chore: restore independent prod gitops config

README.md

@@ -1,27 +1,31 @@
-# ircs-prod-config
+# ircs-prod-config
 
-Independent GitOps repository for IRCS V3 production namespace `ircs-prod`.
+独立 GitOps 仓库，负责 IRCS V3 生产 namespace `ircs-prod` 的 Kubernetes 运行配置。
 
-This repo intentionally separates production runtime state from the source repository:
+代码仓库只负责构建和推送镜像；Argo CD 不再同步后端仓库中的生产清单。所有生产配置入口都在本仓库：
 
-- source repo: `gitea-admin/ircs-project-v3`, builds and pushes service images.
+- Argo CD Application：`apps/`
-- GitOps repo: `gitea-admin/ircs-prod-config`, declares Kubernetes runtime resources.
+- 生产 core 清单：`ircs-prod/core/`
+- 生产 edge HTTPRoute：`ircs-prod/edge-cutover/`
+- 数据库迁移 Job：`ircs-prod/migration/`
 
-Secrets are not stored here. Run `scripts/prepare-prod-secrets.ps1` before syncing the core ArgoCD application.
+当前 Argo CD repoURL：
 
-Deployment order:
+```text
+http://gitea-http.gitea.svc.cluster.local:3000/admin/ircs-prod-config.git
+```
 
-1. Prepare `ircs-prod` namespace and secrets.
+## 发布链路
-2. Apply `apps/ircs-prod-core-application.yaml` to ArgoCD and sync it.
-3. Let the V3 migrator initialize a clean database. Do not migrate legacy `ircs-system` data by default.
-4. Verify portals and BFF through cluster endpoints.
-5. Sync `apps/ircs-prod-edge-application.yaml` or apply `ircs-prod/edge-cutover`, then remove old `ircs-system` business routes.
 
-Edge cutover is isolated from core to avoid hostname conflict while the old `ircs-system` routes still own production domains.
+1. 后端或前端仓库的 Gitea Actions 构建 ARM64 镜像并推送到 `registry.mnnu.eu.org/ircs`。
+2. Actions clone 本仓库并更新 `ircs-prod/` 中对应镜像标签。
+3. Actions 将 tag 回写 commit push 到本仓库 `main`。
+4. Argo CD 同步本仓库中的 `ircs-prod-core` 和 `ircs-prod-edge`。
+5. `ircs-prod-migrator` 保留为手动同步对象，避免迁移 Job 被镜像标签变化反复触发。
 
-Current cutover state:
+## 当前域名
 
-- `ircs-prod-core`: Synced/Healthy.
+- `huawai.mnnu.eu.org` -> `ircs-portal-frontend:3000`
-- `ircs-prod-edge`: Synced/Healthy.
+- `admin.mnnu.eu.org` -> `ircs-admin-frontend:80`
-- `ircs-system/huawai-route` and `ircs-system/ircs-route`: removed.
+
-- `ircs-system/kibana-route`: retained.
+公网 TLS 由 Envoy Gateway 和基础设施处理，业务 Pod 内部不配置 TLS。

apps/ircs-prod-core-application.yaml

@@ -9,7 +9,7 @@ metadata:
 spec:
   project: default
   source:
-    repoURL: https://gitea.mnnu.eu.org/gitea-admin/ircs-prod-config.git
+    repoURL: http://gitea-http.gitea.svc.cluster.local:3000/admin/ircs-prod-config.git
     targetRevision: main
     path: ircs-prod/core
   destination:

apps/ircs-prod-edge-application.yaml

@@ -9,13 +9,16 @@ metadata:
 spec:
   project: default
   source:
-    repoURL: https://gitea.mnnu.eu.org/gitea-admin/ircs-prod-config.git
+    repoURL: http://gitea-http.gitea.svc.cluster.local:3000/admin/ircs-prod-config.git
     targetRevision: main
     path: ircs-prod/edge-cutover
   destination:
     server: https://kubernetes.default.svc
     namespace: ircs-prod
   syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
     syncOptions:
       - CreateNamespace=true
       - ServerSideApply=true

apps/ircs-prod-migrator-application.yaml

@@ -9,7 +9,7 @@ metadata:
 spec:
   project: default
   source:
-    repoURL: https://gitea.mnnu.eu.org/gitea-admin/ircs-prod-config.git
+    repoURL: http://gitea-http.gitea.svc.cluster.local:3000/admin/ircs-prod-config.git
     targetRevision: main
     path: ircs-prod/migration
   destination:

apps/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ircs-prod-core-application.yaml
+  - ircs-prod-edge-application.yaml
+  - ircs-prod-migrator-application.yaml

docs/cutover-runbook.md

@@ -1,22 +1,17 @@
-# HTTPRoute cutover runbook
+# HTTPRoute cutover runbook
 
-Current production domains are owned by `ircs-system` routes:
+状态：历史记录
 
-- `huawai.sophia.fr.eu.org` -> `ircs-system/huawai-svc:80`
+当前 `mnnu.eu.org` 生产入口已由本仓库 `ircs-prod/edge-cutover/httproutes.yaml` 管理；本文只保留旧 `sophia` 域名切流思路，不再作为当前操作步骤。
-- `ircs.sophia.fr.eu.org` -> `ircs-system/ircs-frontend-svc:80`
 
-V3 production routes are declared under `ircs-prod/edge-cutover`:
+当前生产域名：
 
-- `huawai.sophia.fr.eu.org` -> `ircs-prod/ircs-frontend-gateway:80`
+- `huawai.mnnu.eu.org` -> `ircs-prod/ircs-portal-frontend:3000`
-- `ircs.sophia.fr.eu.org` -> `ircs-prod/ircs-frontend-gateway:8080`
+- `admin.mnnu.eu.org` -> `ircs-prod/ircs-admin-frontend:80`
 
-Cutover order:
+当前 API 路由：
 
-1. Confirm `ircs-prod` pods are Ready.
+- `huawai.mnnu.eu.org/api/backend`、`/api/portal`、`/media` -> `ircs-prod/ircs-portal-bff:8080`
-2. Confirm cluster-internal portal/admin smoke is healthy.
+- `admin.mnnu.eu.org/api/v1`、`/media` -> `ircs-prod/ircs-admin-bff:8080`
-3. Disable automated sync on old `argocd/ircs-app` so it does not recreate old routes.
-4. Apply edge routes and delete old `ircs-system` business routes.
-5. Verify Envoy Gateway accepts the new routes.
-6. Verify external domains through the NLB/Cloudflare path.
 
-Use `scripts/cutover-httproute.ps1 -Execute` from this repo root when ready.
+切流或新增域名时，直接修改 `ircs-prod/edge-cutover/httproutes.yaml` 并提交本仓库，由 Argo CD 自动同步。

docs/data-migration-runbook.md

@@ -1,20 +1,15 @@
-# ircs-system to ircs-prod compatible data migration
+# ircs-prod data migration runbook
 
-Goal: migrate old `ircs-system` business data into V3 `ircs-prod` while allowing incompatible runtime tables to be discarded.
+状态：历史记录
 
-Required order:
+当前 `ircs-prod` 按新环境干净初始化，不迁移旧 `ircs-system` 业务数据。`ircs-prod-migrator` 仍保留在 `ircs-prod/migration/`，但由 Argo CD 手动同步，避免迁移 Job 自动反复执行。
 
-1. Back up old `ircs-system` PostgreSQL.
+如果未来确实需要导入旧数据，先新增一份独立迁移方案并明确：
-2. Prepare `ircs-prod` secrets with `scripts/prepare-prod-secrets.ps1`.
-3. Sync `ircs-prod-core` and wait for PostgreSQL, RabbitMQ, Valkey, Elasticsearch, services, and migrator.
-4. Run `scripts/migrate-compatible-data.ps1` once without `-Execute` to compare table presence.
-5. Run `scripts/migrate-compatible-data.ps1 -Execute -TruncateTarget` only when `ircs-prod` has no valuable data.
-6. Rebuild search/index derived state through V3 ops runners after migration.
 
-Migration policy:
+- 源库和目标库。
+- 需要复制的业务表。
+- 必须跳过的 runtime、audit、outbox、lock、Liquibase 表。
+- 回滚方式。
+- 迁移前后只读校验 SQL。
 
-- Copy compatible V1 business tables only.
+不要直接复用旧 `ircs-system` 兼容迁移脚本作为生产操作入口。
-- Do not copy `databasechangelog` or `databasechangeloglock`.
-- Do not copy V3 derived audit/outbox/maintenance tables.
-- If a table or column becomes incompatible, prefer explicit table-level skip plus a written note over silent lossy conversion.
-- Existing R2 bucket remains `ircs` so historical media URLs stay valid.

ircs-prod/core/00-namespace.yaml

@@ -1,4 +1,4 @@
-apiVersion: v1
+apiVersion: v1
 kind: Namespace
 metadata:
   name: ircs-prod

ircs-prod/core/01-app-config.yaml

@@ -1,4 +1,4 @@
-apiVersion: v1
+apiVersion: v1
 kind: ConfigMap
 metadata:
   name: ircs-prod-app-config

ircs-prod/core/02-resource-quota.yaml

@@ -1,4 +1,4 @@
-apiVersion: v1
+apiVersion: v1
 kind: ResourceQuota
 metadata:
   name: ircs-prod-quota

ircs-prod/core/kustomization.yaml

@@ -1,4 +1,4 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
+apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - 00-namespace.yaml
@@ -29,4 +29,3 @@ resources:
   - manifests/storage-service.yaml
   - manifests/task-service.yaml
   - manifests/valkey.yaml
-

ircs-prod/core/manifests/aggregation-worker.yaml

@@ -24,10 +24,10 @@ spec:
         ircs.prodigalgal.com/no-public-route: "true"
     spec:
       imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
       containers:
         - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-aggregation-worker@sha256:659fd4e8e59dde4263b9710c5edd132e34d656aa9b58fe489ae1cac83fb28c14
+          image: registry.mnnu.eu.org/ircs/ircs-aggregation-worker:sha-de9957f9ced5
           imagePullPolicy: IfNotPresent
           ports:
             - name: http
@@ -99,4 +99,3 @@ spec:
             limits:
               cpu: 250m
               memory: 512Mi
-

ircs-prod/core/manifests/catalog-service.yaml

@@ -22,10 +22,10 @@ spec:
         environment: prod
     spec:
       imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
       containers:
         - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-catalog-service@sha256:c460196c3fba553431fb0642d22995f389577628dee445e1397dcd5e7e8b4dc0
+          image: registry.mnnu.eu.org/ircs/ircs-catalog-service:sha-de9957f9ced5
           imagePullPolicy: IfNotPresent
           ports:
             - name: http
@@ -99,4 +99,3 @@ spec:
     - name: http
       port: 8080
       targetPort: http
-

ircs-prod/core/manifests/config-service.yaml

@@ -22,10 +22,10 @@ spec:
         environment: prod
     spec:
       imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
       containers:
         - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-config-service@sha256:f09efcc3c57412ef4a5c879a93a67ce00aa022ef4178ba73ac757434b3f77a76
+          image: registry.mnnu.eu.org/ircs/ircs-config-service:sha-de9957f9ced5
           imagePullPolicy: IfNotPresent
           ports:
             - name: http
@@ -107,4 +107,3 @@ spec:
     - name: http
       port: 8080
       targetPort: http
-

ircs-prod/core/manifests/content-service.yaml

@@ -22,10 +22,10 @@ spec:
         environment: prod
     spec:
       imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
       containers:
         - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-content-service@sha256:b0761d6b17f95b87528e494b23bc4c09e8fee5dc0917724809d1108223f32bf0
+          image: registry.mnnu.eu.org/ircs/ircs-content-service:sha-de9957f9ced5
           imagePullPolicy: IfNotPresent
           ports:
             - name: http
@@ -125,4 +125,3 @@ spec:
     - name: http
       port: 8080
       targetPort: http
-

ircs-prod/core/manifests/credential-service.yaml

@@ -22,10 +22,10 @@ spec:
         environment: prod
     spec:
       imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
       containers:
         - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-credential-service@sha256:749095ecaad722df22b593163bc1ed643861592a4160384b7365e6337a7741d8
+          image: registry.mnnu.eu.org/ircs/ircs-credential-service:sha-de9957f9ced5
           imagePullPolicy: IfNotPresent
           ports:
             - name: http
@@ -110,4 +110,3 @@ spec:
     - name: http
       port: 8080
       targetPort: http
-

ircs-prod/core/manifests/elasticsearch.yaml

@@ -1,4 +1,4 @@
-apiVersion: v1
+apiVersion: v1
 kind: Service
 metadata:
   name: elasticsearch-svc
@@ -40,7 +40,6 @@ spec:
     type: RollingUpdate
     rollingUpdate:
       partition: 0
-      maxUnavailable: 1
   selector:
     matchLabels:
       app: elasticsearch
@@ -54,7 +53,9 @@ spec:
       dnsPolicy: ClusterFirst
       restartPolicy: Always
       schedulerName: default-scheduler
-      securityContext: {}
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
       terminationGracePeriodSeconds: 30
       initContainers:
         - name: install-plugins
@@ -173,4 +174,3 @@ spec:
         resources:
           requests:
             storage: 5Gi
-

ircs-prod/core/manifests/frontend-bff.yaml

@@ -27,10 +27,10 @@ spec:
         ircs.prodigalgal.com/config-version: "bff-prod-targets-20260614-1"
     spec:
       imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
       containers:
         - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-portal-bff@sha256:4d3f2b8115635b111ec14cf5ac501707eb29b207487ce2317db117032b939e56
+          image: registry.mnnu.eu.org/ircs/ircs-portal-bff:sha-de9957f9ced5
           imagePullPolicy: IfNotPresent
           ports:
             - name: http
@@ -140,10 +140,10 @@ spec:
         ircs.prodigalgal.com/config-version: "bff-prod-targets-20260614-1"
     spec:
       imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
       containers:
         - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-admin-bff@sha256:e043f6a537aea4e02572e93766212bf4dc4465359ed1dbd255ae5b365fc9ca23
+          image: registry.mnnu.eu.org/ircs/ircs-admin-bff:sha-de9957f9ced5
           imagePullPolicy: IfNotPresent
           ports:
             - name: http
@@ -232,4 +232,3 @@ spec:
     - name: http
       port: 8080
       targetPort: http
-

ircs-prod/core/manifests/frontend-portal-admin.yaml

@@ -1,4 +1,4 @@
-apiVersion: v1
+apiVersion: v1
 kind: ConfigMap
 metadata:
   name: ircs-frontend-gateway-nginx
@@ -308,10 +308,10 @@ spec:
         ircs.prodigalgal.com/config-version: "bff-20260606-1"
     spec:
       imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
       containers:
         - name: huawai
-          image: harbor.mnnu.eu.org/ircs/huawai@sha256:a411c3498cd2871093953b570616a6e89b3f0d1621308e175692dffd109b2751
+          image: registry.mnnu.eu.org/ircs/ircs-huawai-frontend:sha-fbd4430f6682
           imagePullPolicy: IfNotPresent
           ports:
             - name: http
@@ -369,10 +369,10 @@ spec:
         ircs.prodigalgal.com/no-public-route: "true"
     spec:
       imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
       containers:
         - name: ircs-admin-frontend
-          image: harbor.mnnu.eu.org/ircs/ircs-frontend@sha256:132b7d3bb073734ab8072769521e94885b25f8e9e319253e7c1c433d87c91302
+          image: registry.mnnu.eu.org/ircs/ircs-admin-frontend:sha-7a74ebb402ab
           imagePullPolicy: IfNotPresent
           ports:
             - name: http
@@ -465,4 +465,3 @@ spec:
         - name: nginx-config
           configMap:
             name: ircs-frontend-gateway-nginx
-

ircs-prod/core/manifests/identity-service.yaml

@@ -24,10 +24,10 @@ spec:
         ircs.prodigalgal.com/no-public-route: "true"
     spec:
       imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
       containers:
         - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-identity-service@sha256:f055eeda67241fffde05adcd90904a9f92000910a182401c6f1f375f09db0777
+          image: registry.mnnu.eu.org/ircs/ircs-identity-service:sha-de9957f9ced5
           imagePullPolicy: IfNotPresent
           ports:
             - name: http
@@ -146,4 +146,3 @@ spec:
     - name: http
       port: 8080
       targetPort: http
-

ircs-prod/core/manifests/ingestion-worker.yaml

@@ -24,10 +24,10 @@ spec:
         ircs.prodigalgal.com/no-public-route: "true"
     spec:
       imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
       containers:
         - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-ingestion-worker@sha256:600b2f614b204a01d0dfd6565e87619f73bd5bc136f58ee92d12dee24c77ed8d
+          image: registry.mnnu.eu.org/ircs/ircs-ingestion-worker:sha-de9957f9ced5
           imagePullPolicy: IfNotPresent
           ports:
             - name: http
@@ -93,4 +93,3 @@ spec:
             limits:
               cpu: 250m
               memory: 512Mi
-

ircs-prod/core/manifests/interaction-service.yaml

@@ -24,10 +24,10 @@ spec:
         ircs.prodigalgal.com/no-public-route: "true"
     spec:
       imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
       containers:
         - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-interaction-service@sha256:77477b1dd77eb41752d8971c5a961b3903c44d87d74b34017f682c07fd52b7a4
+          image: registry.mnnu.eu.org/ircs/ircs-interaction-service:sha-de9957f9ced5
           imagePullPolicy: IfNotPresent
           ports:
             - name: http
@@ -118,4 +118,3 @@ spec:
     - name: http
       port: 8080
       targetPort: http
-

ircs-prod/core/manifests/magnet-service.yaml

@@ -24,10 +24,10 @@ spec:
         ircs.prodigalgal.com/no-public-route: "true"
     spec:
       imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
       containers:
         - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-magnet-service@sha256:88783970566a3f9aa2667fe6001af5f9ccc3882d965f425d715cf4b0f4146bb0
+          image: registry.mnnu.eu.org/ircs/ircs-magnet-service:sha-de9957f9ced5
           imagePullPolicy: IfNotPresent
           ports:
             - name: http
@@ -103,4 +103,3 @@ spec:
     - name: http
       port: 8080
       targetPort: http
-

ircs-prod/core/manifests/metadata-worker.yaml

@@ -22,10 +22,10 @@ spec:
         environment: prod
     spec:
       imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
       containers:
         - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-metadata-worker@sha256:c8389f1bd63d7d9b663ff434ed90bb87e2dfd6caa735148c6521b6eb44ea3189
+          image: registry.mnnu.eu.org/ircs/ircs-metadata-worker:sha-de9957f9ced5
           imagePullPolicy: IfNotPresent
           ports:
             - name: http
@@ -113,4 +113,3 @@ spec:
             limits:
               cpu: 250m
               memory: 512Mi
-

ircs-prod/core/manifests/migrator-job.yaml

@@ -1,53 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: ircs-migrator
-  namespace: ircs-prod
-  labels:
-    app: ircs-migrator
-    app.kubernetes.io/part-of: ircs
-    environment: prod
-spec:
-  backoffLimit: 0
-  ttlSecondsAfterFinished: 300
-  template:
-    metadata:
-      labels:
-        app: ircs-migrator
-        app.kubernetes.io/part-of: ircs
-        environment: prod
-    spec:
-      restartPolicy: Never
-      imagePullSecrets:
-        - name: harbor-secret
-      containers:
-        - name: migrator
-          image: harbor.mnnu.eu.org/ircs/ircs-migrator@sha256:64223fa99f7c2793b0145cc539bafa4b0c70fa3cc0af0e9059a2fed3bf7a2437
-          imagePullPolicy: IfNotPresent
-          env:
-            - name: SPRING_DATASOURCE_URL
-              valueFrom:
-                configMapKeyRef:
-                  name: ircs-prod-app-config
-                  key: DB_URL
-            - name: SPRING_DATASOURCE_USERNAME
-              value: postgres
-            - name: SPRING_DATASOURCE_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: ircs-prod-secrets
-                  key: DB_PASSWORD
-            - name: SPRING_DATASOURCE_HIKARI_MAXIMUM_POOL_SIZE
-              value: "2"
-            - name: SPRING_DATASOURCE_HIKARI_MINIMUM_IDLE
-              value: "0"
-            - name: SPRING_DATASOURCE_HIKARI_IDLE_TIMEOUT
-              value: "30000"
-          resources:
-            requests:
-              cpu: 25m
-              memory: 128Mi
-            limits:
-              cpu: 250m
-              memory: 512Mi
-

ircs-prod/core/manifests/normalization-worker.yaml

@@ -24,10 +24,10 @@ spec:
         ircs.prodigalgal.com/no-public-route: "true"
     spec:
       imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
       containers:
         - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-normalization-worker@sha256:1f82b17374a8c3e2307bbdd406a106587b5bacc28db4a3e6386a435fbcd8d697
+          image: registry.mnnu.eu.org/ircs/ircs-normalization-worker:sha-de9957f9ced5
           imagePullPolicy: IfNotPresent
           ports:
             - name: http
@@ -124,4 +124,3 @@ spec:
     - name: http
       port: 8080
       targetPort: http
-

ircs-prod/core/manifests/notification-worker.yaml

@@ -22,10 +22,10 @@ spec:
         environment: prod
     spec:
       imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
       containers:
         - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-notification-worker@sha256:46f41e02c0c76de3e1497ad1c1eaf554f72e0f6a47dfc3a56c798c5e6fc4cf82
+          image: registry.mnnu.eu.org/ircs/ircs-notification-worker:sha-de9957f9ced5
           imagePullPolicy: IfNotPresent
           ports:
             - name: http
@@ -135,4 +135,3 @@ spec:
             limits:
               cpu: 250m
               memory: 512Mi
-

ircs-prod/core/manifests/observability-monitoring.yaml

@@ -1,4 +1,4 @@
-apiVersion: monitoring.coreos.com/v1
+apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
   name: ircs-prod-service-monitor
@@ -67,4 +67,3 @@ spec:
       interval: 30s
       scrapeTimeout: 10s
       honorLabels: true
-

ircs-prod/core/manifests/ops-service.yaml

@@ -24,10 +24,10 @@ spec:
         ircs.prodigalgal.com/no-public-route: "true"
     spec:
       imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
       containers:
         - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-ops-service@sha256:12bf1e9983f92145f318ad370370ef7ae27fdb68cd3f05c72b281cac94e761ce
+          image: registry.mnnu.eu.org/ircs/ircs-ops-service:sha-de9957f9ced5
           imagePullPolicy: IfNotPresent
           ports:
             - name: http
@@ -138,4 +138,3 @@ spec:
     - name: http
       port: 8080
       targetPort: http
-

ircs-prod/core/manifests/portal-service.yaml

@@ -24,10 +24,10 @@ spec:
         ircs.prodigalgal.com/no-public-route: "true"
     spec:
       imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
       containers:
         - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-portal-service@sha256:c4270d97a20098164c5b68cec1fcad99a4e56f99f1493aa78683afd5395bb33e
+          image: registry.mnnu.eu.org/ircs/ircs-portal-service:sha-de9957f9ced5
           imagePullPolicy: IfNotPresent
           ports:
             - name: http
@@ -116,4 +116,3 @@ spec:
     - name: http
       port: 8080
       targetPort: http
-

ircs-prod/core/manifests/postgres.yaml

@@ -1,4 +1,4 @@
-apiVersion: v1
+apiVersion: v1
 kind: Service
 metadata:
   name: postgres-svc
@@ -37,7 +37,6 @@ spec:
     type: RollingUpdate
     rollingUpdate:
       partition: 0
-      maxUnavailable: 1
   selector:
     matchLabels:
       app: postgres
@@ -121,4 +120,3 @@ spec:
         resources:
           requests:
             storage: 2Gi
-

ircs-prod/core/manifests/rabbitmq.yaml

@@ -1,4 +1,4 @@
-apiVersion: v1
+apiVersion: v1
 kind: Service
 metadata:
   name: rabbitmq-svc
@@ -40,7 +40,6 @@ spec:
     type: RollingUpdate
     rollingUpdate:
       partition: 0
-      maxUnavailable: 1
   selector:
     matchLabels:
       app: rabbitmq
@@ -123,4 +122,3 @@ spec:
         resources:
           requests:
             storage: 1Gi
-

ircs-prod/core/manifests/scraper-service.yaml

@@ -24,10 +24,10 @@ spec:
         ircs.prodigalgal.com/no-public-route: "true"
     spec:
       imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
       containers:
         - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-scraper-service@sha256:2a48db6d3df769248bf174129c534361be1303e1d7d7a87b973504ba29b82731
+          image: registry.mnnu.eu.org/ircs/ircs-scraper-service:sha-de9957f9ced5
           imagePullPolicy: IfNotPresent
           ports:
             - name: http
@@ -130,4 +130,3 @@ spec:
     - name: http
       port: 8080
       targetPort: http
-

ircs-prod/core/manifests/search-service.yaml

@@ -22,10 +22,10 @@ spec:
         environment: prod
     spec:
       imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
       containers:
         - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-search-service@sha256:a7d4173655f20e7796b46bbc0cfe940c178d8f970d8b55f0b43e3f8b4e6fcfbf
+          image: registry.mnnu.eu.org/ircs/ircs-search-service:sha-de9957f9ced5
           imagePullPolicy: IfNotPresent
           ports:
             - name: http
@@ -146,4 +146,3 @@ spec:
     - name: http
       port: 8080
       targetPort: http
-

ircs-prod/core/manifests/storage-service.yaml

@@ -22,10 +22,10 @@ spec:
         environment: prod
     spec:
       imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
       containers:
         - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-storage-service@sha256:df6bfcdeb3a285e8b3842b0c0d99da2312b8f755c5fb1f49d35b0ccac8369749
+          image: registry.mnnu.eu.org/ircs/ircs-storage-service:sha-de9957f9ced5
           imagePullPolicy: IfNotPresent
           ports:
             - name: http
@@ -144,4 +144,3 @@ spec:
     - name: http
       port: 8080
       targetPort: http
-

ircs-prod/core/manifests/task-service.yaml

@@ -24,10 +24,10 @@ spec:
         ircs.prodigalgal.com/no-public-route: "true"
     spec:
       imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
       containers:
         - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-task-service@sha256:b1897407cca7efa0223e0beceb0e03826940d7f694e2b5d7071f8b3ddba4ed5b
+          image: registry.mnnu.eu.org/ircs/ircs-task-service:sha-de9957f9ced5
           imagePullPolicy: IfNotPresent
           ports:
             - name: http
@@ -149,4 +149,3 @@ spec:
     - name: http
       port: 8080
       targetPort: http
-

ircs-prod/core/manifests/valkey.yaml

@@ -1,4 +1,4 @@
-apiVersion: v1
+apiVersion: v1
 kind: Service
 metadata:
   name: valkey-svc
@@ -74,4 +74,3 @@ spec:
             limits:
               cpu: 250m
               memory: 256Mi
-

ircs-prod/edge-cutover/httproutes.yaml

@@ -1,4 +1,32 @@
-apiVersion: gateway.networking.k8s.io/v1
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: huawai-http-redirect
+  namespace: ircs-prod
+  labels:
+    app.kubernetes.io/part-of: ircs
+    environment: prod
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: mnnu-gateway
+      namespace: gateway-system
+      sectionName: http
+  hostnames:
+    - huawai.mnnu.eu.org
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /
+      filters:
+        - type: RequestRedirect
+          requestRedirect:
+            scheme: https
+            statusCode: 301
+---
+apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
   name: huawai-route
@@ -7,14 +35,31 @@ metadata:
     app.kubernetes.io/part-of: ircs
     environment: prod
 spec:
-  hostnames:
-    - huawai.sophia.fr.eu.org
   parentRefs:
     - group: gateway.networking.k8s.io
       kind: Gateway
-      name: production-gateway
+      name: mnnu-gateway
-      namespace: envoy-gateway-system
+      namespace: gateway-system
+      sectionName: https
+  hostnames:
+    - huawai.mnnu.eu.org
   rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /api/backend
+        - path:
+            type: PathPrefix
+            value: /api/portal
+        - path:
+            type: PathPrefix
+            value: /media
+      backendRefs:
+        - group: ""
+          kind: Service
+          name: ircs-portal-bff
+          port: 8080
+          weight: 1
     - matches:
         - path:
             type: PathPrefix
@@ -22,27 +67,69 @@ spec:
       backendRefs:
         - group: ""
           kind: Service
-          name: ircs-frontend-gateway
+          name: ircs-portal-frontend
-          port: 80
+          port: 3000
           weight: 1
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
-  name: ircs-route
+  name: admin-http-redirect
   namespace: ircs-prod
   labels:
     app.kubernetes.io/part-of: ircs
     environment: prod
 spec:
-  hostnames:
-    - ircs.sophia.fr.eu.org
   parentRefs:
     - group: gateway.networking.k8s.io
       kind: Gateway
-      name: production-gateway
+      name: mnnu-gateway
-      namespace: envoy-gateway-system
+      namespace: gateway-system
+      sectionName: http
+  hostnames:
+    - admin.mnnu.eu.org
   rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /
+      filters:
+        - type: RequestRedirect
+          requestRedirect:
+            scheme: https
+            statusCode: 301
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: admin-route
+  namespace: ircs-prod
+  labels:
+    app.kubernetes.io/part-of: ircs
+    environment: prod
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: mnnu-gateway
+      namespace: gateway-system
+      sectionName: https
+  hostnames:
+    - admin.mnnu.eu.org
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /api/v1
+        - path:
+            type: PathPrefix
+            value: /media
+      backendRefs:
+        - group: ""
+          kind: Service
+          name: ircs-admin-bff
+          port: 8080
+          weight: 1
     - matches:
         - path:
             type: PathPrefix
@@ -50,6 +137,6 @@ spec:
       backendRefs:
         - group: ""
           kind: Service
-          name: ircs-frontend-gateway
+          name: ircs-admin-frontend
-          port: 8080
+          port: 80
           weight: 1

ircs-prod/edge-cutover/kustomization.yaml

@@ -1,5 +1,4 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
+apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - httproutes.yaml
-

ircs-prod/migration/migrator-job.yaml

@@ -9,7 +9,6 @@ metadata:
     environment: prod
 spec:
   backoffLimit: 0
-  ttlSecondsAfterFinished: 300
   template:
     metadata:
       labels:
@@ -19,10 +18,10 @@ spec:
     spec:
       restartPolicy: Never
       imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
       containers:
         - name: migrator
-          image: harbor.mnnu.eu.org/ircs/ircs-migrator@sha256:64223fa99f7c2793b0145cc539bafa4b0c70fa3cc0af0e9059a2fed3bf7a2437
+          image: registry.mnnu.eu.org/ircs/ircs-migrator:sha-de9957f9ced5
           imagePullPolicy: IfNotPresent
           env:
             - name: SPRING_DATASOURCE_URL