From 1f4364b51a979be7c184ecc0514d13eb35c64b07 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Fri, 22 May 2026 00:09:35 +1000 Subject: [PATCH 1/3] feat(puppet): migrate puppetboard Ingress to Gateway API Replace nginx Ingress with Gateway + HTTPRoute using the traefik-internal GatewayClass. TLS is terminated at the Gateway listener via cert-manager. --- ...petboard.yaml => gateway_puppetboard.yaml} | 38 +++++++++---------- apps/base/puppet/httproute_puppetboard.yaml | 25 ++++++++++++ apps/base/puppet/kustomization.yaml | 3 +- 3 files changed, 45 insertions(+), 21 deletions(-) rename apps/base/puppet/{ingress_puppetboard.yaml => gateway_puppetboard.yaml} (55%) create mode 100644 apps/base/puppet/httproute_puppetboard.yaml diff --git a/apps/base/puppet/ingress_puppetboard.yaml b/apps/base/puppet/gateway_puppetboard.yaml similarity index 55% rename from apps/base/puppet/ingress_puppetboard.yaml rename to apps/base/puppet/gateway_puppetboard.yaml index 18b7193..78d819d 100644 --- a/apps/base/puppet/ingress_puppetboard.yaml +++ b/apps/base/puppet/gateway_puppetboard.yaml @@ -1,14 +1,13 @@ --- -apiVersion: networking.k8s.io/v1 -kind: Ingress +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway metadata: annotations: - kubernetes.io/ingress.class: nginx - external-dns.alpha.kubernetes.io/hostname: puppetboard.k8s.syd1.au.unkin.net - external-dns.alpha.kubernetes.io/target: 198.18.200.0 cert-manager.io/cluster-issuer: vault-issuer cert-manager.io/common-name: puppetboard.k8s.syd1.au.unkin.net cert-manager.io/private-key-size: "4096" + external-dns.alpha.kubernetes.io/hostname: puppetboard.k8s.syd1.au.unkin.net + external-dns.alpha.kubernetes.io/target: 198.18.200.0 labels: app.kubernetes.io/component: puppetboard app.kubernetes.io/instance: puppetserver 
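Review bot: The `cert-manager.io/*` annotations now sit on a Gateway, and nothing in this patch shows that cert-manager's Gateway API support is enabled (`--enable-gateway-api`, or `config.enableGatewayAPI: true` in the Helm values). Without it the annotations are ignored. The Certificate that ingress-shim created is owned by the Ingress being removed, so `puppetboard-tls` would presumably stay in place but stop being renewed, which only surfaces when the certificate expires. I would add a comment above the annotations, `# issued by cert-manager gateway-shim; requires Gateway API support enabled in cert-manager`, and confirm after rollout that a Certificate owned by this Gateway exists. The metadata block continues past the end of this hunk.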
@@ -17,18 +16,17 @@ metadata: name: puppetboard namespace: puppet spec: - rules: - - host: puppetboard.k8s.syd1.au.unkin.net - http: - paths: - - backend: - service: - name: puppetboard - port: - number: 80 - path: / - pathType: Prefix - tls: - - hosts: - - puppetboard.k8s.syd1.au.unkin.net - secretName: puppetboard-tls + gatewayClassName: traefik-internal + listeners: + - allowedRoutes: + namespaces: + from: Same + hostname: puppetboard.k8s.syd1.au.unkin.net + name: https + port: 443 + protocol: HTTPS + tls: + certificateRefs: + - kind: Secret + name: puppetboard-tls + mode: Terminate diff --git a/apps/base/puppet/httproute_puppetboard.yaml b/apps/base/puppet/httproute_puppetboard.yaml new file mode 100644 index 0000000..6794b2d --- /dev/null +++ b/apps/base/puppet/httproute_puppetboard.yaml @@ -0,0 +1,25 @@ +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + labels: + app.kubernetes.io/component: puppetboard + app.kubernetes.io/instance: puppetserver + app.kubernetes.io/name: puppetserver + app.kubernetes.io/version: 8.8.0 + name: puppetboard + namespace: puppet +spec: + hostnames: + - puppetboard.k8s.syd1.au.unkin.net + parentRefs: + - name: puppetboard + sectionName: https + rules: + - backendRefs: + - name: puppetboard + port: 80 + matches: + - path: + type: PathPrefix + value: / diff --git a/apps/base/puppet/kustomization.yaml b/apps/base/puppet/kustomization.yaml index 417a6cc..99cd358 100644 --- a/apps/base/puppet/kustomization.yaml +++ b/apps/base/puppet/kustomization.yaml @@ -25,7 +25,8 @@ resources: - horizontalpodautoscaler_puppetserver-masters-autoscaler.yaml - horizontalpodautoscaler_puppetserver-puppetboard-autoscaler.yaml - horizontalpodautoscaler_puppetserver-puppetdb-autoscaler.yaml - - ingress_puppetboard.yaml + - gateway_puppetboard.yaml + - httproute_puppetboard.yaml - ingress_puppetdb.yaml - service_puppetserver-agents-to-puppet.yaml - service_puppet-headless.yaml -- 2.47.3 
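Review bot: The Gateway declares only the `https` listener on port 443, so the HTTP-to-HTTPS redirect that ingress-nginx applies by default to TLS hosts has no equivalent here. What a plain-HTTP request to this hostname now receives depends on the traefik-internal entry points, which are not visible in this patch. If serving nothing on port 80 is intended, record that above `listeners:` with a comment such as `# HTTPS only by design: no HTTP listener, plain-HTTP requests are not redirected`. The listener's `tls` block sets only `mode` and `certificateRefs`, so the minimum TLS version and cipher policy are inherited from the Traefik instance and are worth checking against what nginx enforced.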
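Review bot: The single rule under `spec.rules` has no `filters`, so responses carry a `Strict-Transport-Security` header only if the Traefik instance adds one globally. ingress-nginx sends HSTS by default for TLS hosts, so this is likely a silent change for browsers that reach Puppetboard. A `ResponseHeaderModifier` filter on the rule restores it, provided the Traefik release behind `traefik-internal` implements that filter (it is an extended Gateway API feature, not a core one). The `max-age` below is a constructed example; use the value applied elsewhere in the estate.

```yaml
  rules:
    - backendRefs:
        # … unchanged: puppetboard backend on port 80 …
      filters:
        - type: ResponseHeaderModifier
          responseHeaderModifier:
            set:
              - name: Strict-Transport-Security
                value: max-age=31536000  # constructed example value
      # … unchanged: PathPrefix / match …
```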
From ca81cc528c7d33cf95605b5b99e6807e9fe8d5ed Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 23 May 2026 00:18:24 +1000 Subject: [PATCH 2/3] fix(puppet): add traefik.io/instance label to puppetboard Gateway --- apps/base/puppet/gateway_puppetboard.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/apps/base/puppet/gateway_puppetboard.yaml b/apps/base/puppet/gateway_puppetboard.yaml index 78d819d..1d7d593 100644 --- a/apps/base/puppet/gateway_puppetboard.yaml +++ b/apps/base/puppet/gateway_puppetboard.yaml @@ -9,6 +9,7 @@ metadata: external-dns.alpha.kubernetes.io/hostname: puppetboard.k8s.syd1.au.unkin.net external-dns.alpha.kubernetes.io/target: 198.18.200.0 labels: + traefik.io/instance: internal app.kubernetes.io/component: puppetboard app.kubernetes.io/instance: puppetserver app.kubernetes.io/name: puppetserver -- 2.47.3 From bb7cb1215a6271c599d657ad568d44fd147c0dad Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 23 May 2026 00:20:33 +1000 Subject: [PATCH 3/3] fix: correct external-dns target IP to 198.18.200.4 --- apps/base/puppet/gateway_puppetboard.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/base/puppet/gateway_puppetboard.yaml b/apps/base/puppet/gateway_puppetboard.yaml index 1d7d593..af1fc20 100644 --- a/apps/base/puppet/gateway_puppetboard.yaml +++ b/apps/base/puppet/gateway_puppetboard.yaml @@ -7,7 +7,7 @@ metadata: cert-manager.io/common-name: puppetboard.k8s.syd1.au.unkin.net cert-manager.io/private-key-size: "4096" external-dns.alpha.kubernetes.io/hostname: puppetboard.k8s.syd1.au.unkin.net - external-dns.alpha.kubernetes.io/target: 198.18.200.0 + external-dns.alpha.kubernetes.io/target: 198.18.200.4 labels: traefik.io/instance: internal app.kubernetes.io/component: puppetboard -- 2.47.3
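Review bot: In patch 2/3, `traefik.io/instance: internal` is added as the first key under `labels:`, ahead of the `app.kubernetes.io/*` entries, while the rest of the manifest appears to keep keys in alphabetical order (patch 1/3 moved the `external-dns` annotations below the `cert-manager` ones). Placing it after the last `app.kubernetes.io/*` label keeps the ordering consistent. Neither the subject line nor the manifest says what selects on this label, so I would add a comment above it such as `# matched by the internal Traefik instance's label selector`, adjusted to whatever actually consumes it. The HTTPRoute from patch 1/3 does not carry the label; if the selector also applies to routes, it needs the same line. The labels block continues outside this hunk.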