From 17654835e73970cb9044bdc23f7bcc589b337fb5 Mon Sep 17 00:00:00 2001
From: Andrew Stoltz
Date: Sun, 14 Jun 2026 18:06:25 -0500
Subject: [PATCH] gx10/platform: step-ca-acme issuer + Traefik HelmChart (migration platform layer)

Bootstrap manifests for the GX10 cluster platform layer (NUC->GX10 migration). Direct-applied to GX10 + LIVE: step-ca-acme ClusterIssuer Ready (ACME->noc1 step-ca), Traefik v3.6.10 via RKE2 HelmChart CRD at MetalLB VIP 10.0.57.202 (prod-pool, temp parallel-run; no clash with live old .200). Under gx10/ NOT apps/* to avoid the old ApplicationSet auto-deploying GX10 manifests to the OLD cluster.
---
 gx10/platform/README.md | 15 ++++++
 gx10/platform/step-ca-acme.yaml | 14 +++++
 gx10/platform/traefik-helmchart.yaml | 81 ++++++++++++++++++++++++++++
 3 files changed, 110 insertions(+)
 create mode 100644 gx10/platform/README.md
 create mode 100644 gx10/platform/step-ca-acme.yaml
 create mode 100644 gx10/platform/traefik-helmchart.yaml

diff --git a/gx10/platform/README.md b/gx10/platform/README.md
new file mode 100644
index 0000000..23503d4
--- /dev/null
+++ b/gx10/platform/README.md
@@ -0,0 +1,15 @@
+# GX10 cluster platform layer (NOT old-cluster ArgoCD)
+
+These manifests bootstrap the GX10 RKE2 cluster's platform layer for the NUC→GX10
+migration. They are **direct-applied** to the GX10 (its own kubectl) during
+bootstrap, and live under `gx10/` (NOT `apps/`) so the OLD cluster's bluejay-infra
+ApplicationSet (whose `apps/*` generator targets the OLD cluster) does NOT
+auto-deploy them there. Once ArgoCD is stood up on the GX10, a GX10-only
+ApplicationSet (`apps-gx10/*`) will own these.
+
+- `step-ca-acme.yaml` — cert-manager ClusterIssuer (ACME → noc1 step-ca, in-spec caBundle). APPLIED + Ready.
+- `traefik-helmchart.yaml` — Traefik v3.6.10 (chart 39.0.5) via the RKE2 HelmChart CRD, LoadBalancer VIP 10.0.57.202 (prod-pool; temp parallel-run VIP — canonical .200 reclaimed at cutover). APPLIED.
+
+cert-manager v1.17.2 was installed separately (upstream static manifest). See
+`docs/ai-agents/gx10-migration-continuation-2026-06-14.md` + memory
+`project_gx10_ai_node_2026_06_13`.
diff --git a/gx10/platform/step-ca-acme.yaml b/gx10/platform/step-ca-acme.yaml
new file mode 100644
index 0000000..8e34291
--- /dev/null
+++ b/gx10/platform/step-ca-acme.yaml
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: step-ca-acme
+spec:
+ acme:
+ server: https://10.0.56.10:9443/acme/acme/directory
+ caBundle: 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
+ privateKeySecretRef:
+ name: step-ca-acme-account-key
+ solvers:
+ - http01:
+ ingress:
+ ingressClassName: traefik
diff --git a/gx10/platform/traefik-helmchart.yaml b/gx10/platform/traefik-helmchart.yaml
new file mode 100644
index 0000000..ff36c1a
--- /dev/null
+++ b/gx10/platform/traefik-helmchart.yaml
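Review bot: The ClusterIssuer is cluster-scoped, so any namespace in which someone can create Certificate resources (or cert-manager-annotated Ingresses) can obtain certificates from the noc1 step-ca through it; if that is intended, a comment on `kind: ClusterIssuer` should say so, otherwise a namespaced Issuer in just the namespaces that need it is the least-privilege shape. The `caBundle` value is redacted in this view so I cannot check it, but it should presumably carry step-ca's root CA rather than the current serving leaf, so that rotating the TLS certificate on `https://10.0.56.10:9443` does not leave the issuer unable to verify the ACME endpoint — confirm against noc1. A one-line comment on `server:` such as `# noc1 step-ca, ACME provisioner "acme"; caBundle pins its TLS chain (private CA, raw IP endpoint)` would record why the endpoint is an IP with an in-spec bundle.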
@@ -0,0 +1,81 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+ name: traefik
+ namespace: kube-system
+spec:
+ chart: traefik
+ repo: https://traefik.github.io/charts
+ version: "39.0.5"
+ targetNamespace: traefik-system
+ createNamespace: true
+ valuesContent: |
+ deployment:
+ replicas: 1
+ additionalArguments:
+ - "--api.dashboard=true"
+ - "--log.level=INFO"
+ - "--providers.kubernetescrd"
+ - "--providers.kubernetesingress"
+ - "--providers.kubernetescrd.allowEmptyServices=true"
+ - "--providers.kubernetesingress.allowEmptyServices=true"
+ - "--providers.kubernetesingress.ingressendpoint.publishedservice=traefik-system/traefik"
+ ingressRoute:
+ dashboard:
+ enabled: false
+ rbac:
+ enabled: true
+ service:
+ type: LoadBalancer
+ annotations:
+ metallb.io/loadBalancerIPs: "10.0.57.202"
+ metallb.io/address-pool: "prod-pool"
+ ports:
+ web:
+ port: 8000
+ exposedPort: 80
+ protocol: TCP
+ websecure:
+ port: 8443
+ exposedPort: 443
+ protocol: TCP
+ tls:
+ enabled: true
+ irc:
+ port: 6667
+ exposedPort: 6667
+ protocol: TCP
+ expose:
+ default: true
+ irctls:
+ port: 6697
+ exposedPort: 6697
+ protocol: TCP
+ expose:
+ default: true
+ traefik:
+ port: 8080
+ exposedPort: 8080
+ protocol: TCP
+ expose:
+ default: false
+ metrics:
+ port: 9100
+ exposedPort: 9100
+ protocol: TCP
+ expose:
+ default: false
+ metrics:
+ prometheus:
+ entryPoint: metrics
+ resources:
+ requests:
+ cpu: "100m"
+ memory: "128Mi"
+ limits:
+ cpu: "500m"
+ memory: "256Mi"
+ tolerations:
+ - key: "node-role.kubernetes.io/control-plane"
+ operator: "Exists"
+ effect: "NoSchedule"
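Review bot: The `web` entrypoint (exposedPort 80) serves plaintext with no redirect to `websecure`, and nothing in the values says whether that is deliberate; since the ClusterIssuer in this same commit uses an http01 solver over `ingressClassName: traefik`, port 80 must keep answering challenges (whether a blanket redirect would still pass validation depends on the step-ca validator following it — confirm), so a comment above `web:` such as `# no HTTP->HTTPS redirect at the entrypoint: kept open for ACME http01; redirect per route if needed` would stop a later hardening pass from breaking issuance. Access logging is not enabled (only `--log.level=INFO`), so HTTP and IRC traffic arriving at the 10.0.57.202 VIP leaves no request-level trail for detection or incident work; `logs.access.enabled: true` under valuesContent (or `--accesslog=true` in additionalArguments) is worth adding before this becomes the cutover edge. The dashboard is switched on with `--api.dashboard=true` while `ingressRoute.dashboard.enabled: false` and the `traefik` entrypoint is kept out of the Service, which looks intentional (reachable only via an explicitly created route) and deserves a one-line comment saying so next to that argument.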