From a7eec51e0f8c28645bcbb12845f6a6d4d91729a5 Mon Sep 17 00:00:00 2001
From: Chris Alfano
Date: Mon, 18 May 2026 01:08:53 -0400
Subject: [PATCH] chore(ingress-nginx): exclude from projection + disable per-app Ingresses
Drops ingress-nginx from the GitOps projection now that traffic has moved to Envoy Gateway. Cluster-template still ships ingress-nginx upstream because other clusters need to run it in parallel during their own migrations, so the exclusion lives here per-cluster.
Also turns off Ingress generation for every app whose chart/manifests we own in this repo:
- choose-native-plants, grafana, metabase, paws-data-pipeline, prevention-point, sealed-secrets: helm `ingress.enabled: false`
- balancer: drop manifests/ingress.yaml + Ingress patch from kustomize
- echo-http: remove the Ingress YAML doc
Out of scope (managed by external CIs, will be cleaned up separately):
- code-for-philly/latest, laddr/latest (laddr emergence-site chart)
- codeforphilly-rewrite-sandbox/codeforphilly (rewrite project's CI)
Those Ingresses will be orphaned after this PR deploys (their referenced IngressClass `nginx` goes away with the rest of ingress-nginx) but otherwise inert.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .../branches/k8s-manifests/_civic-cloud.toml | 6 ++++-
 balancer/kustomization.yaml | 17 ------------
 choose-native-plants/release-values.yaml | 12 +--------
 echo-http.yaml | 27 -------------------
 grafana/release-values.yaml | 13 +++++----
 metabase/release-values.yaml | 15 +++--------
 paws-data-pipeline/release-values.yaml | 17 +----------------
 prevention-point/release-values.yaml | 12 +--------
 sealed-secrets/release-values.yaml | 7 +----
 9 files changed, 19 insertions(+), 107 deletions(-)
diff --git a/.holo/branches/k8s-manifests/_civic-cloud.toml b/.holo/branches/k8s-manifests/_civic-cloud.toml
index f995346..ec483be 100644
--- a/.holo/branches/k8s-manifests/_civic-cloud.toml
+++ b/.holo/branches/k8s-manifests/_civic-cloud.toml
@@ -1,4 +1,8 @@
 [holomapping]
 holosource = "=>k8s-blueprint-lke"
-files = "**"
+files = [
+ "**",
+ "!ingress-nginx/**",
+ "!.holo/lenses/ingress-nginx.toml",
+]
 before = "*"
diff --git a/balancer/kustomization.yaml b/balancer/kustomization.yaml
index 6a32015..a65cd73 100644
--- a/balancer/kustomization.yaml
+++ b/balancer/kustomization.yaml
@@ -7,29 +7,12 @@ resources:
 - manifests/namespace.yaml
 - manifests/deployment.yaml
 - manifests/service.yaml
- - manifests/ingress.yaml
 images:
 - name: ghcr.io/codeforphilly/balancer-main/app
 newTag: "0.0.0-dev.20260211012449"
 patches:
- - target:
- kind: Ingress
- name: balancer
- patch: |-
- - op: add
- path: /metadata/annotations/cert-manager.io~1cluster-issuer
- value: letsencrypt-prod
- - op: add
- path: /metadata/annotations/kubernetes.io~1ingress.class
- value: nginx
- - op: replace
- path: /spec/tls/0/hosts/0
- value: sandbox.balancerproject.org
- - op: replace
- path: /spec/rules/0/host
- value: sandbox.balancerproject.org
 - target:
 kind: Namespace
 name: balancer
diff --git a/choose-native-plants/release-values.yaml b/choose-native-plants/release-values.yaml
index 9d9da84..7cdac4b 100644
--- a/choose-native-plants/release-values.yaml
+++ b/choose-native-plants/release-values.yaml
@@ -28,14 +28,4 @@ resources:
 # (removed existingService and existingIngress configuration)
 ingress:
- enabled: true
- annotations:
- kubernetes.io/ingress.class: nginx
- cert-manager.io/cluster-issuer: letsencrypt-prod
- hosts:
- - host: choose-native-plants.sandbox.k8s.phl.io
- paths: [ '/' ]
- tls:
- - secretName: choose-native-plants-tls
- hosts:
- - choose-native-plants.sandbox.k8s.phl.io
+ enabled: false
diff --git a/echo-http.yaml b/echo-http.yaml
index 0e2c30f..cf28cf4 100644
--- a/echo-http.yaml
+++ b/echo-http.yaml
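Review bot: The new `files` exclusion list has no comment, so the reason ingress-nginx is dropped on this cluster while the upstream template still ships it is recorded only in the commit message. I would add a line above `files = [` such as `# ingress-nginx is excluded on this cluster: traffic is served by Envoy Gateway; the upstream template still ships it for clusters mid-migration`. The commit message also says some externally managed Ingresses stay behind with class `nginx`; they are inert only while nothing on the cluster claims that class again, so their removal is worth tracking with an owner rather than leaving it open-ended.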
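Review bot: Setting `enabled: false` removes the Ingress, but the TLS Secret it named in the removed lines (`choose-native-plants-tls`) is probably left in the namespace, because cert-manager by default keeps a Certificate's Secret after the Certificate is deleted. The same applies to `echo-http-tls`, `grafana-tls`, `metabase-tls`, `paws-data-pipeline-tls` and `prevention-point-tls` in the later hunks. If the Envoy Gateway listeners use different Secrets (not visible in this diff), these now hold unused private keys and should be deleted as part of the cutover. A comment next to the flag, for example `# TLS now terminates at the Envoy Gateway; delete the old <app>-tls Secret after cutover`, would record that step.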
@@ -43,30 +43,3 @@ spec:
 targetPort: http
 selector:
 app: echo-http
-
-----
-
-kind: Ingress
-apiVersion: networking.k8s.io/v1
-metadata:
- name: echo-http
- namespace: echo-http
- annotations:
- cert-manager.io/cluster-issuer: letsencrypt-prod
- kubernetes.io/ingress.class: nginx
-spec:
- tls:
- - hosts:
- - echo-http.sandbox.k8s.phl.io
- secretName: echo-http-tls
- rules:
- - host: echo-http.sandbox.k8s.phl.io
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: echo-http
- port:
- number: 80
diff --git a/grafana/release-values.yaml b/grafana/release-values.yaml
index 2e247f5..483e206 100644
--- a/grafana/release-values.yaml
+++ b/grafana/release-values.yaml
@@ -1,11 +1,10 @@
 # These values as applied last as downstream overrides
 # See https://github.com/grafana/helm-charts/blob/grafana-6.2.1/charts/grafana/values.yaml
 ingress:
+ enabled: false
- enabled: true
- hosts:
- - metrics.sandbox.k8s.phl.io
- tls:
- - secretName: grafana-tls
- hosts:
- - metrics.sandbox.k8s.phl.io
+# Public hostname previously inferred from ingress.hosts. Set directly
+# now that the Ingress is gone (HTTPS is served by per-app Envoy Gateway).
+grafana.ini:
+ server:
+ domain: metrics.sandbox.k8s.phl.io
diff --git a/metabase/release-values.yaml b/metabase/release-values.yaml
index 64fc4f4..5d33e1d 100644
--- a/metabase/release-values.yaml
+++ b/metabase/release-values.yaml
@@ -25,6 +25,9 @@ configs:
 MB_DB_USER: metabase
 MB_DB_PASS: Qp8VX7I3rbFRs3s58ubi0rM9GQilaYFP
 MB_DB_HOST: database
+ # Public hostname previously inferred from ingress.hosts. Set directly
+ # now that the Ingress is gone (HTTPS is served by per-app Envoy Gateway).
+ MB_SITE_URL: https://metabase.sandbox.k8s.phl.io
 volumes:
 database:
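Review bot: Pinning only `domain` under `grafana.ini.server` leaves `root_url` at Grafana's default, which is built from the protocol, domain and HTTP port of the Grafana process rather than from the public HTTPS address. Unless `root_url` is set in values not shown here, links and login redirects that Grafana generates may point at a plain-HTTP URL with the container port, now that TLS ends at the gateway. Consider adding `root_url: https://metrics.sandbox.k8s.phl.io/` under `server:` next to `domain`.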
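Review bot: The `configs:` block that gains `MB_SITE_URL` still has `MB_DB_PASS` written out as a literal in the context lines just above the addition, so the database password sits in Git history and in every rendered copy of these values. This commit does not introduce it, but the repository already deploys sealed-secrets, so the value could come from a sealed Secret instead, and the current password should be rotated since it is already published. Until that is done, a marker above the key such as `# TODO(security): move MB_DB_PASS to a SealedSecret and rotate it` would keep it from being forgotten. The `configs:` mapping starts above the hunk, so how the chart consumes these keys is not visible here.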
@@ -32,14 +35,4 @@ volumes:
 size: 10Gi
 ingress:
- enabled: true
- annotations:
- kubernetes.io/ingress.class: nginx
- cert-manager.io/cluster-issuer: letsencrypt-prod
- hosts:
- - host: metabase.sandbox.k8s.phl.io
- paths: [ '/' ]
- tls:
- - secretName: metabase-tls
- hosts:
- - metabase.sandbox.k8s.phl.io
+ enabled: false
diff --git a/paws-data-pipeline/release-values.yaml b/paws-data-pipeline/release-values.yaml
index 9d805ea..9c60e56 100644
--- a/paws-data-pipeline/release-values.yaml
+++ b/paws-data-pipeline/release-values.yaml
@@ -1,17 +1,2 @@
 ingress:
- enabled: true
- annotations:
- kubernetes.io/ingress.class: nginx
- cert-manager.io/cluster-issuer: letsencrypt-prod
- nginx.ingress.kubernetes.io/proxy-body-size: '50m'
- nginx.ingress.kubernetes.io/proxy-read-timeout: '300'
- hosts:
- - host: paws-data-pipeline.sandbox.k8s.phl.io
- paths: [ '/' ]
- - host: test.pawsdp.org
- paths: [ '/' ]
- tls:
- - secretName: paws-data-pipeline-tls
- hosts:
- - paws-data-pipeline.sandbox.k8s.phl.io
- - test.pawsdp.org
+ enabled: false
diff --git a/prevention-point/release-values.yaml b/prevention-point/release-values.yaml
index 67664bb..f4b030e 100644
--- a/prevention-point/release-values.yaml
+++ b/prevention-point/release-values.yaml
@@ -5,14 +5,4 @@ frontend:
 image:
 tag: 0.3.3
 ingress:
- enabled: true
- annotations:
- kubernetes.io/ingress.class: nginx
- cert-manager.io/cluster-issuer: letsencrypt-prod
- hosts:
- - host: prevention-point.sandbox.k8s.phl.io
- paths: [ '/' ]
- tls:
- - secretName: prevention-point-tls
- hosts:
- - prevention-point.sandbox.k8s.phl.io
+ enabled: false
diff --git a/sealed-secrets/release-values.yaml b/sealed-secrets/release-values.yaml
index 89d0d62..74c9e7e 100644
--- a/sealed-secrets/release-values.yaml
+++ b/sealed-secrets/release-values.yaml
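Review bot: In the paws-data-pipeline hunk, the removed annotations `nginx.ingress.kubernetes.io/proxy-body-size: '50m'` and `nginx.ingress.kubernetes.io/proxy-read-timeout: '300'` stated this app's request-size bound and read timeout, and `enabled: false` drops them with no replacement in this file. Whether the Envoy Gateway route for this app carries equivalent limits is not visible in the diff; without them large uploads and slow requests may behave differently, and the body-size bound is lost as a guardrail. The second host `test.pawsdp.org` likewise needs a listener and certificate on the gateway side. A comment such as `# body-size 50m / read-timeout 300s are now configured on the Envoy Gateway route` would point the next reader to where they live.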
@@ -2,9 +2,4 @@
 # See https://github.com/bitnami-labs/sealed-secrets/blob/main/helm/sealed-secrets/values.yaml
 ingress:
- enabled: true
- annotations:
- kubernetes.io/ingress.class: nginx
- cert-manager.io/cluster-issuer: letsencrypt-prod
- hostname: sealed-secrets.sandbox.k8s.phl.io
- tls: true
+ enabled: false