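# Tekton Update GitOps Task for Bakery-IA CI/CD
# This task updates GitOps manifests with new image tags.
#
# Notes for maintainers:
#   - Task params are handed to the step as environment variables instead of
#     being spliced into the script text with $(params.*); a textual splice
#     lets the param value change the script itself, an env var cannot.
#   - Git credentials are provided through a credential helper so the password
#     never appears in the clone URL, in git's error output, or in .git/config.
#   - The image-reference rewrite matches the registry.bakewise.ai/bakery-admin
#     prefix that the committed manifests use; a manifest already pointing at a
#     different registry is left untouched (and reported as "Updated" only if
#     the file exists, not if the pattern matched).
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: update-gitops
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app.kubernetes.io/name: {{ .Values.labels.app.name | quote }}
    app.kubernetes.io/component: gitops
spec:
  workspaces:
    - name: source
      description: Workspace containing the source code
    # NOTE(review): declared for callers but not referenced by the step; the
    # step reads its credentials from the gitea-git-credentials Secret below.
    - name: git-credentials
      description: Git credentials for pushing changes
  params:
    - name: services
      type: string
      description: Comma-separated list of services to update
    - name: registry
      type: string
      description: Container registry URL
    - name: git-revision
      type: string
      description: Git revision to tag images with
    - name: git-branch
      type: string
      description: Git branch to push changes to
    - name: dry-run
      type: string
      description: Dry run mode - don't push changes (only the exact string "true" enables it)
      default: "false"
  steps:
    - name: update-manifests
      # Pinned by tag; pinning by digest (image@sha256:<digest>) would make the
      # step image immutable across registry re-pushes of the same tag.
      image: alpine/git:2.43.0
      securityContext:
        runAsNonRoot: true
        runAsUser: 65532
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
        seccompProfile:
          type: RuntimeDefault
      workingDir: $(workspaces.source.path)
      env:
        - name: HOME
          value: /tekton/home
        # Task params and the workspace path, exposed to the script as plain
        # environment variables (see header note).
        - name: SERVICES
          value: "$(params.services)"
        - name: REGISTRY
          value: "$(params.registry)"
        - name: GIT_REVISION
          value: "$(params.git-revision)"
        - name: GIT_BRANCH
          value: "$(params.git-branch)"
        - name: DRY_RUN
          value: "$(params.dry-run)"
        - name: SOURCE_PATH
          value: "$(workspaces.source.path)"
        - name: GIT_USERNAME
          valueFrom:
            secretKeyRef:
              name: gitea-git-credentials
              key: username
        - name: GIT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: gitea-git-credentials
              key: password
      script: |
        #!/bin/sh
        set -e

        echo "============================================"
        echo "Updating GitOps Manifests"
        echo "Services: ${SERVICES}"
        echo "Registry: ${REGISTRY}"
        echo "Revision: ${GIT_REVISION}"
        echo "Branch: ${GIT_BRANCH}"
        echo "Dry run: ${DRY_RUN}"
        echo "============================================"

        # Both values are spliced into sed replacement strings below, where
        # '|' (the delimiter) and '&' (whole-match backreference) are special.
        # Neither character is valid in a registry path or an image tag, so
        # refusing them costs nothing and keeps the rewrite well-formed.
        case "${REGISTRY}${GIT_REVISION}" in
          *'|'*|*'&'*)
            echo "Error: registry and git-revision must not contain '|' or '&'" >&2
            exit 1
            ;;
        esac

        # Configure git
        git config --global user.email "ci@bakery-ia.local"
        git config --global user.name "bakery-ia-ci"

        # Mark directories as safe to avoid ownership issues
        git config --global --add safe.directory /tmp/gitops
        git config --global --add safe.directory "${SOURCE_PATH}"

        # Hand credentials to git through a helper that answers "get" requests
        # from the environment. The remote URL therefore carries no password,
        # so neither git error messages nor /tmp/gitops/.git/config expose it.
        git config --global credential.helper \
          '!f() { if [ "$1" = get ]; then printf "username=%s\npassword=%s\n" "$GIT_USERNAME" "$GIT_PASSWORD"; fi; }; f'

        # Clone the main repository (not a separate gitops repo)
        # Use external HTTPS URL via ingress for reliable TLS connectivity
        REPO_URL="https://gitea.bakewise.ai/bakery-admin/bakery-ia.git"
        git clone "$REPO_URL" /tmp/gitops
        cd /tmp/gitops

        # Switch to target branch
        git checkout "${GIT_BRANCH}" || git checkout -b "${GIT_BRANCH}"

        # Compute short hash once for job name updates
        SHORT_HASH=$(printf '%s' "${GIT_REVISION}" | cut -c 1-8)

        # update_image FILE IMAGE
        # Point the "image: registry.bakewise.ai/bakery-admin/IMAGE:<tag>" line(s)
        # in FILE at ${REGISTRY}/IMAGE:${GIT_REVISION}.
        update_image() {
          sed -i "s|image: registry.bakewise.ai/bakery-admin/$2:.*|image: ${REGISTRY}/$2:${GIT_REVISION}|g" "$1"
        }

        # rename_job FILE PREFIX
        # Rewrite "name: PREFIX-<hex>" in FILE to "name: PREFIX-${SHORT_HASH}" so
        # every commit yields a uniquely named Job. The pattern is a substring
        # match, so "app.kubernetes.io/name: PREFIX-<hex>" label lines are
        # rewritten by the same call.
        rename_job() {
          sed -i "s|name: $2-[a-f0-9]*|name: $2-${SHORT_HASH}|g" "$1"
        }

        # Update image tags in Kubernetes manifests
        # Service names come from detect-changes task as folder names: auth, tenant, ai_insights, etc.
        for service in $(printf '%s' "${SERVICES}" | tr ',' '\n'); do
          # Trim surrounding whitespace
          service=$(printf '%s' "$service" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
          if [ -z "$service" ] || [ "$service" = "none" ] || [ "$service" = "infrastructure" ] || [ "$service" = "shared" ]; then
            continue
          fi

          echo ""
          echo "============================================"
          echo "Updating manifest for service: $service"
          echo "============================================"

          # IMAGE_NAME is the same as the service folder name (matching Kaniko output)
          # This ensures consistency: folder name = image name = manifest reference
          IMAGE_NAME="$service"

          # Determine manifest paths based on service
          # Directory structure uses hyphens: ai-insights, alert-processor, demo-session
          # But image names use underscores: ai_insights, alert_processor, demo_session
          service_dir=$(printf '%s' "$service" | sed 's/_/-/g')

          case "$service" in
            gateway)
              MANIFEST_PATH="infrastructure/platform/gateway/gateway-service.yaml"
              ;;
            frontend)
              MANIFEST_PATH="infrastructure/services/microservices/frontend/frontend-service.yaml"
              ;;
            alert_processor)
              MANIFEST_PATH="infrastructure/services/microservices/alert-processor/alert-processor.yaml"
              ;;
            demo_session)
              # demo-session uses deployment.yaml instead of demo-session-service.yaml
              MANIFEST_PATH="infrastructure/services/microservices/demo-session/deployment.yaml"
              ;;
            *)
              # Standard services: auth, tenant, orders, inventory, etc.
              # Also handles: ai_insights -> ai-insights, external -> external
              MANIFEST_PATH="infrastructure/services/microservices/${service_dir}/${service_dir}-service.yaml"
              ;;
          esac

          # Update the image tag in the deployment YAML
          if [ -f "$MANIFEST_PATH" ]; then
            update_image "$MANIFEST_PATH" "$IMAGE_NAME"
            echo "Updated: $MANIFEST_PATH -> ${REGISTRY}/${IMAGE_NAME}:${GIT_REVISION}"
          else
            echo "Warning: Manifest not found: $MANIFEST_PATH"
          fi

          # Update migration job if it exists
          # Migration jobs use the hyphenated directory name
          MIGRATION_JOB_PATH="infrastructure/services/microservices/${service_dir}/migrations/${service_dir}-migration-job.yaml"
          if [ -f "$MIGRATION_JOB_PATH" ]; then
            update_image "$MIGRATION_JOB_PATH" "$IMAGE_NAME"
            # Job name (and matching app.kubernetes.io/name label) get the short commit hash
            rename_job "$MIGRATION_JOB_PATH" "${service_dir}-migration"
            echo "Updated migration: $MIGRATION_JOB_PATH"
          fi

          # Special case: external service has additional jobs
          if [ "$service" = "external" ]; then
            # Update external-data-init job
            EXTERNAL_DATA_INIT_JOB="infrastructure/services/microservices/external/migrations/external-data-init-job.yaml"
            if [ -f "$EXTERNAL_DATA_INIT_JOB" ]; then
              update_image "$EXTERNAL_DATA_INIT_JOB" "external"
              rename_job "$EXTERNAL_DATA_INIT_JOB" "external-data-init"
              echo "Updated external-data-init job: $EXTERNAL_DATA_INIT_JOB"
            fi

            # Update external-data-rotation cronjob
            EXTERNAL_DATA_ROTATION_JOB="infrastructure/services/microservices/external/cronjobs/external-data-rotation-cronjob.yaml"
            if [ -f "$EXTERNAL_DATA_ROTATION_JOB" ]; then
              update_image "$EXTERNAL_DATA_ROTATION_JOB" "external"
              rename_job "$EXTERNAL_DATA_ROTATION_JOB" "external-data-rotation"
              echo "Updated external-data-rotation cronjob: $EXTERNAL_DATA_ROTATION_JOB"
            fi
          fi

          # Special case: demo_session service has cleanup worker
          if [ "$service" = "demo_session" ]; then
            DEMO_CLEANUP_WORKER="infrastructure/services/microservices/demo-session/demo-cleanup-worker.yaml"
            if [ -f "$DEMO_CLEANUP_WORKER" ]; then
              update_image "$DEMO_CLEANUP_WORKER" "demo_session"
              rename_job "$DEMO_CLEANUP_WORKER" "demo-cleanup-worker"
              echo "Updated demo-cleanup-worker: $DEMO_CLEANUP_WORKER"
            fi
          fi
        done

        # Commit and push changes (unless dry-run)
        # Only the exact string "true" enables dry-run; any other value pushes.
        if [ "${DRY_RUN}" != "true" ]; then
          git add .
          git status
          if ! git diff --cached --quiet; then
            git commit -m "Update images for services: ${SERVICES} [skip ci]"
            git push origin "${GIT_BRANCH}"
            echo "GitOps manifests updated successfully"
          else
            echo "No changes to commit"
          fi
        else
          echo "Dry run mode - changes not pushed"
          git status
          git diff
        fi
      resources:
        limits:
          cpu: 500m
          memory: 512Mi
        requests:
          cpu: 100m
          memory: 128Mi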