
Deploy releases/k8s-manifests ce53118 #161

Merged
themightychris merged 3 commits into deploys/k8s-manifests from releases/k8s-manifests on May 18, 2026

Conversation

@github-actions

kubectl diff reports that applying ce53118 will change:

diff -uN /tmp/LIVE-3578341941/gateway.networking.k8s.io.v1.Gateway.balancer.balancer /tmp/MERGED-1434055470/gateway.networking.k8s.io.v1.Gateway.balancer.balancer
--- /tmp/LIVE-3578341941/gateway.networking.k8s.io.v1.Gateway.balancer.balancer	2026-05-18 05:54:34.087823947 +0000
+++ /tmp/MERGED-1434055470/gateway.networking.k8s.io.v1.Gateway.balancer.balancer	2026-05-18 05:54:34.092823951 +0000
@@ -1 +1,22 @@
-{}
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+  name: balancer
+  namespace: balancer
+spec:
+  gatewayClassName: eg
+  listeners:
+  - allowedRoutes:
+      namespaces:
+        from: Same
+    hostname: balancer.sandbox.k8s.phl.io
+    name: https
+    port: 443
+    protocol: HTTPS
+    tls:
+      certificateRefs:
+      - kind: Secret
+        name: balancer-gw-tls
+      mode: Terminate
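Review bot: the `https` listener references a Secret `balancer-gw-tls` that nothing in this diff creates; it is expected to come from cert-manager acting on the `cert-manager.io/cluster-issuer: letsencrypt-prod` annotation, which only happens when cert-manager's Gateway API support is enabled in the cluster. Until that Secret exists the listener stays unready, so after apply check `kubectl -n balancer get gateway balancer -o yaml` for the listener's ResolvedRefs/Programmed conditions and `kubectl -n balancer get certificate,secret balancer-gw-tls`. `allowedRoutes.namespaces.from: Same` is the right scoping for a per-app Gateway; keep it.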
diff -uN /tmp/LIVE-3578341941/gateway.networking.k8s.io.v1.HTTPRoute.balancer.balancer /tmp/MERGED-1434055470/gateway.networking.k8s.io.v1.HTTPRoute.balancer.balancer
--- /tmp/LIVE-3578341941/gateway.networking.k8s.io.v1.HTTPRoute.balancer.balancer	2026-05-18 05:54:34.087823947 +0000
+++ /tmp/MERGED-1434055470/gateway.networking.k8s.io.v1.HTTPRoute.balancer.balancer	2026-05-18 05:54:34.093823952 +0000
@@ -1 +1,22 @@
-{}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: balancer
+  namespace: balancer
+spec:
+  hostnames:
+  - balancer.sandbox.k8s.phl.io
+  parentRefs:
+  - group: gateway.networking.k8s.io
+    kind: Gateway
+    name: balancer
+  rules:
+  - backendRefs:
+    - kind: Service
+      name: balancer
+      port: 8000
+      weight: 1
+    matches:
+    - path:
+        type: PathPrefix
+        value: /
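Review bot: the `parentRefs` entry names the `balancer` Gateway without a `sectionName`, so this route attaches to every listener the Gateway has or later gains; today that is only `https`, but if an HTTP listener is added later (for a redirect, say) the same route would serve the app over plaintext. Pin it with `sectionName: https` under the parentRef. `weight: 1` on a single backendRef is a no-op and can be dropped.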
diff -uN /tmp/LIVE-697769884/postgresql.cnpg.io.v1.Database.cloudnative-pg.balancer /tmp/MERGED-3950802937/postgresql.cnpg.io.v1.Database.cloudnative-pg.balancer
--- /tmp/LIVE-697769884/postgresql.cnpg.io.v1.Database.cloudnative-pg.balancer	2026-05-18 05:54:37.848826666 +0000
+++ /tmp/MERGED-3950802937/postgresql.cnpg.io.v1.Database.cloudnative-pg.balancer	2026-05-18 05:54:37.858826674 +0000
@@ -1 +1,12 @@
-{}
+apiVersion: postgresql.cnpg.io/v1
+kind: Database
+metadata:
+  name: balancer
+  namespace: cloudnative-pg
+spec:
+  cluster:
+    name: shared-cluster
+  databaseReclaimPolicy: retain
+  ensure: present
+  name: balancer
+  owner: balancer
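Review bot: `owner: balancer` needs a `balancer` role to already exist in `shared-cluster` (Postgres rejects `CREATE DATABASE ... OWNER` for an unknown role), and nothing in this diff creates it; the commit message defers the `balancer-db-credentials` SealedSecret to a follow-up, so expect this Database CR to sit unreconciled until the role is provisioned, e.g. via managed roles on the Cluster. `databaseReclaimPolicy: retain` is the safe choice here: deleting the CR will not drop the database. Since the CR lives in `cloudnative-pg` while the app lives in `balancer`, a one-line comment in `cnpg/database.yaml` saying why (the reason is only in the commit message) would save the next reader a git blame.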
diff -uN /tmp/LIVE-1608242085/batch.v1.Job.envoy-gateway-system.envoy-gateway-gateway-helm-certgen /tmp/MERGED-2624944342/batch.v1.Job.envoy-gateway-system.envoy-gateway-gateway-helm-certgen
--- /tmp/LIVE-1608242085/batch.v1.Job.envoy-gateway-system.envoy-gateway-gateway-helm-certgen	2026-05-18 05:54:41.824829480 +0000
+++ /tmp/MERGED-2624944342/batch.v1.Job.envoy-gateway-system.envoy-gateway-gateway-helm-certgen	2026-05-18 05:54:41.836829488 +0000
@@ -1 +1,70 @@
-{}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install, pre-upgrade
+  labels:
+    app.kubernetes.io/instance: envoy-gateway
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: gateway-helm
+    app.kubernetes.io/version: v1.7.3
+    helm.sh/chart: gateway-helm-v1.7.3
+  name: envoy-gateway-gateway-helm-certgen
+  namespace: envoy-gateway-system
+spec:
+  backoffLimit: 1
+  completionMode: NonIndexed
+  completions: 1
+  manualSelector: false
+  parallelism: 1
+  podReplacementPolicy: TerminatingOrFailed
+  selector:
+    matchLabels:
+      batch.kubernetes.io/controller-uid: 013302ee-2c43-4204-a672-ddbcbcb54a0f
+  suspend: false
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app: certgen
+        batch.kubernetes.io/controller-uid: 013302ee-2c43-4204-a672-ddbcbcb54a0f
+        batch.kubernetes.io/job-name: envoy-gateway-gateway-helm-certgen
+        controller-uid: 013302ee-2c43-4204-a672-ddbcbcb54a0f
+        job-name: envoy-gateway-gateway-helm-certgen
+    spec:
+      containers:
+      - command:
+        - envoy-gateway
+        - certgen
+        env:
+        - name: ENVOY_GATEWAY_NAMESPACE
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.namespace
+        - name: KUBERNETES_CLUSTER_DOMAIN
+          value: cluster.local
+        image: docker.io/envoyproxy/gateway:v1.7.3
+        imagePullPolicy: IfNotPresent
+        name: envoy-gateway-certgen
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsGroup: 65532
+          runAsNonRoot: true
+          runAsUser: 65532
+          seccompProfile:
+            type: RuntimeDefault
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+      dnsPolicy: ClusterFirst
+      restartPolicy: Never
+      schedulerName: default-scheduler
+      serviceAccount: envoy-gateway-gateway-helm-certgen
+      serviceAccountName: envoy-gateway-gateway-helm-certgen
+      terminationGracePeriodSeconds: 30
+  ttlSecondsAfterFinished: 30
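Review bot: the `helm.sh/hook: pre-install, pre-upgrade` annotation has no effect under `kubectl apply` (only Helm honours hooks), so this Job is applied as an ordinary resource, and with `ttlSecondsAfterFinished: 30` it is garbage-collected after each run and reappears as a fresh create on every deploy (LIVE is `{}` here for that reason). Confirm `envoy-gateway certgen` is idempotent and leaves existing control-plane TLS Secrets in place, otherwise every deploy rotates them. The container securityContext (`runAsNonRoot`, `drop: [ALL]`, `readOnlyRootFilesystem`, `RuntimeDefault` seccomp) is as it should be.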

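What a reviewer of a deploy PR like this wants from the bot's transcript is a per-object verdict (create, update or delete) plus answers to the handful of policy questions the diff raises: does a new Gateway terminate TLS with a Secret the diff never creates, does a new pod template run as root or privileged. The following is an added example, not code from this repository or from the deploy bot. It parses the `kubectl diff` format shown above (the `diff -uN /tmp/LIVE-…/group.version.Kind.namespace.name` headers and the `{}` placeholder for an absent live object) and runs line-based checks over the added lines, so it needs no YAML library. The sample transcript is constructed and abridged; its Job is deliberately weak so the checks have something to report.

```python
import re
from dataclasses import dataclass, field

# Added example (not part of this PR or of the deploy bot): summarise a
# `kubectl diff` transcript and run reviewer checks over it.
# Assumed input shape, taken from the transcript on this PR:
#   diff -uN /tmp/LIVE-<n>/<group>.<version>.<Kind>.<ns>.<name> /tmp/MERGED-<n>/<same>
# followed by unified-diff lines; an absent live object is rendered as `{}`.
HEADER = re.compile(r"^diff -uN \S*/LIVE-\d+/(?P<key>\S+) \S*/MERGED-\d+/\S+$")
POD_KINDS = {"Pod", "Job", "CronJob", "Deployment", "StatefulSet", "DaemonSet"}


@dataclass
class Change:
    key: str                                     # file name kubectl gave the object
    removed: list = field(default_factory=list)  # '-' lines, prefix and indent stripped
    added: list = field(default_factory=list)    # '+' lines, prefix and indent stripped

    @property
    def action(self) -> str:
        if self.removed == ["{}"]:
            return "create"  # live side was empty, so apply will create the object
        if self.added == ["{}"]:
            return "delete"
        return "update"

    @property
    def kind(self) -> str:
        # groups, versions, namespaces and names are lower-case; the Kind is the
        # first capitalised segment (this also holds for cluster-scoped keys)
        return next((p for p in self.key.split(".") if p[:1].isupper()), "?")

    @property
    def name(self) -> str:
        return self.key.rsplit(".", 1)[-1]


def parse(transcript: str) -> list:
    """Split a kubectl diff transcript into one Change per object."""
    changes = []
    for line in transcript.splitlines():
        m = HEADER.match(line)
        if m:
            changes.append(Change(m.group("key")))
        elif not changes or line.startswith(("---", "+++", "@@")):
            continue  # file headers and hunk markers carry no object content
        elif line.startswith("+"):
            changes[-1].added.append(line[1:].strip())
        elif line.startswith("-"):
            changes[-1].removed.append(line[1:].strip())
    return changes


def review(changes: list) -> list:
    """Line-based checks a reviewer wants answered before approving the apply."""
    notes = []
    # Secrets this same diff creates or updates (a SealedSecret unseals to one)
    present = {c.name for c in changes
               if c.kind in ("Secret", "SealedSecret") and c.action != "delete"}
    for c in changes:
        a = c.added
        if c.kind == "Gateway":
            if "from: All" in a:
                notes.append(f"{c.key}: listener accepts routes from every namespace")
            refs = [a[i + 1][len("name: "):] for i in range(len(a) - 1)
                    if a[i] == "- kind: Secret" and a[i + 1].startswith("name: ")]
            for ref in refs:
                if "mode: Terminate" in a and ref not in present:
                    notes.append(f"{c.key}: TLS Secret {ref} referenced but not created by this diff")
        if c.kind in POD_KINDS:
            for bad in ("privileged: true", "allowPrivilegeEscalation: true"):
                if bad in a:
                    notes.append(f"{c.key}: {bad}")
            # the template check only fires when the containers block itself is new
            if "containers:" in a and "runAsNonRoot: true" not in a:
                notes.append(f"{c.key}: new pod template without runAsNonRoot: true")
    return notes


# Constructed, abridged transcript in the bot's format; the Job is deliberately weak.
SAMPLE = """\
diff -uN /tmp/LIVE-1/gateway.networking.k8s.io.v1.Gateway.balancer.balancer /tmp/MERGED-1/gateway.networking.k8s.io.v1.Gateway.balancer.balancer
--- /tmp/LIVE-1/gateway.networking.k8s.io.v1.Gateway.balancer.balancer
+++ /tmp/MERGED-1/gateway.networking.k8s.io.v1.Gateway.balancer.balancer
@@ -1 +1,11 @@
-{}
+kind: Gateway
+spec:
+  listeners:
+  - allowedRoutes:
+      namespaces:
+        from: Same
+    tls:
+      certificateRefs:
+      - kind: Secret
+        name: balancer-gw-tls
+      mode: Terminate
diff -uN /tmp/LIVE-2/batch.v1.Job.demo.certgen /tmp/MERGED-2/batch.v1.Job.demo.certgen
--- /tmp/LIVE-2/batch.v1.Job.demo.certgen
+++ /tmp/MERGED-2/batch.v1.Job.demo.certgen
@@ -1 +1,7 @@
-{}
+kind: Job
+spec:
+  template:
+    spec:
+      containers:
+      - securityContext:
+          privileged: true
diff -uN /tmp/LIVE-3/apps.v1.Deployment.demo.web /tmp/MERGED-3/apps.v1.Deployment.demo.web
--- /tmp/LIVE-3/apps.v1.Deployment.demo.web
+++ /tmp/MERGED-3/apps.v1.Deployment.demo.web
@@ -20 +20 @@
-        image: example/web:1.0
+        image: example/web:1.1
"""

if __name__ == "__main__":
    changes = parse(SAMPLE)
    for c in changes:
        print(f"{c.action:6} {c.kind:11} {c.key}")
    for note in review(changes):
        print("WARN", note)
```

Run against the real transcript above, the Gateway check fires for `balancer-gw-tls` (the diff creates no Secret of that name) and the Job passes, since its template carries `runAsNonRoot: true` and no privileged flags. The `runAsNonRoot` check is intentionally limited to hunks that add a `containers:` block, because an update hunk only shows the lines that changed.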
themightychris and others added 3 commits May 18, 2026 01:48

Restructures balancer to the design we settled on before the
Envoy/Gateway migration:

  balancer/
    kustomization.yaml         — wrapper, resources: [app, cnpg]
    app/
      kustomization.yaml       — namespace: balancer, references mapped base
      manifests/               — mapped from balancer-main base via hologit
    cnpg/
      kustomization.yaml       — no namespace
      database.yaml            — Database CR in cloudnative-pg namespace

Why this layout:
  - Single hololens (no `balancer-cnpg.toml`)
  - `Database` CR lives next to the balancer config in this repo but
    cnpg requires it to live in the cluster's namespace (cloudnative-pg).
    The cnpg sub-kustomization sets no namespace; database.yaml carries
    its own; k8s-normalize routes by resource at deploy time.
  - Replaces and supersedes PR #143 (TineoC's two-lens approach with the
    sort-order hack and mutable `develop` source ref).

Holosource bumped v1.1.3 → v1.1.5 (latest balancer-main release).
Holomapping filters out `ingress.yaml` (replaced by `_gateways/balancer.yaml`)
and the upstream `kustomization.yaml` (we compose our own).

Also adds `_gateways/balancer.yaml`: per-app Gateway + HTTPRoute on
`balancer.sandbox.k8s.phl.io`. Hostname matches what `secret.template.yaml`
documents and aligns with the per-app pattern used by the other sandbox
apps post-PR-#152.

Database resource will be applied but only fully usable after the
`balancer-db-credentials` SealedSecret is created in the cloudnative-pg
namespace and the balancer app's `balancer-config` is updated to point
SQL_HOST at `shared-cluster-rw.cloudnative-pg.svc.cluster.local` with
the new credentials. That cutover (data migration from the current RDS
host) is a separate follow-up.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

feat(balancer): clean design with shared-cluster cnpg + Envoy Gateway
Source-holobranch: k8s-manifests-github
Source-commit: 58f2d46
Source: 58f2d46
themightychris merged commit 3fb470d into deploys/k8s-manifests on May 18, 2026. 1 check passed.
@github-actions

kubectl apply output (excluding unchanged) for 3fb470d was:

customresourcedefinition.apiextensions.k8s.io/backends.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/backendtlspolicies.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/backendtrafficpolicies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/backups.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/clienttrafficpolicies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/clusterimagecatalogs.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/clusters.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/databases.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/envoyextensionpolicies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/envoypatchpolicies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/envoyproxies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/failoverquorums.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/gatewayclasses.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/gateways.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/grpcroutes.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/httproutefilters.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/httproutes.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/imagecatalogs.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/listenersets.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/poolers.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/publications.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/referencegrants.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/scheduledbackups.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/sealedsecrets.bitnami.com serverside-applied
customresourcedefinition.apiextensions.k8s.io/securitypolicies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/subscriptions.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/tlsroutes.gateway.networking.k8s.io serverside-applied
clusterrole.rbac.authorization.k8s.io/envoy-gateway-gateway-helm-envoy-gateway-role configured
clusterrole.rbac.authorization.k8s.io/grafana-clusterrole configured
clusterrole.rbac.authorization.k8s.io/prometheus-alertmanager configured
clusterrole.rbac.authorization.k8s.io/prometheus-pushgateway configured
clusterrolebinding.rbac.authorization.k8s.io/sealed-secrets configured
mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook configured
mutatingwebhookconfiguration.admissionregistration.k8s.io/cnpg-mutating-webhook-configuration configured
mutatingwebhookconfiguration.admissionregistration.k8s.io/envoy-gateway-topology-injector.envoy-gateway-system configured
validatingadmissionpolicy.admissionregistration.k8s.io/safe-upgrades.gateway.networking.k8s.io configured
validatingadmissionpolicybinding.admissionregistration.k8s.io/safe-upgrades.gateway.networking.k8s.io configured
validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook configured
validatingwebhookconfiguration.admissionregistration.k8s.io/cnpg-validating-webhook-configuration configured
gateway.gateway.networking.k8s.io/balancer created
httproute.gateway.networking.k8s.io/balancer created
deployment.apps/choose-native-plants configured
gateway.gateway.networking.k8s.io/choose-native-plants configured
httproute.gateway.networking.k8s.io/choose-native-plants configured
cluster.postgresql.cnpg.io/shared-cluster configured
configmap/cnpg-controller-manager-config configured
database.postgresql.cnpg.io/balancer created
gateway.gateway.networking.k8s.io/latest configured
httproute.gateway.networking.k8s.io/latest configured
gateway.gateway.networking.k8s.io/codeforphilly configured
httproute.gateway.networking.k8s.io/codeforphilly configured
statefulset.apps/data-warehouse-postgresql configured
gateway.gateway.networking.k8s.io/echo-http configured
httproute.gateway.networking.k8s.io/echo-http configured
deployment.apps/envoy-gateway configured
httproute.gateway.networking.k8s.io/http-redirect configured
job.batch/envoy-gateway-gateway-helm-certgen created
configmap/grafana-dashboards-default configured
deployment.apps/grafana configured
gateway.gateway.networking.k8s.io/grafana configured
httproute.gateway.networking.k8s.io/grafana configured
deployment.apps/metrics-server configured
gateway.gateway.networking.k8s.io/latest configured
httproute.gateway.networking.k8s.io/latest configured
secret/promtail configured
statefulset.apps/loki configured
gateway.gateway.networking.k8s.io/metabase configured
httproute.gateway.networking.k8s.io/metabase configured
statefulset.apps/database configured
gateway.gateway.networking.k8s.io/paws-data-pipeline configured
httproute.gateway.networking.k8s.io/paws-data-pipeline configured
gateway.gateway.networking.k8s.io/prevention-point configured
httproute.gateway.networking.k8s.io/prevention-point configured
deployment.apps/prometheus-alertmanager configured
deployment.apps/prometheus-kube-state-metrics configured
deployment.apps/prometheus-pushgateway configured
deployment.apps/prometheus-server configured
serviceaccount/prometheus-kube-state-metrics configured
deployment.apps/sealed-secrets configured
gateway.gateway.networking.k8s.io/sealed-secrets configured
httproute.gateway.networking.k8s.io/sealed-secrets configured
rolebinding.rbac.authorization.k8s.io/sealed-secrets-key-admin configured
service/sealed-secrets configured
