deploy encapi to au-syd1 #230

Merged
benvin merged 2 commits from benvin/add-encapi-deployment into main 2026-07-05 17:41:21 +10:00

Why

encapi is the new Postgres-backed Puppet ENC that replaces Cobbler (Go API + encapi-cli + terraform provider). It needs to run somewhere reachable by the puppet masters (encapi-cli classify) and every node's enc_direct_facts fact. Deploy it in k8s alongside artifactapi, exposed at encapi.k8s.syd1.au.unkin.net.

Changes

  • add apps/base/encapi/: namespace, deployment (git.unkin.net/unkin/encapi, port 8000, /healthz probes), service, gateway + httproute (encapi.k8s.syd1.au.unkin.net, traefik-internal), configmap (DB coordinates), CNPG cluster + pooler (database encapi), and VaultAuth + VaultStaticSecrets (postgres-credentials, environment)
  • add apps/overlays/au-syd1/encapi overlay referencing the base
  • register apps/overlays/*/encapi in the platform ApplicationSet so ArgoCD picks it up

Notes

  • Mirrors the artifactapi pattern (VaultAuth role default, namespace-scoped VSO paths kv/kubernetes/namespace/encapi/default/*).
  • Before first sync, seed the Vault KV secrets: environment must carry DBPASS (matching the CNPG owner password) and ENCAPI_WRITE_TOKEN; postgres-credentials carries the CNPG owner username/password.
  • kustomize build apps/overlays/au-syd1/encapi validates clean (11 resources).
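
A preflight check for the seeding step in the Notes above, added here as an example and not part of this PR or the repository: it takes the output of `vault kv get -format=json` for each secret and reports missing keys or a `DBPASS` that differs from the CNPG owner password, without echoing any value. The `username`/`password` key names and the function names are assumptions.

```python
import hmac
import json

# DBPASS and ENCAPI_WRITE_TOKEN are named in the PR notes; "username" and
# "password" are assumed key names for the CNPG owner credentials.
REQUIRED = {
    "environment": ("DBPASS", "ENCAPI_WRITE_TOKEN"),
    "postgres-credentials": ("username", "password"),
}


def kv_fields(raw_json):
    """Return the key/value fields from `vault kv get -format=json` output."""
    data = json.loads(raw_json).get("data") or {}
    # KV v2 nests the fields under data.data next to data.metadata; KV v1 does not.
    if isinstance(data.get("data"), dict) and "metadata" in data:
        return data["data"]
    return data


def preflight(secrets):
    """secrets maps secret name -> raw JSON. An empty result means ready to sync."""
    findings = []
    fields = {}
    for name, keys in REQUIRED.items():
        if name not in secrets:
            findings.append(f"{name}: secret not seeded")
            continue
        fields[name] = kv_fields(secrets[name])
        for key in keys:
            value = fields[name].get(key)
            if not isinstance(value, str) or not value.strip():
                findings.append(f"{name}: {key} missing or empty")
    dbpass = fields.get("environment", {}).get("DBPASS")
    owner_pw = fields.get("postgres-credentials", {}).get("password")
    if isinstance(dbpass, str) and isinstance(owner_pw, str) and dbpass and owner_pw:
        # Report only the mismatch, never the values themselves.
        if not hmac.compare_digest(dbpass.encode(), owner_pw.encode()):
            findings.append("environment: DBPASS does not match postgres-credentials password")
    return findings


# Constructed sample input (KV v2 shape); the values are placeholders, not real secrets.
SAMPLE = {
    "environment": json.dumps({"data": {"data": {"DBPASS": "example-a", "ENCAPI_WRITE_TOKEN": ""},
                                        "metadata": {"version": 1}}}),
    "postgres-credentials": json.dumps({"data": {"data": {"username": "encapi", "password": "example-b"},
                                                 "metadata": {"version": 1}}}),
}
```

Calling `preflight(SAMPLE)` returns two findings: the empty `ENCAPI_WRITE_TOKEN` and the `DBPASS` mismatch.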
unkinben added 1 commit 2026-07-04 23:25:41 +10:00
deploy encapi to au-syd1
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
568f48098e
encapi is the new Postgres-backed Puppet ENC replacing Cobbler. Stand it up in
k8s alongside artifactapi so the puppet masters (via encapi-cli classify) and
the enc_direct_facts fact can reach it at encapi.k8s.syd1.au.unkin.net.

- add apps/base/encapi: namespace, deployment (git.unkin.net/unkin/encapi), service,
  gateway + httproute (encapi.k8s.syd1.au.unkin.net), configmap, CNPG cluster +
  pooler (db encapi), VaultAuth + VaultStaticSecrets (postgres-credentials, environment)
- add apps/overlays/au-syd1/encapi overlay
- register apps/overlays/*/encapi in the platform ApplicationSet

Note: the Vault KV secrets kv/kubernetes/namespace/encapi/default/{postgres-credentials,
environment} must be seeded before first sync; 'environment' carries DBPASS (matching
the CNPG owner password) and ENCAPI_WRITE_TOKEN.
unkinben added 1 commit 2026-07-05 17:37:31 +10:00
encapi: use released image v0.1.1
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
5fb3b37e7b
The first successful encapi release is v0.1.1 (v0.0.1 was a placeholder and
v0.1.0's build failed on a gitignore bug). Point the deployment at the image
that actually exists in the registry.
benvin merged commit 333e638e24 into main 2026-07-05 17:41:21 +10:00
benvin deleted branch benvin/add-encapi-deployment 2026-07-05 17:41:22 +10:00

Reference: unkin/argocd-apps#230