Deploy monitoring stack
This commit is contained in:
@@ -273,3 +273,89 @@ Once ingress-nginx and cert-manager are synced:
|
||||
- Authentik OIDC: uncomment `oidc.config` in `cluster/argocd/values.yaml` once
|
||||
the ArgoCD provider is configured in Authentik
|
||||
- Migrate `gitea-repo` secret to ESO once 1Password Connect is healthy
|
||||
|
||||
---
|
||||
|
||||
## Operational Runbook — Adding a New Application
|
||||
|
||||
When deploying a new application that needs HTTPS access via the Cilium Gateway,
|
||||
follow this checklist:
|
||||
|
||||
### 1. Add the namespace to the ReferenceGrant
|
||||
|
||||
Edit `cluster/platform/gateway/referencegrant.yaml` and add a new `from` entry:
|
||||
|
||||
```yaml
|
||||
- group: gateway.networking.k8s.io
|
||||
kind: HTTPRoute
|
||||
namespace: <your-app-namespace>
|
||||
```
|
||||
|
||||
This is **required** by the Gateway API spec — without it, the HTTPRoute will
|
||||
fail to attach to the Gateway and traffic won't route. The ReferenceGrant must
|
||||
live in the `gateway` namespace, so this file is the one place to update.
|
||||
|
||||
### 2. Create the application directory
|
||||
|
||||
```
|
||||
cluster/applications/<app-name>/
|
||||
├── application.yaml ← ArgoCD Application, wave 10+
|
||||
├── values.yaml ← Helm values (if Helm-based)
|
||||
├── externalsecret.yaml ← ESO resource if secrets needed
|
||||
└── httproute.yaml ← Certificate + HTTPRoute for Gateway access
|
||||
```
|
||||
|
||||
### 3. HTTPRoute pattern
|
||||
|
||||
Every HTTPRoute needs two annotations for DNS and routing to work:
|
||||
|
||||
```yaml
|
||||
annotations:
|
||||
external-dns.alpha.kubernetes.io/hostname: <service>.local.mk-labs.cloud
|
||||
external-dns.alpha.kubernetes.io/target: "10.1.71.90"
|
||||
```
|
||||
|
||||
And a parentRef pointing at the platform Gateway:
|
||||
|
||||
```yaml
|
||||
spec:
|
||||
parentRefs:
|
||||
- name: fastpass-gateway
|
||||
namespace: gateway
|
||||
sectionName: https
|
||||
```
|
||||
|
||||
### 4. Per-service certificate
|
||||
|
||||
Each service gets its own cert via cert-manager. Add to `httproute.yaml`:
|
||||
|
||||
```yaml
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: <service>-tls
|
||||
namespace: <app-namespace>
|
||||
spec:
|
||||
secretName: <service>-tls
|
||||
issuerRef:
|
||||
name: letsencrypt-prod
|
||||
kind: ClusterIssuer
|
||||
dnsNames:
|
||||
- <service>.local.mk-labs.cloud
|
||||
```
|
||||
|
||||
### 5. Push and verify
|
||||
|
||||
```bash
|
||||
# Watch ArgoCD sync
|
||||
kubectl -n argocd get applications --watch
|
||||
|
||||
# Verify cert issued
|
||||
kubectl get certificate -n <app-namespace> -w
|
||||
|
||||
# Verify DNS record created
|
||||
nslookup <service>.local.mk-labs.cloud 10.1.71.32
|
||||
|
||||
# Test
|
||||
curl https://<service>.local.mk-labs.cloud
|
||||
```
|
||||
|
||||
Reference in New Issue
Block a user