Skip to content

Deploy releases/k8s-manifests f32fdb6#166

Merged
themightychris merged 3 commits into
deploys/k8s-manifestsfrom
releases/k8s-manifests
May 19, 2026
Merged

Deploy releases/k8s-manifests f32fdb6#166
themightychris merged 3 commits into
deploys/k8s-manifestsfrom
releases/k8s-manifests

Conversation

@github-actions
Copy link
Copy Markdown

@github-actions github-actions Bot commented May 19, 2026

kubectl diff reports that applying f32fdb6 will change:

diff -uN /tmp/LIVE-2328130577/batch.v1.Job.envoy-gateway-system.envoy-gateway-gateway-helm-certgen /tmp/MERGED-2164309380/batch.v1.Job.envoy-gateway-system.envoy-gateway-gateway-helm-certgen
--- /tmp/LIVE-2328130577/batch.v1.Job.envoy-gateway-system.envoy-gateway-gateway-helm-certgen	2026-05-19 15:03:30.235093343 +0000
+++ /tmp/MERGED-2164309380/batch.v1.Job.envoy-gateway-system.envoy-gateway-gateway-helm-certgen	2026-05-19 15:03:30.246093265 +0000
@@ -1 +1,70 @@
-{}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    helm.sh/hook: pre-install, pre-upgrade
+  labels:
+    app.kubernetes.io/instance: envoy-gateway
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: gateway-helm
+    app.kubernetes.io/version: v1.7.3
+    helm.sh/chart: gateway-helm-v1.7.3
+  name: envoy-gateway-gateway-helm-certgen
+  namespace: envoy-gateway-system
+spec:
+  backoffLimit: 1
+  completionMode: NonIndexed
+  completions: 1
+  manualSelector: false
+  parallelism: 1
+  podReplacementPolicy: TerminatingOrFailed
+  selector:
+    matchLabels:
+      batch.kubernetes.io/controller-uid: 789b494d-9415-47a9-8a7d-c6b18ffbcf86
+  suspend: false
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app: certgen
+        batch.kubernetes.io/controller-uid: 789b494d-9415-47a9-8a7d-c6b18ffbcf86
+        batch.kubernetes.io/job-name: envoy-gateway-gateway-helm-certgen
+        controller-uid: 789b494d-9415-47a9-8a7d-c6b18ffbcf86
+        job-name: envoy-gateway-gateway-helm-certgen
+    spec:
+      containers:
+      - command:
+        - envoy-gateway
+        - certgen
+        env:
+        - name: ENVOY_GATEWAY_NAMESPACE
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.namespace
+        - name: KUBERNETES_CLUSTER_DOMAIN
+          value: cluster.local
+        image: docker.io/envoyproxy/gateway:v1.7.3
+        imagePullPolicy: IfNotPresent
+        name: envoy-gateway-certgen
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          privileged: false
+          readOnlyRootFilesystem: true
+          runAsGroup: 65532
+          runAsNonRoot: true
+          runAsUser: 65532
+          seccompProfile:
+            type: RuntimeDefault
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+      dnsPolicy: ClusterFirst
+      restartPolicy: Never
+      schedulerName: default-scheduler
+      serviceAccount: envoy-gateway-gateway-helm-certgen
+      serviceAccountName: envoy-gateway-gateway-helm-certgen
+      terminationGracePeriodSeconds: 30
+  ttlSecondsAfterFinished: 30

Errors/Warnings

=== Directory: ./codeforphilly-rewrite-sandbox ===
The Deployment "codeforphilly" is invalid: spec.selector: Invalid value: v1.LabelSelector{MatchLabels:map[string]string{"app.kubernetes.io/name":"codeforphilly"}, MatchExpressions:[]v1.LabelSelectorRequirement(nil)}: field is immutable

@themightychris
codeforphilly-ng: seal CFP_DATA_RELOAD_SECRET for hot-reload webhook
45fa964 
The codeforphilly-ng API exposes `POST /api/_internal/reload-data`
(CodeForPhilly/codeforphilly-ng#70) for the
`codeforphilly-data` repo's `Notify deployments` GH Action to call on
push to `published`. The bearer secret on both sides must match. This
seals the cluster-side copy; the data-repo-side copy is added as a
GitHub repository secret on `codeforphilly-data`.
@themightychris
Merge pull request #165 from CodeForPhilly/add-data-reload-secret
9f8670f 
codeforphilly-ng: seal CFP_DATA_RELOAD_SECRET for hot-reload webhook
@themightychris
☀ projected k8s-manifests-github from 9f8670f
f32fdb6 
Source-holobranch: k8s-manifests-github
Source-commit: 9f8670f
Source: 9f8670f
@themightychris themightychris merged commit e2feca1 into deploys/k8s-manifests May 19, 2026
1 check passed
@github-actions
Copy link
Copy Markdown
Author

github-actions Bot commented May 19, 2026

kubectl apply output (excluding unchanged) for e2feca1 was:

customresourcedefinition.apiextensions.k8s.io/backends.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/backendtlspolicies.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/backendtrafficpolicies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/backups.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/clienttrafficpolicies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/clusterimagecatalogs.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/clusters.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/databases.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/envoyextensionpolicies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/envoypatchpolicies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/envoyproxies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/failoverquorums.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/gatewayclasses.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/gateways.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/grpcroutes.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/httproutefilters.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/httproutes.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/imagecatalogs.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/listenersets.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/poolers.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/publications.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/referencegrants.gateway.networking.k8s.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/scheduledbackups.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/sealedsecrets.bitnami.com serverside-applied
customresourcedefinition.apiextensions.k8s.io/securitypolicies.gateway.envoyproxy.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/subscriptions.postgresql.cnpg.io serverside-applied
customresourcedefinition.apiextensions.k8s.io/tlsroutes.gateway.networking.k8s.io serverside-applied
clusterrole.rbac.authorization.k8s.io/envoy-gateway-gateway-helm-envoy-gateway-role configured
clusterrole.rbac.authorization.k8s.io/grafana-clusterrole configured
clusterrole.rbac.authorization.k8s.io/prometheus-alertmanager configured
clusterrole.rbac.authorization.k8s.io/prometheus-pushgateway configured
clusterrolebinding.rbac.authorization.k8s.io/sealed-secrets configured
mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook configured
mutatingwebhookconfiguration.admissionregistration.k8s.io/cnpg-mutating-webhook-configuration configured
mutatingwebhookconfiguration.admissionregistration.k8s.io/envoy-gateway-topology-injector.envoy-gateway-system configured
validatingadmissionpolicy.admissionregistration.k8s.io/safe-upgrades.gateway.networking.k8s.io configured
validatingadmissionpolicybinding.admissionregistration.k8s.io/safe-upgrades.gateway.networking.k8s.io configured
validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook configured
validatingwebhookconfiguration.admissionregistration.k8s.io/cnpg-validating-webhook-configuration configured
gateway.gateway.networking.k8s.io/balancer configured
httproute.gateway.networking.k8s.io/balancer configured
deployment.apps/choose-native-plants configured
gateway.gateway.networking.k8s.io/choose-native-plants configured
httproute.gateway.networking.k8s.io/choose-native-plants configured
cluster.postgresql.cnpg.io/shared-cluster configured
configmap/cnpg-controller-manager-config configured
gateway.gateway.networking.k8s.io/latest configured
httproute.gateway.networking.k8s.io/latest configured
configmap/codeforphilly-env configured
gateway.gateway.networking.k8s.io/codeforphilly configured
httproute.gateway.networking.k8s.io/codeforphilly configured
persistentvolumeclaim/codeforphilly-data configured
persistentvolumeclaim/codeforphilly-private configured
sealedsecret.bitnami.com/codeforphilly-secrets configured
service/codeforphilly configured
serviceaccount/codeforphilly configured
statefulset.apps/data-warehouse-postgresql configured
gateway.gateway.networking.k8s.io/echo-http configured
httproute.gateway.networking.k8s.io/echo-http configured
deployment.apps/envoy-gateway configured
httproute.gateway.networking.k8s.io/http-redirect configured
job.batch/envoy-gateway-gateway-helm-certgen created
configmap/grafana-dashboards-default configured
deployment.apps/grafana configured
gateway.gateway.networking.k8s.io/grafana configured
httproute.gateway.networking.k8s.io/grafana configured
deployment.apps/metrics-server configured
gateway.gateway.networking.k8s.io/latest configured
httproute.gateway.networking.k8s.io/latest configured
secret/promtail configured
statefulset.apps/loki configured
gateway.gateway.networking.k8s.io/metabase configured
httproute.gateway.networking.k8s.io/metabase configured
statefulset.apps/database configured
gateway.gateway.networking.k8s.io/paws-data-pipeline configured
httproute.gateway.networking.k8s.io/paws-data-pipeline configured
gateway.gateway.networking.k8s.io/prevention-point configured
httproute.gateway.networking.k8s.io/prevention-point configured
deployment.apps/prometheus-alertmanager configured
deployment.apps/prometheus-kube-state-metrics configured
deployment.apps/prometheus-pushgateway configured
deployment.apps/prometheus-server configured
serviceaccount/prometheus-kube-state-metrics configured
deployment.apps/sealed-secrets configured
gateway.gateway.networking.k8s.io/sealed-secrets configured
httproute.gateway.networking.k8s.io/sealed-secrets configured
rolebinding.rbac.authorization.k8s.io/sealed-secrets-key-admin configured
service/sealed-secrets configured

Errors/Warnings

=== Directory: ./codeforphilly-rewrite-sandbox ===
The Deployment "codeforphilly" is invalid: spec.selector: Invalid value: v1.LabelSelector{MatchLabels:map[string]string{"app.kubernetes.io/name":"codeforphilly"}, MatchExpressions:[]v1.LabelSelectorRequirement(nil)}: field is immutable

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@themightychris