fix(ingress): migrate from nginx to Traefik ingress controller

- Change ingressClassName from nginx to traefik - Replace nginx configuration-snippet annotations with Traefik router annotations - Extract security headers into dedicated Traefik Middleware CRD - Update CI/CD pipeline to apply middleware manifest - Document migration decision and deployment steps in README ADR-002: Ingress Controller Migration (nginx → Traefik) Migration strategy: in-place update
2026-05-31 16:25:41 +00:00
parent f649fff223
commit 24d0ab736c
4 changed files with 86 additions and 11 deletions
@@ -82,6 +82,7 @@ jobs:
      - name: Apply Kubernetes manifests
        run: |
          kubectl apply -f k8s/namespace.yaml
          kubectl apply -f k8s/middleware.yaml
          kubectl apply -f k8s/deployment.yaml
          kubectl apply -f k8s/service.yaml
          kubectl apply -f k8s/ingress.yaml
@@ -1,3 +1,61 @@
 # signalledger.nl
-Signal Ledger news site
+Signal Ledger — an independent news publication, a subsidiary of Jopdorp.
 ## Architecture Decision Record (ADR)
 ### ADR-002: Ingress Controller Migration (nginx → Traefik)
 **Status:** Accepted
 **Context:**
 The cluster uses Traefik as its ingress controller. The initial K8s manifests were written with `ingressClassName: nginx` and nginx-specific annotations. This caused a mismatch: the Ingress resource was never picked up by any controller, leaving the site unreachable via the configured domains.
 **Decision:**
 Migrate all ingress configuration to Traefik-native resources.
 1. **Ingress class:** Changed from `nginx` to `traefik`.
 2. **Annotations:** Replaced nginx-specific `configuration-snippet` with Traefik `router.entrypoints`, `router.tls`, and `router.middlewares` annotations.
 3. **Security headers:** Extracted from inline nginx snippets into a dedicated `Middleware` CRD (`k8s/middleware.yaml`). This keeps header policy declarative and reusable.
 **Migration strategy:** In-place update
 - The namespace `openclaw-private` already exists.
 - The deployment, service, and TLS secret are unchanged.
 - We apply the new Ingress and Middleware manifests; Traefik picks them up immediately.
 - Rolling back is a single `kubectl apply` of the previous manifest version.
 **Consequences:**
 - Positive: Aligns with cluster infrastructure. No extra ingress controller needed.
 - Positive: Middleware CRD is cleaner and version-controllable than inline snippets.
 - Risk: Traefik middleware syntax errors will cause 404/500 until fixed. Mitigated by validating manifests in CI before deploy.
 ## Deployment
 ### Prerequisites
 - Kubernetes cluster with Traefik and cert-manager installed.
 - `registry.claw.jopdorp.nl` push access.
 - `KUBECONFIG_BASE64` and `REGISTRY_TOKEN` secrets configured in Gitea.
 ### CI/CD Pipeline
 Gitea Actions workflow (`.gitea/workflows/build-and-deploy.yaml`):
 1. Build and test on every PR/push.
 2. Build and push Docker image on merge to `main`.
 3. Apply K8s manifests and wait for rollout.
 ### Manual Deploy
 ```bash
 kubectl apply -f k8s/namespace.yaml
 kubectl apply -f k8s/middleware.yaml
 kubectl apply -f k8s/deployment.yaml
 kubectl apply -f k8s/service.yaml
 kubectl apply -f k8s/ingress.yaml
 kubectl rollout status deployment/signalledger -n openclaw-private --timeout=120s
 ```
 ### Domains
 - `signalledger.nl`
 - `www.signalledger.nl`
 ### Contact
 - Email: signalledger@jopdorp.nl
 - Owner: Signal Ledger is a subsidiary of Jopdorp.
@@ -9,17 +9,11 @@ metadata:
    app.kubernetes.io/part-of: signalledger
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
-    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
-    nginx.ingress.kubernetes.io/configuration-snippet: |
+    traefik.ingress.kubernetes.io/router.tls: "true"
-      more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload";
+    traefik.ingress.kubernetes.io/router.middlewares: "openclaw-private-security-headers@kubernetescrd"
      more_set_headers "X-Frame-Options: DENY";
      more_set_headers "X-Content-Type-Options: nosniff";
      more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";
      more_set_headers "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://pagead2.googlesyndication.com https://partner.googleadservices.com https://tpc.googlesyndication.com; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self'; frame-src https://googleads.g.doubleclick.net; object-src 'none'; base-uri 'self'; form-action 'self';";
      more_set_headers "X-XSS-Protection: 1; mode=block";
      more_set_headers "Permissions-Policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()";
 spec:
-  ingressClassName: nginx
+  ingressClassName: traefik
  tls:
    - hosts:
        - signalledger.nl
@@ -0,0 +1,22 @@
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: security-headers
  namespace: openclaw-private
  labels:
    app.kubernetes.io/name: signalledger
    app.kubernetes.io/component: middleware
    app.kubernetes.io/part-of: signalledger
 spec:
  headers:
    customRequestHeaders:
      X-Forwarded-Proto: "https"
    customResponseHeaders:
      Strict-Transport-Security: "max-age=31536000; includeSubDomains; preload"
      X-Frame-Options: "DENY"
      X-Content-Type-Options: "nosniff"
      Referrer-Policy: "strict-origin-when-cross-origin"
      Content-Security-Policy: "default-src 'self'; script-src 'self' 'unsafe-inline' https://pagead2.googlesyndication.com https://partner.googleadservices.com https://tpc.googlesyndication.com; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src 'self'; frame-src https://googleads.g.doubleclick.net; object-src 'none'; base-uri 'self'; form-action 'self';"
      X-XSS-Protection: "1; mode=block"
      Permissions-Policy: "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()"
    sslRedirect: true