
Deploy releases/k8s-manifests 48f8d94 #158

Merged: themightychris merged 3 commits into deploys/k8s-manifests from releases/k8s-manifests on May 18, 2026

@github-actions

kubectl diff reports that applying 48f8d94 will change:

diff -uN /tmp/LIVE-1969942516/batch.v1.Job.envoy-gateway-system.envoy-gateway-gateway-helm-certgen /tmp/MERGED-1299109475/batch.v1.Job.envoy-gateway-system.envoy-gateway-gateway-helm-certgen
--- /tmp/LIVE-1969942516/batch.v1.Job.envoy-gateway-system.envoy-gateway-gateway-helm-certgen	2026-05-18 05:25:08.577621917 +0000
+++ /tmp/MERGED-1299109475/batch.v1.Job.envoy-gateway-system.envoy-gateway-gateway-helm-certgen	2026-05-18 05:25:08.588622121 +0000
@@ -1 +1,70 @@
-{}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install, pre-upgrade
+  labels:
+    app.kubernetes.io/instance: envoy-gateway
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: gateway-helm
+    app.kubernetes.io/version: v1.7.3
+    helm.sh/chart: gateway-helm-v1.7.3
+  name: envoy-gateway-gateway-helm-certgen
+  namespace: envoy-gateway-system
+spec:
+  backoffLimit: 1
+  completionMode: NonIndexed
+  completions: 1
+  manualSelector: false
+  parallelism: 1
+  podReplacementPolicy: TerminatingOrFailed
+  selector:
+    matchLabels:
+      batch.kubernetes.io/controller-uid: 03c7edb6-33e3-4952-b642-01321292433f
+  suspend: false
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app: certgen
+        batch.kubernetes.io/controller-uid: 03c7edb6-33e3-4952-b642-01321292433f
+        batch.kubernetes.io/job-name: envoy-gateway-gateway-helm-certgen
+        controller-uid: 03c7edb6-33e3-4952-b642-01321292433f
+        job-name: envoy-gateway-gateway-helm-certgen
+    spec:
+      containers:
+      - command:
+        - envoy-gateway
+        - certgen
+        env:
+        - name: ENVOY_GATEWAY_NAMESPACE
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.namespace
+        - name: KUBERNETES_CLUSTER_DOMAIN
+          value: cluster.local
+        image: docker.io/envoyproxy/gateway:v1.7.3
+        imagePullPolicy: IfNotPresent
+        name: envoy-gateway-certgen
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsGroup: 65532
+          runAsNonRoot: true
+          runAsUser: 65532
+          seccompProfile:
+            type: RuntimeDefault
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+      dnsPolicy: ClusterFirst
+      restartPolicy: Never
+      schedulerName: default-scheduler
+      serviceAccount: envoy-gateway-gateway-helm-certgen
+      serviceAccountName: envoy-gateway-gateway-helm-certgen
+      terminationGracePeriodSeconds: 30
+  ttlSecondsAfterFinished: 30
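
Review bot: the `helm.sh/hook: pre-install, pre-upgrade` annotation on this Job is only acted on by Helm, so when the manifest is deployed with kubectl it is an ordinary Job, and with `ttlSecondsAfterFinished: 30` it is removed shortly after it finishes, which fits the live side of this diff being `-{}`. Each deploy will therefore report the Job as new and run `envoy-gateway certgen` again under the `envoy-gateway-gateway-helm-certgen` service account. Confirm that rerunning certgen on every apply is intended; if it is not, exclude hook-annotated resources from the rendered manifests or manage this Job outside the regular apply. Separately, `image: docker.io/envoyproxy/gateway:v1.7.3` is a tag reference used with `imagePullPolicy: IfNotPresent`; pinning the image by digest would guarantee that what runs is what was reviewed.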

themightychris and others added 3 commits May 18, 2026 01:18
…sses

Drops ingress-nginx from the GitOps projection now that traffic has
moved to Envoy Gateway. Cluster-template still ships ingress-nginx
upstream because other clusters need to run it in parallel during
their own migrations, so the exclusion lives here per-cluster.

Also turns off Ingress generation for every app whose chart/manifests
we own in this repo:

  - choose-native-plants, grafana, metabase, paws-data-pipeline,
    prevention-point, sealed-secrets: helm `ingress.enabled: false`
  - balancer: drop manifests/ingress.yaml + Ingress patch from kustomize
  - echo-http: remove the Ingress YAML doc

Out of scope (managed by external CIs, will be cleaned up separately):
  - code-for-philly/latest, laddr/latest (laddr emergence-site chart)
  - codeforphilly-rewrite-sandbox/codeforphilly (rewrite project's CI)

Those Ingresses will be orphaned after this PR deploys (their
referenced IngressClass `nginx` goes away with the rest of
ingress-nginx) but otherwise inert.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
chore(ingress-nginx): decommission and disable per-app Ingresses
Source-holobranch: k8s-manifests-github
Source-commit: 82d581c
Source: 82d581c
@themightychris merged commit 1d7944e into deploys/k8s-manifests on May 18, 2026
1 check passed
@github-actions

kubectl apply output (excluding unchanged) for 1d7944e was:

customresourcedefinition.apiextensions.k8s.io/backends.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/backendtlspolicies.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/backendtrafficpolicies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/backups.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/clienttrafficpolicies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/clusterimagecatalogs.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/clusters.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/databases.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/envoyextensionpolicies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/envoypatchpolicies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/envoyproxies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/failoverquorums.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/gatewayclasses.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/gateways.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/grpcroutes.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/httproutefilters.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/httproutes.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/imagecatalogs.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/listenersets.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/poolers.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/publications.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/referencegrants.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/scheduledbackups.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/sealedsecrets.bitnami.com serverside-applied
customresourcedefinition.apiextensions.k8s.io/securitypolicies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/subscriptions.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/tlsroutes.gateway.networking.k8s.io serverside-applied
clusterrole.rbac.authorization.k8s.io/envoy-gateway-gateway-helm-envoy-gateway-role configured
clusterrole.rbac.authorization.k8s.io/grafana-clusterrole configured
clusterrole.rbac.authorization.k8s.io/prometheus-alertmanager configured
clusterrole.rbac.authorization.k8s.io/prometheus-pushgateway configured
clusterrolebinding.rbac.authorization.k8s.io/sealed-secrets configured
mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook configured
mutatingwebhookconfiguration.admissionregistration.k8s.io/cnpg-mutating-webhook-configuration configured
mutatingwebhookconfiguration.admissionregistration.k8s.io/envoy-gateway-topology-injector.envoy-gateway-system configured
validatingadmissionpolicy.admissionregistration.k8s.io/safe-upgrades.gateway.networking.k8s.io configured
validatingadmissionpolicybinding.admissionregistration.k8s.io/safe-upgrades.gateway.networking.k8s.io configured
validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook configured
validatingwebhookconfiguration.admissionregistration.k8s.io/cnpg-validating-webhook-configuration configured
deployment.apps/choose-native-plants configured
gateway.gateway.networking.k8s.io/choose-native-plants configured
httproute.gateway.networking.k8s.io/choose-native-plants configured
cluster.postgresql.cnpg.io/shared-cluster configured
configmap/cnpg-controller-manager-config configured
gateway.gateway.networking.k8s.io/latest configured
httproute.gateway.networking.k8s.io/latest configured
gateway.gateway.networking.k8s.io/codeforphilly configured
httproute.gateway.networking.k8s.io/codeforphilly configured
statefulset.apps/data-warehouse-postgresql configured
gateway.gateway.networking.k8s.io/echo-http configured
httproute.gateway.networking.k8s.io/echo-http configured
deployment.apps/envoy-gateway configured
httproute.gateway.networking.k8s.io/http-redirect configured
job.batch/envoy-gateway-gateway-helm-certgen created
configmap/grafana-dashboards-default configured
deployment.apps/grafana configured
gateway.gateway.networking.k8s.io/grafana configured
httproute.gateway.networking.k8s.io/grafana configured
deployment.apps/metrics-server configured
gateway.gateway.networking.k8s.io/latest configured
httproute.gateway.networking.k8s.io/latest configured
secret/promtail configured
statefulset.apps/loki configured
gateway.gateway.networking.k8s.io/metabase configured
httproute.gateway.networking.k8s.io/metabase configured
statefulset.apps/database configured
gateway.gateway.networking.k8s.io/paws-data-pipeline configured
httproute.gateway.networking.k8s.io/paws-data-pipeline configured
gateway.gateway.networking.k8s.io/prevention-point configured
httproute.gateway.networking.k8s.io/prevention-point configured
deployment.apps/prometheus-alertmanager configured
deployment.apps/prometheus-kube-state-metrics configured
deployment.apps/prometheus-pushgateway configured
deployment.apps/prometheus-server configured
serviceaccount/prometheus-kube-state-metrics configured
deployment.apps/sealed-secrets configured
gateway.gateway.networking.k8s.io/sealed-secrets configured
httproute.gateway.networking.k8s.io/sealed-secrets configured
rolebinding.rbac.authorization.k8s.io/sealed-secrets-key-admin configured
service/sealed-secrets configured
clusterrole.rbac.authorization.k8s.io "ingress-nginx-admission" deleted
clusterrole.rbac.authorization.k8s.io "ingress-nginx" deleted
clusterrolebinding.rbac.authorization.k8s.io "ingress-nginx-admission" deleted
clusterrolebinding.rbac.authorization.k8s.io "ingress-nginx" deleted
namespace "ingress-nginx" deleted
validatingwebhookconfiguration.admissionregistration.k8s.io "ingress-nginx-admission" deleted
ingress.networking.k8s.io "balancer" deleted from balancer namespace
ingress.networking.k8s.io "choose-native-plants" deleted from choose-native-plants namespace
ingress.networking.k8s.io "echo-http" deleted from echo-http namespace
ingress.networking.k8s.io "grafana" deleted from grafana namespace
ingressclass.networking.k8s.io "nginx" deleted
ingress.networking.k8s.io "metabase" deleted from metabase namespace
ingress.networking.k8s.io "paws-dp-chart" deleted from paws-data-pipeline namespace
ingress.networking.k8s.io "prevention-point" deleted from prevention-point namespace
ingress.networking.k8s.io "sealed-secrets" deleted from sealed-secrets namespace

Errors/Warnings

=== Deleting: ingress-nginx/ConfigMap/ingress-nginx-controller ===
Error from server (NotFound): configmaps "ingress-nginx-controller" not found

=== Deleting: ingress-nginx/Deployment/ingress-nginx-controller ===
Error from server (NotFound): deployments.apps "ingress-nginx-controller" not found

=== Deleting: ingress-nginx/IngressClass/nginx ===
Warning: deleting cluster-scoped resources, not scoped to the provided namespace

=== Deleting: ingress-nginx/Job/ingress-nginx-admission-create ===
Error from server (NotFound): jobs.batch "ingress-nginx-admission-create" not found

=== Deleting: ingress-nginx/Job/ingress-nginx-admission-patch ===
Error from server (NotFound): jobs.batch "ingress-nginx-admission-patch" not found

=== Deleting: ingress-nginx/Role/ingress-nginx-admission ===
Error from server (NotFound): roles.rbac.authorization.k8s.io "ingress-nginx-admission" not found

=== Deleting: ingress-nginx/Role/ingress-nginx ===
Error from server (NotFound): roles.rbac.authorization.k8s.io "ingress-nginx" not found

=== Deleting: ingress-nginx/RoleBinding/ingress-nginx-admission ===
Error from server (NotFound): rolebindings.rbac.authorization.k8s.io "ingress-nginx-admission" not found

=== Deleting: ingress-nginx/RoleBinding/ingress-nginx ===
Error from server (NotFound): rolebindings.rbac.authorization.k8s.io "ingress-nginx" not found

=== Deleting: ingress-nginx/Service/ingress-nginx-controller-admission ===
Error from server (NotFound): services "ingress-nginx-controller-admission" not found

=== Deleting: ingress-nginx/Service/ingress-nginx-controller ===
Error from server (NotFound): services "ingress-nginx-controller" not found

=== Deleting: ingress-nginx/ServiceAccount/ingress-nginx-admission ===
Error from server (NotFound): serviceaccounts "ingress-nginx-admission" not found

=== Deleting: ingress-nginx/ServiceAccount/ingress-nginx ===
Error from server (NotFound): serviceaccounts "ingress-nginx" not found
