Merge pull request 'feat: deploy nginx-weighted traffic layer (TraefikService 90/10, TLS, HTTP redirect)' (#4) from feat/nginx-weighted into main

Reviewed-on: #4

apps/nginx-weighted/application.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: nginx-weighted
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: http://gitea-http.gitea.svc.cluster.local:3000/admin/k3s-gitops
+    path: apps/nginx-weighted
+    targetRevision: HEAD
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: nginx-mcp
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

apps/nginx-weighted/canary-proxy-svc.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: nginx-canary-proxy
+  namespace: nginx-mcp
+  labels:
+    app: nginx-canary-proxy
+  annotations:
+    description: >
+      ExternalName proxy required because Traefik v3 does not allow
+      cross-namespace service references inside TraefikService weighted config.
+      This service bridges nginx-mcp namespace → nginx-canary namespace.
+spec:
+  type: ExternalName
+  externalName: nginx-canary.nginx-canary.svc.cluster.local
+  ports:
+    - port: 80
+      targetPort: 80

apps/nginx-weighted/certificate.yaml

@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: nginx-weighted-tls
+  namespace: nginx-mcp
+spec:
+  secretName: nginx-weighted-tls
+  issuerRef:
+    name: letsencrypt-http
+    kind: ClusterIssuer
+  dnsNames:
+    - nginx.thedevops.dev

apps/nginx-weighted/ingressroute.yaml

@@ -0,0 +1,38 @@
+---
+# HTTPS entrypoint — routes nginx.thedevops.dev through weighted TraefikService
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: nginx-weighted
+  namespace: nginx-mcp
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`nginx.thedevops.dev`)
+      kind: Rule
+      services:
+        - name: nginx-weighted
+          namespace: nginx-mcp
+          kind: TraefikService
+  tls:
+    secretName: nginx-weighted-tls
+---
+# HTTP entrypoint — redirects all HTTP traffic to HTTPS via middleware
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: nginx-weighted-http
+  namespace: nginx-mcp
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: Host(`nginx.thedevops.dev`)
+      kind: Rule
+      middlewares:
+        - name: redirect-https
+          namespace: nginx-mcp
+      services:
+        - name: nginx-mcp
+          port: 80

apps/nginx-weighted/middleware.yaml

@@ -0,0 +1,9 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: redirect-https
+  namespace: nginx-mcp
+spec:
+  redirectScheme:
+    scheme: https
+    permanent: true

apps/nginx-weighted/traefikservice.yaml

@@ -0,0 +1,25 @@
+---
+# TraefikService — weighted load balancer between stable and canary.
+# THIS IS THE ONLY FILE YOU NEED TO EDIT to shift traffic weights.
+#
+# Weight scenarios:
+#   Initial canary test    → stable: 90  canary: 10
+#   Extended testing       → stable: 50  canary: 50
+#   Full promote to canary → stable:  0  canary: 100
+#   Emergency rollback     → stable: 100 canary:  0
+apiVersion: traefik.io/v1alpha1
+kind: TraefikService
+metadata:
+  name: nginx-weighted
+  namespace: nginx-mcp
+spec:
+  weighted:
+    services:
+      - name: nginx-mcp
+        namespace: nginx-mcp
+        port: 80
+        weight: 90
+      - name: nginx-canary-proxy
+        namespace: nginx-mcp
+        port: 80
+        weight: 10