Add new infra architecture 4

This commit is contained in:
Urtzi Alfaro
2026-01-19 14:22:07 +01:00
parent 9edcc8c231
commit e96405b828
10 changed files with 102 additions and 753 deletions


@@ -1,44 +0,0 @@
# Gitea Ingress Configuration
# Routes external traffic to Gitea service for web UI and Git HTTP access
#
# Prerequisites:
# - Gitea must be deployed in the 'gitea' namespace
# - Ingress controller must be installed (nginx, traefik, etc.)
# - For HTTPS: cert-manager with a ClusterIssuer named 'letsencrypt-prod' or 'local-ca-issuer'
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: gitea-ingress
namespace: gitea
labels:
app.kubernetes.io/name: gitea
app.kubernetes.io/component: ingress
app.kubernetes.io/part-of: bakery-ia-cicd
annotations:
# For nginx ingress controller
nginx.ingress.kubernetes.io/proxy-body-size: "100m"
nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
# For traefik ingress controller
traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
# For TLS with cert-manager (uncomment for HTTPS)
# cert-manager.io/cluster-issuer: "local-ca-issuer"
spec:
ingressClassName: nginx
# Uncomment for HTTPS
# tls:
# - hosts:
# - gitea.bakery-ia.local
# secretName: gitea-tls
rules:
- host: gitea.bakery-ia.local
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: gitea-http
port:
number: 3000


@@ -1,9 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# Tekton is now managed via Helm, so we don't include it directly here
# The Tekton Helm chart is deployed separately via Tilt
# Gitea is managed via Helm, so we don't include it directly here
# The Gitea Helm chart is deployed separately and referenced in the ingress
# Flux is now managed via Helm chart located in this directory, so we don't include it directly here


@@ -29,5 +29,4 @@ spec:
bindings:
- ref: bakery-ia-trigger-binding
template:
ref: bakery-ia-trigger-template
replicas: 1
ref: bakery-ia-trigger-template


@@ -0,0 +1,46 @@
# Tekton Task to Detect Changed Services
# This task analyzes git changes to determine which services need to be built
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: detect-changed-services
namespace: {{ .Values.namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: detection
spec:
workspaces:
- name: source
description: Workspace containing the source code
results:
- name: changed-services
description: Comma-separated list of changed services
steps:
- name: detect-changes
image: alpine/git
script: |
#!/bin/bash
set -e
cd $(workspaces.source.path)
# Get the list of changed files
CHANGED_FILES=$(git diff --name-only HEAD~1 HEAD 2>/dev/null || git diff --name-only $(git rev-parse --abbrev-ref HEAD)@{upstream} HEAD 2>/dev/null || echo "")
if [ -z "$CHANGED_FILES" ]; then
# No changes detected, assume all services need building
echo "No git changes detected, building all services"
echo "all" > $(results.changed-services.path)
exit 0
fi
# Extract service names from changed file paths
CHANGED_SERVICES=$(echo "$CHANGED_FILES" | grep -o 'services/[^/]*' | sed 's/services\/\//' | sort -u | tr '\n' ',' | sed 's/,$//')
if [ -z "$CHANGED_SERVICES" ]; then
# Changes are in infrastructure or other non-service files
echo "infrastructure" > $(results.changed-services.path)
else
echo "$CHANGED_SERVICES" > $(results.changed-services.path)
fi
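Review bot: The `detect-changes` step declares `#!/bin/bash` but runs on `alpine/git`, which is Alpine-based and, unless bash was added to that image, has no `/bin/bash`, so Tekton fails to exec the script before any detection logic runs; the script only uses POSIX constructs, so `#!/bin/sh` is sufficient. The `sed 's/services\/\//'` expression as rendered here looks unterminated, and because the script sets only `set -e`, a sed failure inside that pipeline is swallowed and the task quietly writes `infrastructure`, i.e. nothing gets built; I would write `sed 's#^services/##'` and use `set -eu` plus `set -o pipefail` if the image's shell supports it (busybox ash does, as far as I know). Diffing `HEAD~1 HEAD` also sees only the last commit of a multi-commit push and fails outright on a depth-1 clone (falling through to `all`), so consider taking the base revision as a task param instead of guessing it from the checkout.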


@@ -34,14 +34,28 @@ spec:
env:
- name: DOCKER_CONFIG
value: /tekton/home/.docker
command:
- /kaniko/executor
args:
- --dockerfile=$(workspaces.source.path)/Dockerfile
- --destination=$(params.registry)/$(params.service):$(params.git-revision)
- --context=$(workspaces.source.path)
- --cache=true
- --cache-repo=$(params.registry)/cache
script: |
#!/bin/bash
set -e
# Split services parameter by comma
IFS=',' read -ra SERVICES <<< "$(params.services)"
# Build each service
for service in "${SERVICES[@]}"; do
service=$(echo "$service" | xargs) # Trim whitespace
if [ -n "$service" ] && [ "$service" != "none" ]; then
echo "Building service: $service"
/kaniko/executor \
--dockerfile="$(workspaces.source.path)/services/$service/Dockerfile" \
--destination="$(params.registry)/$service:$(params.git-revision)" \
--context="$(workspaces.source.path)" \
--cache=true \
--cache-repo="$(params.registry)/cache"
fi
done
echo "success" > $(results.build-status.path)
resources:
limits:
cpu: 2000m
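Review bot: `$(params.services)` is spliced into the script text by Tekton before the shell parses it, and each token is then used unvalidated both as a path (`services/$service/Dockerfile`) and as an image reference, so a crafted service name executes in this pod next to the registry credentials mounted via `DOCKER_CONFIG`; pass the param through `env:` and accept only plain directory names that actually contain a Dockerfile. The loop also skips only `none`, while `detect-changed-services` in this same commit emits `all` and `infrastructure` — if the pipeline feeds that result straight into this param, `all` becomes a failing build of `services/all/Dockerfile`. The step's `image:` is above this hunk; the stock kaniko images ship only busybox and no `/bin/bash`, so `#!/bin/bash`, `read -ra` and `<<<` only work if the image was rebuilt with bash, which is why the sketch below sticks to POSIX sh. Consider also writing kaniko's pushed digest (`--digest-file`) into a result so later stages pin by digest rather than by the mutable `$(params.git-revision)` tag.
```yaml
      env:
        - name: DOCKER_CONFIG
          value: /tekton/home/.docker
        # Hand the param over as an environment variable instead of splicing it into the script text
        - name: SERVICES_PARAM
          value: $(params.services)
      script: |
        #!/bin/sh
        # adjust the shebang to the shell the step image actually ships (kaniko debug images have /busybox/sh, no bash)
        set -eu
        SRC="$(workspaces.source.path)"
        if [ "$SERVICES_PARAM" = "all" ]; then
          # Sentinel from detect-changed-services: build every directory under services/
          SERVICES_PARAM=$(cd "$SRC/services" && ls -d */ | sed 's#/$##' | tr '\n' ',')
        fi
        IFS=','
        for service in $SERVICES_PARAM; do
          service=$(echo "$service" | xargs)
          case "$service" in ""|none|infrastructure) continue ;; esac
          # Only a plain directory name with a Dockerfile may reach the path and image reference below
          if ! echo "$service" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9._-]*$' || [ ! -f "$SRC/services/$service/Dockerfile" ]; then
            echo "Refusing to build unknown or malformed service name: $service" >&2
            exit 1
          fi
          echo "Building service: $service"
          # … unchanged: /kaniko/executor invocation …
        done
        unset IFS
        echo "success" > $(results.build-status.path)
```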


@@ -0,0 +1,33 @@
# Tekton Task for Pipeline Summary
# This task generates a summary of the pipeline execution
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: pipeline-summary
namespace: {{ .Values.namespace }}
labels:
app.kubernetes.io/name: {{ .Values.labels.app.name }}
app.kubernetes.io/component: summary
spec:
params:
- name: changed-services
type: string
description: Services that were changed
- name: git-revision
type: string
description: Git revision being processed
steps:
- name: generate-summary
image: alpine
script: |
#!/bin/bash
set -e
echo "=== Bakery-IA CI Pipeline Summary ==="
echo "Git Revision: $(params.git-revision)"
echo "Changed Services: $(params.changed-services)"
echo "Pipeline completed successfully"
# Log summary to stdout for visibility
echo "Summary generated"
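Review bot: `$(params.git-revision)` and `$(params.changed-services)` are substituted into the script text before the shell parses it, so a revision or service string carrying `"` or `$(...)` — values that may originate from the webhook payload if the trigger binding maps them through — is executed rather than printed; pass them via `env:` and reference the variables instead. The step also declares `#!/bin/bash` on the plain `alpine` image, which does not ship bash, so as written the step fails before its first `echo`; `#!/bin/sh` is enough for this script.
```yaml
  - name: generate-summary
    image: alpine
    # Parameters are passed through the environment so their contents are never parsed as shell
    env:
      - name: GIT_REVISION
        value: $(params.git-revision)
      - name: CHANGED_SERVICES
        value: $(params.changed-services)
    script: |
      #!/bin/sh
      set -eu
      echo "=== Bakery-IA CI Pipeline Summary ==="
      echo "Git Revision: $GIT_REVISION"
      echo "Changed Services: $CHANGED_SERVICES"
      # … unchanged: remaining echo lines …
```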


@@ -1,24 +0,0 @@
# Test values for Tekton Helm chart
# This file overrides default values for testing purposes
# Use a test namespace
namespace: "tekton-test"
# Test registry URL
global:
registry:
url: "localhost:5000"
# Test secrets
secrets:
webhook:
token: "test-webhook-token"
registry:
username: "test-user"
password: "test-password"
registryUrl: "localhost:5000"
git:
username: "test-git-user"
password: "test-git-password"


@@ -1,208 +0,0 @@
# Corrected Mailu Helm values to work with existing infrastructure
# Domain configuration
domain: bakery-ia.local
hostnames:
- mail.bakery-ia.local
# Mailu version
mailuVersion: "2024.06"
secretKey: "cb61b934d47029a64117c0e4110c93f66bbcf5eaa15c84c42727fad78f7"
# Timezone
timezone: "Etc/UTC"
# Postmaster configuration
postmaster: "admin"
# TLS configuration
tls:
flavor: "notls" # Since we're using ingress for TLS
# Limits configuration
limits:
messageSizeLimitInMegabytes: 50
authRatelimit:
ip: "60/hour"
user: "100/day"
messageRatelimit:
value: "200/day"
# External relay configuration (Mailgun)
externalRelay:
host: "[smtp.mailgun.org]:587"
username: "postmaster@bakery-ia.local"
password: "mailgun-api-key-replace-in-production"
# Webmail configuration
webmail:
enabled: true
flavor: "roundcube"
# Antivirus and antispam configuration
antivirus:
enabled: false # Disabled in dev to save resources
antispam:
enabled: true
flavor: "rspamd"
# Welcome message
welcomeMessage:
enabled: false # Disabled during development
# Logging
logLevel: "DEBUG"
# Network configuration
subnet: "10.42.0.0/16"
# Redis configuration - using external Redis (shared cluster Redis)
externalRedis:
enabled: true
host: "redis-service" # Using the service name in the same namespace
port: 6380 # Using plain TCP port for internal cluster communication
adminQuotaDbId: 15
adminRateLimitDbId: 15
rspamdDbId: 15
# Database configuration - using existing PostgreSQL service
externalDatabase:
enabled: true
type: "postgresql"
host: "auth-db-service" # Using an existing PostgreSQL service in the namespace
port: 5432
database: "mailu" # This database needs to be created manually
username: "mailu"
password: "E8Kz47YmVzDlHGs1M9wAbJzxcKnGONCT"
# Persistence configuration
persistence:
single_pvc: true
size: 10Gi
storageClass: ""
accessModes: [ReadWriteOnce]
# Ingress configuration - disabled to use with existing ingress
ingress:
enabled: false # Disable chart's Ingress; use existing one
tls: false # Disable TLS in chart since ingress handles it
tlsFlavorOverride: notls # No TLS on internal NGINX; expect external proxy to handle TLS
realIpHeader: X-Forwarded-For # Header for client IP from your Ingress
realIpFrom: 0.0.0.0/0 # Trust all proxies (restrict to your Ingress pod CIDR for security)
path: /
pathType: ImplementationSpecific
# Optional: Enable PROXY protocol for mail protocols if your Ingress supports TCP proxying
proxyProtocol:
smtp: false
smtps: false
submission: false
imap: false
imaps: false
pop3: false
pop3s: false
manageSieve: false
# Front configuration
front:
image:
tag: "2024.06"
replicaCount: 1
service:
type: ClusterIP
ports:
http: 80
https: 443
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 200m
memory: 256Mi
# Admin configuration
admin:
image:
tag: "2024.06"
replicaCount: 1
service:
type: ClusterIP
port: 80
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 300m
memory: 512Mi
# Postfix configuration
postfix:
image:
tag: "2024.06"
replicaCount: 1
service:
type: ClusterIP
ports:
smtp: 25
submission: 587
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
# Dovecot configuration
dovecot:
image:
tag: "2024.06"
replicaCount: 1
service:
type: ClusterIP
ports:
imap: 143
imaps: 993
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
# Rspamd configuration
rspamd:
image:
tag: "2024.06"
replicaCount: 1
service:
type: ClusterIP
ports:
rspamd: 11333
rspamd-admin: 11334
resources:
requests:
cpu: 200m
memory: 512Mi
limits:
cpu: 1000m
memory: 1Gi
# Network Policy
networkPolicy:
enabled: true
ingressController:
namespace: ingress-nginx
podSelector: |
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/component: controller
monitoring:
namespace: monitoring
podSelector: |
matchLabels:
app: signoz-prometheus
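Review bot: Deleting this values file does not remove the credentials it carried from history: the Mailu `secretKey`, the `auth-db-service` password `E8Kz…` for the `mailu` user and the relay settings stay reachable in every earlier commit, and the same `secretKey` is repeated verbatim in the other two Mailu values files removed by this commit. If that database user or the Mailu instance still exists anywhere, rotate the key and password now rather than relying on the deletion, and have the replacement values reference a Kubernetes Secret (via whatever `existingSecret`-style keys the chart offers, if any) instead of inlining them; a pre-commit secret scan on the Helm values directories would have caught these.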


@@ -1,231 +0,0 @@
# Mailu Helm values with fixes for development environment
# Domain configuration
domain: bakery-ia.local
hostnames:
- mail.bakery-ia.local
# Mailu version
mailuVersion: "2024.06"
secretKey: "cb61b934d47029a64117c0e4110c93f66bbcf5eaa15c84c42727fad78f7"
# Timezone
timezone: "Etc/UTC"
# Postmaster configuration
postmaster: "admin"
# TLS configuration
tls:
flavor: "notls" # Since we're using ingress for TLS
# Limits configuration
limits:
messageSizeLimitInMegabytes: 50
authRatelimit:
ip: "60/hour"
user: "100/day"
messageRatelimit:
value: "200/day"
# External relay configuration (Mailgun)
externalRelay:
host: "[smtp.mailgun.org]:587"
username: "postmaster@bakery-ia.local"
password: "mailgun-api-key-replace-in-production"
# Webmail configuration
webmail:
enabled: true
flavor: "roundcube"
# Antivirus and antispam configuration
antivirus:
enabled: false # Disabled in dev to save resources
antispam:
enabled: true
flavor: "rspamd"
# Welcome message
welcomeMessage:
enabled: false # Disabled during development
# Logging
logLevel: "DEBUG"
# Network configuration
subnet: "10.42.0.0/16"
# Use internal database instead of external
externalDatabase:
enabled: false
# PostgreSQL configuration (internal)
postgresql:
enabled: true
architecture: standalone
auth:
enablePostgresUser: true
postgresPassword: "strong-postgres-password"
username: "mailu"
password: "mailu-db-password"
database: "mailu"
primary:
persistence:
enabled: true
size: 8Gi
storageClass: "standard"
# Use internal Redis instead of external
externalRedis:
enabled: false
# Redis configuration (internal)
redis:
enabled: true
architecture: standalone
auth:
enabled: false # Disable authentication for internal use
master:
persistence:
enabled: true
size: 1Gi
storageClass: "standard"
# Persistence configuration
persistence:
single_pvc: true
size: 10Gi
storageClass: ""
accessModes: [ReadWriteOnce]
# Ingress configuration - disabled to use with existing ingress
ingress:
enabled: false # Disable chart's Ingress; use existing one
tls: false # Disable TLS in chart since ingress handles it
tlsFlavorOverride: notls # No TLS on internal NGINX; expect external proxy to handle TLS
realIpHeader: X-Forwarded-For # Header for client IP from your Ingress
realIpFrom: 0.0.0.0/0 # Trust all proxies (restrict to your Ingress pod CIDR for security)
path: /
pathType: ImplementationSpecific
# Optional: Enable PROXY protocol for mail protocols if your Ingress supports TCP proxying
proxyProtocol:
smtp: false
smtps: false
submission: false
imap: false
imaps: false
pop3: false
pop3s: false
manageSieve: false
# Front configuration
front:
image:
tag: "2024.06"
replicaCount: 1
service:
type: ClusterIP
ports:
http: 80
https: 443
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 200m
memory: 256Mi
# Admin configuration - with DNSSEC workaround
admin:
image:
tag: "2024.06"
replicaCount: 1
service:
type: ClusterIP
port: 80
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 300m
memory: 512Mi
# Add environment variables to disable DNSSEC validation
extraEnvVars:
- name: "FLASK_SKIP_DNSSEC_VALIDATION"
value: "true"
# Postfix configuration
postfix:
image:
tag: "2024.06"
replicaCount: 1
service:
type: ClusterIP
ports:
smtp: 25
submission: 587
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
# Dovecot configuration
dovecot:
image:
tag: "2024.06"
replicaCount: 1
service:
type: ClusterIP
ports:
imap: 143
imaps: 993
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
# Rspamd configuration
rspamd:
image:
tag: "2024.06"
replicaCount: 1
service:
type: ClusterIP
ports:
rspamd: 11333
rspamd-admin: 11334
resources:
requests:
cpu: 200m
memory: 512Mi
limits:
cpu: 1000m
memory: 1Gi
# Network Policy
networkPolicy:
enabled: true
ingressController:
namespace: ingress-nginx
podSelector: |
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/component: controller
monitoring:
namespace: monitoring
podSelector: |
matchLabels:
app: signoz-prometheus


@@ -1,227 +0,0 @@
# Mailu Helm values to use internal database and Redis
# Domain configuration
domain: bakery-ia.local
hostnames:
- mail.bakery-ia.local
# Mailu version
mailuVersion: "2024.06"
secretKey: "cb61b934d47029a64117c0e4110c93f66bbcf5eaa15c84c42727fad78f7"
# Timezone
timezone: "Etc/UTC"
# Postmaster configuration
postmaster: "admin"
# TLS configuration
tls:
flavor: "notls" # Since we're using ingress for TLS
# Limits configuration
limits:
messageSizeLimitInMegabytes: 50
authRatelimit:
ip: "60/hour"
user: "100/day"
messageRatelimit:
value: "200/day"
# External relay configuration (Mailgun)
externalRelay:
host: "[smtp.mailgun.org]:587"
username: "postmaster@bakery-ia.local"
password: "mailgun-api-key-replace-in-production"
# Webmail configuration
webmail:
enabled: true
flavor: "roundcube"
# Antivirus and antispam configuration
antivirus:
enabled: false # Disabled in dev to save resources
antispam:
enabled: true
flavor: "rspamd"
# Welcome message
welcomeMessage:
enabled: false # Disabled during development
# Logging
logLevel: "DEBUG"
# Network configuration
subnet: "10.42.0.0/16"
# Use internal database instead of external
externalDatabase:
enabled: false
# PostgreSQL configuration (internal)
postgresql:
enabled: true
architecture: standalone
auth:
enablePostgresUser: true
postgresPassword: "strong-postgres-password"
username: "mailu"
password: "mailu-db-password"
database: "mailu"
primary:
persistence:
enabled: true
size: 8Gi
storageClass: "standard"
# Use internal Redis instead of external
externalRedis:
enabled: false
# Redis configuration (internal)
redis:
enabled: true
architecture: standalone
auth:
enabled: false # Disable authentication for internal use
master:
persistence:
enabled: true
size: 1Gi
storageClass: "standard"
# Persistence configuration
persistence:
single_pvc: true
size: 10Gi
storageClass: ""
accessModes: [ReadWriteOnce]
# Ingress configuration - disabled to use with existing ingress
ingress:
enabled: false # Disable chart's Ingress; use existing one
tls: false # Disable TLS in chart since ingress handles it
tlsFlavorOverride: notls # No TLS on internal NGINX; expect external proxy to handle TLS
realIpHeader: X-Forwarded-For # Header for client IP from your Ingress
realIpFrom: 0.0.0.0/0 # Trust all proxies (restrict to your Ingress pod CIDR for security)
path: /
pathType: ImplementationSpecific
# Optional: Enable PROXY protocol for mail protocols if your Ingress supports TCP proxying
proxyProtocol:
smtp: false
smtps: false
submission: false
imap: false
imaps: false
pop3: false
pop3s: false
manageSieve: false
# Front configuration
front:
image:
tag: "2024.06"
replicaCount: 1
service:
type: ClusterIP
ports:
http: 80
https: 443
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 200m
memory: 256Mi
# Admin configuration
admin:
image:
tag: "2024.06"
replicaCount: 1
service:
type: ClusterIP
port: 80
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 300m
memory: 512Mi
# Postfix configuration
postfix:
image:
tag: "2024.06"
replicaCount: 1
service:
type: ClusterIP
ports:
smtp: 25
submission: 587
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
# Dovecot configuration
dovecot:
image:
tag: "2024.06"
replicaCount: 1
service:
type: ClusterIP
ports:
imap: 143
imaps: 993
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
# Rspamd configuration
rspamd:
image:
tag: "2024.06"
replicaCount: 1
service:
type: ClusterIP
ports:
rspamd: 11333
rspamd-admin: 11334
resources:
requests:
cpu: 200m
memory: 512Mi
limits:
cpu: 1000m
memory: 1Gi
# Network Policy
networkPolicy:
enabled: true
ingressController:
namespace: ingress-nginx
podSelector: |
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/component: controller
monitoring:
namespace: monitoring
podSelector: |
matchLabels:
app: signoz-prometheus