13 Commits

Author SHA1 Message Date
unkinben 9830c36e0b fix: correct external-dns target IP to 198.18.200.4
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
2026-05-23 00:20:32 +10:00
unkinben 7275695f4e fix(artifactapi): add traefik.io/instance label to Gateway
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
2026-05-23 00:18:09 +10:00
unkinben afcc4f36fe feat(artifactapi): migrate Ingress to Gateway API
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
Replace nginx Ingress with Gateway + HTTPRoute using the traefik-internal
GatewayClass. TLS is terminated at the Gateway listener via cert-manager.
2026-05-22 00:06:00 +10:00
unkinben f53a2dc4f8 fix: terraform_vault must be RFC1123 compliant (#128)
Reviewed-on: #128
2026-05-21 23:19:20 +10:00
unkinben c5dd3cc5cb feat: add terraform_vault role (#127)
this adds a service account that can be used to run the terraform_vault
workflows with, so that we can access the jwt to generate a token

Reviewed-on: #127
2026-05-21 23:13:48 +10:00
unkinben 462b2b3f4f feat(externaldns): add Gateway API sources for httproute, tlsroute, grpcroute, tcproute, udproute (#126)
Reviewed-on: #126
2026-05-18 00:11:33 +10:00
unkinben 73c9b3f603 fix(traefik): replace invalid controllername flag with labelSelector for v3 (#125)
Remove --providers.kubernetesgateway.controllername which does not exist in
Traefik v3, update GatewayClass controllerName to the standard v3 value, and
use labelSelector on each instance's kubernetesGateway provider to differentiate
internal vs external traffic.

Reviewed-on: #125
2026-05-18 00:03:12 +10:00
unkinben 9a01a9ef19 fix: enable gateway/ingress class on platform project (#124)
- add missing classes to platform required to deploy traefik system

Reviewed-on: #124
2026-05-17 23:56:12 +10:00
unkinben 53553ddcfd feat: deploy internal/external traefik routers (#119)
deploy traefik for internal and external applications. port forwarding
from the external routers will only occur to the IP of the
traefik-external service.

- traefik-internal and traefik-external added
- each is a different deployment

Reviewed-on: #119
2026-05-17 23:44:50 +10:00
unkinben 5d3ff3a0f4 feat(artifactapi): allow kubeconform and kustomize from GitHub (#123)
Adds immutable patterns for yannh/kubeconform and kubernetes-sigs/kustomize
to fix 403 Forbidden errors when downloading their Linux amd64 releases.

Reviewed-on: #123
2026-05-17 12:19:27 +10:00
unkinben c3002dc3c1 feat(artifactapi): allow kubecolor releases from GitHub (#122)
Reviewed-on: #122
2026-05-11 23:39:48 +10:00
unkinben 27db33536a feat(artifactapi): allow almalinux, debian, and fedora from Docker Hub (#121)
Reviewed-on: #121
2026-05-10 22:56:39 +10:00
unkinben 8a7068a1c4 feat(artifactapi): add argo-helm as a remote and virtual helm member (#120)
Reviewed-on: #120
2026-05-10 22:53:43 +10:00
20 changed files with 307 additions and 33 deletions
+29
View File
@@ -0,0 +1,29 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
labels:
traefik.io/instance: internal
annotations:
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: artifactapi.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
external-dns.alpha.kubernetes.io/hostname: artifactapi.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.4
name: artifactapi
namespace: artifactapi
spec:
gatewayClassName: traefik-internal
listeners:
- allowedRoutes:
namespaces:
from: Same
hostname: artifactapi.k8s.syd1.au.unkin.net
name: https
port: 443
protocol: HTTPS
tls:
certificateRefs:
- kind: Secret
name: artifactapi-tls
mode: Terminate
+20
View File
@@ -0,0 +1,20 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: artifactapi
namespace: artifactapi
spec:
hostnames:
- artifactapi.k8s.syd1.au.unkin.net
parentRefs:
- name: artifactapi
sectionName: https
rules:
- backendRefs:
- name: artifactapi-api
port: 80
matches:
- path:
type: PathPrefix
value: /
-32
View File
@@ -1,32 +0,0 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: artifactapi.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
external-dns.alpha.kubernetes.io/hostname: artifactapi.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.0
nginx.ingress.kubernetes.io/proxy-body-size: 10g
nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
nginx.ingress.kubernetes.io/ssl-redirect: "false"
name: artifactapi-ingress
namespace: artifactapi
spec:
ingressClassName: nginx
rules:
- host: artifactapi.k8s.syd1.au.unkin.net
http:
paths:
- backend:
service:
name: artifactapi-api
port:
number: 80
path: /
pathType: Prefix
tls:
- hosts:
- artifactapi.k8s.syd1.au.unkin.net
secretName: artifactapi-tls
+2 -1
View File
@@ -6,7 +6,8 @@ resources:
- artifactapi-deployment.yaml
- artifactapi-hpa.yaml
- configmap.yaml
- ingress.yaml
- gateway.yaml
- httproute.yaml
- namespace.yaml
- postgres-deployment.yaml
- pvc.yaml
@@ -19,7 +19,10 @@ remotes:
package: "docker"
description: "Docker Hub registry"
immutable_patterns:
- "^library/almalinux"
- "^library/busybox"
- "^library/debian"
- "^library/fedora"
- "^library/nginx"
- "^library/postgres"
- "^library/redis"
@@ -26,7 +26,9 @@ remotes:
- "helmfile/helmfile/.*/helmfile_.*_linux_amd64.tar.gz$"
- "helmfile/vals/.*/vals_.*_linux_amd64.tar.gz$"
- "jesseduffield/lazydocker/.*/lazydocker_.*_Linux_x86_64.tar.gz$"
- "kubecolor/kubecolor/.*/kubecolor_.*_linux_amd64.tar.gz$"
- "kubernetes-sigs/gateway-api/.*/standard-install.yaml$"
- "kubernetes-sigs/kustomize/.*/kustomize_.*_linux_amd64.tar.gz$"
- "lxc/incus/.*.tar.gz$"
- "mikefarah/yq/.*/yq_linux_amd64$"
- "neovim/neovim-releases/.*/nvim-linux-x86_64.tar.gz$"
@@ -54,6 +56,7 @@ remotes:
- "VictoriaMetrics/VictoriaMetrics/.*/vlutils-linux-amd64-.*.tar.gz$"
- "VictoriaMetrics/VictoriaMetrics/.*/vmutils-linux-amd64-.*.tar.gz$"
- "xorpaul/g10k/.*/g10k-.*-linux-amd64.zip$"
- "yannh/kubeconform/.*/kubeconform-linux-amd64.tar.gz$"
cache:
immutable_ttl: 0
mutable_ttl: 7200
@@ -130,3 +130,14 @@ remotes:
cache:
immutable_ttl: 0
mutable_ttl: 3600
argo-helm:
base_url: "https://argoproj.github.io/argo-helm"
package: "helm"
description: "Argo Project Helm charts (ArgoCD, Image Updater, Rollouts, etc.)"
check_mutable_updates: true
immutable_patterns:
- "\\.tgz$"
cache:
immutable_ttl: 0
mutable_ttl: 3600
@@ -15,3 +15,4 @@ virtuals:
- stakater
- traefik
- victoriametrics
- argo-helm
@@ -0,0 +1,7 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
name: traefik-external
spec:
controllerName: traefik.io/gateway-controller
@@ -0,0 +1,7 @@
---
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
name: traefik-internal
spec:
controllerName: traefik.io/gateway-controller
@@ -0,0 +1,8 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- gatewayclass-internal.yaml
- gatewayclass-external.yaml
+5
View File
@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: traefik-system
+1
View File
@@ -6,5 +6,6 @@ resources:
- namespace.yaml
- cnpg_cluster.yaml
- cnpg_pooler.yaml
- serviceaccount_terraform_vault.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
@@ -0,0 +1,6 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: terraform-vault
namespace: woodpecker
@@ -24,6 +24,11 @@ policy: "sync"
sources:
- service
- ingress
- gateway-httproute
- gateway-tlsroute
- gateway-grpcroute
- gateway-tcproute
- gateway-udproute
# Environment variables for TSIG secret and algorithm from Vault
env:
@@ -0,0 +1,24 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../base/traefik-system
helmCharts:
- name: traefik
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "40.0.0"
releaseName: traefik-internal
namespace: traefik-system
valuesFile: values-internal.yaml
apiVersions:
- policy/v1/PodDisruptionBudget
- name: traefik
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
version: "40.0.0"
releaseName: traefik-external
namespace: traefik-system
valuesFile: values-external.yaml
apiVersions:
- policy/v1/PodDisruptionBudget
@@ -0,0 +1,85 @@
image:
tag: v3.7.0
podDisruptionBudget:
enabled: true
maxUnavailable: 1
gateway:
enabled: false
gatewayClass:
enabled: false
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
providers:
kubernetesCRD:
enabled: false
kubernetesIngress:
enabled: false
kubernetesGateway:
enabled: true
experimentalChannel: false
namespaces: []
nativeLBByDefault: false
labelSelector: "traefik.io/instance=external"
logs:
access:
enabled: true
global:
checkNewVersion: true
sendAnonymousUsage: false
notAppendXForwardedFor: false
service:
enabled: true
single: true
annotations:
purelb.io/service-group: "dmz"
purelb.io/addresses: 198.18.199.0
annotationsTCP: {}
annotationsUDP: {}
labels: {}
spec:
type: LoadBalancer
loadBalancerIP: "198.18.199.0"
additionalServices: {}
autoscaling:
enabled: true
minReplicas: 2
maxReplicas: 5
metrics: []
behavior: {}
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: "{{ template \"traefik.fullname\" . }}"
persistence:
enabled: false
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app.kubernetes.io/name: '{{ template "traefik.name" . }}'
app.kubernetes.io/instance: '{{ .Release.Name }}-{{ include "traefik.namespace" . }}'
topologyKey: kubernetes.io/hostname
podSecurityContext:
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
enabled: true
@@ -0,0 +1,85 @@
image:
tag: v3.7.0
podDisruptionBudget:
enabled: true
maxUnavailable: 1
gateway:
enabled: false
gatewayClass:
enabled: false
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
providers:
kubernetesCRD:
enabled: false
kubernetesIngress:
enabled: false
kubernetesGateway:
enabled: true
experimentalChannel: false
namespaces: []
nativeLBByDefault: false
labelSelector: "traefik.io/instance=internal"
logs:
access:
enabled: true
global:
checkNewVersion: true
sendAnonymousUsage: false
notAppendXForwardedFor: false
service:
enabled: true
single: true
annotations:
purelb.io/service-group: "common"
purelb.io/addresses: 198.18.200.4
annotationsTCP: {}
annotationsUDP: {}
labels: {}
spec:
type: LoadBalancer
loadBalancerIP: "198.18.200.4"
additionalServices: {}
autoscaling:
enabled: true
minReplicas: 2
maxReplicas: 5
metrics: []
behavior: {}
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: "{{ template \"traefik.fullname\" . }}"
persistence:
enabled: false
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app.kubernetes.io/name: '{{ template "traefik.name" . }}'
app.kubernetes.io/instance: '{{ .Release.Name }}-{{ include "traefik.namespace" . }}'
topologyKey: kubernetes.io/hostname
podSecurityContext:
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
enabled: true
+1
View File
@@ -25,6 +25,7 @@ spec:
- path: apps/overlays/*/reflector-system
- path: apps/overlays/*/reloader-system
- path: apps/overlays/*/reposync
- path: apps/overlays/*/traefik-system
- path: apps/overlays/*/vm-system
- path: apps/overlays/*/vso-system
- path: apps/overlays/*/woodpecker
+4
View File
@@ -60,6 +60,10 @@ spec:
kind: Certificate
- group: 'cert-manager.io'
kind: Issuer
- group: 'gateway.networking.k8s.io'
kind: GatewayClass
- group: 'networking.k8s.io'
kind: IngressClass
namespaceResourceWhitelist:
- group: '*'
kind: '*'