bakery-admin/bakery-ia
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit - production deployment

Browse Source
This commit is contained in:
Bakery Admin
2026-01-21 17:17:16 +01:00
commit c23d00dd92
2289 changed files with 638440 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
infrastructure/cicd/tekton-helm/Chart.yaml Normal file
View File

@@ -0,0 +1,15 @@
apiVersion: v2
name: tekton-cicd
description: Tekton CI/CD infrastructure for Bakery-IA
type: application
version: 0.1.0
appVersion: "0.57.0"
maintainers:
- name: Bakery-IA Team
email: team@bakery-ia.local
annotations:
category: Infrastructure
app.kubernetes.io/name: tekton-cicd
app.kubernetes.io/instance: tekton-cicd
app.kubernetes.io/version: "0.57.0"
app.kubernetes.io/part-of: bakery-ia

145
infrastructure/cicd/tekton-helm/GITEA_SECRET_INTEGRATION.md Normal file
View File

@@ -0,0 +1,145 @@
# Gitea Admin Secret Integration for Tekton
This document explains how Tekton CI/CD integrates with the existing Gitea admin secret to ensure credential consistency across the system.
## Architecture Overview
```mermaid
graph TD
A[Gitea Admin Secret] --> B[Tekton Registry Credentials]
A --> C[Tekton Git Credentials]
A --> D[Flux Git Credentials]
B --> E[Kaniko Build Task]
C --> F[GitOps Update Task]
D --> G[Flux GitRepository]
```
## How It Works
The system uses Helm's `lookup` function to reference the existing `gitea-admin-secret` from the Gitea namespace, ensuring that:
1. **Single Source of Truth**: All CI/CD components use the same credentials as Gitea
2. **Automatic Synchronization**: When Gitea admin password changes, all CI/CD components automatically use the new credentials
3. **Reduced Maintenance**: No need to manually update credentials in multiple places
## Secret Reference Flow
```
Gitea Namespace: gitea-admin-secret
└── username: bakery-admin
└── password: [secure-password]
Tekton Namespace:
├── gitea-registry-credentials (dockerconfigjson)
│ └── references gitea-admin-secret.password
├── gitea-git-credentials (opaque)
│ └── references gitea-admin-secret.password
└── gitea-credentials (opaque) [flux-system namespace]
└── references gitea-admin-secret.password
```
## Deployment Requirements
### Prerequisites
1. **Gitea must be installed first**: The `gitea-admin-secret` must exist before deploying Tekton
2. **Same username**: All components use `bakery-admin` as the username
3. **Namespace access**: Tekton service account needs read access to Gitea namespace secrets
### Installation Steps
1. **Install Gitea with admin secret**:
```bash
# Run the setup script to create gitea-admin-secret
./infrastructure/cicd/gitea/setup-admin-secret.sh your-secure-password
# Install Gitea Helm chart
helm install gitea gitea/gitea -n gitea -f infrastructure/cicd/gitea/values.yaml
```
2. **Install Tekton with secret references**:
```bash
# Install Tekton - it will automatically reference the Gitea admin secret
helm install tekton-cicd infrastructure/cicd/tekton-helm \
--namespace tekton-pipelines \
--set secrets.webhook.token="your-webhook-token"
```
## Troubleshooting
### Common Issues
1. **Secret not found error**:
- Ensure Gitea is installed before Tekton
- Verify the `gitea-admin-secret` exists in the `gitea` namespace
- Check that Tekton service account has RBAC permissions to read Gitea secrets
2. **Authentication failures**:
- Verify the Gitea admin password is correct
- Ensure the username is `bakery-admin` (matching the Gitea admin)
- Check that the password hasn't been manually changed in Gitea UI
### Debugging Commands
```bash
# Check if gitea-admin-secret exists
kubectl get secret gitea-admin-secret -n gitea
# Verify Tekton secrets were created correctly
kubectl get secret gitea-registry-credentials -n tekton-pipelines -o yaml
kubectl get secret gitea-git-credentials -n tekton-pipelines -o yaml
kubectl get secret gitea-credentials -n flux-system -o yaml
# Check RBAC permissions
kubectl get role,rolebinding,clusterrole,clusterrolebinding -n tekton-pipelines
```
## Security Considerations
### Benefits
1. **Reduced attack surface**: Fewer secrets to manage and rotate
2. **Automatic rotation**: Changing Gitea admin password automatically updates all CI/CD components
3. **Consistent access control**: Single point for credential management
### Best Practices
1. **Use strong passwords**: Generate secure random passwords for Gitea admin
2. **Rotate regularly**: Change the Gitea admin password periodically
3. **Limit access**: Restrict who can read the `gitea-admin-secret`
4. **Audit logs**: Monitor access to the admin secret
## Manual Override
If you need to use different credentials for specific components, you can override the values:
```bash
helm install tekton-cicd infrastructure/cicd/tekton-helm \
--namespace tekton-pipelines \
--set secrets.webhook.token="your-webhook-token" \
--set secrets.registry.password="custom-registry-password" \
--set secrets.git.password="custom-git-password"
```
However, this is **not recommended** as it breaks the single source of truth principle.
## Helm Template Details
The integration uses Helm's `lookup` function with `b64dec` to decode the base64-encoded password:
```yaml
password: {{ .Values.secrets.git.password | default (lookup "v1" "Secret" "gitea" "gitea-admin-secret").data.password | b64dec | quote }}
```
This means:
1. Look up the `gitea-admin-secret` in the `gitea` namespace
2. Get the `password` field from the secret's `data` section
3. Base64 decode it (Kubernetes stores secret data as base64)
4. Use it as the password value
5. If `.Values.secrets.git.password` is provided, use that instead (for manual override)
## Conclusion
This integration provides a robust, secure way to manage credentials across the CI/CD pipeline while maintaining consistency with Gitea's admin credentials.

83
infrastructure/cicd/tekton-helm/README.md Normal file
View File

@@ -0,0 +1,83 @@
# Tekton CI/CD Helm Chart
This Helm chart deploys the Tekton CI/CD infrastructure for the Bakery-IA project.
## Prerequisites
- Kubernetes 1.20+
- Tekton Pipelines installed (v0.57.0 or later)
- Helm 3.0+
## Installation
Before installing this chart, Tekton Pipelines must be installed separately:
```bash
kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
```
Then install the chart:
### Development Installation
```bash
helm install tekton-cicd infrastructure/cicd/tekton-helm \
--namespace tekton-pipelines \
--create-namespace
```
### Production Installation
**Important**: Never use default secrets in production. Always provide secure credentials.
```bash
# Generate secure webhook token
export TEKTON_WEBHOOK_TOKEN=$(openssl rand -hex 32)
# Use the same password as Gitea admin (from GITEA_ADMIN_PASSWORD)
helm upgrade --install tekton-cicd infrastructure/cicd/tekton-helm \
-n tekton-pipelines \
-f infrastructure/cicd/tekton-helm/values.yaml \
-f infrastructure/cicd/tekton-helm/values-prod.yaml \
--set secrets.webhook.token=$TEKTON_WEBHOOK_TOKEN \
--set secrets.registry.password=$GITEA_ADMIN_PASSWORD \
--set secrets.git.password=$GITEA_ADMIN_PASSWORD
```
## Configuration
The following table lists the configurable parameters of the tekton-cicd chart and their default values.
| Parameter | Description | Default |
|-----------|-------------|---------|
| `global.registry.url` | Container registry URL | `"gitea.bakery-ia.local:5000"` |
| `global.git.branch` | Git branch name | `"main"` |
| `global.git.userName` | Git user name | `"bakery-ia-ci"` |
| `global.git.userEmail` | Git user email | `"ci@bakery-ia.local"` |
| `pipeline.build.cacheTTL` | Build cache TTL | `"24h"` |
| `pipeline.build.verbosity` | Build verbosity level | `"info"` |
| `pipeline.test.skipTests` | Skip tests flag | `"false"` |
| `pipeline.test.skipLint` | Skip lint flag | `"false"` |
| `pipeline.deployment.namespace` | Deployment namespace | `"bakery-ia"` |
| `pipeline.deployment.fluxNamespace` | Flux namespace | `"flux-system"` |
| `pipeline.workspace.size` | Workspace size | `"5Gi"` |
| `pipeline.workspace.storageClass` | Workspace storage class | `"standard"` |
| `secrets.webhook.token` | Webhook validation token | `"example-webhook-token-do-not-use-in-production"` |
| `secrets.registry.username` | Registry username | `"example-user"` |
| `secrets.registry.password` | Registry password | `"example-password"` |
| `secrets.registry.registryUrl` | Registry URL | `"gitea.bakery-ia.local:5000"` |
| `secrets.git.username` | Git username | `"example-user"` |
| `secrets.git.password` | Git password | `"example-password"` |
| `namespace` | Namespace for Tekton resources | `"tekton-pipelines"` |
## Uninstallation
To uninstall/delete the `tekton-cicd` release:
```bash
helm delete tekton-cicd --namespace tekton-pipelines
```
## Values
For a detailed list of configurable values, see the `values.yaml` file.

22
infrastructure/cicd/tekton-helm/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,22 @@
Thank you for installing {{ .Chart.Name }}.
This chart deploys the Tekton CI/CD infrastructure for Bakery-IA.
IMPORTANT: Tekton Pipelines must be installed separately before deploying this chart.
To install Tekton Pipelines, run:
kubectl apply -f https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
To verify Tekton is running:
kubectl get pods -n tekton-pipelines
After Tekton is installed, this chart will deploy:
- ConfigMaps with pipeline configuration
- RBAC resources for triggers and pipelines
- Secrets for registry and Git credentials
- Tasks, Pipelines, and Triggers for CI/CD
To check the status of deployed resources:
kubectl get all -n {{ .Release.Namespace }}
For more information about Tekton, visit: https://tekton.dev/

80
infrastructure/cicd/tekton-helm/templates/clusterroles.yaml Normal file
View File

@@ -0,0 +1,80 @@
# ClusterRole for Tekton Triggers to create PipelineRuns
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: tekton-triggers-role
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: triggers
rules:
# Ability to create PipelineRuns from triggers
- apiGroups: ["tekton.dev"]
resources: ["pipelineruns", "taskruns"]
verbs: ["create", "get", "list", "watch"]
# Ability to read pipelines and tasks
- apiGroups: ["tekton.dev"]
resources: ["pipelines", "tasks", "clustertasks"]
verbs: ["get", "list", "watch"]
# Ability to manage PVCs for workspaces
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["create", "get", "list", "watch", "delete"]
# Ability to read secrets for credentials
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
# Ability to read configmaps
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "watch"]
# Ability to manage events for logging
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
# Ability to list cluster-scoped trigger resources (needed for Tekton Triggers controller)
- apiGroups: ["triggers.tekton.dev"]
resources: ["clustertriggerbindings", "clusterinterceptors"]
verbs: ["get", "list", "watch"]
---
# ClusterRole for Pipeline execution (needed for git operations and deployments)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: tekton-pipeline-role
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: pipeline
rules:
# Ability to read/update deployments for GitOps
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["get", "list", "watch", "patch", "update"]
# Ability to read secrets for credentials
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
# Ability to read configmaps
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "watch"]
# Ability to manage pods for build operations
- apiGroups: [""]
resources: ["pods", "pods/log"]
verbs: ["get", "list", "watch"]
---
# Role for EventListener to access triggers resources
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: tekton-triggers-eventlistener-role
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: triggers
rules:
- apiGroups: ["triggers.tekton.dev"]
resources: ["eventlisteners", "triggerbindings", "triggertemplates", "triggers", "interceptors"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["configmaps", "secrets"]
verbs: ["get", "list", "watch"]

32
infrastructure/cicd/tekton-helm/templates/configmap.yaml Normal file
View File

@@ -0,0 +1,32 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: pipeline-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: config
data:
# Container Registry Configuration
REGISTRY_URL: "{{ .Values.global.registry.url }}"
# Git Configuration
GIT_BRANCH: "{{ .Values.global.git.branch }}"
GIT_USER_NAME: "{{ .Values.global.git.userName }}"
GIT_USER_EMAIL: "{{ .Values.global.git.userEmail }}"
# Build Configuration
BUILD_CACHE_TTL: "{{ .Values.pipeline.build.cacheTTL }}"
BUILD_VERBOSITY: "{{ .Values.pipeline.build.verbosity }}"
# Test Configuration
SKIP_TESTS: "{{ .Values.pipeline.test.skipTests }}"
SKIP_LINT: "{{ .Values.pipeline.test.skipLint }}"
# Deployment Configuration
DEPLOY_NAMESPACE: "{{ .Values.pipeline.deployment.namespace }}"
FLUX_NAMESPACE: "{{ .Values.pipeline.deployment.fluxNamespace }}"
# Workspace Configuration
WORKSPACE_SIZE: "{{ .Values.pipeline.workspace.size }}"
WORKSPACE_STORAGE_CLASS: "{{ .Values.pipeline.workspace.storageClass }}"

32
infrastructure/cicd/tekton-helm/templates/event-listener.yaml Normal file
View File

@@ -0,0 +1,32 @@
# Tekton EventListener for Bakery-IA CI/CD
# This listener receives webhook events and triggers pipelines
apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
name: bakery-ia-event-listener
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: triggers
spec:
serviceAccountName: {{ .Values.serviceAccounts.triggers.name }}
triggers:
- name: bakery-ia-gitea-trigger
interceptors:
- ref:
name: "cel"
params:
- name: "filter"
value: "has(body.repository) && body.ref.contains('main')"
- ref:
name: "bitbucket"
params:
- name: "secretRef"
value:
secretName: gitea-webhook-secret
secretKey: secretToken
bindings:
- ref: bakery-ia-trigger-binding
template:
ref: bakery-ia-trigger-template

9
infrastructure/cicd/tekton-helm/templates/namespace.yaml Normal file
View File

@@ -0,0 +1,9 @@
{{- if .Values.namespace }}
apiVersion: v1
kind: Namespace
metadata:
name: {{ .Values.namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: {{ .Values.labels.app.component }}
{{- end }}

164
infrastructure/cicd/tekton-helm/templates/pipeline-ci.yaml Normal file
View File

@@ -0,0 +1,164 @@
# Main CI Pipeline for Bakery-IA
# This pipeline orchestrates the build, test, and deploy process
# Includes: fetch -> detect changes -> test -> build -> update gitops
# Supports environment-configurable base images for dev/prod flexibility
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: bakery-ia-ci
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: pipeline
spec:
workspaces:
- name: shared-workspace
description: Shared workspace for source code
- name: docker-credentials
description: Docker registry credentials
- name: git-credentials
description: Git credentials for pushing GitOps updates
optional: true
params:
- name: git-url
type: string
description: Repository URL
- name: git-revision
type: string
description: Git revision/commit hash
- name: registry
type: string
description: Container registry URL for pushing built images
- name: git-branch
type: string
description: Target branch for GitOps updates
default: "main"
- name: skip-tests
type: string
description: Skip tests if "true"
default: "false"
- name: dry-run
type: string
description: Dry run mode - don't push changes
default: "false"
# Base image configuration for environment-specific builds
- name: base-registry
type: string
description: "Base image registry URL (e.g., docker.io for prod, localhost:5000 for dev)"
default: "{{ .Values.pipeline.build.baseRegistry }}"
- name: python-image
type: string
description: "Python base image name and tag (e.g., python:3.11-slim for prod)"
default: "{{ .Values.pipeline.build.pythonImage }}"
tasks:
# Stage 1: Fetch source code
- name: fetch-source
taskRef:
name: git-clone
workspaces:
- name: output
workspace: shared-workspace
params:
- name: url
value: $(params.git-url)
- name: revision
value: $(params.git-revision)
# Stage 2: Detect which services changed
- name: detect-changes
runAfter: [fetch-source]
taskRef:
name: detect-changed-services
workspaces:
- name: source
workspace: shared-workspace
# Stage 3: Run tests on changed services
- name: run-tests
runAfter: [detect-changes]
taskRef:
name: run-tests
when:
- input: "$(tasks.detect-changes.results.changed-services)"
operator: notin
values: ["none", "infrastructure"]
- input: "$(params.skip-tests)"
operator: notin
values: ["true"]
workspaces:
- name: source
workspace: shared-workspace
params:
- name: services
value: $(tasks.detect-changes.results.changed-services)
- name: skip-tests
value: $(params.skip-tests)
# Stage 4: Build and push container images
- name: build-and-push
runAfter: [run-tests]
taskRef:
name: kaniko-build
when:
- input: "$(tasks.detect-changes.results.changed-services)"
operator: notin
values: ["none", "infrastructure"]
workspaces:
- name: source
workspace: shared-workspace
- name: docker-credentials
workspace: docker-credentials
params:
- name: services
value: $(tasks.detect-changes.results.changed-services)
- name: registry
value: $(params.registry)
- name: git-revision
value: $(params.git-revision)
# Environment-configurable base images
- name: base-registry
value: $(params.base-registry)
- name: python-image
value: $(params.python-image)
# Stage 5: Update GitOps manifests
- name: update-gitops-manifests
runAfter: [build-and-push]
taskRef:
name: update-gitops
when:
- input: "$(tasks.detect-changes.results.changed-services)"
operator: notin
values: ["none", "infrastructure"]
- input: "$(tasks.build-and-push.results.build-status)"
operator: in
values: ["success", "partial"]
workspaces:
- name: source
workspace: shared-workspace
- name: git-credentials
workspace: git-credentials
params:
- name: services
value: $(tasks.detect-changes.results.changed-services)
- name: registry
value: $(params.registry)
- name: git-revision
value: $(params.git-revision)
- name: git-branch
value: $(params.git-branch)
- name: dry-run
value: $(params.dry-run)
# Final tasks that run regardless of pipeline success/failure
finally:
- name: pipeline-summary
taskRef:
name: pipeline-summary
params:
- name: changed-services
value: $(tasks.detect-changes.results.changed-services)
- name: git-revision
value: $(params.git-revision)

51
infrastructure/cicd/tekton-helm/templates/rolebindings.yaml Normal file
View File

@@ -0,0 +1,51 @@
# ClusterRoleBinding for Tekton Triggers
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: tekton-triggers-binding
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: triggers
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccounts.triggers.name }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: tekton-triggers-role
apiGroup: rbac.authorization.k8s.io
---
# ClusterRoleBinding for Pipeline execution
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: tekton-pipeline-binding
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: pipeline
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccounts.pipeline.name }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: tekton-pipeline-role
apiGroup: rbac.authorization.k8s.io
---
# RoleBinding for EventListener
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: tekton-triggers-eventlistener-binding
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: triggers
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccounts.triggers.name }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: Role
name: tekton-triggers-eventlistener-role
apiGroup: rbac.authorization.k8s.io

87
infrastructure/cicd/tekton-helm/templates/secrets.yaml Normal file
View File

@@ -0,0 +1,87 @@
# Secret for Gitea webhook validation
# Used by EventListener to validate incoming webhooks
apiVersion: v1
kind: Secret
metadata:
name: gitea-webhook-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: triggers
annotations:
note: "Webhook secret for validating incoming webhooks"
type: Opaque
stringData:
secretToken: {{ .Values.secrets.webhook.token | quote }}
---
# Secret for Gitea container registry credentials
# Used by Kaniko to push images to Gitea registry
# References the existing gitea-admin-secret for consistency
{{- $giteaSecret := (lookup "v1" "Secret" "gitea" "gitea-admin-secret") }}
{{- $giteaPassword := "" }}
{{- if and $giteaSecret $giteaSecret.data (index $giteaSecret.data "password") }}
{{- $giteaPassword = index $giteaSecret.data "password" | b64dec }}
{{- end }}
apiVersion: v1
kind: Secret
metadata:
name: gitea-registry-credentials
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: build
annotations:
note: "Registry credentials for pushing images - references gitea-admin-secret"
type: kubernetes.io/dockerconfigjson
stringData:
{{- $registryPassword := .Values.secrets.registry.password | default $giteaPassword | default "PLACEHOLDER_PASSWORD" }}
{{- if and .Values.secrets.registry.registryUrl .Values.secrets.registry.username }}
.dockerconfigjson: |
{
"auths": {
{{ .Values.secrets.registry.registryUrl | quote }}: {
"username": {{ .Values.secrets.registry.username | quote }},
"password": {{ $registryPassword | quote }}
}
}
}
{{- else }}
.dockerconfigjson: '{"auths":{}}'
{{- end }}
---
# Secret for Git credentials (used by pipeline to push GitOps updates)
# References the existing gitea-admin-secret for consistency
apiVersion: v1
kind: Secret
metadata:
name: gitea-git-credentials
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: gitops
annotations:
note: "Git credentials for GitOps updates - references gitea-admin-secret"
type: Opaque
stringData:
{{- $gitPassword := .Values.secrets.git.password | default $giteaPassword | default "PLACEHOLDER_PASSWORD" }}
username: {{ .Values.secrets.git.username | quote }}
password: {{ $gitPassword | quote }}
---
# Secret for Flux GitRepository access
# Used by Flux to pull from Gitea repository
# References the existing gitea-admin-secret for consistency
apiVersion: v1
kind: Secret
metadata:
name: gitea-credentials
namespace: {{ .Values.pipeline.deployment.fluxNamespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: flux
annotations:
note: "Credentials for Flux GitRepository access - references gitea-admin-secret"
type: Opaque
stringData:
{{- $fluxPassword := .Values.secrets.git.password | default $giteaPassword | default "PLACEHOLDER_PASSWORD" }}
username: {{ .Values.secrets.git.username | quote }}
password: {{ $fluxPassword | quote }}

19
infrastructure/cicd/tekton-helm/templates/serviceaccounts.yaml Normal file
View File

@@ -0,0 +1,19 @@
# ServiceAccount for Tekton Triggers EventListener
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.serviceAccounts.triggers.name }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: triggers
---
# ServiceAccount for Pipeline execution
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.serviceAccounts.pipeline.name }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: pipeline

87
infrastructure/cicd/tekton-helm/templates/task-detect-changes.yaml Normal file
View File

@@ -0,0 +1,87 @@
# Tekton Task to Detect Changed Services
# This task analyzes git changes to determine which services need to be built
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: detect-changed-services
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: detection
spec:
workspaces:
- name: source
description: Workspace containing the source code
results:
- name: changed-services
description: Comma-separated list of changed services
steps:
- name: detect-changes
image: alpine/git
script: |
#!/bin/bash
set -e
cd $(workspaces.source.path)
# Get the list of changed files
CHANGED_FILES=$(git diff --name-only HEAD~1 HEAD 2>/dev/null || git diff --name-only $(git rev-parse --abbrev-ref HEAD)@{upstream} HEAD 2>/dev/null || echo "")
if [ -z "$CHANGED_FILES" ]; then
# No changes detected, assume all services need building
echo "No git changes detected, building all services"
echo "all" > $(results.changed-services.path)
exit 0
fi
# Initialize an array to collect changed services
declare -a changed_services=()
# Check for changes in services/ directory
while IFS= read -r service_dir; do
if [ -n "$service_dir" ]; then
service_name=$(basename "$service_dir")
if [[ ! " ${changed_services[@]} " =~ " ${service_name} " ]]; then
changed_services+=("$service_name")
fi
fi
done < <(echo "$CHANGED_FILES" | grep '^services/' | cut -d'/' -f2 | sort -u)
# Check for changes in gateway/ directory
if echo "$CHANGED_FILES" | grep -q '^gateway/'; then
if [[ ! " ${changed_services[@]} " =~ " gateway " ]]; then
changed_services+=("gateway")
fi
fi
# Check for changes in frontend/ directory
if echo "$CHANGED_FILES" | grep -q '^frontend/'; then
if [[ ! " ${changed_services[@]} " =~ " frontend " ]]; then
changed_services+=("frontend")
fi
fi
# Check for changes in shared/ directory (might affect multiple services)
if echo "$CHANGED_FILES" | grep -q '^shared/'; then
if [[ ! " ${changed_services[@]} " =~ " shared " ]]; then
changed_services+=("shared")
fi
fi
# Convert array to comma-separated string
CHANGED_SERVICES=""
for service in "${changed_services[@]}"; do
if [ -z "$CHANGED_SERVICES" ]; then
CHANGED_SERVICES="$service"
else
CHANGED_SERVICES="$CHANGED_SERVICES,$service"
fi
done
if [ -z "$CHANGED_SERVICES" ]; then
# Changes are in infrastructure or other non-service files
echo "infrastructure" > $(results.changed-services.path)
else
echo "$CHANGED_SERVICES" > $(results.changed-services.path)
fi

95
infrastructure/cicd/tekton-helm/templates/task-git-clone.yaml Normal file
View File

@@ -0,0 +1,95 @@
# Tekton Git Clone Task for Bakery-IA CI/CD
# This task clones the source code repository
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: git-clone
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: source
spec:
workspaces:
- name: output
description: Workspace to clone the repository into
params:
- name: url
type: string
description: Repository URL to clone
- name: revision
type: string
description: Git revision to checkout
default: "main"
- name: depth
type: string
description: Git clone depth (0 for full history)
default: "1"
results:
- name: commit-sha
description: The commit SHA that was checked out
- name: commit-message
description: The commit message
steps:
- name: clone
image: alpine/git:2.43.0
script: |
#!/bin/sh
set -e
URL="$(params.url)"
REVISION="$(params.revision)"
DEPTH="$(params.depth)"
OUTPUT_PATH="$(workspaces.output.path)"
echo "============================================"
echo "Git Clone Task"
echo "============================================"
echo "URL: $URL"
echo "Revision: $REVISION"
echo "Depth: $DEPTH"
echo "============================================"
# Clone with depth for faster checkout
if [ "$DEPTH" = "0" ]; then
echo "Cloning full repository..."
git clone "$URL" "$OUTPUT_PATH"
else
echo "Cloning with depth $DEPTH..."
git clone --depth "$DEPTH" "$URL" "$OUTPUT_PATH"
fi
cd "$OUTPUT_PATH"
# Fetch the specific revision if needed
if [ "$REVISION" != "main" ] && [ "$REVISION" != "master" ]; then
echo "Fetching revision: $REVISION"
git fetch --depth 1 origin "$REVISION" 2>/dev/null || true
fi
# Checkout the revision
echo "Checking out: $REVISION"
git checkout "$REVISION" 2>/dev/null || git checkout "origin/$REVISION"
# Get commit info
COMMIT_SHA=$(git rev-parse HEAD)
COMMIT_MSG=$(git log -1 --pretty=format:"%s")
echo ""
echo "============================================"
echo "Clone Complete"
echo "============================================"
echo "Commit: $COMMIT_SHA"
echo "Message: $COMMIT_MSG"
echo "============================================"
# Write results
echo -n "$COMMIT_SHA" > $(results.commit-sha.path)
echo -n "$COMMIT_MSG" > $(results.commit-message.path)
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 100m
memory: 128Mi

103
infrastructure/cicd/tekton-helm/templates/task-kaniko-build.yaml Normal file
View File

@@ -0,0 +1,103 @@
# Tekton Kaniko Build Task for Bakery-IA CI/CD
# This task builds and pushes container images using Kaniko
# Supports environment-configurable base images via build-args
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: kaniko-build
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: build
spec:
workspaces:
- name: source
description: Workspace containing the source code
- name: docker-credentials
description: Docker registry credentials
params:
- name: services
type: string
description: Comma-separated list of services to build
- name: registry
type: string
description: Container registry URL for pushing built images
- name: git-revision
type: string
description: Git revision to tag images with
- name: base-registry
type: string
description: Base image registry URL (e.g., docker.io, ghcr.io/org)
default: "gitea-http.gitea.svc.cluster.local:3000/bakery-admin"
- name: python-image
type: string
description: Python base image name and tag
default: "python_3.11-slim"
results:
- name: build-status
description: Status of the build operation
steps:
- name: build-and-push
image: gcr.io/kaniko-project/executor:v1.15.0
env:
- name: DOCKER_CONFIG
value: /tekton/home/.docker
script: |
#!/bin/bash
set -e
echo "==================================================================="
echo "Kaniko Build Configuration"
echo "==================================================================="
echo "Target Registry: $(params.registry)"
echo "Base Registry: $(params.base-registry)"
echo "Python Image: $(params.python-image)"
echo "Git Revision: $(params.git-revision)"
echo "==================================================================="
# Split services parameter by comma
IFS=',' read -ra SERVICES <<< "$(params.services)"
# Build each service
for service in "${SERVICES[@]}"; do
service=$(echo "$service" | xargs) # Trim whitespace
if [ -n "$service" ] && [ "$service" != "none" ]; then
echo ""
echo "Building service: $service"
echo "-------------------------------------------------------------------"
# Determine Dockerfile path (services vs gateway vs frontend)
if [ "$service" = "gateway" ]; then
DOCKERFILE_PATH="$(workspaces.source.path)/gateway/Dockerfile"
elif [ "$service" = "frontend" ]; then
DOCKERFILE_PATH="$(workspaces.source.path)/frontend/Dockerfile.kubernetes"
else
DOCKERFILE_PATH="$(workspaces.source.path)/services/$service/Dockerfile"
fi
/kaniko/executor \
--dockerfile="$DOCKERFILE_PATH" \
--destination="$(params.registry)/$service:$(params.git-revision)" \
--context="$(workspaces.source.path)" \
--build-arg="BASE_REGISTRY=$(params.base-registry)" \
--build-arg="PYTHON_IMAGE=$(params.python-image)" \
--cache=true \
--cache-repo="$(params.registry)/cache"
echo "Successfully built: $(params.registry)/$service:$(params.git-revision)"
fi
done
echo ""
echo "==================================================================="
echo "Build completed successfully!"
echo "==================================================================="
echo "success" > $(results.build-status.path)
resources:
limits:
cpu: 2000m
memory: 4Gi
requests:
cpu: 500m
memory: 1Gi

33
infrastructure/cicd/tekton-helm/templates/task-pipeline-summary.yaml Normal file
View File

@@ -0,0 +1,33 @@
# Tekton Task for Pipeline Summary
# This task generates a summary of the pipeline execution
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: pipeline-summary
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: summary
spec:
params:
- name: changed-services
type: string
description: Services that were changed
- name: git-revision
type: string
description: Git revision being processed
steps:
- name: generate-summary
image: alpine
script: |
#!/bin/bash
set -e
echo "=== Bakery-IA CI Pipeline Summary ==="
echo "Git Revision: $(params.git-revision)"
echo "Changed Services: $(params.changed-services)"
echo "Pipeline completed successfully"
# Log summary to stdout for visibility
echo "Summary generated"

86
infrastructure/cicd/tekton-helm/templates/task-run-tests.yaml Normal file
View File

@@ -0,0 +1,86 @@
# Tekton Run Tests Task for Bakery-IA CI/CD
# This task runs tests on the source code
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: run-tests
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: test
spec:
workspaces:
- name: source
description: Workspace containing the source code
params:
- name: services
type: string
description: Comma-separated list of services to test
- name: skip-tests
type: string
description: Skip tests if "true"
default: "false"
steps:
- name: run-unit-tests
image: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/python_3.11-slim:latest
workingDir: $(workspaces.source.path)
script: |
#!/bin/bash
set -e
echo "============================================"
echo "Running Unit Tests"
echo "Services: $(params.services)"
echo "Skip tests: $(params.skip-tests)"
echo "============================================"
if [ "$(params.skip-tests)" = "true" ]; then
echo "Skipping tests as requested"
exit 0
fi
# Install dependencies if requirements file exists
if [ -f "requirements.txt" ]; then
pip install --no-cache-dir -r requirements.txt
fi
# Run unit tests
python -m pytest tests/unit/ -v
echo "Unit tests completed successfully"
resources:
limits:
cpu: 1000m
memory: 2Gi
requests:
cpu: 200m
memory: 512Mi
- name: run-integration-tests
image: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/python_3.11-slim:latest
workingDir: $(workspaces.source.path)
script: |
#!/bin/bash
set -e
echo "============================================"
echo "Running Integration Tests"
echo "Services: $(params.services)"
echo "============================================"
if [ "$(params.skip-tests)" = "true" ]; then
echo "Skipping integration tests as requested"
exit 0
fi
# Run integration tests
python -m pytest tests/integration/ -v
echo "Integration tests completed successfully"
resources:
limits:
cpu: 1000m
memory: 2Gi
requests:
cpu: 200m
memory: 512Mi

153
infrastructure/cicd/tekton-helm/templates/task-update-gitops.yaml Normal file
View File

@@ -0,0 +1,153 @@
# Tekton Update GitOps Task for Bakery-IA CI/CD
# This task updates GitOps manifests with new image tags
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: update-gitops
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: gitops
spec:
workspaces:
- name: source
description: Workspace containing the source code
- name: git-credentials
description: Git credentials for pushing changes
params:
- name: services
type: string
description: Comma-separated list of services to update
- name: registry
type: string
description: Container registry URL
- name: git-revision
type: string
description: Git revision to tag images with
- name: git-branch
type: string
description: Git branch to push changes to
- name: dry-run
type: string
description: Dry run mode - don't push changes
default: "false"
steps:
- name: update-manifests
image: alpine/git:2.43.0
workingDir: $(workspaces.source.path)
env:
- name: GIT_USERNAME
valueFrom:
secretKeyRef:
name: gitea-git-credentials
key: username
- name: GIT_PASSWORD
valueFrom:
secretKeyRef:
name: gitea-git-credentials
key: password
script: |
#!/bin/bash
set -e
echo "============================================"
echo "Updating GitOps Manifests"
echo "Services: $(params.services)"
echo "Registry: $(params.registry)"
echo "Revision: $(params.git-revision)"
echo "Branch: $(params.git-branch)"
echo "Dry run: $(params.dry-run)"
echo "============================================"
# Configure git
git config --global user.email "ci@bakery-ia.local"
git config --global user.name "bakery-ia-ci"
# Clone the main repository (not a separate gitops repo)
# Use internal cluster DNS which works in all environments
REPO_URL="https://${GIT_USERNAME}:${GIT_PASSWORD}@gitea-http.gitea.svc.cluster.local:3000/bakery-admin/bakery-ia.git"
git clone "$REPO_URL" /tmp/gitops
cd /tmp/gitops
# Switch to target branch
git checkout "$(params.git-branch)" || git checkout -b "$(params.git-branch)"
# Update image tags in Kubernetes manifests
for service in $(echo "$(params.services)" | tr ',' '\n'); do
service=$(echo "$service" | xargs) # Trim whitespace
if [ -n "$service" ] && [ "$service" != "none" ] && [ "$service" != "infrastructure" ] && [ "$service" != "shared" ]; then
echo "Updating manifest for service: $service"
# Format service name for directory (convert from kebab-case to snake_case if needed)
# Handle special cases like demo-session -> demo_session, alert-processor -> alert_processor, etc.
formatted_service=$(echo "$service" | sed 's/-/_/g')
# For gateway and frontend, they have different directory structures
if [ "$service" = "gateway" ]; then
MANIFEST_PATH="infrastructure/platform/gateway/gateway-service.yaml"
IMAGE_NAME="gateway" # gateway image name is just "gateway"
elif [ "$service" = "frontend" ]; then
MANIFEST_PATH="infrastructure/services/microservices/frontend/frontend-service.yaml"
IMAGE_NAME="dashboard" # frontend service uses "dashboard" as image name
else
# For microservices, look in the microservices directory
# Convert service name to directory format (kebab-case)
service_dir=$(echo "$service" | sed 's/_/-/g')
# Check for different possible manifest file names
if [ -f "infrastructure/services/microservices/$service_dir/deployment.yaml" ]; then
MANIFEST_PATH="infrastructure/services/microservices/$service_dir/deployment.yaml"
elif [ -f "infrastructure/services/microservices/$service_dir/${formatted_service}-service.yaml" ]; then
MANIFEST_PATH="infrastructure/services/microservices/$service_dir/${formatted_service}-service.yaml"
elif [ -f "infrastructure/services/microservices/$service_dir/${service_dir}-service.yaml" ]; then
MANIFEST_PATH="infrastructure/services/microservices/$service_dir/${service_dir}-service.yaml"
else
# Default to the standard naming pattern
MANIFEST_PATH="infrastructure/services/microservices/$service_dir/${formatted_service}-service.yaml"
fi
# For most services, the image name follows the pattern service-name-service
IMAGE_NAME="${service_dir}-service"
fi
# Update the image tag in the deployment YAML
if [ -f "$MANIFEST_PATH" ]; then
# Update image reference from bakery/image_name:tag to registry/image_name:git_revision
# Handle various image name formats that might exist in the manifests
sed -i "s|image: bakery/${IMAGE_NAME}:.*|image: $(params.registry)/${IMAGE_NAME}:$(params.git-revision)|g" "$MANIFEST_PATH"
# Also handle the case where the image name might be formatted differently
sed -i "s|image: bakery/${service}:.*|image: $(params.registry)/${service}:$(params.git-revision)|g" "$MANIFEST_PATH"
sed -i "s|image: bakery/${formatted_service}:.*|image: $(params.registry)/${formatted_service}:$(params.git-revision)|g" "$MANIFEST_PATH"
echo "Updated image in: $MANIFEST_PATH for image: bakery/${IMAGE_NAME}:* -> $(params.registry)/${IMAGE_NAME}:$(params.git-revision)"
else
echo "Warning: Manifest file not found: $MANIFEST_PATH"
fi
fi
done
# Commit and push changes (unless dry-run)
if [ "$(params.dry-run)" != "true" ]; then
git add .
git status
if ! git diff --cached --quiet; then
git commit -m "Update images for services: $(params.services) [skip ci]"
git push origin "$(params.git-branch)"
echo "GitOps manifests updated successfully"
else
echo "No changes to commit"
fi
else
echo "Dry run mode - changes not pushed"
git status
git diff
fi
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 100m
memory: 128Mi

23
infrastructure/cicd/tekton-helm/templates/trigger-binding.yaml Normal file
View File

@@ -0,0 +1,23 @@
# Tekton TriggerBinding for Bakery-IA CI/CD
# This binding extracts parameters from incoming webhook payloads
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerBinding
metadata:
name: bakery-ia-trigger-binding
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: triggers
spec:
params:
- name: git-repo-url
value: "{{"{{ .payload.repository.clone_url }}"}}"
- name: git-revision
value: "{{"{{ .payload.after }}"}}"
- name: git-branch
value: "{{"{{ .payload.ref }}" | replace "refs/heads/" "" | replace "refs/tags/" "" }}"
- name: git-repo-name
value: "{{"{{ .payload.repository.name }}"}}"
- name: git-repo-full-name
value: "{{"{{ .payload.repository.full_name }}"}}"

79
infrastructure/cicd/tekton-helm/templates/trigger-template.yaml Normal file
View File

@@ -0,0 +1,79 @@
# Tekton TriggerTemplate for Bakery-IA CI/CD
# This template defines how PipelineRuns are created when triggers fire
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerTemplate
metadata:
name: bakery-ia-trigger-template
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: triggers
spec:
params:
- name: git-repo-url
description: The git repository URL
- name: git-revision
description: The git revision/commit hash
- name: git-branch
description: The git branch name
default: "main"
- name: git-repo-name
description: The git repository name
default: "bakery-ia"
- name: git-repo-full-name
description: The full repository name (org/repo)
default: "bakery-admin/bakery-ia"
# Registry URL - keep in sync with pipeline-config ConfigMap
- name: registry-url
description: Container registry URL
default: {{ .Values.global.registry.url | quote }}
resourcetemplates:
- apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: bakery-ia-ci-run-
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
tekton.dev/pipeline: bakery-ia-ci
triggers.tekton.dev/trigger: bakery-ia-gitea-trigger
annotations:
# Track the source commit
bakery-ia.io/git-revision: $(tt.params.git-revision)
bakery-ia.io/git-branch: $(tt.params.git-branch)
spec:
pipelineRef:
name: bakery-ia-ci
serviceAccountName: {{ .Values.serviceAccounts.pipeline.name }}
workspaces:
- name: shared-workspace
volumeClaimTemplate:
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: {{ .Values.pipeline.workspace.size }}
- name: docker-credentials
secret:
secretName: gitea-registry-credentials
- name: git-credentials
secret:
secretName: gitea-git-credentials
params:
- name: git-url
value: $(tt.params.git-repo-url)
- name: git-revision
value: $(tt.params.git-revision)
- name: git-branch
value: $(tt.params.git-branch)
# Use template parameter for registry URL
- name: registry
value: $(tt.params.registry-url)
- name: skip-tests
value: "false"
- name: dry-run
value: "false"
# Timeout for the entire pipeline run
timeouts:
pipeline: "1h0m0s"
tasks: "45m0s"

81
infrastructure/cicd/tekton-helm/values-prod.yaml Normal file
View File

@@ -0,0 +1,81 @@
# Production values for tekton-cicd Helm chart
# This file overrides values.yaml for production deployment
#
# Installation:
# helm upgrade --install tekton-cicd infrastructure/cicd/tekton-helm \
# -n tekton-pipelines \
# -f infrastructure/cicd/tekton-helm/values.yaml \
# -f infrastructure/cicd/tekton-helm/values-prod.yaml \
# --set secrets.webhook.token=$TEKTON_WEBHOOK_TOKEN \
# --set secrets.registry.password=$GITEA_ADMIN_PASSWORD \
# --set secrets.git.password=$GITEA_ADMIN_PASSWORD
#
# Required environment variables:
# TEKTON_WEBHOOK_TOKEN - Secure webhook token (generate with: openssl rand -hex 32)
# GITEA_ADMIN_PASSWORD - Gitea admin password (must match gitea-admin-secret)
# Global settings for production
global:
# Git configuration
git:
userEmail: "ci@bakewise.ai"
# Pipeline configuration for production
pipeline:
# Build configuration
build:
verbosity: "warn" # Less verbose in production
# Test configuration
test:
skipTests: "false"
skipLint: "false"
# Workspace configuration - ensure storage class exists in production cluster
workspace:
size: "10Gi"
storageClass: "standard" # Adjust to your production storage class
# Tekton controller settings - increased resources for production
controller:
replicas: 2
resources:
limits:
cpu: 2000m
memory: 2Gi
requests:
cpu: 200m
memory: 256Mi
# Tekton webhook settings - increased resources for production
webhook:
replicas: 2
resources:
limits:
cpu: 1000m
memory: 1Gi
requests:
cpu: 100m
memory: 128Mi
# Secrets configuration
# IMPORTANT: These MUST be overridden via --set flags during deployment
# DO NOT commit actual secrets to this file
secrets:
# Webhook secret for validating incoming webhooks
# Override with: --set secrets.webhook.token=$TEKTON_WEBHOOK_TOKEN
webhook:
token: "" # MUST be set via --set flag
# Registry credentials for pushing images
# Override with: --set secrets.registry.password=$GITEA_ADMIN_PASSWORD
registry:
username: "bakery-admin"
password: "" # MUST be set via --set flag
registryUrl: "gitea-http.gitea.svc.cluster.local:3000"
# Git credentials for GitOps updates
# Override with: --set secrets.git.password=$GITEA_ADMIN_PASSWORD
git:
username: "bakery-admin"
password: "" # MUST be set via --set flag

99
infrastructure/cicd/tekton-helm/values.yaml Normal file
View File

@@ -0,0 +1,99 @@
# Default values for tekton-cicd Helm chart
# This file contains configurable values for the CI/CD pipeline
# Global settings
global:
# Registry configuration
registry:
url: "gitea-http.gitea.svc.cluster.local:3000/bakery-admin"
# Git configuration
git:
branch: "main"
userName: "bakery-ia-ci"
userEmail: "ci@bakery-ia.local"
# Pipeline configuration
pipeline:
# Build configuration
build:
cacheTTL: "24h"
verbosity: "info"
# Base image registry configuration
# For dev: localhost:5000 with python_3.11-slim
# For prod: gitea registry with python_3.11-slim
baseRegistry: "gitea-http.gitea.svc.cluster.local:3000/bakery-admin"
pythonImage: "python_3.11-slim"
# Test configuration
test:
skipTests: "false"
skipLint: "false"
# Deployment configuration
deployment:
namespace: "bakery-ia"
fluxNamespace: "flux-system"
# Workspace configuration
workspace:
size: "5Gi"
storageClass: "standard"
# Tekton controller settings
controller:
replicas: 1
resources:
limits:
cpu: 1000m
memory: 1Gi
requests:
cpu: 100m
memory: 128Mi
# Tekton webhook settings
webhook:
replicas: 1
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 50m
memory: 64Mi
# Namespace for Tekton resources
# Set to empty/false to skip namespace creation (namespace is created by Tekton installation)
namespace: ""
# Secrets configuration
secrets:
# Webhook secret for validating incoming webhooks
webhook:
token: "secure-webhook-token-replace-with-actual-value"
# Registry credentials for pushing images
# Uses the same credentials as Gitea admin for consistency
registry:
username: "bakery-admin"
password: "" # Will be populated from gitea-admin-secret
registryUrl: "gitea-http.gitea.svc.cluster.local:3000"
# Git credentials for GitOps updates
# Uses the same credentials as Gitea admin for consistency
git:
username: "bakery-admin"
password: "" # Will be populated from gitea-admin-secret
# Service accounts
serviceAccounts:
triggers:
name: "tekton-triggers-sa"
pipeline:
name: "tekton-pipeline-sa"
# Labels to apply to resources
labels:
app:
name: "bakery-ia-cicd"
component: "tekton"