Sync GX10 Traefik VIP and Intranet route

2026-06-20 07:57:23 -05:00
parent f81dcd3b36
commit a79627b72a
7 changed files with 59 additions and 15 deletions
--- a/gx10/platform/README.md
+++ b/gx10/platform/README.md
@@ -8,8 +8,8 @@ auto-deploy them there. Once ArgoCD is stood up on the GX10, a GX10-only
 ApplicationSet (`apps-gx10/*`) will own these.

 - `step-ca-acme.yaml` — cert-manager ClusterIssuer (ACME → noc1 step-ca, in-spec caBundle). APPLIED + Ready.
- `traefik-helmchart.yaml` — Traefik v3.6.10 (chart 39.0.5) via the RKE2 HelmChart CRD, LoadBalancer VIP 10.0.57.202 (prod-pool; temp parallel-run VIP — canonical .200 reclaimed at cutover), with `externalTrafficPolicy: Local` so tenant IP allowlists see client source IP instead of the GX10 node hop. APPLIED.
- `gitea-ssh-service.yaml` — Gitea SSH LoadBalancer service on `10.0.57.206:22` with `externalTrafficPolicy: Local`; HTTPS Gitea remains behind the Traefik VIP at `10.0.57.202`. APPLIED.
+- `traefik-helmchart.yaml` — Traefik v3.6.10 (chart 39.0.5), live as a Helm release in `traefik-system`, LoadBalancer VIP `10.0.56.200` from the active `bluejay-pool` (`10.0.56.200-10.0.56.220`). APPLIED.
+- `gitea-ssh-service.yaml` — Gitea SSH LoadBalancer service on `10.0.57.206:22` with `externalTrafficPolicy: Local`; HTTPS Gitea remains behind the Traefik VIP at `10.0.56.200`. APPLIED.

 cert-manager v1.17.2 was installed separately (upstream static manifest). See
 `docs/ai-agents/gx10-migration-continuation-2026-06-14.md` + memory
--- a/gx10/platform/traefik-helmchart.yaml
+++ b/gx10/platform/traefik-helmchart.yaml
@@ -10,12 +10,58 @@ spec:
  targetNamespace: traefik-system
  createNamespace: true
  valuesContent: |
+    additionalArguments:
+      - --api.dashboard=true
+      - --log.level=INFO
+      - --providers.kubernetescrd
+      - --providers.kubernetesingress
+    deployment:
+      replicas: 2
    service:
      type: LoadBalancer
      spec:
-        externalTrafficPolicy: Local
-      annotations:
-        metallb.io/loadBalancerIPs: 10.0.57.202
+        externalTrafficPolicy: Cluster
+        loadBalancerIP: 10.0.56.200
+    ports:
+      irc:
+        expose:
+          default: true
+        exposedPort: 6667
+        port: 6667
+        protocol: TCP
+      irctls:
+        expose:
+          default: true
+        exposedPort: 6697
+        port: 6697
+        protocol: TCP
+      traefik:
+        expose:
+          default: false
+        exposedPort: 8080
+        port: 8080
+        protocol: TCP
+      web:
+        exposedPort: 80
+        port: 8000
+        protocol: TCP
+      websecure:
+        exposedPort: 443
+        port: 8443
+        protocol: TCP
+    rbac:
+      enabled: true
+    resources:
+      limits:
+        cpu: 500m
+        memory: 256Mi
+      requests:
+        cpu: 100m
+        memory: 128Mi
+    tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/control-plane
+        operator: Exists
    ingressClass:
      enabled: true
      isDefaultClass: false