deploy encapi to au-syd1 #230
Why

encapi is the new Postgres-backed Puppet ENC that replaces Cobbler (Go API + encapi-cli + terraform provider). It needs to run somewhere reachable by the puppet masters (encapi-cli classify) and every node's enc_direct_facts fact. Deploy it in k8s alongside artifactapi, exposed at encapi.k8s.syd1.au.unkin.net.

Changes

- apps/base/encapi/: namespace, deployment (git.unkin.net/unkin/encapi, port 8000, /healthz probes), service, gateway + httproute (encapi.k8s.syd1.au.unkin.net, traefik-internal), configmap (DB coordinates), CNPG cluster + pooler (database encapi), and VaultAuth + VaultStaticSecrets (postgres-credentials, environment)
- apps/overlays/au-syd1/encapi overlay referencing the base
- apps/overlays/*/encapi in the platform ApplicationSet so ArgoCD picks it up

Notes

- default, namespace-scoped VSO paths kv/kubernetes/namespace/encapi/default/*).
- environment must carry DBPASS (matching the CNPG owner password) and ENCAPI_WRITE_TOKEN; postgres-credentials carries the CNPG owner username/password.
- kustomize build apps/overlays/au-syd1/encapi validates clean (11 resources).

encapi is the new Postgres-backed Puppet ENC replacing Cobbler. Stand it up in k8s alongside artifactapi so the puppet masters (via encapi-cli classify) and the enc_direct_facts fact can reach it at encapi.k8s.syd1.au.unkin.net.

- add apps/base/encapi: namespace, deployment (git.unkin.net/unkin/encapi), service, gateway + httproute (encapi.k8s.syd1.au.unkin.net), configmap, CNPG cluster + pooler (db encapi), VaultAuth + VaultStaticSecrets (postgres-credentials, environment)
- add apps/overlays/au-syd1/encapi overlay
- register apps/overlays/*/encapi in the platform ApplicationSet

Note: the Vault KV secrets kv/kubernetes/namespace/encapi/default/{postgres-credentials, environment} must be seeded before first sync; 'environment' carries DBPASS (matching the CNPG owner password) and ENCAPI_WRITE_TOKEN.
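
Added example, not part of this PR or the encapi repository: a pre-sync check over `vault kv get -format=json` output for the two secrets named in the notes, confirming that the required keys are present and that DBPASS matches the CNPG owner password. The `username`/`password` key names (the kubernetes.io/basic-auth convention) and all sample values are assumptions.

```python
import hmac
import json

# Secret and key names come from the PR notes; username/password key names
# are an assumption (kubernetes.io/basic-auth convention).
REQUIRED = {
    "postgres-credentials": ("username", "password"),
    "environment": ("DBPASS", "ENCAPI_WRITE_TOKEN"),
}


def kv_fields(raw):
    """Key/value map from `vault kv get -format=json`; KV v2 nests it under data.data."""
    data = json.loads(raw).get("data") or {}
    if isinstance(data.get("data"), dict) and "metadata" in data:
        return data["data"]
    return data


def preflight(dumps):
    """dumps maps secret name -> raw JSON text. Returns problems, never secret values."""
    problems, fields = [], {}
    for name, keys in REQUIRED.items():
        if name not in dumps:
            problems.append(f"{name}: secret not seeded")
            continue
        fields[name] = kv_fields(dumps[name])
        for key in keys:
            value = fields[name].get(key)
            if not isinstance(value, str) or not value.strip():
                problems.append(f"{name}: {key} missing or empty")
    dbpass = fields.get("environment", {}).get("DBPASS")
    owner = fields.get("postgres-credentials", {}).get("password")
    if isinstance(dbpass, str) and isinstance(owner, str):
        # Constant-time comparison; report only the mismatch, not the values.
        if not hmac.compare_digest(dbpass.encode(), owner.encode()):
            problems.append("environment: DBPASS differs from postgres-credentials password")
    return problems


# Constructed sample input (not real credentials): empty token, mismatched password.
SAMPLE = {
    "postgres-credentials": '{"data": {"data": {"username": "encapi", "password": "example-pw"}, "metadata": {"version": 1}}}',
    "environment": '{"data": {"data": {"DBPASS": "other-pw", "ENCAPI_WRITE_TOKEN": ""}, "metadata": {"version": 1}}}',
}

if __name__ == "__main__":
    for problem in preflight(SAMPLE):
        print("FAIL", problem)
```

An empty result from `preflight` means both secrets are seeded consistently; any entry is a reason to hold the first ArgoCD sync.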