From a7ba47e30773a77fab94ad4a283b1eea52cada01 Mon Sep 17 00:00:00 2001
From: Andrew Stoltz <1578013+astoltz@users.noreply.github.com>
Date: Thu, 18 Jun 2026 16:40:50 -0500
Subject: [PATCH] platform: dedicate GX10 Gitea SSH VIP
---
 gx10/platform/README.md | 2 +-
 gx10/platform/gitea-ssh-service.yaml | 3 +--
 gx10/platform/traefik-helmchart.yaml | 1 -
 tests/bluejay-infra-lint/FleetManifestLintTests.cs | 6 ++----
 4 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/gx10/platform/README.md b/gx10/platform/README.md
index 947324f..d24ebd9 100644
--- a/gx10/platform/README.md
+++ b/gx10/platform/README.md
@@ -9,7 +9,7 @@ ApplicationSet (`apps-gx10/*`) will own these.
 - `step-ca-acme.yaml` — cert-manager ClusterIssuer (ACME → noc1 step-ca, in-spec caBundle). APPLIED + Ready.
 - `traefik-helmchart.yaml` — Traefik v3.6.10 (chart 39.0.5) via the RKE2 HelmChart CRD, LoadBalancer VIP 10.0.57.202 (prod-pool; temp parallel-run VIP — canonical .200 reclaimed at cutover), with `externalTrafficPolicy: Local` so tenant IP allowlists see client source IP instead of the GX10 node hop. APPLIED.
-- `gitea-ssh-service.yaml` — Gitea SSH LoadBalancer service sharing the Traefik VIP on port 22 with matching `externalTrafficPolicy: Local`; MetalLB requires the shared-IP services to use the same traffic policy. APPLIED.
+- `gitea-ssh-service.yaml` — Gitea SSH LoadBalancer service on `10.0.57.206:22` with `externalTrafficPolicy: Local`; HTTPS Gitea remains behind the Traefik VIP at `10.0.57.202`. APPLIED.
 cert-manager v1.17.2 was installed separately (upstream static manifest). See `docs/ai-agents/gx10-migration-continuation-2026-06-14.md` + memory
diff --git a/gx10/platform/gitea-ssh-service.yaml b/gx10/platform/gitea-ssh-service.yaml
index 2dea9e1..2859c02 100644
--- a/gx10/platform/gitea-ssh-service.yaml
+++ b/gx10/platform/gitea-ssh-service.yaml
@@ -4,8 +4,7 @@ metadata:
 name: gitea-ssh
 namespace: gitea
 annotations:
- metallb.io/allow-shared-ip: gitea-traefik-202
- metallb.universe.tf/loadBalancerIPs: 10.0.57.202
+ metallb.universe.tf/loadBalancerIPs: 10.0.57.206
 spec:
 type: LoadBalancer
 externalTrafficPolicy: Local
diff --git a/gx10/platform/traefik-helmchart.yaml b/gx10/platform/traefik-helmchart.yaml
index 1562453..a26f34a 100644
--- a/gx10/platform/traefik-helmchart.yaml
+++ b/gx10/platform/traefik-helmchart.yaml
@@ -15,7 +15,6 @@ spec:
 spec:
 externalTrafficPolicy: Local
 annotations:
- metallb.io/allow-shared-ip: gitea-traefik-202
 metallb.universe.tf/address-pool: prod-pool
 metallb.universe.tf/loadBalancerIPs: 10.0.57.202
 ingressClass:
diff --git a/tests/bluejay-infra-lint/FleetManifestLintTests.cs b/tests/bluejay-infra-lint/FleetManifestLintTests.cs
index 0e8aa8a..0663894 100644
--- a/tests/bluejay-infra-lint/FleetManifestLintTests.cs
+++ b/tests/bluejay-infra-lint/FleetManifestLintTests.cs
@@ -250,20 +250,18 @@ public sealed class FleetManifestLintTests
 }
 [Fact]
- public void Gx10SharedVipLoadBalancers_MustPreserveClientSourceIp()
+ public void Gx10PublicLoadBalancers_MustPreserveClientSourceIp()
 {
 var traefikPath = Path.Combine(Inventory.BluejayRoot, "gx10", "platform", "traefik-helmchart.yaml");
 var traefik = File.ReadAllText(traefikPath);
- traefik.Should().Contain("metallb.io/allow-shared-ip: gitea-traefik-202");
 traefik.Should().Contain("metallb.universe.tf/loadBalancerIPs: 10.0.57.202");
 traefik.Should().Contain("spec:\n externalTrafficPolicy: Local");
 var giteaPath = Path.Combine(Inventory.BluejayRoot, "gx10", "platform", "gitea-ssh-service.yaml");
 var gitea = File.ReadAllText(giteaPath);
- gitea.Should().Contain("metallb.io/allow-shared-ip: gitea-traefik-202");
- gitea.Should().Contain("metallb.universe.tf/loadBalancerIPs: 10.0.57.202");
+ gitea.Should().Contain("metallb.universe.tf/loadBalancerIPs: 10.0.57.206");
 gitea.Should().Contain("externalTrafficPolicy: Local");
 }
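Review bot: The added `metallb.universe.tf/loadBalancerIPs: 10.0.57.206` line in the gitea-ssh hunk requests a fixed address but, unlike the Traefik service edited in the same patch, the service carries no `metallb.universe.tf/address-pool: prod-pool` annotation, and nothing in the patch shows an IPAddressPool that contains .206. If that address lies outside every configured pool, MetalLB will not assign it and the service stays without an EXTERNAL-IP, so SSH against the new VIP fails until someone reads the service events; the lint test in this patch only checks for the IP string, so it would not catch this. I would add `metallb.universe.tf/address-pool: prod-pool` next to the loadBalancerIPs line to make the intended pool explicit, and confirm before applying that 10.0.57.206 is inside that pool's range and not already claimed by another service. Keeping `externalTrafficPolicy: Local` on the dedicated VIP is still right for the source-IP allowlists the README describes.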