From 43081f8e7488474a95a3ed529b2b9667e8341ff7 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Fri, 22 May 2026 00:11:47 +1000 Subject: [PATCH 1/3] feat(paperclip): migrate Ingress to Gateway API Replace nginx Ingress with Gateway + HTTPRoute using the traefik-internal GatewayClass. TLS is terminated at the Gateway listener via cert-manager. --- apps/base/paperclip/gateway.yaml | 27 ++++++++++++++++++++++++ apps/base/paperclip/httproute.yaml | 20 ++++++++++++++++++ apps/base/paperclip/ingress.yaml | 29 -------------------------- apps/base/paperclip/kustomization.yaml | 3 ++- 4 files changed, 49 insertions(+), 30 deletions(-) create mode 100644 apps/base/paperclip/gateway.yaml create mode 100644 apps/base/paperclip/httproute.yaml delete mode 100644 apps/base/paperclip/ingress.yaml diff --git a/apps/base/paperclip/gateway.yaml b/apps/base/paperclip/gateway.yaml new file mode 100644 index 0000000..a7dcfee --- /dev/null +++ b/apps/base/paperclip/gateway.yaml @@ -0,0 +1,27 @@ +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + annotations: + cert-manager.io/cluster-issuer: vault-issuer + cert-manager.io/common-name: paperclip.k8s.syd1.au.unkin.net + cert-manager.io/private-key-size: "4096" + external-dns.alpha.kubernetes.io/hostname: paperclip.k8s.syd1.au.unkin.net + external-dns.alpha.kubernetes.io/target: 198.18.200.0 + name: paperclip + namespace: paperclip +spec: + gatewayClassName: traefik-internal + listeners: + - allowedRoutes: + namespaces: + from: Same + hostname: paperclip.k8s.syd1.au.unkin.net + name: https + port: 443 + protocol: HTTPS + tls: + certificateRefs: + - kind: Secret + name: paperclip-tls + mode: Terminate diff --git a/apps/base/paperclip/httproute.yaml b/apps/base/paperclip/httproute.yaml new file mode 100644 index 0000000..98939f9 --- /dev/null +++ b/apps/base/paperclip/httproute.yaml @@ -0,0 +1,20 @@ +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: paperclip + namespace: paperclip +spec: + hostnames: + - paperclip.k8s.syd1.au.unkin.net + parentRefs: + - name: paperclip + sectionName: https + rules: + - backendRefs: + - name: paperclip + port: 3100 + matches: + - path: + type: PathPrefix + value: / diff --git a/apps/base/paperclip/ingress.yaml b/apps/base/paperclip/ingress.yaml deleted file mode 100644 index 0025544..0000000 --- a/apps/base/paperclip/ingress.yaml +++ /dev/null @@ -1,29 +0,0 @@ ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - kubernetes.io/ingress.class: nginx - external-dns.alpha.kubernetes.io/hostname: paperclip.k8s.syd1.au.unkin.net - external-dns.alpha.kubernetes.io/target: 198.18.200.0 - cert-manager.io/cluster-issuer: vault-issuer - cert-manager.io/common-name: paperclip.k8s.syd1.au.unkin.net - cert-manager.io/private-key-size: "4096" - name: paperclip - namespace: paperclip -spec: - rules: - - host: paperclip.k8s.syd1.au.unkin.net - http: - paths: - - backend: - service: - name: paperclip - port: - number: 3100 - path: / - pathType: Prefix - tls: - - hosts: - - paperclip.k8s.syd1.au.unkin.net - secretName: paperclip-tls diff --git a/apps/base/paperclip/kustomization.yaml b/apps/base/paperclip/kustomization.yaml index 5a7527d..0d16222 100644 --- a/apps/base/paperclip/kustomization.yaml +++ b/apps/base/paperclip/kustomization.yaml @@ -6,7 +6,8 @@ resources: - cnpg_cluster.yaml - cnpg_pooler.yaml - deployment.yaml - - ingress.yaml + - gateway.yaml + - httproute.yaml - namespace.yaml - services.yaml - vaultauth.yaml -- 2.47.3 From d787ebd1178d7ec96b31e91bc6eaeb0d06af1d10 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 23 May 2026 00:19:08 +1000 Subject: [PATCH 2/3] fix(paperclip): add traefik.io/instance label to Gateway --- apps/base/paperclip/gateway.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apps/base/paperclip/gateway.yaml b/apps/base/paperclip/gateway.yaml index a7dcfee..a6a5ce9 100644 --- a/apps/base/paperclip/gateway.yaml +++ b/apps/base/paperclip/gateway.yaml @@ -2,6 +2,8 @@ apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: + labels: + traefik.io/instance: internal annotations: cert-manager.io/cluster-issuer: vault-issuer cert-manager.io/common-name: paperclip.k8s.syd1.au.unkin.net -- 2.47.3 From 6b6aa5fd489f6ec252807de80b8222e9aac302e9 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sat, 23 May 2026 00:20:42 +1000 Subject: [PATCH 3/3] fix: correct external-dns target IP to 198.18.200.4 --- apps/base/paperclip/gateway.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/base/paperclip/gateway.yaml b/apps/base/paperclip/gateway.yaml index a6a5ce9..38ab7af 100644 --- a/apps/base/paperclip/gateway.yaml +++ b/apps/base/paperclip/gateway.yaml @@ -9,7 +9,7 @@ metadata: cert-manager.io/common-name: paperclip.k8s.syd1.au.unkin.net cert-manager.io/private-key-size: "4096" external-dns.alpha.kubernetes.io/hostname: paperclip.k8s.syd1.au.unkin.net - external-dns.alpha.kubernetes.io/target: 198.18.200.0 + external-dns.alpha.kubernetes.io/target: 198.18.200.4 name: paperclip namespace: paperclip spec: -- 2.47.3