bluejay/bluejay-infra
1
0
Fork 0
Code Issues Pull Requests 15 Actions Packages Projects Releases Wiki Activity

platform: keep GX10 shared VIP traffic policy aligned

Browse Source
This commit is contained in:
Andrew Stoltz
2026-06-18 16:30:24 -05:00
parent 3948350ac2
commit 2e8cabcd63
4 changed files with 33 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
gx10/platform/README.md
View File

@@ -9,6 +9,7 @@ ApplicationSet (`apps-gx10/*`) will own these.
- `step-ca-acme.yaml` — cert-manager ClusterIssuer (ACME → noc1 step-ca, in-spec caBundle). APPLIED + Ready. - `step-ca-acme.yaml` — cert-manager ClusterIssuer (ACME → noc1 step-ca, in-spec caBundle). APPLIED + Ready.
- `traefik-helmchart.yaml` — Traefik v3.6.10 (chart 39.0.5) via the RKE2 HelmChart CRD, LoadBalancer VIP 10.0.57.202 (prod-pool; temp parallel-run VIP — canonical .200 reclaimed at cutover), with `externalTrafficPolicy: Local` so tenant IP allowlists see client source IP instead of the GX10 node hop. APPLIED. - `traefik-helmchart.yaml` — Traefik v3.6.10 (chart 39.0.5) via the RKE2 HelmChart CRD, LoadBalancer VIP 10.0.57.202 (prod-pool; temp parallel-run VIP — canonical .200 reclaimed at cutover), with `externalTrafficPolicy: Local` so tenant IP allowlists see client source IP instead of the GX10 node hop. APPLIED.
- `gitea-ssh-service.yaml` — Gitea SSH LoadBalancer service sharing the Traefik VIP on port 22 with matching `externalTrafficPolicy: Local`; MetalLB requires the shared-IP services to use the same traffic policy. APPLIED.
cert-manager v1.17.2 was installed separately (upstream static manifest). See cert-manager v1.17.2 was installed separately (upstream static manifest). See
`docs/ai-agents/gx10-migration-continuation-2026-06-14.md` + memory `docs/ai-agents/gx10-migration-continuation-2026-06-14.md` + memory

18
gx10/platform/gitea-ssh-service.yaml Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: v1
kind: Service
metadata:
name: gitea-ssh
namespace: gitea
annotations:
metallb.io/allow-shared-ip: gitea-traefik-202
metallb.universe.tf/loadBalancerIPs: 10.0.57.202
spec:
type: LoadBalancer
externalTrafficPolicy: Local
selector:
app: gitea
ports:
- name: ssh
port: 22
protocol: TCP
targetPort: 2222

1
gx10/platform/traefik-helmchart.yaml
View File

@@ -15,6 +15,7 @@ spec:
spec: spec:
externalTrafficPolicy: Local externalTrafficPolicy: Local
annotations: annotations:
metallb.io/allow-shared-ip: gitea-traefik-202
metallb.universe.tf/address-pool: prod-pool metallb.universe.tf/address-pool: prod-pool
metallb.universe.tf/loadBalancerIPs: 10.0.57.202 metallb.universe.tf/loadBalancerIPs: 10.0.57.202
ingressClass: ingressClass:

18
tests/bluejay-infra-lint/FleetManifestLintTests.cs
View File

@@ -250,13 +250,21 @@ public sealed class FleetManifestLintTests
} }
[Fact] [Fact]
public void Gx10TraefikLoadBalancer_MustPreserveClientSourceIp() public void Gx10SharedVipLoadBalancers_MustPreserveClientSourceIp()
{ {
var path = Path.Combine(Inventory.BluejayRoot, "gx10", "platform", "traefik-helmchart.yaml"); var traefikPath = Path.Combine(Inventory.BluejayRoot, "gx10", "platform", "traefik-helmchart.yaml");
var manifest = File.ReadAllText(path); var traefik = File.ReadAllText(traefikPath);
manifest.Should().Contain("metallb.universe.tf/loadBalancerIPs: 10.0.57.202"); traefik.Should().Contain("metallb.io/allow-shared-ip: gitea-traefik-202");
manifest.Should().Contain("spec:\n externalTrafficPolicy: Local"); traefik.Should().Contain("metallb.universe.tf/loadBalancerIPs: 10.0.57.202");
traefik.Should().Contain("spec:\n externalTrafficPolicy: Local");
var giteaPath = Path.Combine(Inventory.BluejayRoot, "gx10", "platform", "gitea-ssh-service.yaml");
var gitea = File.ReadAllText(giteaPath);
gitea.Should().Contain("metallb.io/allow-shared-ip: gitea-traefik-202");
gitea.Should().Contain("metallb.universe.tf/loadBalancerIPs: 10.0.57.202");
gitea.Should().Contain("externalTrafficPolicy: Local");
} }
[Fact] [Fact]