move routes to authentik-private-prod for proxy auth

update web container image (CI)
remove BackendTLSPolicy
2026-02-05 10:30:33 -07:00 · 2026-02-04 23:08:05 +00:00 · 2026-02-04 16:01:58 -07:00 · 2026-02-04 22:54:31 +00:00
13 changed files with 12 additions and 94 deletions
--- a/apps/kustomize/web/base/gateway/backendtlspolicy.yaml
+++ b/apps/kustomize/web/base/gateway/backendtlspolicy.yaml
@@ -1,14 +0,0 @@
 apiVersion: gateway.networking.k8s.io/v1
 kind: BackendTLSPolicy
 metadata:
  name: web-gw
 spec:
  targetRefs:
    - kind: Service
      name: web
      group: ""
  validation:
    caCertificateRefs:
      - kind: ConfigMap
        name: brds-bundle
        group: ""
--- a/apps/kustomize/web/base/gateway/routes/https-v4.yaml
+++ b/apps/kustomize/web/base/gateway/routes/https-v4.yaml
@@ -1,15 +0,0 @@
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
  name: web-https-v4
 spec:
  rules:
    - backendRefs:
        - group: ""
          kind: Service
          name: web
          port: 443
      matches:
        - path:
            type: PathPrefix
            value: /
--- a/apps/kustomize/web/base/gateway/routes/https.yaml
+++ b/apps/kustomize/web/base/gateway/routes/https.yaml
@@ -1,20 +0,0 @@
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
  name: web-https
 spec:
  parentRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: web-gw
      sectionName: https
  rules:
    - backendRefs:
        - group: ""
          kind: Service
          name: web
          port: 443
      matches:
        - path:
            type: PathPrefix
            value: /
--- a/apps/kustomize/web/base/kustomization.yaml
+++ b/apps/kustomize/web/base/kustomization.yaml
@@ -4,9 +4,6 @@ kind: Kustomization
 resources:
  - gateway/routes/http.yaml
  - gateway/routes/http-v4.yaml
  - gateway/routes/https.yaml
  - gateway/routes/https-v4.yaml
  - gateway/backendtlspolicy.yaml
  - gateway/gateway.yaml
  - gateway/issuer.yaml
  - gateway/referencegrant.yaml
--- a/apps/kustomize/web/base/web/deployment.yaml
+++ b/apps/kustomize/web/base/web/deployment.yaml
@@ -23,6 +23,9 @@ spec:
            limits:
              memory: 512Mi
          ports:
            - containerPort: 80
              protocol: TCP
              name: http
            - containerPort: 443
              protocol: TCP
              name: https
--- a/apps/kustomize/web/base/web/service.yaml
+++ b/apps/kustomize/web/base/web/service.yaml
@@ -4,6 +4,10 @@ metadata:
  name: web
 spec:
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: 80
    - name: https
      port: 443
      protocol: TCP
--- a/apps/kustomize/web/envs/stage/gateway/backendtlspolicy.yaml
+++ b/apps/kustomize/web/envs/stage/gateway/backendtlspolicy.yaml
@@ -1,10 +0,0 @@
 apiVersion: gateway.networking.k8s.io/v1
 kind: BackendTLSPolicy
 metadata:
  name: web-gw
 spec:
  validation:
    hostname: stage.d-b.ca
    subjectAltNames:
      - type: Hostname
        hostname: stage.d-b.ca
--- a/apps/kustomize/web/envs/stage/gateway/gateway.yaml
+++ b/apps/kustomize/web/envs/stage/gateway/gateway.yaml
@@ -19,7 +19,10 @@ spec:
      protocol: HTTPS
      allowedRoutes:
        namespaces:
-          from: Same
+          from: Selector
          selector:
            matchLabels:
              kubernetes.io/metadata.name: authentik-private-prod
      tls:
        mode: Terminate
        certificateRefs:
--- a/apps/kustomize/web/envs/stage/gateway/routes/https-v4.yaml
+++ b/apps/kustomize/web/envs/stage/gateway/routes/https-v4.yaml
@@ -1,13 +0,0 @@
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
  name: web-https-v4
 spec:
  hostnames:
    - stage.d-b.ca
  parentRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: v4-gw
      namespace: gateway-prod
      sectionName: dbca-web-stage-https
--- a/apps/kustomize/web/envs/stage/gateway/routes/https.yaml
+++ b/apps/kustomize/web/envs/stage/gateway/routes/https.yaml
@@ -1,7 +0,0 @@
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
  name: web-https
 spec:
  hostnames:
    - stage.d-b.ca
--- a/apps/kustomize/web/envs/stage/kustomization.yaml
+++ b/apps/kustomize/web/envs/stage/kustomization.yaml
@@ -3,14 +3,10 @@ kind: Kustomization
 resources:
  - ../../base
  - namespace.yaml
 patches:
  - path: gateway/routes/http.yaml
  - path: gateway/routes/http-v4.yaml
  - path: gateway/routes/https.yaml
  - path: gateway/routes/https-v4.yaml
  - path: gateway/backendtlspolicy.yaml
  - path: gateway/gateway.yaml
  - path: gateway/issuer.yaml
  - path: web/web-backend-tls.yaml
--- a/apps/kustomize/web/envs/stage/namespace.yaml
+++ b/apps/kustomize/web/envs/stage/namespace.yaml
@@ -1,6 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: dbca-web-stage
  labels:
    brds.ca/localca: enabled
--- a/apps/kustomize/web/envs/stage/web/web-image.yaml
+++ b/apps/kustomize/web/envs/stage/web/web-image.yaml
@@ -7,4 +7,4 @@ spec:
    spec:
      containers:
      - name: web
-        image: core.harbor.brds.ca/d-b.ca/web:aaf6031c58a8f07df0d98877ae71ffbbbb0ee350
+        image: core.harbor.brds.ca/d-b.ca/web:3e53b359389830203b11a3cc9d2f7e63083246f4
Author	SHA1	Message	Date
Drew Bowering	59bda86be9	move routes to authentik-private-prod for proxy auth	2026-02-05 10:30:33 -07:00
BRD CI	84c8a8b6b6	update web container image (CI)	2026-02-04 23:08:05 +00:00
Drew Bowering	d31a196d87	remove BackendTLSPolicy - Cilium Gateway doesn't support TLS backends yet.	2026-02-04 16:01:58 -07:00
BRD CI	b8d41e95e4	update web container image (CI)	2026-02-04 22:54:31 +00:00