claw/signalledger.nl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
24d0ab736ca09680a47523e8626a71111a04a959
signalledger.nl/README.md
T
claw 24d0ab736c fix(ingress): migrate from nginx to Traefik ingress controller 
- Change ingressClassName from nginx to traefik
- Replace nginx configuration-snippet annotations with Traefik router annotations
- Extract security headers into dedicated Traefik Middleware CRD
- Update CI/CD pipeline to apply middleware manifest
- Document migration decision and deployment steps in README

ADR-002: Ingress Controller Migration (nginx → Traefik)
Migration strategy: in-place update
2026-05-31 16:25:41 +00:00

2.4 KiB
Raw Blame History

signalledger.nl

Signal Ledger — an independent news publication, a subsidiary of Jopdorp.

Architecture Decision Record (ADR)

ADR-002: Ingress Controller Migration (nginx → Traefik)

Status: Accepted

Context: The cluster uses Traefik as its ingress controller. The initial K8s manifests were written with ingressClassName: nginx and nginx-specific annotations. This caused a mismatch: the Ingress resource was never picked up by any controller, leaving the site unreachable via the configured domains.

Decision: Migrate all ingress configuration to Traefik-native resources.

  1. Ingress class: Changed from nginx to traefik.
  2. Annotations: Replaced nginx-specific configuration-snippet with Traefik router.entrypoints, router.tls, and router.middlewares annotations.
  3. Security headers: Extracted from inline nginx snippets into a dedicated Middleware CRD (k8s/middleware.yaml). This keeps header policy declarative and reusable.

Migration strategy: In-place update

  • The namespace openclaw-private already exists.
  • The deployment, service, and TLS secret are unchanged.
  • We apply the new Ingress and Middleware manifests; Traefik picks them up immediately.
  • Rolling back is a single kubectl apply of the previous manifest version.

Consequences:

  • Positive: Aligns with cluster infrastructure. No extra ingress controller needed.
  • Positive: Middleware CRD is cleaner and version-controllable than inline snippets.
  • Risk: Traefik middleware syntax errors will cause 404/500 until fixed. Mitigated by validating manifests in CI before deploy.

Deployment

Prerequisites

  • Kubernetes cluster with Traefik and cert-manager installed.
  • registry.claw.jopdorp.nl push access.
  • KUBECONFIG_BASE64 and REGISTRY_TOKEN secrets configured in Gitea.

CI/CD Pipeline

Gitea Actions workflow (.gitea/workflows/build-and-deploy.yaml):

  1. Build and test on every PR/push.
  2. Build and push Docker image on merge to main.
  3. Apply K8s manifests and wait for rollout.

Manual Deploy

kubectl apply -f k8s/namespace.yaml
kubectl apply -f k8s/middleware.yaml
kubectl apply -f k8s/deployment.yaml
kubectl apply -f k8s/service.yaml
kubectl apply -f k8s/ingress.yaml
kubectl rollout status deployment/signalledger -n openclaw-private --timeout=120s

Domains

  • signalledger.nl
  • www.signalledger.nl

Contact

Reference in New Issue View Git Blame Copy Permalink