Deploy releases/k8s-manifests 8ef5060#155

Merged
themightychris merged 6 commits into deploys/k8s-manifests from releases/k8s-manifests on May 18, 2026

Conversation

@github-actions github-actions Bot commented May 18, 2026

kubectl diff reports that applying 8ef5060 will change:

diff -uN /tmp/LIVE-1032182217/batch.v1.Job.envoy-gateway-system.envoy-gateway-gateway-helm-certgen /tmp/MERGED-520420420/batch.v1.Job.envoy-gateway-system.envoy-gateway-gateway-helm-certgen
--- /tmp/LIVE-1032182217/batch.v1.Job.envoy-gateway-system.envoy-gateway-gateway-helm-certgen	2026-05-18 04:35:54.514365537 +0000
+++ /tmp/MERGED-520420420/batch.v1.Job.envoy-gateway-system.envoy-gateway-gateway-helm-certgen	2026-05-18 04:35:54.525365620 +0000
@@ -1 +1,70 @@
-{}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install, pre-upgrade
+  labels:
+    app.kubernetes.io/instance: envoy-gateway
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: gateway-helm
+    app.kubernetes.io/version: v1.7.3
+    helm.sh/chart: gateway-helm-v1.7.3
+  name: envoy-gateway-gateway-helm-certgen
+  namespace: envoy-gateway-system
+spec:
+  backoffLimit: 1
+  completionMode: NonIndexed
+  completions: 1
+  manualSelector: false
+  parallelism: 1
+  podReplacementPolicy: TerminatingOrFailed
+  selector:
+    matchLabels:
+      batch.kubernetes.io/controller-uid: d34d1e18-d897-4629-8dab-3813322802e7
+  suspend: false
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app: certgen
+        batch.kubernetes.io/controller-uid: d34d1e18-d897-4629-8dab-3813322802e7
+        batch.kubernetes.io/job-name: envoy-gateway-gateway-helm-certgen
+        controller-uid: d34d1e18-d897-4629-8dab-3813322802e7
+        job-name: envoy-gateway-gateway-helm-certgen
+    spec:
+      containers:
+      - command:
+        - envoy-gateway
+        - certgen
+        env:
+        - name: ENVOY_GATEWAY_NAMESPACE
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.namespace
+        - name: KUBERNETES_CLUSTER_DOMAIN
+          value: cluster.local
+        image: docker.io/envoyproxy/gateway:v1.7.3
+        imagePullPolicy: IfNotPresent
+        name: envoy-gateway-certgen
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsGroup: 65532
+          runAsNonRoot: true
+          runAsUser: 65532
+          seccompProfile:
+            type: RuntimeDefault
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+      dnsPolicy: ClusterFirst
+      restartPolicy: Never
+      schedulerName: default-scheduler
+      serviceAccount: envoy-gateway-gateway-helm-certgen
+      serviceAccountName: envoy-gateway-gateway-helm-certgen
+      terminationGracePeriodSeconds: 30
+  ttlSecondsAfterFinished: 30
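Review bot: the `helm.sh/hook: pre-install, pre-upgrade` annotation at the top of the hunk has no effect when the rendered chart is applied with kubectl instead of Helm, so nothing orders this certgen Job ahead of the envoy-gateway Deployment in the same apply; and because `ttlSecondsAfterFinished: 30` at the bottom of the hunk deletes the Job shortly after it completes (the `-{}` live side shows it is already absent), every later deploy's kubectl diff will show this same create-from-nothing hunk and re-run `envoy-gateway certgen`. If re-running certgen on each deploy is intended, a short comment in the manifests would save the next reader the question; if not, consider dropping the TTL so the Job stays around and the diff goes quiet. The container securityContext (drop ALL, runAsNonRoot, readOnlyRootFilesystem, seccompProfile RuntimeDefault) is as tight as it should be and needs no change.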

themightychris and others added 6 commits May 17, 2026 23:41
Adds a single redirect HTTPRoute attached to main-gateway that 301s
all HTTP traffic to HTTPS. ACME challenge paths bypass the redirect
because cert-manager's per-challenge HTTPRoute uses pathType: Exact
on /.well-known/acme-challenge/<token> with a hostname match, beating
the redirect's catch-all per Gateway API conflict resolution.

Per-app HTTPRoutes drop their main-gateway parentRef since HTTP no
longer needs to reach the backend — they attach only to their per-app
HTTPS Gateway now.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
feat(gateway-tls): force HTTP→HTTPS via global redirect HTTPRoute
Source-holobranch: k8s-manifests-github
Source-commit: 9b7f686
Source: 9b7f686
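The redirect-plus-ACME-bypass arrangement described in that commit message, written out as an added example (not the repository's own manifests): a hostname-less catch-all HTTPRoute that 301s to HTTPS, beside the kind of per-challenge HTTPRoute cert-manager's Gateway API solver creates. The namespace, listener name, hostname, token and solver Service name are constructed placeholders; only `main-gateway` comes from the page.

```yaml
# Example manifests (constructed, not from the repo). Shows why the
# Exact-path challenge route wins over the PathPrefix "/" redirect:
# Gateway API ranks a matching hostname first, then Exact over PathPrefix.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: http-redirect
  namespace: gateway-system          # assumed namespace
spec:
  parentRefs:
  - name: main-gateway
    sectionName: http                # assumed name of the port-80 listener
  # no hostnames: matches every host on the listener
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /                     # catch-all for plain-HTTP requests
    filters:
    - type: RequestRedirect
      requestRedirect:
        scheme: https
        statusCode: 301              # permanent; no backendRefs, so HTTP never hits an app
---
# Shape of the route cert-manager creates per HTTP-01 challenge.
# Its hostname match plus Exact path outrank the redirect above, so the
# ACME validator reaches the solver pod over HTTP while all else redirects.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: cm-acme-http-solver-example  # constructed name
  namespace: gateway-system
spec:
  parentRefs:
  - name: main-gateway
    sectionName: http
  hostnames:
  - app.example.org                  # constructed hostname being validated
  rules:
  - matches:
    - path:
        type: Exact
        value: /.well-known/acme-challenge/EXAMPLE_TOKEN  # placeholder token
    backendRefs:
    - name: cm-acme-http-solver-example  # constructed solver Service name
      port: 8089                         # constructed solver port
```

Because the redirect route carries no backendRefs, a misordered or missing per-app HTTPS route fails closed (redirect loop or 404 on the HTTPS Gateway) rather than exposing a backend over plain HTTP.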
Pulls in civic-cloud/cluster-template#22 which bumps the upstream
cluster-template to v1.5.2, removing hairpin-proxy from the LKE
blueprint.

After this deploys, the hairpin-proxy namespace, deployments,
RBAC, and the coredns-custom rewrites will all drop out of the
cluster. The CoreDNS configmap data field was already cleared
live during sandbox migration, so no in-cluster traffic disruption is
expected.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
chore(deps): bump civic-cloud to v1.9.2
Source-holobranch: k8s-manifests-github
Source-commit: 89807de
Source: 89807de
@github-actions github-actions Bot changed the title from Deploy releases/k8s-manifests 3f88235 to Deploy releases/k8s-manifests 8ef5060 on May 18, 2026
@themightychris themightychris merged commit a1255e5 into deploys/k8s-manifests May 18, 2026
1 check passed

kubectl apply output (excluding unchanged) for a1255e5 was:

customresourcedefinition.apiextensions.k8s.io/backends.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/backendtlspolicies.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/backendtrafficpolicies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/backups.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/clienttrafficpolicies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/clusterimagecatalogs.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/clusters.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/databases.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/envoyextensionpolicies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/envoypatchpolicies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/envoyproxies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/failoverquorums.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/gatewayclasses.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/gateways.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/grpcroutes.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/httproutefilters.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/httproutes.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/imagecatalogs.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/listenersets.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/poolers.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/publications.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/referencegrants.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/scheduledbackups.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/sealedsecrets.bitnami.com serverside-applied
customresourcedefinition.apiextensions.k8s.io/securitypolicies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/subscriptions.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/tlsroutes.gateway.networking.k8s.io serverside-applied
clusterrole.rbac.authorization.k8s.io/envoy-gateway-gateway-helm-envoy-gateway-role configured
clusterrole.rbac.authorization.k8s.io/grafana-clusterrole configured
clusterrole.rbac.authorization.k8s.io/prometheus-alertmanager configured
clusterrole.rbac.authorization.k8s.io/prometheus-pushgateway configured
clusterrolebinding.rbac.authorization.k8s.io/sealed-secrets configured
mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook configured
mutatingwebhookconfiguration.admissionregistration.k8s.io/cnpg-mutating-webhook-configuration configured
mutatingwebhookconfiguration.admissionregistration.k8s.io/envoy-gateway-topology-injector.envoy-gateway-system configured
validatingadmissionpolicy.admissionregistration.k8s.io/safe-upgrades.gateway.networking.k8s.io configured
validatingadmissionpolicybinding.admissionregistration.k8s.io/safe-upgrades.gateway.networking.k8s.io configured
validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook configured
validatingwebhookconfiguration.admissionregistration.k8s.io/cnpg-validating-webhook-configuration configured
validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission configured
deployment.apps/choose-native-plants configured
gateway.gateway.networking.k8s.io/choose-native-plants configured
httproute.gateway.networking.k8s.io/choose-native-plants configured
cluster.postgresql.cnpg.io/shared-cluster configured
configmap/cnpg-controller-manager-config configured
gateway.gateway.networking.k8s.io/latest configured
httproute.gateway.networking.k8s.io/latest configured
gateway.gateway.networking.k8s.io/codeforphilly configured
httproute.gateway.networking.k8s.io/codeforphilly configured
statefulset.apps/data-warehouse-postgresql configured
gateway.gateway.networking.k8s.io/echo-http configured
httproute.gateway.networking.k8s.io/echo-http configured
deployment.apps/envoy-gateway configured
httproute.gateway.networking.k8s.io/http-redirect configured
job.batch/envoy-gateway-gateway-helm-certgen created
configmap/grafana-dashboards-default configured
deployment.apps/grafana configured
gateway.gateway.networking.k8s.io/grafana configured
httproute.gateway.networking.k8s.io/grafana configured
deployment.apps/ingress-nginx-controller configured
deployment.apps/metrics-server configured
gateway.gateway.networking.k8s.io/latest configured
httproute.gateway.networking.k8s.io/latest configured
secret/promtail configured
statefulset.apps/loki configured
gateway.gateway.networking.k8s.io/metabase configured
httproute.gateway.networking.k8s.io/metabase configured
statefulset.apps/database configured
gateway.gateway.networking.k8s.io/paws-data-pipeline configured
httproute.gateway.networking.k8s.io/paws-data-pipeline configured
gateway.gateway.networking.k8s.io/prevention-point configured
httproute.gateway.networking.k8s.io/prevention-point configured
deployment.apps/prometheus-alertmanager configured
deployment.apps/prometheus-kube-state-metrics configured
deployment.apps/prometheus-pushgateway configured
deployment.apps/prometheus-server configured
serviceaccount/prometheus-kube-state-metrics configured
deployment.apps/sealed-secrets configured
gateway.gateway.networking.k8s.io/sealed-secrets configured
httproute.gateway.networking.k8s.io/sealed-secrets configured
rolebinding.rbac.authorization.k8s.io/sealed-secrets-key-admin configured
service/sealed-secrets configured
clusterrole.rbac.authorization.k8s.io "hairpin-proxy-controller-cr" deleted
clusterrolebinding.rbac.authorization.k8s.io "hairpin-proxy-controller-crb" deleted
namespace "hairpin-proxy" deleted
configmap "coredns-custom" deleted from kube-system namespace
role.rbac.authorization.k8s.io "hairpin-proxy-controller-r" deleted from kube-system namespace
rolebinding.rbac.authorization.k8s.io "hairpin-proxy-controller-rb" deleted from kube-system namespace

Errors/Warnings

=== Deleting: hairpin-proxy/Deployment/hairpin-proxy-controller ===
Error from server (NotFound): deployments.apps "hairpin-proxy-controller" not found

=== Deleting: hairpin-proxy/Deployment/hairpin-proxy-haproxy ===
Error from server (NotFound): deployments.apps "hairpin-proxy-haproxy" not found

=== Deleting: hairpin-proxy/Service/hairpin-proxy ===
Error from server (NotFound): services "hairpin-proxy" not found

=== Deleting: hairpin-proxy/ServiceAccount/hairpin-proxy-controller-sa ===
Error from server (NotFound): serviceaccounts "hairpin-proxy-controller-sa" not found
