From 4f5c3f7ea0287336dcb232bb3c33ea249fb7d42f Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sat, 23 May 2026 01:29:54 +1000
Subject: [PATCH] feat(litellm): migrate Ingress to Gateway API (#134)
## Summary
- Replace `Ingress` (nginx) with `Gateway` + `HTTPRoute` using `traefik-internal` GatewayClass
- TLS terminated at the Gateway listener; cert-manager provisions the certificate via `vault-issuer`
- external-dns annotations moved to the Gateway
## Test plan
- [ ] ArgoCD syncs the litellm app cleanly
- [ ] cert-manager issues the `litellm-tls` certificate
- [ ] external-dns creates the DNS record
- [ ] `https://litellm.k8s.syd1.au.unkin.net` is reachable
Reviewed-on: https://git.unkin.net/unkin/argocd-apps/pulls/134
---
apps/base/litellm/gateway.yaml | 29 ++++++++++++++++++++++++++++
apps/base/litellm/httproute.yaml | 20 +++++++++++++++++++
apps/base/litellm/ingress.yaml | 29 ----------------------------
apps/base/litellm/kustomization.yaml | 3 ++-
4 files changed, 51 insertions(+), 30 deletions(-)
create mode 100644 apps/base/litellm/gateway.yaml
create mode 100644 apps/base/litellm/httproute.yaml
delete mode 100644 apps/base/litellm/ingress.yaml
diff --git a/apps/base/litellm/gateway.yaml b/apps/base/litellm/gateway.yaml
new file mode 100644
index 0000000..3d20f56
--- /dev/null
+++ b/apps/base/litellm/gateway.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ labels:
+ traefik.io/instance: internal
+ annotations:
+ cert-manager.io/cluster-issuer: vault-issuer
+ cert-manager.io/common-name: litellm.k8s.syd1.au.unkin.net
+ cert-manager.io/private-key-size: "4096"
+ external-dns.alpha.kubernetes.io/hostname: litellm.k8s.syd1.au.unkin.net
+ external-dns.alpha.kubernetes.io/target: 198.18.200.4
+ name: litellm
+ namespace: litellm
+spec:
+ gatewayClassName: traefik-internal
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: Same
+ hostname: litellm.k8s.syd1.au.unkin.net
+ name: https
+ port: 443
+ protocol: HTTPS
+ tls:
+ certificateRefs:
+ - kind: Secret
+ name: litellm-tls
+ mode: Terminate
diff --git a/apps/base/litellm/httproute.yaml b/apps/base/litellm/httproute.yaml
new file mode 100644
index 0000000..87f1a01
--- /dev/null
+++ b/apps/base/litellm/httproute.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: litellm
+ namespace: litellm
+spec:
+ hostnames:
+ - litellm.k8s.syd1.au.unkin.net
+ parentRefs:
+ - name: litellm
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: litellm
+ port: 4000
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
diff --git a/apps/base/litellm/ingress.yaml b/apps/base/litellm/ingress.yaml
deleted file mode 100644
index ad8c713..0000000
--- a/apps/base/litellm/ingress.yaml
+++ /dev/null
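Review bot: The `external-dns.alpha.kubernetes.io/hostname` annotation on the Gateway in gateway.yaml is probably inert. As far as external-dns's Gateway API sources are documented, record names come from the route's `spec.hostnames` and only the `target` annotation is read from the Gateway, so the record would actually be driven by httproute.yaml. If that holds for the deployed external-dns version, drop the annotation or add a comment above it such as `# DNS name comes from HTTPRoute spec.hostnames; only the target annotation is read on the Gateway`. The pinned `target: 198.18.200.4` also differs from the removed Ingress's `198.18.200.0`; a one-line comment naming what owns that address (presumably the traefik-internal load balancer) would let a reviewer confirm the record points at the intended listener.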
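Review bot: The `backendRefs` entry in httproute.yaml forwards to `litellm` port 4000 with no backend TLS, while the Gateway listener uses `mode: Terminate`. So the hop from Traefik to the pod is plaintext, and any API keys in request headers cross the pod network unencrypted. This matches the removed Ingress, so it is not a regression, but nothing in this commit documents or constrains it. I would add a comment above `backendRefs` such as `# TLS ends at the Gateway; traffic to litellm:4000 is plaintext in-cluster`. It is also worth confirming that a NetworkPolicy elsewhere in the app limits port 4000 to the Traefik pods, since none is visible in this diff. The single `PathPrefix: /` rule also publishes every path the service serves, including any administrative endpoints, to everyone who can reach the internal gateway; if that is intended, say so in the same comment.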
@@ -1,29 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- annotations:
- kubernetes.io/ingress.class: nginx
- external-dns.alpha.kubernetes.io/hostname: litellm.k8s.syd1.au.unkin.net
- external-dns.alpha.kubernetes.io/target: 198.18.200.0
- cert-manager.io/cluster-issuer: vault-issuer
- cert-manager.io/common-name: litellm.k8s.syd1.au.unkin.net
- cert-manager.io/private-key-size: "4096"
- name: litellm
- namespace: litellm
-spec:
- rules:
- - host: litellm.k8s.syd1.au.unkin.net
- http:
- paths:
- - backend:
- service:
- name: litellm
- port:
- number: 4000
- path: /
- pathType: Prefix
- tls:
- - hosts:
- - litellm.k8s.syd1.au.unkin.net
- secretName: litellm-tls
diff --git a/apps/base/litellm/kustomization.yaml b/apps/base/litellm/kustomization.yaml
index dfd2cbd..3b22566 100644
--- a/apps/base/litellm/kustomization.yaml
+++ b/apps/base/litellm/kustomization.yaml
@@ -7,7 +7,8 @@ resources:
 - cnpg_pooler.yaml
 - deployment.yaml
 - hpa.yaml
- - ingress.yaml
+ - gateway.yaml
+ - httproute.yaml
 - namespace.yaml
 - redis-deployment.yaml
 - redis-pvc.yaml