3.19"
- name: alpine/git - name: alpine/git
newName: localhost:5000/alpine_git_2.43.0 newName: registry.bakery-ia.local/bakery-admin/alpine-git
newTag: latest newTag: "2.43.0"
# CI/CD images (cached locally for consistency) # CI/CD images (cached in Gitea registry for consistency)
- name: gcr.io/kaniko-project/executor - name: gcr.io/kaniko-project/executor
newName: localhost:5000/gcr.io_kaniko-project_executor_v1.23.0 newName: registry.bakery-ia.local/bakery-admin/gcr.io-kaniko-project-executor
newTag: latest newTag: v1.23.0
- name: gcr.io/go-containerregistry/crane - name: gcr.io/go-containerregistry/crane
newName: localhost:5000/gcr.io_go-containerregistry_crane_latest newName: registry.bakery-ia.local/bakery-admin/gcr.io-go-containerregistry-crane
newTag: latest newTag: latest
- name: registry.k8s.io/kustomize/kustomize - name: registry.k8s.io/kustomize/kustomize
newName: localhost:5000/registry.k8s.io_kustomize_kustomize_v5.3.0 newName: registry.bakery-ia.local/bakery-admin/registry.k8s.io-kustomize-kustomize
newTag: latest newTag: v5.3.0
# Storage images (lowercase - RELEASE becomes release) # Storage images
- name: minio/minio - name: minio/minio
newName: localhost:5000/minio_minio_release.2024-11-07t00-52-20z newName: registry.bakery-ia.local/bakery-admin/minio-minio
newTag: latest newTag: RELEASE.2024-11-07T00-52-20Z
- name: minio/mc - name: minio/mc
newName: localhost:5000/minio_mc_release.2024-11-17t19-35-25z newName: registry.bakery-ia.local/bakery-admin/minio-mc
newTag: latest newTag: RELEASE.2024-11-17T19-35-25Z
# NOTE: nominatim image override removed - nominatim is now deployed via Helm # NOTE: nominatim image override removed - nominatim is now deployed via Helm
# Python base image # Python base image
- name: python - name: python
newName: localhost:5000/python_3.11-slim newName: registry.bakery-ia.local/bakery-admin/python
newTag: latest newTag: "3.11-slim"

5
infrastructure/platform/mail/mailu-helm/dev/values.yaml
View File

@@ -2,7 +2,8 @@
global: global:
# Using Unbound DNS for DNSSEC validation (required by Mailu admin) # Using Unbound DNS for DNSSEC validation (required by Mailu admin)
# Unbound service is available at unbound-dns.bakery-ia.svc.cluster.local # Unbound service is available at unbound-dns.bakery-ia.svc.cluster.local
custom_dns_servers: "10.98.197.120" # Unbound DNS service IP # Static ClusterIP configured in unbound-helm/values.yaml
custom_dns_servers: "10.96.53.53" # Unbound DNS static ClusterIP
# Redis configuration - use built-in Mailu Redis (no authentication needed) # Redis configuration - use built-in Mailu Redis (no authentication needed)
externalRedis: externalRedis:
@@ -14,7 +15,7 @@ admin:
dnsPolicy: "None" dnsPolicy: "None"
dnsConfig: dnsConfig:
nameservers: nameservers:
- "10.98.197.120" # Unbound DNS for DNSSEC validation (forwards cluster.local to kube-dns) - "10.96.53.53" # Unbound DNS static ClusterIP (forwards cluster.local to kube-dns)
searches: searches:
- "bakery-ia.svc.cluster.local" - "bakery-ia.svc.cluster.local"
- "svc.cluster.local" - "svc.cluster.local"

3
infrastructure/platform/mail/mailu-helm/values.yaml
View File

@@ -5,7 +5,8 @@
global: global:
# Using Unbound DNS resolver directly for DNSSEC validation # Using Unbound DNS resolver directly for DNSSEC validation
# Unbound service is available at unbound-dns.bakery-ia.svc.cluster.local # Unbound service is available at unbound-dns.bakery-ia.svc.cluster.local
custom_dns_servers: "10.104.127.213" # Unbound service IP # Static ClusterIP configured in unbound-helm/values.yaml
custom_dns_servers: "10.96.53.53" # Unbound DNS static ClusterIP
# Domain configuration # Domain configuration
domain: "DOMAIN_PLACEHOLDER" domain: "DOMAIN_PLACEHOLDER"

3
infrastructure/platform/networking/dns/unbound-helm/templates/service.yaml
View File

@@ -11,6 +11,9 @@ metadata:
{{- end }} {{- end }}
spec: spec:
type: {{ .Values.service.type }} type: {{ .Values.service.type }}
{{- if .Values.service.clusterIP }}
clusterIP: {{ .Values.service.clusterIP }}
{{- end }}
ports: ports:
- name: dns-udp - name: dns-udp
port: {{ .Values.service.ports.dnsUdp }} port: {{ .Values.service.ports.dnsUdp }}

4
infrastructure/platform/networking/dns/unbound-helm/values.yaml
View File

@@ -34,6 +34,10 @@ securityContext:
# Service configuration # Service configuration
service: service:
type: "ClusterIP" type: "ClusterIP"
# Static ClusterIP for predictable DNS configuration
# This allows other services (like Mailu) to reference a stable IP
# Must be within the cluster's service CIDR range (typically 10.96.0.0/12)
clusterIP: "10.96.53.53"
ports: ports:
dnsUdp: 53 dnsUdp: 53
dnsTcp: 53 dnsTcp: 53

2
infrastructure/platform/networking/ingress/base/ingress.yaml
View File

@@ -10,7 +10,7 @@ metadata:
# Nginx ingress controller annotations # Nginx ingress controller annotations
nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true" nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: "100m" nginx.ingress.kubernetes.io/proxy-body-size: "500m"
nginx.ingress.kubernetes.io/proxy-connect-timeout: "600" nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "3600" nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
nginx.ingress.kubernetes.io/proxy-read-timeout: "3600" nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"

28
privkey.pem
View File

@@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCWcDUo744vZK0u
YVHv1GDpLGXt749LwfFBL2K6ZL2Kiln3r5IAyrsFsKGLqDhnaI7oTOfiHdW83yHT
9AbnZojYimH00Hzss+Z8VmzQWUtNC6F8K3uMXnjzdIYIzKAX47qZOw8V/0e0csC5
limyB5K/3Ln7eJyyPcHv3vWYl7wKpL2scw+g5AzHi70u68aGhtXsQOmL4IjzaHIi
xNyJVmiv8cd/JMUgUAvoSNekUSV8sSd/Tr7QSASXS+rFnCiFbAd2IiDGBdJJc9PM
M3uOzOiZnZlnU3yd+/xojAz9c9T8XGpb0VAlQofq81+MmbUH9tH7i38XDyu9yEkj
0Jmvr8fNAgMBAAECggEAG9I0gpWK3gjoXiNxW8ETCwxC7XXYMlJzo3J397CZvP1J
Fh1KCwty+uJnfcRmaflUNHHEkHSkCoHZZ7FBdZnoxOMSqovEDqJWhbgV95IL8vur
qaMA/jyacaui/g2ZrdFXuO7LI25KfHycV7YFj/8GjKTtYCw2DmCNdSbulIG7LNxy
ARBHbx3dKUn/t3ahylRsOyedRvF2j207ZTq9xkvcMLRzbSVFSrgYclQuqtQ6TjDL
F3WUXx59fxTSrwjV7QYzSPZuSfw5wBlBF5yiRzuJU4YN5wQvrLGG9qgimO8/+uds
6QbnIEUNe73oxw207zdywlMGyRd5vui6FtToF9YQoQKBgQDFgBoVGz+G2Ng4St9x
KujUKnloaxaa/Nmj0OoxcoCZljUAicA2gi5KeRMOMxrkVYLQBM13iA8uo7j3YPp9
axqZHwadplsvUh2+vCZKLA/JTjGQzSihxnBpKk0He/+wFOQ6V9AKN7ffUYIyim6n
3zLupxZ3y9Rfgdp6HdCb9nm/hwKBgQDC/4U9cxy+jr13rgKs3hrpQ6Qt2loenBM5
Ziu2ughH0pWoAIfSYK3whxtny2JrAhwQrABEpfGZVw1r9gvZnd0rGupbEUAaLCmd
vyjdfdI7iJrPYYQaMJIWiMi2EF5+7GHi898i95eMXQuxuDA0mIkK1UOp7n+C7qd+
QwWXDehLCwKBgCSYyDyBABSMugQ0W5Ms0FgARt8CeP3fPLUOUVc4UHwlSU0AOY3g
MZO7O7y125XUAplpSmmL3MRXsj6kycXTwun8xc0QtnTeUoS1eKLl50b2JlkeqxjP
HKVgIUXxxD9sn53wB6zdBkVrZSTYYgjZYya174PjUUchWMqoG6/KzGShAoGARDU0
2gXF7DHpvE81yFn4d9edOhzCoSpe3xkJ+WShON5EUvu8hq4iqZvYzjmqN1wJjRtd
DKYvGEAHBdiO1JQPpOBJUYl7Lqx78h3HoZI9U225GQk3OCH9N7yo2GZpZ2Qv6T78
sjKA5Cw3xvZyhjNE3HE0teAi4h2woM24ytmmg3kCgYEAptN1OocgACqd8DaTDOWl
PYVWEyT2kUmjhaF6jxBxP6QnWBAEup7iWHPc12B3aVs/DKczxSfjSIia8uQac9A/
eymSX05W+jP6sowZLmUq07cUdzx5AiC/eFz3xmZpftCsFgESLpuucu5CJ9uNKrkA
tgmk0sFQoyqY0TdXwDumIpU=
-----END PRIVATE KEY-----

96
scripts/prepull-base-images.sh
View File

@@ -59,8 +59,8 @@ BASE_IMAGES=(
# Read from environment variables (set by Tiltfile or manually) # Read from environment variables (set by Tiltfile or manually)
# USE_LOCAL_REGISTRY=true to push images to local registry after pulling # USE_LOCAL_REGISTRY=true to push images to local registry after pulling
# USE_GITEA_REGISTRY=true to push images to Gitea registry after pulling # USE_GITEA_REGISTRY=true to push images to Gitea registry after pulling
USE_LOCAL_REGISTRY="${USE_LOCAL_REGISTRY:-true}" USE_LOCAL_REGISTRY="${USE_LOCAL_REGISTRY:-false}"
USE_GITEA_REGISTRY="${USE_GITEA_REGISTRY:-false}" USE_GITEA_REGISTRY="${USE_GITEA_REGISTRY:-true}"
echo "Registry configuration:" echo "Registry configuration:"
echo " USE_LOCAL_REGISTRY=$USE_LOCAL_REGISTRY" echo " USE_LOCAL_REGISTRY=$USE_LOCAL_REGISTRY"
@@ -76,13 +76,66 @@ if [ "$USE_GITEA_REGISTRY" = "true" ]; then
echo "Testing Gitea registry accessibility at $REGISTRY..." echo "Testing Gitea registry accessibility at $REGISTRY..."
# Test if Gitea registry is accessible (try HTTPS first, then HTTP) # Test if Gitea registry is accessible (try HTTPS first, then HTTP)
if curl -sk https://$REGISTRY/v2/ >/dev/null 2>&1; then # Note: Gitea registry might return 401 Unauthorized when not authenticated, which is expected
# We're just checking if the service is reachable
if curl -sk -o /dev/null -w "%{http_code}" https://$REGISTRY/v2/ | grep -q "^[234]"; then
echo "✓ Gitea registry accessible via HTTPS" echo "✓ Gitea registry accessible via HTTPS"
elif curl -s http://$REGISTRY/v2/ >/dev/null 2>&1; then
# Authenticate with Gitea registry if accessible
echo "Authenticating with Gitea registry..."
echo "Note: For self-signed certificates, you may need to configure Docker to trust the registry:"
echo " 1. Add to /etc/docker/daemon.json:"
echo " {\"insecure-registries\": [\"$REGISTRY\"]}"
echo " 2. Restart Docker: sudo systemctl restart docker"
echo " 3. Or use: docker --insecure-registry $REGISTRY login $REGISTRY"
# Try to authenticate (this may fail due to certificate issues)
if ! docker login $REGISTRY; then
echo "Warning: Failed to authenticate with Gitea registry"
echo "This could be due to:"
echo " - Self-signed certificate issues (see above)"
echo " - Incorrect credentials"
echo " - Registry not properly configured"
echo "You may need to run: docker login $REGISTRY"
echo "Falling back to local registry"
REGISTRY="localhost:5000"
USE_GITEA_REGISTRY="false"
else
echo "✓ Gitea registry authentication successful"
fi
elif curl -s -o /dev/null -w "%{http_code}" http://$REGISTRY/v2/ | grep -q "^[234]"; then
echo "✓ Gitea registry accessible via HTTP" echo "✓ Gitea registry accessible via HTTP"
# Authenticate with Gitea registry if accessible
echo "Authenticating with Gitea registry..."
echo "Note: For self-signed certificates, you may need to configure Docker to trust the registry:"
echo " 1. Add to /etc/docker/daemon.json:"
echo " {\"insecure-registries\": [\"$REGISTRY\"]}"
echo " 2. Restart Docker: sudo systemctl restart docker"
echo " 3. Or use: docker --insecure-registry $REGISTRY login $REGISTRY"
# Try to authenticate (this may fail due to certificate issues)
if ! docker login $REGISTRY; then
echo "Warning: Failed to authenticate with Gitea registry"
echo "This could be due to:"
echo " - Self-signed certificate issues (see above)"
echo " - Incorrect credentials"
echo " - Registry not properly configured"
echo "You may need to run: docker login $REGISTRY"
echo "Falling back to local registry"
REGISTRY="localhost:5000"
USE_GITEA_REGISTRY="false"
else
echo "✓ Gitea registry authentication successful"
fi
else else
echo "Warning: Gitea registry at $REGISTRY is not accessible, falling back to local registry" echo "Warning: Gitea registry at $REGISTRY is not accessible, falling back to local registry"
echo "This could be because:"
echo " 1. Gitea is not running or not properly configured"
echo " 2. The ingress is not properly routing to Gitea"
echo " 3. The registry service is not exposed"
REGISTRY="localhost:5000" REGISTRY="localhost:5000"
USE_GITEA_REGISTRY="false"
fi fi
else else
REGISTRY="localhost:5000" REGISTRY="localhost:5000"
@@ -107,14 +160,26 @@ for image in "${BASE_IMAGES[@]}"; do
# Tag for registry if enabled # Tag for registry if enabled
if [ "$USE_LOCAL_REGISTRY" = "true" ] || [ "$USE_GITEA_REGISTRY" = "true" ]; then if [ "$USE_LOCAL_REGISTRY" = "true" ] || [ "$USE_GITEA_REGISTRY" = "true" ]; then
# Convert image name to registry format: if [ "$USE_GITEA_REGISTRY" = "true" ]; then
# - Replace / with _ # Gitea registry requires format: registry/owner/package:tag
# - Replace : with _ # Convert image name to package name:
# - Convert to lowercase (Docker requires lowercase repository names) # - Replace / with - (e.g., gcr.io/kaniko-project/executor -> gcr.io-kaniko-project-executor)
# - Add :latest tag for Kustomize compatibility # - Keep the tag if present, otherwise use original tag
# Example: gcr.io/kaniko-project/executor:v1.23.0 -> gcr.io_kaniko-project_executor_v1.23.0:latest # Example: gcr.io/kaniko-project/executor:v1.23.0 -> bakery-admin/gcr.io-kaniko-project-executor:v1.23.0
local_repo="$(echo $image | sed 's|/|_|g' | sed 's|:|_|g' | tr '[:upper:]' '[:lower:]')" image_name="${image%%:*}" # Remove tag
registry_image="$REGISTRY/${local_repo}:latest" image_tag="${image#*:}" # Get tag
if [ "$image_name" = "$image_tag" ]; then
image_tag="latest" # No tag in original, use latest
fi
# Convert image name: replace / with - and lowercase
package_name="$(echo $image_name | sed 's|/|-|g' | tr '[:upper:]' '[:lower:]')"
registry_image="$REGISTRY/bakery-admin/${package_name}:${image_tag}"
else
# Local registry format: replace / and : with _
local_repo="$(echo $image | sed 's|/|_|g' | sed 's|:|_|g' | tr '[:upper:]' '[:lower:]')"
registry_image="$REGISTRY/${local_repo}:latest"
fi
docker tag "$image" "$registry_image" docker tag "$image" "$registry_image"
echo " Tagged as: $registry_image" echo " Tagged as: $registry_image"
@@ -187,6 +252,13 @@ if [ "$USE_LOCAL_REGISTRY" = "true" ] || [ "$USE_GITEA_REGISTRY" = "true" ]; the
"insecure-registries": ["registry.bakery-ia.local"] "insecure-registries": ["registry.bakery-ia.local"]
} }
EOF EOF
echo ""
echo "IMPORTANT: For Gitea registry to work properly:"
echo " 1. Gitea must be running and accessible at gitea.bakery-ia.local"
echo " 2. The registry subdomain must be properly configured in your ingress"
echo " 3. You may need to authenticate with Docker:"
echo " docker login registry.bakery-ia.local"
echo " 4. Check that the Gitea registry service is exposed on port 3000"
else else
echo "To configure Docker daemon to use local registry as mirror:" echo "To configure Docker daemon to use local registry as mirror:"
echo "" echo ""

72
secrets_test.yaml
View File

@@ -1,72 +0,0 @@
# Secret for Gitea webhook validation
# Used by EventListener to validate incoming webhooks
apiVersion: v1
kind: Secret
metadata:
name: gitea-webhook-secret
namespace: {{ .Values.namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: triggers
annotations:
note: "Webhook secret for validating incoming webhooks"
type: Opaque
stringData:
secretToken: {{ .Values.secrets.webhook.token | quote }}
---
# Secret for Gitea container registry credentials
# Used by Kaniko to push images to Gitea registry
apiVersion: v1
kind: Secret
metadata:
name: gitea-registry-credentials
namespace: {{ .Values.namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: build
annotations:
note: "Registry credentials for pushing images"
type: kubernetes.io/dockerconfigjson
stringData:
.dockerconfigjson: |
{
"auths": {
{{ .Values.secrets.registry.registryUrl | quote }}: {
"username": {{ .Values.secrets.registry.username | quote }},
"password": {{ .Values.secrets.registry.password | quote }}
}
}
}
---
# Secret for Git credentials (used by pipeline to push GitOps updates)
apiVersion: v1
kind: Secret
metadata:
name: gitea-git-credentials
namespace: {{ .Values.namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: gitops
annotations:
note: "Git credentials for GitOps updates"
type: Opaque
stringData:
username: {{ .Values.secrets.git.username | quote }}
password: {{ .Values.secrets.git.password | quote }}
---
# Secret for Flux GitRepository access
# Used by Flux to pull from Gitea repository
apiVersion: v1
kind: Secret
metadata:
name: gitea-credentials
namespace: {{ .Values.pipeline.deployment.fluxNamespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: flux
annotations:
note: "Credentials for Flux GitRepository access"
type: Opaque
stringData:
username: {{ .Values.secrets.git.username | quote }}
password: {{ .Values.secrets.git.password | quote }}

22
test_secrets.yaml
View File

@@ -1,22 +0,0 @@
# Test version of the secrets file to isolate the issue
apiVersion: v1
kind: Secret
metadata:
name: gitea-registry-credentials
namespace: {{ .Values.namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: build
annotations:
note: "Registry credentials for pushing images"
type: kubernetes.io/dockerconfigjson
stringData:
.dockerconfigjson: |
{
"auths": {
{{ .Values.secrets.registry.registryUrl | quote }}: {
"username": {{ .Values.secrets.registry.username | quote }},
"password": {{ .Values.secrets.registry.password | quote }}
}
}
}