Initial commit - production deployment

infrastructure/cicd/gitea/README.md

@@ -0,0 +1,188 @@
+# Gitea Configuration for Bakery-IA CI/CD
+
+This directory contains the Helm values and scripts for setting up Gitea as the Git server for the Bakery-IA project.
+
+## Features
+
+- **Automatic Admin User**: Admin user is created automatically from Kubernetes secret
+- **Automatic Repository Creation**: The `bakery-ia` repository is created via a Kubernetes Job after Gitea starts
+- **Registry Support**: Container registry enabled for storing Docker images
+- **Tekton Integration**: Webhook automatically configured if Tekton is installed
+
+## Quick Start
+
+### Development
+
+```bash
+# 1. Setup secrets and init job (uses default dev password)
+./infrastructure/cicd/gitea/setup-admin-secret.sh
+
+# 2. Install Gitea
+helm repo add gitea https://dl.gitea.io/charts
+helm install gitea gitea/gitea -n gitea -f infrastructure/cicd/gitea/values.yaml
+
+# 3. Wait for everything to be ready
+kubectl wait --for=condition=ready pod -n gitea -l app.kubernetes.io/name=gitea --timeout=300s
+
+# 4. Check init job completed
+kubectl logs -n gitea -l app.kubernetes.io/component=init --tail=50
+```
+
+### Production
+
+```bash
+# 1. Generate and export secure password
+export GITEA_ADMIN_PASSWORD=$(openssl rand -base64 32)
+
+# 2. Setup secrets with production flag (requires GITEA_ADMIN_PASSWORD)
+./infrastructure/cicd/gitea/setup-admin-secret.sh --production
+
+# 3. Install Gitea with production values
+helm repo add gitea https://dl.gitea.io/charts
+helm upgrade --install gitea gitea/gitea -n gitea \
+  -f infrastructure/cicd/gitea/values.yaml \
+  -f infrastructure/cicd/gitea/values-prod.yaml
+
+# 4. Wait for everything to be ready
+kubectl wait --for=condition=ready pod -n gitea -l app.kubernetes.io/name=gitea --timeout=300s
+
+# 5. Install Tekton CI/CD (see tekton-helm/README.md for details)
+export TEKTON_WEBHOOK_TOKEN=$(openssl rand -hex 32)
+helm upgrade --install tekton-cicd infrastructure/cicd/tekton-helm \
+  -n tekton-pipelines \
+  -f infrastructure/cicd/tekton-helm/values.yaml \
+  -f infrastructure/cicd/tekton-helm/values-prod.yaml \
+  --set secrets.webhook.token=$TEKTON_WEBHOOK_TOKEN \
+  --set secrets.registry.password=$GITEA_ADMIN_PASSWORD \
+  --set secrets.git.password=$GITEA_ADMIN_PASSWORD
+```
+
+## Files
+
+| File | Description |
+|------|-------------|
+| `values.yaml` | Helm values for Gitea chart |
+| `values-prod.yaml` | Production Helm values |
+| `setup-admin-secret.sh` | Creates secrets and applies init job |
+| `gitea-init-job.yaml` | Kubernetes Job to create initial repository |
+| `setup-gitea-repository.sh` | Helper to push local code to Gitea |
+
+## How It Works
+
+### 1. Admin User Initialization
+
+The Gitea Helm chart automatically creates the admin user on first install. Credentials are read from a Kubernetes secret:
+
+```yaml
+gitea:
+  admin:
+    username: bakery-admin
+    email: admin@bakery-ia.local
+    existingSecret: gitea-admin-secret  # Secret with username/password keys
+    passwordMode: keepUpdated           # Sync password changes from secret
+```
+
+The `setup-admin-secret.sh` script creates this secret before Helm install.
+
+### 2. Repository Initialization
+
+Since the Gitea Helm chart doesn't support automatic repository creation, we use a Kubernetes Job (`gitea-init-job.yaml`) that:
+
+1. Waits for Gitea to be ready
+2. Creates the `bakery-ia` repository via Gitea API
+3. Optionally configures a webhook for Tekton CI/CD
+
+The Job is idempotent - it skips creation if the repository already exists.
+
+## Detailed Installation
+
+### Step 1: Create Secrets
+
+```bash
+# Using default password (for dev environments)
+./infrastructure/cicd/gitea/setup-admin-secret.sh
+
+# Or specify a custom password
+./infrastructure/cicd/gitea/setup-admin-secret.sh "your-secure-password"
+
+# Or use environment variable
+export GITEA_ADMIN_PASSWORD="your-secure-password"
+./infrastructure/cicd/gitea/setup-admin-secret.sh
+```
+
+This creates:
+- `gitea-admin-secret` in `gitea` namespace - used by Gitea for admin credentials
+- `gitea-registry-secret` in `bakery-ia` namespace - used for `imagePullSecrets`
+- Applies `gitea-init-job.yaml` (ConfigMap + Job)
+
+### Step 2: Install Gitea
+
+```bash
+helm repo add gitea https://dl.gitea.io/charts
+helm repo update
+
+helm install gitea gitea/gitea -n gitea \
+  -f infrastructure/cicd/gitea/values.yaml
+```
+
+### Step 3: Verify Installation
+
+```bash
+# Wait for Gitea pod
+kubectl wait --for=condition=ready pod -n gitea -l app.kubernetes.io/name=gitea --timeout=300s
+
+# Check init job logs
+kubectl logs -n gitea job/gitea-init-repo
+
+# Verify repository was created
+curl -u bakery-admin:pvYUkGWJijqc0QfIZEXw \
+  https://gitea.bakery-ia.local/api/v1/repos/bakery-admin/bakery-ia
+```
+
+## CI/CD Integration
+
+Repository URL:
+```
+https://gitea.bakery-ia.local/bakery-admin/bakery-ia.git
+```
+
+Internal cluster URL (for pipelines):
+```
+http://gitea-http.gitea.svc.cluster.local:3000/bakery-admin/bakery-ia.git
+```
+
+## Troubleshooting
+
+### Init Job Failed
+
+```bash
+# Check job status
+kubectl get jobs -n gitea
+
+# View logs
+kubectl logs -n gitea job/gitea-init-repo
+
+# Re-run the job
+kubectl delete job gitea-init-repo -n gitea
+kubectl apply -f infrastructure/cicd/gitea/gitea-init-job.yaml
+```
+
+### Repository Not Created
+
+1. Check if Gitea is ready: `kubectl get pods -n gitea`
+2. Check init job logs: `kubectl logs -n gitea job/gitea-init-repo`
+3. Manually create via API or use `setup-gitea-repository.sh`
+
+### Authentication Issues
+
+1. Verify secret exists: `kubectl get secret gitea-admin-secret -n gitea`
+2. Check credentials: `kubectl get secret gitea-admin-secret -n gitea -o jsonpath='{.data.password}' | base64 -d`
+
+## Upgrading
+
+```bash
+helm upgrade gitea gitea/gitea -n gitea \
+  -f infrastructure/cicd/gitea/values.yaml
+```
+
+Repositories and data are preserved during upgrades (stored in PVC).