fc2b0c9b53f751a8a6b2cb28470cd6e537703e59
Align new manifest names with the live deployment so CI replaces the existing news-site deployment instead of creating a parallel signalledger one.
Changes:
- deployment name: signalledger -> news-site
- service name: signalledger -> news-site
- ingress name: signalledger -> news-site
- selector labels: app.kubernetes.io/name -> app: news-site
- ingress backend service: signalledger -> news-site
- ingress hosts: add news.claw.jopdorp.nl, keep signalledger.nl + www
- TLS secret: signalledger-tls -> news-site-tls (existing live secret)
- CI rollout target: deployment/signalledger -> deployment/news-site
signalledger.nl
Signal Ledger — an independent news publication, a subsidiary of Jopdorp.
Architecture Decision Record (ADR)
ADR-002: Ingress Controller Migration (nginx → Traefik)
Status: Accepted
Context:
The cluster uses Traefik as its ingress controller. The initial K8s manifests were written with ingressClassName: nginx and nginx-specific annotations. This caused a mismatch: the Ingress resource was never picked up by any controller, leaving the site unreachable via the configured domains.
Decision: Migrate all ingress configuration to Traefik-native resources.
- Ingress class: Changed from nginx to traefik.
- Annotations: Replaced nginx-specific configuration-snippet with Traefik router.entrypoints, router.tls, and router.middlewares annotations.
- Security headers: Extracted from inline nginx snippets into a dedicated Middleware CRD (k8s/middleware.yaml). This keeps header policy declarative and reusable.
Migration strategy: In-place update
- The namespace openclaw-private already exists.
- The deployment, service, and TLS secret are unchanged.
- We apply the new Ingress and Middleware manifests; Traefik picks them up immediately.
- Rolling back is a single kubectl apply of the previous manifest version.
Consequences:
- Positive: Aligns with cluster infrastructure. No extra ingress controller needed.
- Positive: The Middleware CRD is cleaner and easier to version-control than inline snippets.
- Risk: Traefik middleware syntax errors will cause 404/500 until fixed. Mitigated by validating manifests in CI before deploy.
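One way to implement part of the pre-deploy manifest validation named in the risk above, as an added example that is not code from this repository. It catches the class and annotation mismatch described under Context, plus middleware references that do not resolve. It assumes the manifests have already been parsed into objects by a YAML parser; the middleware name security-headers, the websecure entrypoint and the sample manifests are constructed for illustration.

```javascript
// Added example (not from the repository): lint parsed manifests before deploy.
const NGINX_PREFIX = 'nginx.ingress.kubernetes.io/';
const MW_KEY = 'traefik.ingress.kubernetes.io/router.middlewares';

function lintIngress(ingress, middlewares, expectedClass = 'traefik') {
  const errors = [];
  const annotations = (ingress.metadata || {}).annotations || {};
  const cls = (ingress.spec || {}).ingressClassName;
  // A class that no installed controller claims means the Ingress is silently ignored.
  if (cls !== expectedClass) {
    errors.push(`ingressClassName "${cls}" does not match controller "${expectedClass}"`);
  }
  for (const key of Object.keys(annotations)) {
    if (key.startsWith(NGINX_PREFIX)) errors.push(`nginx-only annotation: ${key}`);
  }
  // Traefik addresses CRD middlewares as "<namespace>-<name>@kubernetescrd".
  const known = new Set(middlewares.map(
    (m) => `${m.metadata.namespace || 'default'}-${m.metadata.name}@kubernetescrd`));
  const refs = (annotations[MW_KEY] || '').split(',').map((s) => s.trim()).filter(Boolean);
  for (const ref of refs) {
    if (!known.has(ref)) errors.push(`undefined middleware: ${ref}`);
  }
  return errors;
}

// Constructed sample manifests (as parsed objects); "security-headers" is a hypothetical name.
const middleware = {
  kind: 'Middleware',
  metadata: { name: 'security-headers', namespace: 'openclaw-private' },
};
const nginxIngress = {
  metadata: {
    name: 'news-site',
    annotations: { 'nginx.ingress.kubernetes.io/configuration-snippet': 'add_header X-Frame-Options DENY;' },
  },
  spec: { ingressClassName: 'nginx' },
};
const traefikIngress = {
  metadata: {
    name: 'news-site',
    annotations: {
      'traefik.ingress.kubernetes.io/router.entrypoints': 'websecure',
      'traefik.ingress.kubernetes.io/router.tls': 'true',
      [MW_KEY]: 'openclaw-private-security-headers@kubernetescrd',
    },
  },
  spec: { ingressClassName: 'traefik' },
};

console.log(lintIngress(nginxIngress, [middleware]));   // two findings
console.log(lintIngress(traefikIngress, [middleware])); // no findings
```

A CI step would fail the job whenever the returned list is non-empty, before any kubectl apply runs.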
Deployment
Prerequisites
- Kubernetes cluster with Traefik and cert-manager installed.
- registry.claw.jopdorp.nl push access.
- KUBECONFIG_BASE64 and REGISTRY_TOKEN secrets configured in Gitea.
CI/CD Pipeline
Gitea Actions workflow (.gitea/workflows/build-and-deploy.yaml):
- Build and test on every PR/push.
- Build and push Docker image on merge to main.
- Apply K8s manifests and wait for rollout.
Manual Deploy
kubectl apply -f k8s/namespace.yaml
kubectl apply -f k8s/middleware.yaml
kubectl apply -f k8s/deployment.yaml
kubectl apply -f k8s/service.yaml
kubectl apply -f k8s/ingress.yaml
kubectl rollout status deployment/news-site -n openclaw-private --timeout=120s
Domains
- signalledger.nl
- www.signalledger.nl
Contact
- Email: signalledger@jopdorp.nl
- Owner: Signal Ledger is a subsidiary of Jopdorp.