Update .gitignore to include generated noble-lab-ui-urls.md and enhance README.md with new role documentation. Refactor noble.yml to incorporate noble_landing_urls role for improved URL management. Add ingress configurations for alertmanager, prometheus, longhorn, and vault to support TLS termination via Traefik. Update network policies and values.yaml for vault to allow traffic from Traefik. These changes aim to streamline deployment and enhance service accessibility.

2026-03-28 16:32:21 -04:00
parent a48ac16c14
commit 0e8eaa2f0d
15 changed files with 284 additions and 3 deletions
--- a/clusters/noble/apps/kube-prometheus-stack/values.yaml
+++ b/clusters/noble/apps/kube-prometheus-stack/values.yaml
@@ -35,6 +35,20 @@ alertmanager:
          resources:
            requests:
              storage: 5Gi
+  ingress:
+    enabled: true
+    ingressClassName: traefik
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+    hosts:
+      - alertmanager.apps.noble.lab.pcenicni.dev
+    paths:
+      - /
+    pathType: Prefix
+    tls:
+      - secretName: alertmanager-apps-noble-tls
+        hosts:
+          - alertmanager.apps.noble.lab.pcenicni.dev

 prometheus:
  prometheusSpec:
@@ -48,6 +62,20 @@ prometheus:
          resources:
            requests:
              storage: 30Gi
+  ingress:
+    enabled: true
+    ingressClassName: traefik
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+    hosts:
+      - prometheus.apps.noble.lab.pcenicni.dev
+    paths:
+      - /
+    pathType: Prefix
+    tls:
+      - secretName: prometheus-apps-noble-tls
+        hosts:
+          - prometheus.apps.noble.lab.pcenicni.dev

 grafana:
  persistence:
@@ -78,5 +106,7 @@ grafana:
    server:
      domain: grafana.apps.noble.lab.pcenicni.dev
      root_url: https://grafana.apps.noble.lab.pcenicni.dev/
+      # Traefik sets X-Forwarded-*; required for correct redirects and cookies behind the ingress.
+      use_proxy_headers: true

  # Loki datasource: apply `clusters/noble/apps/grafana-loki-datasource/loki-datasource.yaml` (sidecar ConfigMap) instead of additionalDataSources here.
--- a/clusters/noble/apps/longhorn/values.yaml
+++ b/clusters/noble/apps/longhorn/values.yaml
@@ -16,6 +16,19 @@ defaultSettings:
  # Default 30% reserved often makes small data disks look "full" to the scheduler.
  storageReservedPercentageForDefaultDisk: "10"

+# Longhorn UI — same *.apps.noble.lab.pcenicni.dev pattern as Grafana / Headlamp (Traefik LB → cert-manager TLS).
+ingress:
+  enabled: true
+  ingressClassName: traefik
+  host: longhorn.apps.noble.lab.pcenicni.dev
+  path: /
+  pathType: Prefix
+  tls: true
+  tlsSecret: longhorn-apps-noble-tls
+  secureBackends: false
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+
 # Pre-upgrade Job: keep enabled for normal Helm upgrades (disable only if GitOps sync fights the Job).
 preUpgradeChecker:
  jobEnabled: true
--- a/clusters/noble/apps/vault/cilium-network-policy.yaml
+++ b/clusters/noble/apps/vault/cilium-network-policy.yaml
@@ -24,6 +24,13 @@ spec:
        - ports:
            - port: "8200"
              protocol: TCP
+    - fromEndpoints:
+        - matchLabels:
+            "k8s:io.kubernetes.pod.namespace": traefik
+      toPorts:
+        - ports:
+            - port: "8200"
+              protocol: TCP
    - fromEndpoints:
        - matchLabels:
            "k8s:io.kubernetes.pod.namespace": vault
--- a/clusters/noble/apps/vault/values.yaml
+++ b/clusters/noble/apps/vault/values.yaml
@@ -44,5 +44,19 @@ server:
    path: "/v1/sys/health?uninitcode=204&sealedcode=204&standbyok=true"
    port: 8200

+  # LAN: TLS terminates at Traefik + cert-manager; listener stays HTTP (global.tlsDisable).
+  ingress:
+    enabled: true
+    ingressClassName: traefik
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+    hosts:
+      - host: vault.apps.noble.lab.pcenicni.dev
+        paths: []
+    tls:
+      - secretName: vault-apps-noble-tls
+        hosts:
+          - vault.apps.noble.lab.pcenicni.dev
+
 ui:
  enabled: true
--- a/clusters/noble/bootstrap/argocd/README.md
+++ b/clusters/noble/bootstrap/argocd/README.md
@@ -35,6 +35,17 @@ echo

 Change the password in the UI or via `argocd account update-password`.

+### TLS: changing ClusterIssuer (e.g. staging → prod)
+
+If **`helm upgrade --wait`** fails with *Secret was previously issued by `letsencrypt-staging`* (or another issuer), cert-manager will not replace the TLS Secret in place. Remove the old cert material once, then upgrade again:
+
+```bash
+kubectl -n argocd delete certificate argocd-server --ignore-not-found
+kubectl -n argocd delete secret argocd-server-tls --ignore-not-found
+helm upgrade --install argocd argo/argo-cd -n argocd --create-namespace \
+  --version 9.4.17 -f clusters/noble/bootstrap/argocd/values.yaml --wait
+```
+
 ## 3. Register this repo (if private)

 Use **Settings → Repositories** in the UI, or `argocd repo add` / a `Secret` of type `repository`.
--- a/clusters/noble/bootstrap/argocd/values.yaml
+++ b/clusters/noble/bootstrap/argocd/values.yaml
@@ -32,17 +32,20 @@ server:
  certificate:
    enabled: true
    domain: argo.apps.noble.lab.pcenicni.dev
+    # If you change issuer.name, delete Certificate/Secret once so cert-manager can re-issue (see README.md).
    issuer:
      group: cert-manager.io
      kind: ClusterIssuer
-      name: letsencrypt-staging
+      name: letsencrypt-prod

  ingress:
    enabled: true
    ingressClassName: traefik
    hostname: argo.apps.noble.lab.pcenicni.dev
    tls: true
-    annotations: {}
+    # Traefik terminates TLS; Argo serves HTTP/2 cleartext (insecure). Without h2c, UI/API can 404 or fail gRPC.
+    annotations:
+      traefik.ingress.kubernetes.io/service.serversscheme: h2c

  service:
    type: ClusterIP