diff --git a/apps-gx10/fc-apple-mdm/README.md b/apps-gx10/fc-apple-mdm/README.md
index 746203d..5e89a02 100644
--- a/apps-gx10/fc-apple-mdm/README.md
+++ b/apps-gx10/fc-apple-mdm/README.md
@@ -50,7 +50,7 @@ IAmWorkin ACME CA; Smallstep SCEP requires an RSA intermediate/decrypter path. 1Password operator for this workload. 2. Import `localhost/fc-apple-mdm-nanohub:v0.2.0-20260617` into GX10 containerd before ArgoCD syncs. The deployment uses `imagePullPolicy: Never`.
-3. Ensure `mdm.iamworkin.lan` resolves to the GX10 Traefik VIP `10.0.57.202`
+3. Ensure `mdm.iamworkin.lan` resolves to the GX10 Traefik VIP `10.0.56.200`
 before cert-manager requests `Certificate/fc-apple-mdm-tls`. 4. Prove `https://mdm.iamworkin.lan/version` after ArgoCD converges. 5. Prove SCEP CA publication with
diff --git a/apps-gx10/fc-apple-mdm/fc-apple-mdm.yaml b/apps-gx10/fc-apple-mdm/fc-apple-mdm.yaml
index 8511ecb..494ea9a 100644
--- a/apps-gx10/fc-apple-mdm/fc-apple-mdm.yaml
+++ b/apps-gx10/fc-apple-mdm/fc-apple-mdm.yaml
@@ -235,7 +235,7 @@ metadata:
 name: fc-apple-mdm-tls
 namespace: fc-apple-mdm
 annotations:
- flowercore.io/dns-preflight: "mdm.iamworkin.lan must resolve to 10.0.57.202 before ACME sync"
+ flowercore.io/dns-preflight: "mdm.iamworkin.lan must resolve to 10.0.56.200 before ACME sync"
 spec:
 secretName: fc-apple-mdm-tls
 issuerRef:
diff --git a/apps-gx10/intranet/ingressroute-intranet-web.json b/apps-gx10/intranet/ingressroute-intranet-web.json
index 749f4c2..e7e713f 100644
--- a/apps-gx10/intranet/ingressroute-intranet-web.json
+++ b/apps-gx10/intranet/ingressroute-intranet-web.json
@@ -22,8 +22,6 @@
 ]
 }
 ],
- "tls": {
- "secretName": "intranet-tls"
- }
- }
-}
+ "tls": {}
+ }
+}
diff --git a/gx10/platform/README.md b/gx10/platform/README.md
index d24ebd9..a237652 100644
--- a/gx10/platform/README.md
+++ b/gx10/platform/README.md
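Review bot: Emptying `tls` on the intranet-web IngressRoute removes the only certificate binding visible in this file; with `"tls": {}` Traefik still terminates TLS but now serves whatever the default TLSStore holds, and if no `TLSStore/default` exists in the cluster that is Traefik's built-in self-signed certificate, so intranet clients would start seeing certificate warnings while the `intranet-tls` secret goes unused. If the intent is to move to a cluster-wide default certificate, the TLSStore that binds it should land in the same commit or be named in the commit description; otherwise keep `"secretName": "intranet-tls"`. None of the lint tests touched by this commit assert on this file, so a silent fallback to the self-signed cert would not be caught. The IngressRoute object itself begins before this hunk.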
@@ -8,8 +8,8 @@ auto-deploy them there. Once ArgoCD is stood up on the GX10, a GX10-only ApplicationSet (`apps-gx10/*`) will own these. - `step-ca-acme.yaml` — cert-manager ClusterIssuer (ACME → noc1 step-ca, in-spec caBundle). APPLIED + Ready.
-- `traefik-helmchart.yaml` — Traefik v3.6.10 (chart 39.0.5) via the RKE2 HelmChart CRD, LoadBalancer VIP 10.0.57.202 (prod-pool; temp parallel-run VIP — canonical .200 reclaimed at cutover), with `externalTrafficPolicy: Local` so tenant IP allowlists see client source IP instead of the GX10 node hop. APPLIED.
-- `gitea-ssh-service.yaml` — Gitea SSH LoadBalancer service on `10.0.57.206:22` with `externalTrafficPolicy: Local`; HTTPS Gitea remains behind the Traefik VIP at `10.0.57.202`. APPLIED.
+- `traefik-helmchart.yaml` — Traefik v3.6.10 (chart 39.0.5), live as a Helm release in `traefik-system`, LoadBalancer VIP `10.0.56.200` from the active `bluejay-pool` (`10.0.56.200-10.0.56.220`). APPLIED.
+- `gitea-ssh-service.yaml` — Gitea SSH LoadBalancer service on `10.0.57.206:22` with `externalTrafficPolicy: Local`; HTTPS Gitea remains behind the Traefik VIP at `10.0.56.200`. APPLIED.
 cert-manager v1.17.2 was installed separately (upstream static manifest). See `docs/ai-agents/gx10-migration-continuation-2026-06-14.md` + memory
diff --git a/gx10/platform/traefik-helmchart.yaml b/gx10/platform/traefik-helmchart.yaml
index a8c3775..9925a9f 100644
--- a/gx10/platform/traefik-helmchart.yaml
+++ b/gx10/platform/traefik-helmchart.yaml
@@ -10,12 +10,58 @@ spec:
 targetNamespace: traefik-system
 createNamespace: true
 valuesContent: |
+ additionalArguments:
+ - --api.dashboard=true
+ - --log.level=INFO
+ - --providers.kubernetescrd
+ - --providers.kubernetesingress
+ deployment:
+ replicas: 2
 service:
 type: LoadBalancer
 spec:
- externalTrafficPolicy: Local
- annotations:
- metallb.io/loadBalancerIPs: 10.0.57.202
+ externalTrafficPolicy: Cluster
+ loadBalancerIP: 10.0.56.200
+ ports:
+ irc:
+ expose:
+ default: true
+ exposedPort: 6667
+ port: 6667
+ protocol: TCP
+ irctls:
+ expose:
+ default: true
+ exposedPort: 6697
+ port: 6697
+ protocol: TCP
+ traefik:
+ expose:
+ default: false
+ exposedPort: 8080
+ port: 8080
+ protocol: TCP
+ web:
+ exposedPort: 80
+ port: 8000
+ protocol: TCP
+ websecure:
+ exposedPort: 443
+ port: 8443
+ protocol: TCP
+ rbac:
+ enabled: true
+ resources:
+ limits:
+ cpu: 500m
+ memory: 256Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ tolerations:
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/control-plane
+ operator: Exists
 ingressClass:
 enabled: true
 isDefaultClass: false
diff --git a/tests/bluejay-infra-lint/FleetManifestLintTests.cs b/tests/bluejay-infra-lint/FleetManifestLintTests.cs
index 68430b9..cb26ad5 100644
--- a/tests/bluejay-infra-lint/FleetManifestLintTests.cs
+++ b/tests/bluejay-infra-lint/FleetManifestLintTests.cs
@@ -255,8 +255,8 @@ public sealed class FleetManifestLintTests
 var traefikPath = Path.Combine(Inventory.BluejayRoot, "gx10", "platform", "traefik-helmchart.yaml");
 var traefik = File.ReadAllText(traefikPath);
- traefik.Should().Contain("metallb.io/loadBalancerIPs: 10.0.57.202");
- traefik.Should().Contain("spec:\n externalTrafficPolicy: Local");
+ traefik.Should().Contain("loadBalancerIP: 10.0.56.200");
+ traefik.Should().Contain("externalTrafficPolicy: Cluster");
 var giteaPath = Path.Combine(Inventory.BluejayRoot, "gx10", "platform", "gitea-ssh-service.yaml");
 var gitea = File.ReadAllText(giteaPath);
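Review bot: Switching the Traefik service to `externalTrafficPolicy: Cluster` silently gives up client source-IP preservation, which the README line removed in this same commit said was the whole reason for `Local` ("so tenant IP allowlists see client source IP instead of the GX10 node hop"); with `Cluster`, kube-proxy SNATs inbound traffic to a node address, so any `ipAllowList`/`ipWhiteList` middleware behind this Traefik either blocks everyone or, if the node CIDR is allowlisted, lets everyone through, and access logs lose the real client. If the change is deliberate (for example to spread `replicas: 2` across nodes), say so in a comment next to the line and re-verify each tenant allowlist; otherwise restore `externalTrafficPolicy: Local`, which `gitea-ssh-service.yaml` still uses. Two smaller points: `spec.loadBalancerIP` is deprecated in Kubernetes 1.24+ in favour of the `metallb.io/loadBalancerIPs` annotation this file used before, and `--api.dashboard=true` is only safe as long as the `traefik` entrypoint keeps `expose.default: false` and any IngressRoute to `api@internal` carries an auth middleware. The HelmChart resource (`spec:`) begins before this hunk.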
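Review bot: The replacement assertion `traefik.Should().Contain("externalTrafficPolicy: Cluster")` is looser than the one it replaces, which anchored the policy under `spec:` via the `"spec:\n …"` prefix; a bare substring also matches a comment, a commented-out line or a second service block added later, so the lint no longer proves the policy is set on the Traefik LoadBalancer service itself. Keep the anchored form, e.g. `traefik.Should().Contain("spec:\n externalTrafficPolicy: Cluster");` with the YAML's real indentation, and assert `loadBalancerIP: 10.0.56.200` the same way. Since the README removed in this commit documented that `Local` existed for tenant IP allowlists, a test that now pins `Cluster` deserves a one-line comment stating the intended policy so the next reader does not "fix" it back. The test method begins before this hunk.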
diff --git a/tests/bluejay-infra-lint/Gx10AppleMdmNanohubTests.cs b/tests/bluejay-infra-lint/Gx10AppleMdmNanohubTests.cs
index bbb0662..b58dcc8 100644
--- a/tests/bluejay-infra-lint/Gx10AppleMdmNanohubTests.cs
+++ b/tests/bluejay-infra-lint/Gx10AppleMdmNanohubTests.cs
@@ -120,7 +120,7 @@ public sealed class Gx10AppleMdmNanohubTests
 readme.Should().Contain("FlowerCore Apple MDM Runtime");
 readme.Should().Contain("Secret/fc-apple-mdm-runtime");
 readme.Should().Contain("imagePullPolicy: Never");
- readme.Should().Contain("10.0.57.202");
+ readme.Should().Contain("10.0.56.200");
 readme.Should().Contain("https://mdm.iamworkin.lan/scep/apple-mdm-scep");
 readme.Should().Contain("Smallstep SCEP requires an RSA intermediate");
 readme.Should().Contain("does not create an APNs MDM push certificate");
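Review bot: The VIP `10.0.56.200` is now a bare literal here, in `FleetManifestLintTests`, in the README text and in the `flowercore.io/dns-preflight` annotation — this commit had to touch five files to move one address, and the next move will again depend on grep finding every copy. If `Inventory` (already used for `Inventory.BluejayRoot`) is part of this test project, a single `Inventory.Gx10TraefikVip` constant referenced from both tests would turn a stale VIP into a one-line change, e.g. `readme.Should().Contain(Inventory.Gx10TraefikVip);`. The test method begins before this hunk.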