chore: restore independent prod gitops config

deploy: normalize bff 404 images
deploy: roll out 404 error handling images
2026-06-15 18:10:47 +08:00 · 2026-06-14 20:57:10 +08:00 · 2026-06-14 20:46:53 +08:00 · 2026-06-14 17:45:56 +08:00 · 2026-06-14 16:04:38 +08:00 · 2026-06-14 12:46:49 +08:00
43 changed files with 423 additions and 171 deletions
@@ -0,0 +1 @@
 backups/
@@ -1,20 +1,31 @@
-# ircs-prod-config
+# ircs-prod-config
-Independent GitOps repository for IRCS V3 production namespace `ircs-prod`.
+独立 GitOps 仓库，负责 IRCS V3 生产 namespace `ircs-prod` 的 Kubernetes 运行配置。
-This repo intentionally separates production runtime state from the source repository:
+代码仓库只负责构建和推送镜像；Argo CD 不再同步后端仓库中的生产清单。所有生产配置入口都在本仓库：
- source repo: `gitea-admin/ircs-project-v3`, builds and pushes service images.
+- Argo CD Application：`apps/`
- GitOps repo: `gitea-admin/ircs-prod-config`, declares Kubernetes runtime resources.
+- 生产 core 清单：`ircs-prod/core/`
 - 生产 edge HTTPRoute：`ircs-prod/edge-cutover/`
 - 数据库迁移 Job：`ircs-prod/migration/`
-Secrets are not stored here. Run `scripts/prepare-prod-secrets.ps1` before syncing the core ArgoCD application.
+当前 Argo CD repoURL：
-Deployment order:
+```text
 http://gitea-http.gitea.svc.cluster.local:3000/admin/ircs-prod-config.git
 ```
-1. Prepare `ircs-prod` namespace and secrets.
+## 发布链路
 2. Apply `apps/ircs-prod-core-application.yaml` to ArgoCD and sync it.
 3. Run V3 migrator and compatible data migration from `ircs-system`.
 4. Verify portals and BFF through cluster endpoints.
 5. Sync or apply `ircs-prod/edge-cutover` and remove old `ircs-system` routes.
-Edge cutover is isolated from core to avoid hostname conflict while the old `ircs-system` routes still own production domains.
+1. 后端或前端仓库的 Gitea Actions 构建 ARM64 镜像并推送到 `registry.mnnu.eu.org/ircs`。
 2. Actions clone 本仓库并更新 `ircs-prod/` 中对应镜像标签。
 3. Actions 将 tag 回写 commit push 到本仓库 `main`。
 4. Argo CD 同步本仓库中的 `ircs-prod-core` 和 `ircs-prod-edge`。
 5. `ircs-prod-migrator` 保留为手动同步对象，避免迁移 Job 被镜像标签变化反复触发。
 ## 当前域名
 - `huawai.mnnu.eu.org` -> `ircs-portal-frontend:3000`
 - `admin.mnnu.eu.org` -> `ircs-admin-frontend:80`
 公网 TLS 由 Envoy Gateway 和基础设施处理，业务 Pod 内部不配置 TLS。
@@ -9,7 +9,7 @@ metadata:
 spec:
  project: default
  source:
-    repoURL: https://gitea.mnnu.eu.org/gitea-admin/ircs-prod-config.git
+    repoURL: http://gitea-http.gitea.svc.cluster.local:3000/admin/ircs-prod-config.git
    targetRevision: main
    path: ircs-prod/core
  destination:
@@ -9,13 +9,16 @@ metadata:
 spec:
  project: default
  source:
-    repoURL: https://gitea.mnnu.eu.org/gitea-admin/ircs-prod-config.git
+    repoURL: http://gitea-http.gitea.svc.cluster.local:3000/admin/ircs-prod-config.git
    targetRevision: main
    path: ircs-prod/edge-cutover
  destination:
    server: https://kubernetes.default.svc
    namespace: ircs-prod
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
      - ServerSideApply=true
@@ -0,0 +1,21 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: ircs-prod-migrator
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: ircs
    environment: prod
 spec:
  project: default
  source:
    repoURL: http://gitea-http.gitea.svc.cluster.local:3000/admin/ircs-prod-config.git
    targetRevision: main
    path: ircs-prod/migration
  destination:
    server: https://kubernetes.default.svc
    namespace: ircs-prod
  syncPolicy:
    syncOptions:
      - CreateNamespace=true
      - ServerSideApply=true
@@ -0,0 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ircs-prod-core-application.yaml
  - ircs-prod-edge-application.yaml
  - ircs-prod-migrator-application.yaml
@@ -1,22 +1,17 @@
-# HTTPRoute cutover runbook
+# HTTPRoute cutover runbook
-Current production domains are owned by `ircs-system` routes:
+状态：历史记录
- `huawai.sophia.fr.eu.org` -> `ircs-system/huawai-svc:80`
+当前 `mnnu.eu.org` 生产入口已由本仓库 `ircs-prod/edge-cutover/httproutes.yaml` 管理；本文只保留旧 `sophia` 域名切流思路，不再作为当前操作步骤。
 - `ircs.sophia.fr.eu.org` -> `ircs-system/ircs-frontend-svc:80`
-V3 production routes are declared under `ircs-prod/edge-cutover`:
+当前生产域名：
- `huawai.sophia.fr.eu.org` -> `ircs-prod/ircs-frontend-gateway:80`
+- `huawai.mnnu.eu.org` -> `ircs-prod/ircs-portal-frontend:3000`
- `ircs.sophia.fr.eu.org` -> `ircs-prod/ircs-frontend-gateway:8080`
+- `admin.mnnu.eu.org` -> `ircs-prod/ircs-admin-frontend:80`
-Cutover order:
+当前 API 路由：
-1. Confirm `ircs-prod` pods are Ready.
+- `huawai.mnnu.eu.org/api/backend`、`/api/portal`、`/media` -> `ircs-prod/ircs-portal-bff:8080`
-2. Confirm cluster-internal portal/admin smoke is healthy.
+- `admin.mnnu.eu.org/api/v1`、`/media` -> `ircs-prod/ircs-admin-bff:8080`
 3. Disable automated sync on old `argocd/ircs-app` so it does not recreate old routes.
 4. Apply edge routes and delete old `ircs-system` business routes.
 5. Verify Envoy Gateway accepts the new routes.
 6. Verify external domains through the NLB/Cloudflare path.
-Use `scripts/cutover-httproute.ps1 -Execute` from this repo root when ready.
+切流或新增域名时，直接修改 `ircs-prod/edge-cutover/httproutes.yaml` 并提交本仓库，由 Argo CD 自动同步。
@@ -1,20 +1,15 @@
-# ircs-system to ircs-prod compatible data migration
+# ircs-prod data migration runbook
-Goal: migrate old `ircs-system` business data into V3 `ircs-prod` while allowing incompatible runtime tables to be discarded.
+状态：历史记录
-Required order:
+当前 `ircs-prod` 按新环境干净初始化，不迁移旧 `ircs-system` 业务数据。`ircs-prod-migrator` 仍保留在 `ircs-prod/migration/`，但由 Argo CD 手动同步，避免迁移 Job 自动反复执行。
-1. Back up old `ircs-system` PostgreSQL.
+如果未来确实需要导入旧数据，先新增一份独立迁移方案并明确：
 2. Prepare `ircs-prod` secrets with `scripts/prepare-prod-secrets.ps1`.
 3. Sync `ircs-prod-core` and wait for PostgreSQL, RabbitMQ, Valkey, Elasticsearch, services, and migrator.
 4. Run `scripts/migrate-compatible-data.ps1` once without `-Execute` to compare table presence.
 5. Run `scripts/migrate-compatible-data.ps1 -Execute -TruncateTarget` only when `ircs-prod` has no valuable data.
 6. Rebuild search/index derived state through V3 ops runners after migration.
-Migration policy:
+- 源库和目标库。
 - 需要复制的业务表。
 - 必须跳过的 runtime、audit、outbox、lock、Liquibase 表。
 - 回滚方式。
 - 迁移前后只读校验 SQL。
- Copy compatible V1 business tables only.
+不要直接复用旧 `ircs-system` 兼容迁移脚本作为生产操作入口。
 - Do not copy `databasechangelog` or `databasechangeloglock`.
 - Do not copy V3 derived audit/outbox/maintenance tables.
 - If a table or column becomes incompatible, prefer explicit table-level skip plus a written note over silent lossy conversion.
 - Existing R2 bucket remains `ircs` so historical media URLs stay valid.
@@ -1,4 +1,4 @@
-apiVersion: v1
+apiVersion: v1
 kind: Namespace
 metadata:
  name: ircs-prod
@@ -1,4 +1,4 @@
-apiVersion: v1
+apiVersion: v1
 kind: ConfigMap
 metadata:
  name: ircs-prod-app-config
@@ -7,6 +7,19 @@ metadata:
    app.kubernetes.io/part-of: ircs
    environment: prod
 data:
  APP_BFF_CATALOG_BASE_URL: http://ircs-catalog-service.ircs-prod.svc.cluster.local:8080
  APP_BFF_CONFIG_BASE_URL: http://ircs-config-service.ircs-prod.svc.cluster.local:8080
  APP_BFF_CONTENT_BASE_URL: http://ircs-content-service.ircs-prod.svc.cluster.local:8080
  APP_BFF_CREDENTIAL_BASE_URL: http://ircs-credential-service.ircs-prod.svc.cluster.local:8080
  APP_BFF_IDENTITY_BASE_URL: http://ircs-identity-service.ircs-prod.svc.cluster.local:8080
  APP_BFF_INTERACTION_BASE_URL: http://ircs-interaction-service.ircs-prod.svc.cluster.local:8080
  APP_BFF_MAGNET_BASE_URL: http://ircs-magnet-service.ircs-prod.svc.cluster.local:8080
  APP_BFF_OPS_BASE_URL: http://ircs-ops-service.ircs-prod.svc.cluster.local:8080
  APP_BFF_PORTAL_BASE_URL: http://ircs-portal-service.ircs-prod.svc.cluster.local:8080
  APP_BFF_SCRAPER_BASE_URL: http://ircs-scraper-service.ircs-prod.svc.cluster.local:8080
  APP_BFF_SEARCH_BASE_URL: http://ircs-search-service.ircs-prod.svc.cluster.local:8080
  APP_BFF_STORAGE_BASE_URL: http://ircs-storage-service.ircs-prod.svc.cluster.local:8080
  APP_BFF_TASK_BASE_URL: http://ircs-task-service.ircs-prod.svc.cluster.local:8080
  APP_MAIL_ENABLED: "true"
  DB_URL: jdbc:postgresql://postgres-svc.ircs-prod.svc.cluster.local:5432/ircs?connectionTimeZone=UTC
  ELASTICSEARCH_URIS: http://elasticsearch-svc.ircs-prod.svc.cluster.local:9200
@@ -1,4 +1,4 @@
-apiVersion: v1
+apiVersion: v1
 kind: ResourceQuota
 metadata:
  name: ircs-prod-quota
@@ -1,4 +1,4 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
+apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - 00-namespace.yaml
@@ -17,7 +17,6 @@ resources:
  - manifests/interaction-service.yaml
  - manifests/magnet-service.yaml
  - manifests/metadata-worker.yaml
  - manifests/migrator-job.yaml
  - manifests/normalization-worker.yaml
  - manifests/notification-worker.yaml
  - manifests/observability-monitoring.yaml
@@ -30,4 +29,3 @@ resources:
  - manifests/storage-service.yaml
  - manifests/task-service.yaml
  - manifests/valkey.yaml
@@ -1,4 +1,4 @@
-apiVersion: apps/v1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: ircs-aggregation-worker
@@ -24,10 +24,10 @@ spec:
        ircs.prodigalgal.com/no-public-route: "true"
    spec:
      imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
      containers:
        - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-aggregation-worker@sha256:154db2f8da961cb300308f7d06337edc0ab11a3784a3fa432d23bf9cb2460e87
+          image: registry.mnnu.eu.org/ircs/ircs-aggregation-worker:sha-de9957f9ced5
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
@@ -99,4 +99,3 @@ spec:
            limits:
              cpu: 250m
              memory: 512Mi
@@ -1,4 +1,4 @@
-apiVersion: apps/v1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: ircs-catalog-service
@@ -22,10 +22,10 @@ spec:
        environment: prod
    spec:
      imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
      containers:
        - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-catalog-service@sha256:c9c4aed0785e8d9716268b1b9f8f34d7bcd66ec5e3f1389c206185f72fa765e3
+          image: registry.mnnu.eu.org/ircs/ircs-catalog-service:sha-de9957f9ced5
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
@@ -99,4 +99,3 @@ spec:
    - name: http
      port: 8080
      targetPort: http
@@ -1,4 +1,4 @@
-apiVersion: apps/v1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: ircs-config-service
@@ -22,10 +22,10 @@ spec:
        environment: prod
    spec:
      imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
      containers:
        - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-config-service@sha256:b19eeefe3dbac9483dbb01589afb79e89e43b702619186e6bb7ba988f1e7069e
+          image: registry.mnnu.eu.org/ircs/ircs-config-service:sha-de9957f9ced5
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
@@ -107,4 +107,3 @@ spec:
    - name: http
      port: 8080
      targetPort: http
@@ -1,4 +1,4 @@
-apiVersion: apps/v1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: ircs-content-service
@@ -22,10 +22,10 @@ spec:
        environment: prod
    spec:
      imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
      containers:
        - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-content-service@sha256:414245458ad96793c17e88a74c1aa702c8aa593331d64d217d53fa6234bcb617
+          image: registry.mnnu.eu.org/ircs/ircs-content-service:sha-de9957f9ced5
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
@@ -125,4 +125,3 @@ spec:
    - name: http
      port: 8080
      targetPort: http
@@ -1,4 +1,4 @@
-apiVersion: apps/v1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: ircs-credential-service
@@ -22,10 +22,10 @@ spec:
        environment: prod
    spec:
      imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
      containers:
        - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-credential-service@sha256:327c7307de0547d7d320010cffcee2f098cddb4ade6a94d8020c864809078eda
+          image: registry.mnnu.eu.org/ircs/ircs-credential-service:sha-de9957f9ced5
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
@@ -110,4 +110,3 @@ spec:
    - name: http
      port: 8080
      targetPort: http
@@ -1,4 +1,4 @@
-apiVersion: v1
+apiVersion: v1
 kind: Service
 metadata:
  name: elasticsearch-svc
@@ -31,6 +31,15 @@ metadata:
 spec:
  serviceName: elasticsearch-svc
  replicas: 1
  podManagementPolicy: OrderedReady
  revisionHistoryLimit: 10
  persistentVolumeClaimRetentionPolicy:
    whenDeleted: Retain
    whenScaled: Retain
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      partition: 0
  selector:
    matchLabels:
      app: elasticsearch
@@ -41,9 +50,17 @@ spec:
        app.kubernetes.io/part-of: ircs
        environment: prod
    spec:
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext:
        fsGroup: 1000
        fsGroupChangePolicy: OnRootMismatch
      terminationGracePeriodSeconds: 30
      initContainers:
        - name: install-plugins
          image: alpine:3.19
          imagePullPolicy: IfNotPresent
          command:
            - sh
            - -c
@@ -77,6 +94,8 @@ spec:
          volumeMounts:
            - name: plugins-volume
              mountPath: /plugins
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
      containers:
        - name: elasticsearch
          image: docker.elastic.co/elasticsearch/elasticsearch:9.1.4
@@ -84,8 +103,10 @@ spec:
          ports:
            - name: http
              containerPort: 9200
              protocol: TCP
            - name: transport
              containerPort: 9300
              protocol: TCP
          env:
            - name: discovery.type
              value: single-node
@@ -105,31 +126,43 @@ spec:
              port: http
            failureThreshold: 60
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            tcpSocket:
              port: http
            failureThreshold: 3
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          livenessProbe:
            tcpSocket:
              port: http
            failureThreshold: 3
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            requests:
              cpu: 100m
              memory: 1Gi
            limits:
-              cpu: 1000m
+              cpu: "1"
              memory: 2Gi
          volumeMounts:
            - name: elasticsearch-data
              mountPath: /usr/share/elasticsearch/data
            - name: plugins-volume
              mountPath: /usr/share/elasticsearch/plugins
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
      volumes:
        - name: plugins-volume
          emptyDir: {}
  volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
      kind: PersistentVolumeClaim
      metadata:
        name: elasticsearch-data
        labels:
          app: elasticsearch
@@ -137,7 +170,7 @@ spec:
          environment: prod
      spec:
        accessModes: ["ReadWriteOnce"]
        volumeMode: Filesystem
        resources:
          requests:
            storage: 5Gi
@@ -1,4 +1,4 @@
-apiVersion: apps/v1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: ircs-portal-bff
@@ -24,12 +24,13 @@ spec:
        environment: prod
      annotations:
        ircs.prodigalgal.com/no-public-route: "true"
        ircs.prodigalgal.com/config-version: "bff-prod-targets-20260614-1"
    spec:
      imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
      containers:
        - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-portal-bff@sha256:713932a12c577f2dcb910d85f96a5f1c7489542d6cda8a2089efceb3195918d1
+          image: registry.mnnu.eu.org/ircs/ircs-portal-bff:sha-de9957f9ced5
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
@@ -136,12 +137,13 @@ spec:
        environment: prod
      annotations:
        ircs.prodigalgal.com/no-public-route: "true"
        ircs.prodigalgal.com/config-version: "bff-prod-targets-20260614-1"
    spec:
      imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
      containers:
        - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-admin-bff@sha256:e0314abeba097d5f2a25809bf4c7691cdb720b524841e94c522a3f7270baf899
+          image: registry.mnnu.eu.org/ircs/ircs-admin-bff:sha-de9957f9ced5
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
@@ -230,4 +232,3 @@ spec:
    - name: http
      port: 8080
      targetPort: http
@@ -1,4 +1,4 @@
-apiVersion: v1
+apiVersion: v1
 kind: ConfigMap
 metadata:
  name: ircs-frontend-gateway-nginx
@@ -308,10 +308,10 @@ spec:
        ircs.prodigalgal.com/config-version: "bff-20260606-1"
    spec:
      imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
      containers:
        - name: huawai
-          image: harbor.mnnu.eu.org/ircs/huawai@sha256:a411c3498cd2871093953b570616a6e89b3f0d1621308e175692dffd109b2751
+          image: registry.mnnu.eu.org/ircs/ircs-huawai-frontend:sha-fbd4430f6682
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
@@ -369,10 +369,10 @@ spec:
        ircs.prodigalgal.com/no-public-route: "true"
    spec:
      imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
      containers:
        - name: ircs-admin-frontend
-          image: harbor.mnnu.eu.org/ircs/ircs-frontend@sha256:132b7d3bb073734ab8072769521e94885b25f8e9e319253e7c1c433d87c91302
+          image: registry.mnnu.eu.org/ircs/ircs-admin-frontend:sha-7a74ebb402ab
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
@@ -465,4 +465,3 @@ spec:
        - name: nginx-config
          configMap:
            name: ircs-frontend-gateway-nginx
@@ -1,4 +1,4 @@
-apiVersion: apps/v1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: ircs-identity-service
@@ -24,10 +24,10 @@ spec:
        ircs.prodigalgal.com/no-public-route: "true"
    spec:
      imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
      containers:
        - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-identity-service@sha256:adda80c8a9c0986a465da376eb527096e3c8ed0cb60fc914cf0df3968533ccb0
+          image: registry.mnnu.eu.org/ircs/ircs-identity-service:sha-de9957f9ced5
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
@@ -146,4 +146,3 @@ spec:
    - name: http
      port: 8080
      targetPort: http
@@ -1,4 +1,4 @@
-apiVersion: apps/v1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: ircs-ingestion-worker
@@ -24,10 +24,10 @@ spec:
        ircs.prodigalgal.com/no-public-route: "true"
    spec:
      imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
      containers:
        - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-ingestion-worker@sha256:7429f763a0c07e767018ea473836ff16546f4d91085f0e5c6c28af31f25093fc
+          image: registry.mnnu.eu.org/ircs/ircs-ingestion-worker:sha-de9957f9ced5
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
@@ -93,4 +93,3 @@ spec:
            limits:
              cpu: 250m
              memory: 512Mi
@@ -1,4 +1,4 @@
-apiVersion: apps/v1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: ircs-interaction-service
@@ -24,10 +24,10 @@ spec:
        ircs.prodigalgal.com/no-public-route: "true"
    spec:
      imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
      containers:
        - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-interaction-service@sha256:540f6edb8357fb30208a5fa9de957e25506dca9c49a66ff16833438d6eab3ac7
+          image: registry.mnnu.eu.org/ircs/ircs-interaction-service:sha-de9957f9ced5
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
@@ -118,4 +118,3 @@ spec:
    - name: http
      port: 8080
      targetPort: http
@@ -1,4 +1,4 @@
-apiVersion: apps/v1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: ircs-magnet-service
@@ -24,10 +24,10 @@ spec:
        ircs.prodigalgal.com/no-public-route: "true"
    spec:
      imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
      containers:
        - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-magnet-service@sha256:190b98486dd4fd662d9433e1032a41c768d6b4cc4c11aeae91f1f7142ebf09b5
+          image: registry.mnnu.eu.org/ircs/ircs-magnet-service:sha-de9957f9ced5
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
@@ -103,4 +103,3 @@ spec:
    - name: http
      port: 8080
      targetPort: http
@@ -1,4 +1,4 @@
-apiVersion: apps/v1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: ircs-metadata-worker
@@ -22,10 +22,10 @@ spec:
        environment: prod
    spec:
      imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
      containers:
        - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-metadata-worker@sha256:556d9e0e90c3686974d42f9844d46c46684ce9e8c44cea8c3af653cbebdde5db
+          image: registry.mnnu.eu.org/ircs/ircs-metadata-worker:sha-de9957f9ced5
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
@@ -113,4 +113,3 @@ spec:
            limits:
              cpu: 250m
              memory: 512Mi
@@ -1,4 +1,4 @@
-apiVersion: apps/v1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: ircs-normalization-worker
@@ -24,10 +24,10 @@ spec:
        ircs.prodigalgal.com/no-public-route: "true"
    spec:
      imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
      containers:
        - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-normalization-worker@sha256:399ca4e645c20a8fef850499a5b1c4223fc6308ca36598f778641e1efbb8eaf8
+          image: registry.mnnu.eu.org/ircs/ircs-normalization-worker:sha-de9957f9ced5
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
@@ -124,4 +124,3 @@ spec:
    - name: http
      port: 8080
      targetPort: http
@@ -1,4 +1,4 @@
-apiVersion: apps/v1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: ircs-notification-worker
@@ -22,10 +22,10 @@ spec:
        environment: prod
    spec:
      imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
      containers:
        - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-notification-worker@sha256:c0234ec40b13b3a24925ec2bcfb5b6298622335f44284003d12f09199de3fdd3
+          image: registry.mnnu.eu.org/ircs/ircs-notification-worker:sha-de9957f9ced5
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
@@ -135,4 +135,3 @@ spec:
            limits:
              cpu: 250m
              memory: 512Mi
@@ -1,4 +1,4 @@
-apiVersion: monitoring.coreos.com/v1
+apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: ircs-prod-service-monitor
@@ -67,4 +67,3 @@ spec:
      interval: 30s
      scrapeTimeout: 10s
      honorLabels: true
@@ -1,4 +1,4 @@
-apiVersion: apps/v1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: ircs-ops-service
@@ -24,10 +24,10 @@ spec:
        ircs.prodigalgal.com/no-public-route: "true"
    spec:
      imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
      containers:
        - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-ops-service@sha256:ec5a8ec36286e45fa4d85e07b861c7e349dd914017e1b0a03639833ab20b686f
+          image: registry.mnnu.eu.org/ircs/ircs-ops-service:sha-de9957f9ced5
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
@@ -138,4 +138,3 @@ spec:
    - name: http
      port: 8080
      targetPort: http
@@ -1,4 +1,4 @@
-apiVersion: apps/v1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: ircs-portal-service
@@ -24,10 +24,10 @@ spec:
        ircs.prodigalgal.com/no-public-route: "true"
    spec:
      imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
      containers:
        - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-portal-service@sha256:13273b98a366bf5690fb372316248d91711f41afb4906de0cf8e737ce76fc59c
+          image: registry.mnnu.eu.org/ircs/ircs-portal-service:sha-de9957f9ced5
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
@@ -116,4 +116,3 @@ spec:
    - name: http
      port: 8080
      targetPort: http
@@ -1,4 +1,4 @@
-apiVersion: v1
+apiVersion: v1
 kind: Service
 metadata:
  name: postgres-svc
@@ -28,6 +28,15 @@ metadata:
 spec:
  serviceName: postgres-svc
  replicas: 1
  podManagementPolicy: OrderedReady
  revisionHistoryLimit: 10
  persistentVolumeClaimRetentionPolicy:
    whenDeleted: Retain
    whenScaled: Retain
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      partition: 0
  selector:
    matchLabels:
      app: postgres
@@ -38,6 +47,11 @@ spec:
        app.kubernetes.io/part-of: ircs
        environment: prod
    spec:
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
      containers:
        - name: postgres
          image: postgres:18-alpine
@@ -45,6 +59,7 @@ spec:
          ports:
            - name: postgres
              containerPort: 5432
              protocol: TCP
          env:
            - name: POSTGRES_DB
              value: ircs
@@ -62,14 +77,22 @@ spec:
              command: ["pg_isready", "-U", "postgres", "-d", "ircs"]
            failureThreshold: 30
            periodSeconds: 5
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            exec:
              command: ["pg_isready", "-U", "postgres", "-d", "ircs"]
            failureThreshold: 3
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          livenessProbe:
            exec:
              command: ["pg_isready", "-U", "postgres", "-d", "ircs"]
            failureThreshold: 3
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 1
          resources:
            requests:
              cpu: 100m
@@ -80,8 +103,12 @@ spec:
          volumeMounts:
            - name: postgres-data
              mountPath: /var/lib/postgresql/data
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
  volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
      kind: PersistentVolumeClaim
      metadata:
        name: postgres-data
        labels:
          app: postgres
@@ -89,7 +116,7 @@ spec:
          environment: prod
      spec:
        accessModes: ["ReadWriteOnce"]
        volumeMode: Filesystem
        resources:
          requests:
            storage: 2Gi
@@ -1,4 +1,4 @@
-apiVersion: v1
+apiVersion: v1
 kind: Service
 metadata:
  name: rabbitmq-svc
@@ -31,6 +31,15 @@ metadata:
 spec:
  serviceName: rabbitmq-svc
  replicas: 1
  podManagementPolicy: OrderedReady
  revisionHistoryLimit: 10
  persistentVolumeClaimRetentionPolicy:
    whenDeleted: Retain
    whenScaled: Retain
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      partition: 0
  selector:
    matchLabels:
      app: rabbitmq
@@ -41,6 +50,11 @@ spec:
        app.kubernetes.io/part-of: ircs
        environment: prod
    spec:
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
      containers:
        - name: rabbitmq
          image: rabbitmq:4.1.8-management
@@ -48,8 +62,10 @@ spec:
          ports:
            - name: amqp
              containerPort: 5672
              protocol: TCP
            - name: management
              containerPort: 15672
              protocol: TCP
          env:
            - name: RABBITMQ_DEFAULT_USER
              value: admin
@@ -63,16 +79,21 @@ spec:
              command: ["rabbitmq-diagnostics", "-q", "ping"]
            failureThreshold: 30
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 10
          readinessProbe:
            exec:
              command: ["rabbitmq-diagnostics", "-q", "ping"]
            failureThreshold: 3
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 10
          livenessProbe:
            exec:
              command: ["rabbitmq-diagnostics", "-q", "ping"]
            failureThreshold: 3
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 10
          resources:
            requests:
@@ -84,8 +105,12 @@ spec:
          volumeMounts:
            - name: rabbitmq-data
              mountPath: /var/lib/rabbitmq
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
  volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
      kind: PersistentVolumeClaim
      metadata:
        name: rabbitmq-data
        labels:
          app: rabbitmq
@@ -93,7 +118,7 @@ spec:
          environment: prod
      spec:
        accessModes: ["ReadWriteOnce"]
        volumeMode: Filesystem
        resources:
          requests:
            storage: 1Gi
@@ -1,4 +1,4 @@
-apiVersion: apps/v1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: ircs-scraper-service
@@ -24,10 +24,10 @@ spec:
        ircs.prodigalgal.com/no-public-route: "true"
    spec:
      imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
      containers:
        - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-scraper-service@sha256:57d7a63db890dd5be03d3981f428f23a56c46ea367ddcdcebc9d018e873ce457
+          image: registry.mnnu.eu.org/ircs/ircs-scraper-service:sha-de9957f9ced5
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
@@ -130,4 +130,3 @@ spec:
    - name: http
      port: 8080
      targetPort: http
@@ -1,4 +1,4 @@
-apiVersion: apps/v1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: ircs-search-service
@@ -22,10 +22,10 @@ spec:
        environment: prod
    spec:
      imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
      containers:
        - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-search-service@sha256:b935a800abe3c92320408f3410c1883f6367736117e92dd574edced6bb3434e0
+          image: registry.mnnu.eu.org/ircs/ircs-search-service:sha-de9957f9ced5
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
@@ -146,4 +146,3 @@ spec:
    - name: http
      port: 8080
      targetPort: http
@@ -1,4 +1,4 @@
-apiVersion: apps/v1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: ircs-storage-service
@@ -22,10 +22,10 @@ spec:
        environment: prod
    spec:
      imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
      containers:
        - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-storage-service@sha256:d84e61ee19b84a77a0cd1c608eb51cf673b0d8fc47571366742542ff5a00b88c
+          image: registry.mnnu.eu.org/ircs/ircs-storage-service:sha-de9957f9ced5
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
@@ -144,4 +144,3 @@ spec:
    - name: http
      port: 8080
      targetPort: http
@@ -1,4 +1,4 @@
-apiVersion: apps/v1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: ircs-task-service
@@ -24,10 +24,10 @@ spec:
        ircs.prodigalgal.com/no-public-route: "true"
    spec:
      imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
      containers:
        - name: app
-          image: harbor.mnnu.eu.org/ircs/ircs-task-service@sha256:74482cc394083003bb3dc52d9290e3473d3f17b1e5bad01ad91123facf31709f
+          image: registry.mnnu.eu.org/ircs/ircs-task-service:sha-de9957f9ced5
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
@@ -149,4 +149,3 @@ spec:
    - name: http
      port: 8080
      targetPort: http
@@ -1,4 +1,4 @@
-apiVersion: v1
+apiVersion: v1
 kind: Service
 metadata:
  name: valkey-svc
@@ -74,4 +74,3 @@ spec:
            limits:
              cpu: 250m
              memory: 256Mi
@@ -1,4 +1,32 @@
-apiVersion: gateway.networking.k8s.io/v1
+apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
  name: huawai-http-redirect
  namespace: ircs-prod
  labels:
    app.kubernetes.io/part-of: ircs
    environment: prod
 spec:
  parentRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: mnnu-gateway
      namespace: gateway-system
      sectionName: http
  hostnames:
    - huawai.mnnu.eu.org
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      filters:
        - type: RequestRedirect
          requestRedirect:
            scheme: https
            statusCode: 301
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
  name: huawai-route
@@ -7,14 +35,31 @@ metadata:
    app.kubernetes.io/part-of: ircs
    environment: prod
 spec:
  hostnames:
    - huawai.sophia.fr.eu.org
  parentRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
-      name: production-gateway
+      name: mnnu-gateway
-      namespace: envoy-gateway-system
+      namespace: gateway-system
      sectionName: https
  hostnames:
    - huawai.mnnu.eu.org
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /api/backend
        - path:
            type: PathPrefix
            value: /api/portal
        - path:
            type: PathPrefix
            value: /media
      backendRefs:
        - group: ""
          kind: Service
          name: ircs-portal-bff
          port: 8080
          weight: 1
    - matches:
        - path:
            type: PathPrefix
@@ -22,27 +67,69 @@ spec:
      backendRefs:
        - group: ""
          kind: Service
-          name: ircs-frontend-gateway
+          name: ircs-portal-frontend
-          port: 80
+          port: 3000
          weight: 1
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
-  name: ircs-route
+  name: admin-http-redirect
  namespace: ircs-prod
  labels:
    app.kubernetes.io/part-of: ircs
    environment: prod
 spec:
  hostnames:
    - ircs.sophia.fr.eu.org
  parentRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
-      name: production-gateway
+      name: mnnu-gateway
-      namespace: envoy-gateway-system
+      namespace: gateway-system
      sectionName: http
  hostnames:
    - admin.mnnu.eu.org
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      filters:
        - type: RequestRedirect
          requestRedirect:
            scheme: https
            statusCode: 301
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
  name: admin-route
  namespace: ircs-prod
  labels:
    app.kubernetes.io/part-of: ircs
    environment: prod
 spec:
  parentRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: mnnu-gateway
      namespace: gateway-system
      sectionName: https
  hostnames:
    - admin.mnnu.eu.org
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /api/v1
        - path:
            type: PathPrefix
            value: /media
      backendRefs:
        - group: ""
          kind: Service
          name: ircs-admin-bff
          port: 8080
          weight: 1
    - matches:
        - path:
            type: PathPrefix
@@ -50,6 +137,6 @@ spec:
      backendRefs:
        - group: ""
          kind: Service
-          name: ircs-frontend-gateway
+          name: ircs-admin-frontend
-          port: 8080
+          port: 80
          weight: 1
@@ -1,5 +1,4 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
+apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - httproutes.yaml
@@ -0,0 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - migrator-job.yaml
@@ -1,4 +1,4 @@
-apiVersion: batch/v1
+apiVersion: batch/v1
 kind: Job
 metadata:
  name: ircs-migrator
@@ -9,7 +9,6 @@ metadata:
    environment: prod
 spec:
  backoffLimit: 0
  ttlSecondsAfterFinished: 300
  template:
    metadata:
      labels:
@@ -19,10 +18,10 @@ spec:
    spec:
      restartPolicy: Never
      imagePullSecrets:
-        - name: harbor-secret
+        - name: registry-secret
      containers:
        - name: migrator
-          image: harbor.mnnu.eu.org/ircs/ircs-migrator@sha256:64223fa99f7c2793b0145cc539bafa4b0c70fa3cc0af0e9059a2fed3bf7a2437
+          image: registry.mnnu.eu.org/ircs/ircs-migrator:sha-de9957f9ced5
          imagePullPolicy: IfNotPresent
          env:
            - name: SPRING_DATASOURCE_URL
@@ -50,4 +49,3 @@ spec:
            limits:
              cpu: 250m
              memory: 512Mi
@@ -26,6 +26,23 @@ function Invoke-Postgres($Namespace, $Sql) {
  kubectl -n $Namespace exec statefulset/postgres -- sh -lc "PGPASSWORD=\`$POSTGRES_PASSWORD psql -U postgres -d $Database -Atc '$escapedSql'"
 }
 function Get-TableColumns($Namespace, $TableName) {
  $sql = "select column_name || '|' || udt_name || '|' || is_nullable || '|' || coalesce(column_default, '') from information_schema.columns where table_schema='public' and table_name='$TableName' order by ordinal_position"
  $lines = @(Invoke-Postgres $Namespace $sql)
  $columns = @()
  foreach ($line in $lines) {
    if (-not $line) { continue }
    $parts = $line -split '\|', 4
    $columns += [pscustomobject]@{
      Name = $parts[0]
      UdtName = $parts[1]
      Nullable = $parts[2]
      Default = if ($parts.Count -ge 4) { $parts[3] } else { '' }
    }
  }
  return $columns
 }
 Write-Host "Compatible business tables planned for migration: $($tables.Count)"
 Write-Host "Excluded tables: databasechangelog, databasechangeloglock, V3 runtime audit/outbox/maintenance derived tables."
@@ -36,6 +53,40 @@ $missingNew = $tables | Where-Object { $_ -notin $newTables }
 if ($missingOld) { throw "Old namespace is missing expected tables: $($missingOld -join ', ')" }
 if ($missingNew) { throw "New namespace is missing expected tables. Run ircs-prod core migrator first: $($missingNew -join ', ')" }
 $schemaIssues = @()
 foreach ($table in $tables) {
  $oldColumns = @(Get-TableColumns $OldNamespace $table)
  $newColumns = @(Get-TableColumns $NewNamespace $table)
  $newByName = @{}
  foreach ($column in $newColumns) {
    $newByName[$column.Name] = $column
  }
  $oldByName = @{}
  foreach ($column in $oldColumns) {
    $oldByName[$column.Name] = $column
    if (-not $newByName.ContainsKey($column.Name)) {
      $schemaIssues += "${table}: old column '$($column.Name)' is missing in target"
      continue
    }
    $target = $newByName[$column.Name]
    if ($column.UdtName -ne $target.UdtName) {
      $schemaIssues += "$table.$($column.Name): type mismatch old=$($column.UdtName) new=$($target.UdtName)"
    }
  }
  foreach ($column in $newColumns) {
    if (-not $oldByName.ContainsKey($column.Name) -and $column.Nullable -eq 'NO' -and -not $column.Default) {
      $schemaIssues += "${table}: target required column '$($column.Name)' has no old value and no default"
    }
  }
 }
 if ($schemaIssues.Count -gt 0) {
  $schemaIssues | ForEach-Object { Write-Host "SCHEMA ISSUE: $_" }
  throw "Schema preflight failed with $($schemaIssues.Count) issue(s)."
 }
 Write-Host "Schema preflight passed for $($tables.Count) compatible business tables."
 if (-not $Execute) {
  Write-Host "Dry run only. Add -Execute to stream data from $OldNamespace to $NewNamespace."
  exit 0
@@ -11,7 +11,12 @@ $ErrorActionPreference = "Stop"
 function New-Base64SecretValue([int]$Bytes = 48) {
  $buffer = [byte[]]::new($Bytes)
-  [System.Security.Cryptography.RandomNumberGenerator]::Fill($buffer)
+  $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
  try {
    $rng.GetBytes($buffer)
  } finally {
    $rng.Dispose()
  }
  return [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes([Convert]::ToBase64String($buffer)))
 }
Author	SHA1	Message	Date
Prodiglagla	9e326c375a	chore: restore independent prod gitops config	2026-06-15 18:10:47 +08:00
Prodiglagla	c86deb5e12	deploy: normalize bff 404 images	2026-06-14 20:57:10 +08:00
Prodiglagla	f6360fe327	deploy: roll out 404 error handling images	2026-06-14 20:46:53 +08:00
Prodiglagla	8d9e11a500	fix: configure prod bff targets	2026-06-14 17:45:56 +08:00
Prodiglagla	fc7f421203	docs: record clean prod cutover	2026-06-14 16:04:38 +08:00
Prodiglagla	59b93e9f78	add prod data migration schema preflight	2026-06-14 12:46:49 +08:00
Prodiglagla	40b1f722a3	fix prod migrator application path	2026-06-14 12:43:27 +08:00
Prodiglagla	a89e26b839	stabilize prod statefulset gitops drift	2026-06-14 12:41:42 +08:00
Prodiglagla	5932f37fc0	declare prod statefulset defaults	2026-06-14 12:33:27 +08:00
Prodiglagla	712770d7d3	fix prod secret token generation compatibility	2026-06-14 12:16:02 +08:00