diff --git a/infrastructure/cicd/gitea/ingress.yaml.disabled b/infrastructure/cicd/gitea/ingress.yaml.disabled deleted file mode 100644 index cc026840..00000000 --- a/infrastructure/cicd/gitea/ingress.yaml.disabled +++ /dev/null @@ -1,44 +0,0 @@ -# Gitea Ingress Configuration -# Routes external traffic to Gitea service for web UI and Git HTTP access -# -# Prerequisites: -# - Gitea must be deployed in the 'gitea' namespace -# - Ingress controller must be installed (nginx, traefik, etc.) -# - For HTTPS: cert-manager with a ClusterIssuer named 'letsencrypt-prod' or 'local-ca-issuer' - -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: gitea-ingress - namespace: gitea - labels: - app.kubernetes.io/name: gitea - app.kubernetes.io/component: ingress - app.kubernetes.io/part-of: bakery-ia-cicd - annotations: - # For nginx ingress controller - nginx.ingress.kubernetes.io/proxy-body-size: "100m" - nginx.ingress.kubernetes.io/proxy-read-timeout: "600" - nginx.ingress.kubernetes.io/proxy-send-timeout: "600" - # For traefik ingress controller - traefik.ingress.kubernetes.io/router.entrypoints: web,websecure - # For TLS with cert-manager (uncomment for HTTPS) - # cert-manager.io/cluster-issuer: "local-ca-issuer" -spec: - ingressClassName: nginx - # Uncomment for HTTPS - # tls: - # - hosts: - # - gitea.bakery-ia.local - # secretName: gitea-tls - rules: - - host: gitea.bakery-ia.local - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: gitea-http - port: - number: 3000 diff --git a/infrastructure/cicd/kustomization.yaml b/infrastructure/cicd/kustomization.yaml deleted file mode 100644 index 4c2f45f5..00000000 --- a/infrastructure/cicd/kustomization.yaml +++ /dev/null 
@@ -1,9 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -# Tekton is now managed via Helm, so we don't include it directly here -# The Tekton Helm chart is deployed separately via Tilt - -# Gitea is managed via Helm, so we don't include it directly here -# The Gitea Helm chart is deployed separately and referenced in the ingress -# Flux is now managed via Helm chart located in this directory, so we don't include it directly here diff --git a/infrastructure/cicd/tekton-helm/templates/event-listener.yaml b/infrastructure/cicd/tekton-helm/templates/event-listener.yaml index 14448408..7121a2f6 100644 --- a/infrastructure/cicd/tekton-helm/templates/event-listener.yaml +++ b/infrastructure/cicd/tekton-helm/templates/event-listener.yaml @@ -29,5 +29,4 @@ spec: bindings: - ref: bakery-ia-trigger-binding template: - ref: bakery-ia-trigger-template - replicas: 1 \ No newline at end of file + ref: bakery-ia-trigger-template \ No newline at end of file diff --git a/infrastructure/cicd/tekton-helm/templates/task-detect-changes.yaml b/infrastructure/cicd/tekton-helm/templates/task-detect-changes.yaml new file mode 100644 index 00000000..287ab23c --- /dev/null +++ b/infrastructure/cicd/tekton-helm/templates/task-detect-changes.yaml 
@@ -0,0 +1,46 @@ +# Tekton Task to Detect Changed Services +# This task analyzes git changes to determine which services need to be built + +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: detect-changed-services + namespace: {{ .Values.namespace }} + labels: + app.kubernetes.io/name: {{ .Values.labels.app.name }} + app.kubernetes.io/component: detection +spec: + workspaces: + - name: source + description: Workspace containing the source code + results: + - name: changed-services + description: Comma-separated list of changed services + steps: + - name: detect-changes + image: alpine/git + script: | + #!/bin/bash + set -e + + cd $(workspaces.source.path) + + # Get the list of changed files + CHANGED_FILES=$(git diff --name-only HEAD~1 HEAD 2>/dev/null || git diff --name-only $(git rev-parse --abbrev-ref HEAD)@{upstream} HEAD 2>/dev/null || echo "") + + if [ -z "$CHANGED_FILES" ]; then + # No changes detected, assume all services need building + echo "No git changes detected, building all services" + echo "all" > $(results.changed-services.path) + exit 0 + fi + + # Extract service names from changed file paths + CHANGED_SERVICES=$(echo "$CHANGED_FILES" | grep -o 'services/[^/]*' | sed 's/services\/\//' | sort -u | tr '\n' ',' | sed 's/,$//') + + if [ -z "$CHANGED_SERVICES" ]; then + # Changes are in infrastructure or other non-service files + echo "infrastructure" > $(results.changed-services.path) + else + echo "$CHANGED_SERVICES" > $(results.changed-services.path) + fi \ No newline at end of file diff --git a/infrastructure/cicd/tekton-helm/templates/task-kaniko-build.yaml b/infrastructure/cicd/tekton-helm/templates/task-kaniko-build.yaml index 4d8414cf..172b9bcf 100644 --- a/infrastructure/cicd/tekton-helm/templates/task-kaniko-build.yaml +++ b/infrastructure/cicd/tekton-helm/templates/task-kaniko-build.yaml 
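Review bot: The sed expression on the CHANGED_SERVICES line, `sed 's/services\/\//'`, is an unterminated `s` command (the pattern `services\/\/` never reaches a closing delimiter), so sed exits with an error and, because only the last command of the pipeline decides its status, CHANGED_SERVICES is always empty and every run with service changes is reported as `infrastructure`; replace it with `sed 's#^services/##'` or simply `cut -d/ -f2`. The step also runs `#!/bin/bash` on `alpine/git`, an Alpine-based image that does not ship bash unless it is installed — the script uses only POSIX constructs, so `#!/bin/sh` is the safe choice, and the same shebang is used on the plain `alpine` image in task-pipeline-summary.yaml. Note too that the values this task emits, `all` and `infrastructure`, are not understood by the loop in task-kaniko-build.yaml, which only skips `none` and would otherwise look for `services/all/Dockerfile`; unless a pipeline outside this diff translates them, one side should be aligned with the other. The `HEAD~1` diff presumably fails on a shallow clone and falls through to the `all` branch on every run, which is worth confirming against the clone task's depth setting.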
@@ -34,14 +34,28 @@ spec: env: - name: DOCKER_CONFIG value: /tekton/home/.docker - command: - - /kaniko/executor - args: - - --dockerfile=$(workspaces.source.path)/Dockerfile - - --destination=$(params.registry)/$(params.service):$(params.git-revision) - - --context=$(workspaces.source.path) - - --cache=true - - --cache-repo=$(params.registry)/cache + script: | + #!/bin/bash + set -e + + # Split services parameter by comma + IFS=',' read -ra SERVICES <<< "$(params.services)" + + # Build each service + for service in "${SERVICES[@]}"; do + service=$(echo "$service" | xargs) # Trim whitespace + if [ -n "$service" ] && [ "$service" != "none" ]; then + echo "Building service: $service" + /kaniko/executor \ + --dockerfile="$(workspaces.source.path)/services/$service/Dockerfile" \ + --destination="$(params.registry)/$service:$(params.git-revision)" \ + --context="$(workspaces.source.path)" \ + --cache=true \ + --cache-repo="$(params.registry)/cache" + fi + done + + echo "success" > $(results.build-status.path) resources: limits: cpu: 2000m diff --git a/infrastructure/cicd/tekton-helm/templates/task-pipeline-summary.yaml b/infrastructure/cicd/tekton-helm/templates/task-pipeline-summary.yaml new file mode 100644 index 00000000..99689037 --- /dev/null +++ b/infrastructure/cicd/tekton-helm/templates/task-pipeline-summary.yaml 
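Review bot: The new `script:` block depends on bash (`#!/bin/bash`, `read -ra`, `<<<`), but the step's `image:` is above the hunk; if it is the kaniko executor image, the default tag ships no shell at all and the `:debug` tag provides busybox `sh` only, so either the image must be checked for bash or the loop rewritten in POSIX sh (for example `for service in $(echo "$(params.services)" | tr ',' ' ')`). Tekton substitutes `$(params.services)` into the script text before the shell starts, so a value containing a quote or other shell metacharacter alters the script rather than being read as data; the recommended pattern is to add `- name: SERVICES` / `value: $(params.services)` to the existing `env:` list and read `"$SERVICES"` in the script, and the same applies to the `echo` lines in task-pipeline-summary.yaml. `$(results.build-status.path)` requires a `build-status` entry under `spec.results`, which is outside this hunk and was not needed by the removed `args:` version, so confirm it is declared or the Task will fail validation. The loop also writes `success` when every entry was skipped, which may be intended but deserves a comment such as `# an empty or "none" list is a successful no-op`.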
@@ -0,0 +1,33 @@ +# Tekton Task for Pipeline Summary +# This task generates a summary of the pipeline execution + +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: pipeline-summary + namespace: {{ .Values.namespace }} + labels: + app.kubernetes.io/name: {{ .Values.labels.app.name }} + app.kubernetes.io/component: summary +spec: + params: + - name: changed-services + type: string + description: Services that were changed + - name: git-revision + type: string + description: Git revision being processed + steps: + - name: generate-summary + image: alpine + script: | + #!/bin/bash + set -e + + echo "=== Bakery-IA CI Pipeline Summary ===" + echo "Git Revision: $(params.git-revision)" + echo "Changed Services: $(params.changed-services)" + echo "Pipeline completed successfully" + + # Log summary to stdout for visibility + echo "Summary generated" \ No newline at end of file diff --git a/infrastructure/cicd/tekton-helm/values-test.yaml b/infrastructure/cicd/tekton-helm/values-test.yaml deleted file mode 100644 index 52e7e2f0..00000000 --- a/infrastructure/cicd/tekton-helm/values-test.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# Test values for Tekton Helm chart -# This file overrides default values for testing purposes - -# Use a test namespace -namespace: "tekton-test" - -# Test registry URL -global: - registry: - url: "localhost:5000" - -# Test secrets -secrets: - webhook: - token: "test-webhook-token" - - registry: - username: "test-user" - password: "test-password" - registryUrl: "localhost:5000" - - git: - username: "test-git-user" - password: "test-git-password" \ No newline at end of file diff --git a/mailu-values-corrected.yaml b/mailu-values-corrected.yaml deleted file mode 100644 index 2ecf412b..00000000 --- a/mailu-values-corrected.yaml +++ /dev/null 
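Review bot: `generate-summary` prints `Pipeline completed successfully` unconditionally, so if this Task is wired as a `finally` task or otherwise runs after a failed build, the log will claim success on a failed run; either derive the message from `$(tasks.<name>.status)` where the pipeline provides it, or reword it to `Summary task finished` so the line does not assert an outcome the step cannot observe. The Task declares no `results`, so nothing downstream can consume the summary beyond pod logs, which is fine if that is the intent but is worth stating in the header comment. The file is also written without a trailing newline, as are the other new templates in this commit.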
@@ -1,208 +0,0 @@ -# Corrected Mailu Helm values to work with existing infrastructure - -# Domain configuration -domain: bakery-ia.local -hostnames: - - mail.bakery-ia.local - -# Mailu version -mailuVersion: "2024.06" -secretKey: "cb61b934d47029a64117c0e4110c93f66bbcf5eaa15c84c42727fad78f7" - -# Timezone -timezone: "Etc/UTC" - -# Postmaster configuration -postmaster: "admin" - -# TLS configuration -tls: - flavor: "notls" # Since we're using ingress for TLS - -# Limits configuration -limits: - messageSizeLimitInMegabytes: 50 - authRatelimit: - ip: "60/hour" - user: "100/day" - messageRatelimit: - value: "200/day" - -# External relay configuration (Mailgun) -externalRelay: - host: "[smtp.mailgun.org]:587" - username: "postmaster@bakery-ia.local" - password: "mailgun-api-key-replace-in-production" - -# Webmail configuration -webmail: - enabled: true - flavor: "roundcube" - -# Antivirus and antispam configuration -antivirus: - enabled: false # Disabled in dev to save resources -antispam: - enabled: true - flavor: "rspamd" - -# Welcome message -welcomeMessage: - enabled: false # Disabled during development - -# Logging -logLevel: "DEBUG" - -# Network configuration -subnet: "10.42.0.0/16" - -# Redis configuration - using external Redis (shared cluster Redis) -externalRedis: - enabled: true - host: "redis-service" # Using the service name in the same namespace - port: 6380 # Using plain TCP port for internal cluster communication - adminQuotaDbId: 15 - adminRateLimitDbId: 15 - rspamdDbId: 15 - -# Database configuration - using existing PostgreSQL service -externalDatabase: - enabled: true - type: "postgresql" - host: "auth-db-service" # Using an existing PostgreSQL service in the namespace - port: 5432 - database: "mailu" # This database needs to be created manually - username: "mailu" - password: "E8Kz47YmVzDlHGs1M9wAbJzxcKnGONCT" - -# Persistence configuration -persistence: - single_pvc: true - size: 10Gi - storageClass: "" - accessModes: [ReadWriteOnce] - -# Ingress 
configuration - disabled to use with existing ingress -ingress: - enabled: false # Disable chart's Ingress; use existing one - tls: false # Disable TLS in chart since ingress handles it - tlsFlavorOverride: notls # No TLS on internal NGINX; expect external proxy to handle TLS - realIpHeader: X-Forwarded-For # Header for client IP from your Ingress - realIpFrom: 0.0.0.0/0 # Trust all proxies (restrict to your Ingress pod CIDR for security) - path: / - pathType: ImplementationSpecific - - # Optional: Enable PROXY protocol for mail protocols if your Ingress supports TCP proxying - proxyProtocol: - smtp: false - smtps: false - submission: false - imap: false - imaps: false - pop3: false - pop3s: false - manageSieve: false - -# Front configuration -front: - image: - tag: "2024.06" - replicaCount: 1 - service: - type: ClusterIP - ports: - http: 80 - https: 443 - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 200m - memory: 256Mi - -# Admin configuration -admin: - image: - tag: "2024.06" - replicaCount: 1 - service: - type: ClusterIP - port: 80 - resources: - requests: - cpu: 100m - memory: 256Mi - limits: - cpu: 300m - memory: 512Mi - -# Postfix configuration -postfix: - image: - tag: "2024.06" - replicaCount: 1 - service: - type: ClusterIP - ports: - smtp: 25 - submission: 587 - resources: - requests: - cpu: 100m - memory: 256Mi - limits: - cpu: 500m - memory: 512Mi - -# Dovecot configuration -dovecot: - image: - tag: "2024.06" - replicaCount: 1 - service: - type: ClusterIP - ports: - imap: 143 - imaps: 993 - resources: - requests: - cpu: 100m - memory: 256Mi - limits: - cpu: 500m - memory: 512Mi - -# Rspamd configuration -rspamd: - image: - tag: "2024.06" - replicaCount: 1 - service: - type: ClusterIP - ports: - rspamd: 11333 - rspamd-admin: 11334 - resources: - requests: - cpu: 200m - memory: 512Mi - limits: - cpu: 1000m - memory: 1Gi - -# Network Policy -networkPolicy: - enabled: true - ingressController: - namespace: ingress-nginx - podSelector: 
| - matchLabels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/component: controller - monitoring: - namespace: monitoring - podSelector: | - matchLabels: - app: signoz-prometheus \ No newline at end of file diff --git a/mailu-values-fixed.yaml b/mailu-values-fixed.yaml deleted file mode 100644 index d1be075b..00000000 --- a/mailu-values-fixed.yaml +++ /dev/null 
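Review bot: Deleting `mailu-values-corrected.yaml` removes it from the tree but not from history, and the file embedded a Mailu `secretKey`, an `externalDatabase.password` and an `externalRelay.password` placeholder in plain text; the same applies to `mailu-values-fixed.yaml` and `mailu-values-internal-db.yaml` (their `postgresql.auth` passwords) and to `values-test.yaml`. Any of these values that was ever used outside a throwaway local environment should be treated as exposed and rotated, and whatever values file replaces these should reference a Secret or an external store rather than inline the credentials. A `.gitignore` entry for local values overrides would help keep the next iteration out of the commit.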
@@ -1,231 +0,0 @@ -# Mailu Helm values with fixes for development environment - -# Domain configuration -domain: bakery-ia.local -hostnames: - - mail.bakery-ia.local - -# Mailu version -mailuVersion: "2024.06" -secretKey: "cb61b934d47029a64117c0e4110c93f66bbcf5eaa15c84c42727fad78f7" - -# Timezone -timezone: "Etc/UTC" - -# Postmaster configuration -postmaster: "admin" - -# TLS configuration -tls: - flavor: "notls" # Since we're using ingress for TLS - -# Limits configuration -limits: - messageSizeLimitInMegabytes: 50 - authRatelimit: - ip: "60/hour" - user: "100/day" - messageRatelimit: - value: "200/day" - -# External relay configuration (Mailgun) -externalRelay: - host: "[smtp.mailgun.org]:587" - username: "postmaster@bakery-ia.local" - password: "mailgun-api-key-replace-in-production" - -# Webmail configuration -webmail: - enabled: true - flavor: "roundcube" - -# Antivirus and antispam configuration -antivirus: - enabled: false # Disabled in dev to save resources -antispam: - enabled: true - flavor: "rspamd" - -# Welcome message -welcomeMessage: - enabled: false # Disabled during development - -# Logging -logLevel: "DEBUG" - -# Network configuration -subnet: "10.42.0.0/16" - -# Use internal database instead of external -externalDatabase: - enabled: false - -# PostgreSQL configuration (internal) -postgresql: - enabled: true - architecture: standalone - auth: - enablePostgresUser: true - postgresPassword: "strong-postgres-password" - username: "mailu" - password: "mailu-db-password" - database: "mailu" - - primary: - persistence: - enabled: true - size: 8Gi - storageClass: "standard" - -# Use internal Redis instead of external -externalRedis: - enabled: false - -# Redis configuration (internal) -redis: - enabled: true - architecture: standalone - auth: - enabled: false # Disable authentication for internal use - - master: - persistence: - enabled: true - size: 1Gi - storageClass: "standard" - -# Persistence configuration -persistence: - single_pvc: true - size: 
10Gi - storageClass: "" - accessModes: [ReadWriteOnce] - -# Ingress configuration - disabled to use with existing ingress -ingress: - enabled: false # Disable chart's Ingress; use existing one - tls: false # Disable TLS in chart since ingress handles it - tlsFlavorOverride: notls # No TLS on internal NGINX; expect external proxy to handle TLS - realIpHeader: X-Forwarded-For # Header for client IP from your Ingress - realIpFrom: 0.0.0.0/0 # Trust all proxies (restrict to your Ingress pod CIDR for security) - path: / - pathType: ImplementationSpecific - - # Optional: Enable PROXY protocol for mail protocols if your Ingress supports TCP proxying - proxyProtocol: - smtp: false - smtps: false - submission: false - imap: false - imaps: false - pop3: false - pop3s: false - manageSieve: false - -# Front configuration -front: - image: - tag: "2024.06" - replicaCount: 1 - service: - type: ClusterIP - ports: - http: 80 - https: 443 - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 200m - memory: 256Mi - -# Admin configuration - with DNSSEC workaround -admin: - image: - tag: "2024.06" - replicaCount: 1 - service: - type: ClusterIP - port: 80 - resources: - requests: - cpu: 100m - memory: 256Mi - limits: - cpu: 300m - memory: 512Mi - # Add environment variables to disable DNSSEC validation - extraEnvVars: - - name: "FLASK_SKIP_DNSSEC_VALIDATION" - value: "true" - -# Postfix configuration -postfix: - image: - tag: "2024.06" - replicaCount: 1 - service: - type: ClusterIP - ports: - smtp: 25 - submission: 587 - resources: - requests: - cpu: 100m - memory: 256Mi - limits: - cpu: 500m - memory: 512Mi - -# Dovecot configuration -dovecot: - image: - tag: "2024.06" - replicaCount: 1 - service: - type: ClusterIP - ports: - imap: 143 - imaps: 993 - resources: - requests: - cpu: 100m - memory: 256Mi - limits: - cpu: 500m - memory: 512Mi - -# Rspamd configuration -rspamd: - image: - tag: "2024.06" - replicaCount: 1 - service: - type: ClusterIP - ports: - rspamd: 11333 - 
rspamd-admin: 11334 - resources: - requests: - cpu: 200m - memory: 512Mi - limits: - cpu: 1000m - memory: 1Gi - -# Network Policy -networkPolicy: - enabled: true - ingressController: - namespace: ingress-nginx - podSelector: | - matchLabels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/component: controller - monitoring: - namespace: monitoring - podSelector: | - matchLabels: - app: signoz-prometheus \ No newline at end of file diff --git a/mailu-values-internal-db.yaml b/mailu-values-internal-db.yaml deleted file mode 100644 index a541eedb..00000000 --- a/mailu-values-internal-db.yaml +++ /dev/null 
@@ -1,227 +0,0 @@ -# Mailu Helm values to use internal database and Redis - -# Domain configuration -domain: bakery-ia.local -hostnames: - - mail.bakery-ia.local - -# Mailu version -mailuVersion: "2024.06" -secretKey: "cb61b934d47029a64117c0e4110c93f66bbcf5eaa15c84c42727fad78f7" - -# Timezone -timezone: "Etc/UTC" - -# Postmaster configuration -postmaster: "admin" - -# TLS configuration -tls: - flavor: "notls" # Since we're using ingress for TLS - -# Limits configuration -limits: - messageSizeLimitInMegabytes: 50 - authRatelimit: - ip: "60/hour" - user: "100/day" - messageRatelimit: - value: "200/day" - -# External relay configuration (Mailgun) -externalRelay: - host: "[smtp.mailgun.org]:587" - username: "postmaster@bakery-ia.local" - password: "mailgun-api-key-replace-in-production" - -# Webmail configuration -webmail: - enabled: true - flavor: "roundcube" - -# Antivirus and antispam configuration -antivirus: - enabled: false # Disabled in dev to save resources -antispam: - enabled: true - flavor: "rspamd" - -# Welcome message -welcomeMessage: - enabled: false # Disabled during development - -# Logging -logLevel: "DEBUG" - -# Network configuration -subnet: "10.42.0.0/16" - -# Use internal database instead of external -externalDatabase: - enabled: false - -# PostgreSQL configuration (internal) -postgresql: - enabled: true - architecture: standalone - auth: - enablePostgresUser: true - postgresPassword: "strong-postgres-password" - username: "mailu" - password: "mailu-db-password" - database: "mailu" - - primary: - persistence: - enabled: true - size: 8Gi - storageClass: "standard" - -# Use internal Redis instead of external -externalRedis: - enabled: false - -# Redis configuration (internal) -redis: - enabled: true - architecture: standalone - auth: - enabled: false # Disable authentication for internal use - - master: - persistence: - enabled: true - size: 1Gi - storageClass: "standard" - -# Persistence configuration -persistence: - single_pvc: true - size: 10Gi - 
storageClass: "" - accessModes: [ReadWriteOnce] - -# Ingress configuration - disabled to use with existing ingress -ingress: - enabled: false # Disable chart's Ingress; use existing one - tls: false # Disable TLS in chart since ingress handles it - tlsFlavorOverride: notls # No TLS on internal NGINX; expect external proxy to handle TLS - realIpHeader: X-Forwarded-For # Header for client IP from your Ingress - realIpFrom: 0.0.0.0/0 # Trust all proxies (restrict to your Ingress pod CIDR for security) - path: / - pathType: ImplementationSpecific - - # Optional: Enable PROXY protocol for mail protocols if your Ingress supports TCP proxying - proxyProtocol: - smtp: false - smtps: false - submission: false - imap: false - imaps: false - pop3: false - pop3s: false - manageSieve: false - -# Front configuration -front: - image: - tag: "2024.06" - replicaCount: 1 - service: - type: ClusterIP - ports: - http: 80 - https: 443 - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 200m - memory: 256Mi - -# Admin configuration -admin: - image: - tag: "2024.06" - replicaCount: 1 - service: - type: ClusterIP - port: 80 - resources: - requests: - cpu: 100m - memory: 256Mi - limits: - cpu: 300m - memory: 512Mi - -# Postfix configuration -postfix: - image: - tag: "2024.06" - replicaCount: 1 - service: - type: ClusterIP - ports: - smtp: 25 - submission: 587 - resources: - requests: - cpu: 100m - memory: 256Mi - limits: - cpu: 500m - memory: 512Mi - -# Dovecot configuration -dovecot: - image: - tag: "2024.06" - replicaCount: 1 - service: - type: ClusterIP - ports: - imap: 143 - imaps: 993 - resources: - requests: - cpu: 100m - memory: 256Mi - limits: - cpu: 500m - memory: 512Mi - -# Rspamd configuration -rspamd: - image: - tag: "2024.06" - replicaCount: 1 - service: - type: ClusterIP - ports: - rspamd: 11333 - rspamd-admin: 11334 - resources: - requests: - cpu: 200m - memory: 512Mi - limits: - cpu: 1000m - memory: 1Gi - -# Network Policy -networkPolicy: - enabled: true - 
ingressController: - namespace: ingress-nginx - podSelector: | - matchLabels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/component: controller - monitoring: - namespace: monitoring - podSelector: | - matchLabels: - app: signoz-prometheus \ No newline at end of file