From 2226872c2186c2ed69a2cf7d81c040bc0f37eda1 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 10 May 2026 19:03:51 +1000
Subject: [PATCH 1/3] feat: deploy internal/external traefik routers
deploy traefik for internal and external applications. port forwarding from the external routers will only occur to the IP of the traefik-external service.
- traefik-internal and traefik-external added
- each is a different deployment
---
 .../traefik-system/gatewayclass-external.yaml | 7 ++
 .../traefik-system/gatewayclass-internal.yaml | 7 ++
 apps/base/traefik-system/kustomization.yaml | 8 ++
 apps/base/traefik-system/namespace.yaml | 5 ++
 .../au-syd1/traefik-system/kustomization.yaml | 20 +++++
 .../traefik-system/values-external.yaml | 83 +++++++++++++++++++
 .../traefik-system/values-internal.yaml | 83 +++++++++++++++++++
 argocd/applicationsets/platform.yaml | 1 +
 8 files changed, 214 insertions(+)
 create mode 100644 apps/base/traefik-system/gatewayclass-external.yaml
 create mode 100644 apps/base/traefik-system/gatewayclass-internal.yaml
 create mode 100644 apps/base/traefik-system/kustomization.yaml
 create mode 100644 apps/base/traefik-system/namespace.yaml
 create mode 100644 apps/overlays/au-syd1/traefik-system/kustomization.yaml
 create mode 100644 apps/overlays/au-syd1/traefik-system/values-external.yaml
 create mode 100644 apps/overlays/au-syd1/traefik-system/values-internal.yaml
diff --git a/apps/base/traefik-system/gatewayclass-external.yaml b/apps/base/traefik-system/gatewayclass-external.yaml
new file mode 100644
index 0000000..e6693e4
--- /dev/null
+++ b/apps/base/traefik-system/gatewayclass-external.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+ name: traefik-external
+spec:
+ controllerName: traefik.io/gateway-controller-external
diff --git a/apps/base/traefik-system/gatewayclass-internal.yaml b/apps/base/traefik-system/gatewayclass-internal.yaml
new file mode 100644
index 0000000..86de860
--- /dev/null
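Review bot: The external GatewayClass carries no `description`, so nothing on the resource itself tells a route author that a Gateway bound to this class is served from the DMZ address the commit message describes rather than from the internal one. GatewayClass supports `spec.description`; a line such as `description: "DMZ-facing Traefik; Gateways using this class receive the externally port-forwarded traffic"` would put the exposure where reviewers of new Gateway objects will see it. The same applies to gatewayclass-internal.yaml in the next hunk.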
+++ b/apps/base/traefik-system/gatewayclass-internal.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+ name: traefik-internal
+spec:
+ controllerName: traefik.io/gateway-controller-internal
diff --git a/apps/base/traefik-system/kustomization.yaml b/apps/base/traefik-system/kustomization.yaml
new file mode 100644
index 0000000..057ce95
--- /dev/null
+++ b/apps/base/traefik-system/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - namespace.yaml
+ - gatewayclass-internal.yaml
+ - gatewayclass-external.yaml
diff --git a/apps/base/traefik-system/namespace.yaml b/apps/base/traefik-system/namespace.yaml
new file mode 100644
index 0000000..914f6b9
--- /dev/null
+++ b/apps/base/traefik-system/namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: traefik-system
diff --git a/apps/overlays/au-syd1/traefik-system/kustomization.yaml b/apps/overlays/au-syd1/traefik-system/kustomization.yaml
new file mode 100644
index 0000000..051112f
--- /dev/null
+++ b/apps/overlays/au-syd1/traefik-system/kustomization.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../../base/traefik-system
+
+helmCharts:
+ - name: traefik
+ repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
+ version: "40.0.0"
+ releaseName: traefik-internal
+ namespace: traefik-system
+ valuesFile: values-internal.yaml
+ - name: traefik
+ repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
+ version: "40.0.0"
+ releaseName: traefik-external
+ namespace: traefik-system
+ valuesFile: values-external.yaml
diff --git a/apps/overlays/au-syd1/traefik-system/values-external.yaml b/apps/overlays/au-syd1/traefik-system/values-external.yaml
new file mode 100644
index 0000000..fb0ff4e
--- /dev/null
+++ b/apps/overlays/au-syd1/traefik-system/values-external.yaml
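Review bot: The two `helmCharts` entries in the overlay kustomization repeat the same `repo` and `version: "40.0.0"` literals, so a future bump applied to one entry but not the other would silently run different chart versions for the internal and external routers, which front different trust zones. A comment above the list, `# keep both releases on the same chart version; they differ only in values file and release name`, makes that coupling explicit for the next editor. The chart is also fetched from what its path names a virtual (proxying) repository, pinned by version only; if that proxy does not enforce immutability of a published version, rendered manifests could change with no change in git, which is worth confirming against the proxy's policy.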
@@ -0,0 +1,83 @@
+image:
+ tag: v3.7.0
+
+additionalArguments:
+ - "--providers.kubernetesgateway.controllername=traefik.io/gateway-controller-external"
+
+podDisruptionBudget:
+ enabled: true
+ maxUnavailable: 1
+
+gateway:
+ enabled: false
+
+updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 1
+
+providers:
+ kubernetesCRD:
+ enabled: false
+ kubernetesIngress:
+ enabled: false
+ kubernetesGateway:
+ enabled: true
+ experimentalChannel: false
+ namespaces: []
+ nativeLBByDefault: false
+
+logs:
+ access:
+ enabled: true
+
+global:
+ checkNewVersion: true
+ sendAnonymousUsage: false
+ notAppendXForwardedFor: false
+
+service:
+ enabled: true
+ single: true
+ annotations:
+ purelb.io/service-group: "dmz"
+ purelb.io/addresses: 198.18.199.0
+ annotationsTCP: {}
+ annotationsUDP: {}
+ labels: {}
+ spec:
+ type: LoadBalancer
+ loadBalancerIP: "198.18.199.0"
+ additionalServices: {}
+
+autoscaling:
+ enabled: true
+ minReplicas: 2
+ maxReplicas: 5
+ metrics: []
+ behavior: {}
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: "{{ template \"traefik.fullname\" . }}"
+
+persistence:
+ enabled: false
+
+affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: '{{ template "traefik.name" . }}'
+ app.kubernetes.io/instance: '{{ .Release.Name }}-{{ include "traefik.namespace" . }}'
+ topologyKey: kubernetes.io/hostname
+
+podSecurityContext:
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
+
+enabled: true
diff --git a/apps/overlays/au-syd1/traefik-system/values-internal.yaml b/apps/overlays/au-syd1/traefik-system/values-internal.yaml
new file mode 100644
index 0000000..6770869
--- /dev/null
+++ b/apps/overlays/au-syd1/traefik-system/values-internal.yaml
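Review bot: `providers.kubernetesGateway.namespaces: []` makes the DMZ-facing instance watch every namespace, so the only thing deciding which Gateways it serves on `198.18.199.0` is the controller name; any namespace whose users can create a Gateway with `gatewayClassName: traefik-external` thereby gains an externally forwarded listener. For the external values file, listing the namespaces permitted to publish externally, `namespaces:` followed by `- <NAMESPACE-ALLOWED-TO-PUBLISH-EXTERNALLY>` (placeholder), or a cluster admission policy on that `gatewayClassName`, would keep the exposure decision with the platform team, and a comment on the key should state whichever is chosen. `global.checkNewVersion: true` also has the externally exposed pods make an outbound version check; that is presumably unintended for the DMZ instance and can be `false`. Only `podSecurityContext` is pinned here; if the container-level securityContext relies on chart defaults, restating it in values keeps a chart upgrade from relaxing it, though I cannot see the chart's defaults from this diff. The trailing top-level `enabled: true` does not correspond to anything else in the file, so either confirm the chart reads it or drop it; all of these points apply equally to values-internal.yaml in the next hunk, with the namespace one mattering most for the external instance.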
@@ -0,0 +1,83 @@
+image:
+ tag: v3.7.0
+
+additionalArguments:
+ - "--providers.kubernetesgateway.controllername=traefik.io/gateway-controller-internal"
+
+podDisruptionBudget:
+ enabled: true
+ maxUnavailable: 1
+
+gateway:
+ enabled: false
+
+updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 1
+
+providers:
+ kubernetesCRD:
+ enabled: false
+ kubernetesIngress:
+ enabled: false
+ kubernetesGateway:
+ enabled: true
+ experimentalChannel: false
+ namespaces: []
+ nativeLBByDefault: false
+
+logs:
+ access:
+ enabled: true
+
+global:
+ checkNewVersion: true
+ sendAnonymousUsage: false
+ notAppendXForwardedFor: false
+
+service:
+ enabled: true
+ single: true
+ annotations:
+ purelb.io/service-group: "common"
+ purelb.io/addresses: 198.18.200.4
+ annotationsTCP: {}
+ annotationsUDP: {}
+ labels: {}
+ spec:
+ type: LoadBalancer
+ loadBalancerIP: "198.18.200.4"
+ additionalServices: {}
+
+autoscaling:
+ enabled: true
+ minReplicas: 2
+ maxReplicas: 5
+ metrics: []
+ behavior: {}
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: "{{ template \"traefik.fullname\" . }}"
+
+persistence:
+ enabled: false
+
+affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: '{{ template "traefik.name" . }}'
+ app.kubernetes.io/instance: '{{ .Release.Name }}-{{ include "traefik.namespace" . }}'
+ topologyKey: kubernetes.io/hostname
+
+podSecurityContext:
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
+ seccompProfile:
+ type: RuntimeDefault
+
+enabled: true
diff --git a/argocd/applicationsets/platform.yaml b/argocd/applicationsets/platform.yaml
index 3a8bc18..218d5ea 100644
--- a/argocd/applicationsets/platform.yaml
+++ b/argocd/applicationsets/platform.yaml
@@ -25,6 +25,7 @@ spec:
 - path: apps/overlays/*/reflector-system
 - path: apps/overlays/*/reloader-system
 - path: apps/overlays/*/reposync
+ - path: apps/overlays/*/traefik-system
 - path: apps/overlays/*/vm-system
 - path: apps/overlays/*/vso-system
 - path: apps/overlays/*/woodpecker
-- 2.47.3
From 034b01115c57da3ef2e8e69a5a956189e39d5e82 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 10 May 2026 22:04:16 +1000
Subject: [PATCH 2/3] fix: disable chart-generated GatewayClass in traefik values
Traefik chart v40 splits gatewayClass.enabled from gateway.enabled, defaulting to true. Both helm releases were generating a GatewayClass named "traefik", causing a kustomize merge collision. Disabled since GatewayClasses are managed in the base layer.
---
 apps/overlays/au-syd1/traefik-system/values-external.yaml | 3 +++
 apps/overlays/au-syd1/traefik-system/values-internal.yaml | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/apps/overlays/au-syd1/traefik-system/values-external.yaml b/apps/overlays/au-syd1/traefik-system/values-external.yaml
index fb0ff4e..e063b71 100644
--- a/apps/overlays/au-syd1/traefik-system/values-external.yaml
+++ b/apps/overlays/au-syd1/traefik-system/values-external.yaml
@@ -11,6 +11,9 @@ podDisruptionBudget:
 gateway:
 enabled: false
+gatewayClass:
+ enabled: false
+
 updateStrategy:
 type: RollingUpdate
 rollingUpdate:
diff --git a/apps/overlays/au-syd1/traefik-system/values-internal.yaml b/apps/overlays/au-syd1/traefik-system/values-internal.yaml
index 6770869..bbfeace 100644
--- a/apps/overlays/au-syd1/traefik-system/values-internal.yaml
+++ b/apps/overlays/au-syd1/traefik-system/values-internal.yaml
@@ -11,6 +11,9 @@ podDisruptionBudget:
 gateway:
 enabled: false
+gatewayClass:
+ enabled: false
+
 updateStrategy:
 type: RollingUpdate
 rollingUpdate:
-- 2.47.3
From 61393cf0cc785b053104919f01ef5e92926a118a Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 10 May 2026 22:11:49 +1000
Subject: [PATCH 3/3] fix: pass policy/v1 capability to traefik helm renders
kustomize helm renderer doesn't pass cluster capabilities, causing the chart to fall back to policy/v1beta1 for PodDisruptionBudget. Explicitly declaring the v1 API version makes the chart template render correctly.
---
 apps/overlays/au-syd1/traefik-system/kustomization.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/apps/overlays/au-syd1/traefik-system/kustomization.yaml b/apps/overlays/au-syd1/traefik-system/kustomization.yaml
index 051112f..4639b51 100644
--- a/apps/overlays/au-syd1/traefik-system/kustomization.yaml
+++ b/apps/overlays/au-syd1/traefik-system/kustomization.yaml
@@ -12,9 +12,13 @@ helmCharts:
 releaseName: traefik-internal
 namespace: traefik-system
 valuesFile: values-internal.yaml
+ apiVersions:
+ - policy/v1/PodDisruptionBudget
 - name: traefik
 repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
 version: "40.0.0"
 releaseName: traefik-external
 namespace: traefik-system
 valuesFile: values-external.yaml
+ apiVersions:
+ - policy/v1/PodDisruptionBudget
-- 2.47.3
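Review bot: The added `apiVersions` lists only `policy/v1/PodDisruptionBudget`, so every other capability check the chart makes still sees an empty capability set; the values files enable `autoscaling`, and if the chart's HPA template also branches on capabilities it will take the same kind of fallback this commit fixes for the PDB. Worth checking that template and, if it does, adding `- autoscaling/v2/HorizontalPodAutoscaler` to both lists, or setting the kustomize `kubeVersion` field on each entry where the kustomize version in use supports it, since that addresses every such check at once rather than one API at a time. A comment on the first list, `# kustomize passes no cluster capabilities to helm; declare the APIs the chart tests for`, would record why these entries exist. The `helmCharts` list begins before this hunk.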