Fix kustomization: remove merge conflicts, fix paths, add gateway resource

infrastructure/environments/prod/k8s-manifests/kustomization.yaml

@@ -11,13 +11,13 @@ metadata:
 
 resources:
   - ../../../environments/common/configs
-  - ../../../platform/infrastructure
   - ../../../platform/cert-manager
   - ../../../platform/networking/ingress/overlays/prod
+  - ../../../platform/gateway
   - ../../../platform/storage
   - ../../../services/databases
   - ../../../services/microservices
-  - ../../../cicd
+  # NOTE: CI/CD (gitea, tekton, flux) deployed via Helm, not kustomize
   - prod-certificate.yaml
 
 
@@ -107,6 +107,41 @@ patches:
       - op: add
         path: /data/VITE_ENVIRONMENT
         value: "production"
+  # Add imagePullSecrets to all Deployments for gitea registry authentication
+  - target:
+      kind: Deployment
+    patch: |-
+      - op: add
+        path: /spec/template/spec/imagePullSecrets
+        value:
+          - name: gitea-registry-secret
+
+  # Add imagePullSecrets to all StatefulSets for gitea registry authentication
+  - target:
+      kind: StatefulSet
+    patch: |-
+      - op: add
+        path: /spec/template/spec/imagePullSecrets
+        value:
+          - name: gitea-registry-secret
+
+  # Add imagePullSecrets to all Jobs for gitea registry authentication
+  - target:
+      kind: Job
+    patch: |-
+      - op: add
+        path: /spec/template/spec/imagePullSecrets
+        value:
+          - name: gitea-registry-secret
+
+  # Add imagePullSecrets to all CronJobs for gitea registry authentication
+  - target:
+      kind: CronJob
+    patch: |-
+      - op: add
+        path: /spec/jobTemplate/spec/template/spec/imagePullSecrets
+        value:
+          - name: gitea-registry-secret
   # SigNoz resource patches for production
   # SigNoz ClickHouse production configuration
   - target:
@@ -172,76 +207,103 @@ patches:
 images:
   # Application services
   - name: bakery/auth-service
+    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/auth-service
     newTag: latest
   - name: bakery/tenant-service
+    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/tenant-service
     newTag: latest
   - name: bakery/training-service
+    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/training-service
     newTag: latest
   - name: bakery/forecasting-service
+    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/forecasting-service
     newTag: latest
   - name: bakery/sales-service
+    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/sales-service
     newTag: latest
   - name: bakery/external-service
+    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/external-service
     newTag: latest
   - name: bakery/notification-service
+    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/notification-service
     newTag: latest
   - name: bakery/inventory-service
+    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/inventory-service
     newTag: latest
   - name: bakery/recipes-service
+    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/recipes-service
     newTag: latest
   - name: bakery/suppliers-service
+    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/suppliers-service
     newTag: latest
   - name: bakery/pos-service
+    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/pos-service
     newTag: latest
   - name: bakery/orders-service
+    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/orders-service
     newTag: latest
   - name: bakery/production-service
+    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/production-service
     newTag: latest
   - name: bakery/alert-processor
+    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/alert-processor
     newTag: latest
   - name: bakery/gateway
+    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/gateway
     newTag: latest
   - name: bakery/dashboard
+    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/dashboard
     newTag: latest
   # =============================================================================
-  # Production Base Images - mapped to production registry
-  # TODO: Update PROD_REGISTRY_URL to your production registry (e.g., ghcr.io/your-org)
-  # =============================================================================
-  # Database images (using canonical Docker Hub - no rate limits in prod with auth)
+  # Database images (cached in gitea registry for consistency)
   - name: postgres
-    newTag: 17-alpine
+    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/postgres
+    newTag: "17-alpine"
   - name: redis
-    newTag: 7.4-alpine
+    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/redis
+    newTag: "7.4-alpine"
   - name: rabbitmq
-    newTag: 4.1-management-alpine
+    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/rabbitmq
+    newTag: "4.1-management-alpine"
   # Utility images
   - name: busybox
+    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/busybox
     newTag: "1.36"
   - name: curlimages/curl
+    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/curlimages-curl
     newTag: latest
   - name: bitnami/kubectl
+    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/bitnami-kubectl
     newTag: latest
 
   # Alpine variants
   - name: alpine
+    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/alpine
     newTag: "3.19"
   - name: alpine/git
+    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/alpine-git
     newTag: 2.43.0
-  # CI/CD images (GCR/registry.k8s.io - no rate limits)
+  # CI/CD images (cached in gitea registry for consistency)
   - name: gcr.io/kaniko-project/executor
+    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/gcr.io-kaniko-project-executor
     newTag: v1.23.0
   - name: gcr.io/go-containerregistry/crane
+    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/gcr.io-go-containerregistry-crane
     newTag: latest
   - name: registry.k8s.io/kustomize/kustomize
+    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/registry.k8s.io-kustomize-kustomize
     newTag: v5.3.0
   # Storage images
   - name: minio/minio
+    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/minio-minio
     newTag: RELEASE.2024-11-07T00-52-20Z
   - name: minio/mc
+    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/minio-mc
     newTag: RELEASE.2024-11-17T19-35-25Z
   # NOTE: nominatim image override removed - nominatim is now deployed via Helm
   # Python base image
   - name: python
+    newName: gitea-http.gitea.svc.cluster.local:3000/bakery-admin/python
     newTag: 3.11-slim
 
 replicas:

infrastructure/platform/networking/ingress/overlays/prod/kustomization.yaml

@@ -20,6 +20,9 @@ patches:
         value: gitea.bakewise.ai
       - op: replace
         path: /spec/tls/0/hosts/2
+        value: registry.bakewise.ai
+      - op: add
+        path: /spec/tls/0/hosts/-
         value: mail.bakewise.ai
       - op: replace
         path: /spec/tls/0/secretName
@@ -32,10 +35,11 @@ patches:
         value: gitea.bakewise.ai
       - op: replace
         path: /spec/rules/2/host
-        value: mail.bakewise.ai
+        value: registry.bakewise.ai
+      # Mail rule removed - mail ingress is deployed separately via mailu-helm
       - op: add
         path: /metadata/annotations/nginx.ingress.kubernetes.io~1cors-allow-origin
-        value: "https://bakewise.ai,https://www.bakewise.ai,https://mail.bakewise.ai"
+        value: "https://bakewise.ai,https://www.bakewise.ai,https://mail.bakewise.ai,https://registry.bakewise.ai,https://gitea.bakewise.ai"
       - op: add
         path: /metadata/annotations/nginx.ingress.kubernetes.io~1limit-rps
         value: "100"