# signalledger.nl

Signal Ledger — an independent news publication, a subsidiary of Jopdorp.

## Architecture Decision Record (ADR)

### ADR-002: Ingress Controller Migration (nginx → Traefik)

**Status:** Accepted

**Context:** The cluster uses Traefik as its ingress controller. The initial K8s manifests were written with `ingressClassName: nginx` and nginx-specific annotations. This caused a mismatch: the Ingress resource was never picked up by any controller, leaving the site unreachable via the configured domains.

**Decision:** Migrate all ingress configuration to Traefik-native resources.

1. **Ingress class:** Changed from `nginx` to `traefik`.
2. **Annotations:** Replaced nginx-specific `configuration-snippet` with Traefik `router.entrypoints`, `router.tls`, and `router.middlewares` annotations.
3. **Security headers:** Extracted from inline nginx snippets into a dedicated `Middleware` CRD (`k8s/middleware.yaml`). This keeps header policy declarative and reusable.

**Migration strategy:** In-place update

- The namespace `openclaw-private` already exists.
- The deployment, service, and TLS secret are unchanged.
- We apply the new Ingress and Middleware manifests; Traefik picks them up immediately.
- Rolling back is a single `kubectl apply` of the previous manifest version.

**Consequences:**

- Positive: Aligns with cluster infrastructure. No extra ingress controller needed.
- Positive: Middleware CRD is cleaner and easier to version-control than inline snippets.
- Risk: Traefik middleware syntax errors will cause 404/500 until fixed. Mitigated by validating manifests in CI before deploy.

## Deployment

### Prerequisites

- Kubernetes cluster with Traefik and cert-manager installed.
- `registry.claw.jopdorp.nl` push access.
- `KUBECONFIG_BASE64` and `REGISTRY_TOKEN` secrets configured in Gitea.

### CI/CD Pipeline

Gitea Actions workflow (`.gitea/workflows/build-and-deploy.yaml`):

1. Build and test on every PR/push.
2. Build and push Docker image on merge to `main`.
3. Apply K8s manifests and wait for rollout.

### Manual Deploy

```bash
kubectl apply -f k8s/namespace.yaml
kubectl apply -f k8s/middleware.yaml
kubectl apply -f k8s/deployment.yaml
kubectl apply -f k8s/service.yaml
kubectl apply -f k8s/ingress.yaml
kubectl rollout status deployment/signalledger -n openclaw-private --timeout=120s
```

### Domains

- `signalledger.nl`
- `www.signalledger.nl`

### Contact

- Email: signalledger@jopdorp.nl
- Owner: Signal Ledger is a subsidiary of Jopdorp.
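
### Example: CI manifest check for ADR-002

The CI validation named as the mitigation in ADR-002 could look like the following. This is an added example, not this repository's own code: it checks that each Ingress uses the `traefik` class, carries no nginx annotations, and that every `router.middlewares` reference resolves to a `Middleware` in the manifests, using Traefik's `<namespace>-<name>@kubernetescrd` naming. The middleware name `security-headers`, the `websecure` entry point, the `traefik.io/v1alpha1` API version and the regex-based parsing (instead of a YAML library) are assumptions.

```python
import re

# Constructed manifests; the middleware name and entry point are assumptions.
GOOD = """\
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: security-headers
  namespace: openclaw-private
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: signalledger
  namespace: openclaw-private
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    traefik.ingress.kubernetes.io/router.middlewares: openclaw-private-security-headers@kubernetescrd
spec:
  ingressClassName: traefik
"""

def field(doc, key):  # first scalar value for a YAML key, quotes stripped
    m = re.search(rf'^\s*{re.escape(key)}:\s*"?([^\s"]+)', doc, re.M)
    return m.group(1) if m else None

def lint(manifests):
    docs = re.split(r"^---\s*$", manifests, flags=re.M)
    # Names under which Traefik's kubernetescrd provider exposes each Middleware.
    known = {f"{field(d, 'namespace')}-{field(d, 'name')}@kubernetescrd"
             for d in docs if field(d, "kind") == "Middleware"}
    errors = []
    for d in docs:
        if field(d, "kind") != "Ingress":
            continue
        name = field(d, "name")
        if field(d, "ingressClassName") != "traefik":
            errors.append(f"{name}: ingressClassName is not traefik")
        if "nginx.ingress.kubernetes.io/" in d:
            errors.append(f"{name}: nginx-specific annotation present")
        refs = field(d, "traefik.ingress.kubernetes.io/router.middlewares") or ""
        for ref in filter(None, refs.split(",")):
            if ref not in known:
                errors.append(f"{name}: middleware {ref} not defined")
    return errors

if __name__ == "__main__":
    print(lint(GOOD) or "manifests OK")
```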