diff --git a/apps/nginx-weighted/application.yaml b/apps/nginx-weighted/application.yaml
new file mode 100644
index 0000000..84bfcbb
--- /dev/null
+++ b/apps/nginx-weighted/application.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: nginx-weighted
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: http://gitea-http.gitea.svc.cluster.local:3000/admin/k3s-gitops
+ path: apps/nginx-weighted
+ targetRevision: HEAD
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: nginx-mcp
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/apps/nginx-weighted/canary-proxy-svc.yaml b/apps/nginx-weighted/canary-proxy-svc.yaml
new file mode 100644
index 0000000..1afe9ee
--- /dev/null
+++ b/apps/nginx-weighted/canary-proxy-svc.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: nginx-canary-proxy
+ namespace: nginx-mcp
+ labels:
+ app: nginx-canary-proxy
+ annotations:
+ description: >
+ ExternalName proxy required because Traefik v3 does not allow
+ cross-namespace service references inside TraefikService weighted config.
+ This service bridges nginx-mcp namespace → nginx-canary namespace.
+spec:
+ type: ExternalName
+ externalName: nginx-canary.nginx-canary.svc.cluster.local
+ ports:
+ - port: 80
+ targetPort: 80
diff --git a/apps/nginx-weighted/certificate.yaml b/apps/nginx-weighted/certificate.yaml
new file mode 100644
index 0000000..1c2ccf9
--- /dev/null
+++ b/apps/nginx-weighted/certificate.yaml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: nginx-weighted-tls
+ namespace: nginx-mcp
+spec:
+ secretName: nginx-weighted-tls
+ issuerRef:
+ name: letsencrypt-http
+ kind: ClusterIssuer
+ dnsNames:
+ - nginx.thedevops.dev
diff --git a/apps/nginx-weighted/ingressroute.yaml b/apps/nginx-weighted/ingressroute.yaml
new file mode 100644
index 0000000..5e2c31f
--- /dev/null
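Review bot: `repoURL` in `application.yaml` fetches manifests over plain `http://`, and with `automated` sync plus `prune: true` and `selfHeal: true` whatever Argo CD receives from that URL is applied to the cluster without a human step. Serving the Gitea repository over TLS (or SSH) and pointing `repoURL` at that endpoint would authenticate the source in transit. `project: default` and `targetRevision: HEAD` widen the exposure: unless the default AppProject has been restricted it accepts any source repo and destination, so a dedicated AppProject scoped to this repo and the namespaces this app needs, together with a named branch or tag in `targetRevision`, would narrow what a single bad push can change. This manifest also sits in the same `apps/nginx-weighted` path it syncs, so it appears to manage itself; any project restriction has to allow for that.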
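Review bot: The `description` annotation in `canary-proxy-svc.yaml` presents the cross-namespace restriction as a Traefik v3 limitation, but it is the provider's `allowCrossNamespace` guard (off by default), and this `ExternalName` Service routes around that guard instead of enabling it deliberately. ExternalName backends are themselves gated by `allowExternalNameServices` on the Kubernetes CRD provider, so the proxy only works if that switch is on for the whole Traefik instance. The Traefik static configuration is not part of this diff, so confirm which setting is relied on and say so in the annotation. Because traffic now leaves `nginx-mcp` for `nginx-canary`, any NetworkPolicy in the canary namespace has to admit the Traefik pods.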
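Review bot: The `spec` in `certificate.yaml` leaves the private-key settings at cert-manager's defaults, so the key algorithm and rotation behaviour depend on the installed version. On releases where the default rotation policy is `Never`, the key stored in `nginx-weighted-tls` is reused across every renewal; adding `privateKey:` with `rotationPolicy: Always` makes each renewal issue a fresh key. The `letsencrypt-http` ClusterIssuer is defined outside this diff, so it is worth checking that its HTTP-01 solver stays reachable on port 80 alongside the redirect route added in `ingressroute.yaml`.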
+++ b/apps/nginx-weighted/ingressroute.yaml
@@ -0,0 +1,38 @@
+---
+# HTTPS entrypoint — routes nginx.thedevops.dev through weighted TraefikService
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: nginx-weighted
+ namespace: nginx-mcp
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`nginx.thedevops.dev`)
+ kind: Rule
+ services:
+ - name: nginx-weighted
+ namespace: nginx-mcp
+ kind: TraefikService
+ tls:
+ secretName: nginx-weighted-tls
+---
+# HTTP entrypoint — redirects all HTTP traffic to HTTPS via middleware
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: nginx-weighted-http
+ namespace: nginx-mcp
+spec:
+ entryPoints:
+ - web
+ routes:
+ - match: Host(`nginx.thedevops.dev`)
+ kind: Rule
+ middlewares:
+ - name: redirect-https
+ namespace: nginx-mcp
+ services:
+ - name: nginx-mcp
+ port: 80
diff --git a/apps/nginx-weighted/middleware.yaml b/apps/nginx-weighted/middleware.yaml
new file mode 100644
index 0000000..554375c
--- /dev/null
+++ b/apps/nginx-weighted/middleware.yaml
@@ -0,0 +1,9 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: redirect-https
+ namespace: nginx-mcp
+spec:
+ redirectScheme:
+ scheme: https
+ permanent: true
diff --git a/apps/nginx-weighted/traefikservice.yaml b/apps/nginx-weighted/traefikservice.yaml
new file mode 100644
index 0000000..912f3fe
--- /dev/null
+++ b/apps/nginx-weighted/traefikservice.yaml
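Review bot: The `websecure` route in `ingressroute.yaml` sets only `tls.secretName` and attaches no middleware, so protocol versions and ciphers fall back to Traefik's default TLSOption and the proxy adds no HSTS header. Since the `web` route already issues a permanent redirect, a `headers` Middleware with `stsSeconds` on the HTTPS route would keep returning browsers off plain HTTP, and a `tls.options` reference to a TLSOption with `minVersion: VersionTLS12` would pin the protocol floor. In the `web` route the `services` entry (`nginx-mcp`, port 80) sits behind the redirect middleware; a comment such as `# placeholder backend, requests are redirected before reaching it` would stop a reader assuming HTTP traffic is served from there.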
@@ -0,0 +1,25 @@
+---
+# TraefikService — weighted load balancer between stable and canary.
+# THIS IS THE ONLY FILE YOU NEED TO EDIT to shift traffic weights.
+#
+# Weight scenarios:
+# Initial canary test → stable: 90 canary: 10
+# Extended testing → stable: 50 canary: 50
+# Full promote to canary → stable: 0 canary: 100
+# Emergency rollback → stable: 100 canary: 0
+apiVersion: traefik.io/v1alpha1
+kind: TraefikService
+metadata:
+ name: nginx-weighted
+ namespace: nginx-mcp
+spec:
+ weighted:
+ services:
+ - name: nginx-mcp
+ namespace: nginx-mcp
+ port: 80
+ weight: 90
+ - name: nginx-canary-proxy
+ namespace: nginx-mcp
+ port: 80
+ weight: 10
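Review bot: The `weighted` block in `traefikservice.yaml` has no `sticky` setting, so consecutive requests from one client can alternate between stable and canary, which makes it hard to tie an error or an unexpected response to one version while the canary is being watched. If per-client pinning is wanted, add a `sticky.cookie` under `weighted` and set `secure: true` and `httpOnly: true` on it. The header comment says this is the only file to edit; because the Application in this same commit syncs automatically, it would help to add a line such as `# A merged weight change is applied by Argo CD without a further approval step.` so the blast radius of an edit is clear to whoever makes it.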