@lorenzocorallo
Member

  • remove nginx-ingress (previously used for other projects and for monitoring stuff)
  • remove cert-manager (used by nginx-ingress and related for TLS, not needed anymore)
  • remove grafana ingress config (we use CF tunnel directly on the k8s service like with argocd)

we use only CF tunnels right now, no need for nginx-ingress and related
TLS services
@infracost

infracost bot commented Oct 31, 2025

💰 Infracost report

Monthly estimate generated

This comment will be updated when code changes.

@github-actions

Terraform Plan Output

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  # module.aks.helm_release.cert-manager will be destroyed
  # (because helm_release.cert-manager is not in configuration)
  - resource "helm_release" "cert-manager" {
      - atomic                     = false -> null
      - chart                      = "cert-manager" -> null
      - cleanup_on_fail            = true -> null
      - create_namespace           = true -> null
      - dependency_update          = false -> null
      - disable_crd_hooks          = false -> null
      - disable_openapi_validation = false -> null
      - disable_webhooks           = false -> null
      - force_update               = false -> null
      - id                         = "cert-manager" -> null
      - lint                       = false -> null
      - max_history                = 0 -> null
      - metadata                   = [
          - {
              - app_version    = "v1.12.1"
              - chart          = "cert-manager"
              - first_deployed = 1688502250
              - last_deployed  = 1688502250
              - name           = "cert-manager"
              - namespace      = "cert-manager"
              - notes          = <<-EOT
                    cert-manager v1.12.1 has been deployed successfully!
                    
                    In order to begin issuing certificates, you will need to set up a ClusterIssuer
                    or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
                    
                    More information on the different types of issuers and how to configure them
                    can be found in our documentation:
                    
                    https://cert-manager.io/docs/configuration/
                    
                    For information on how to configure cert-manager to automatically provision
                    Certificates for Ingress resources, take a look at the `ingress-shim`
                    documentation:
                    
                    https://cert-manager.io/docs/usage/ingress/
                EOT
              - revision       = 1
              - values         = jsonencode(
                    {
                      - installCRDs = true
                      - prometheus  = {
                          - enabled        = true
                          - servicemonitor = {
                              - enabled   = true
                              - labels    = {
                                  - release = "prometheus"
                                }
                              - namespace = "monitoring"
                            }
                        }
                    }
                )
              - version        = "v1.12.1"
            },
        ] -> null
      - name                       = "cert-manager" -> null
      - namespace                  = "cert-manager" -> null
      - pass_credentials           = false -> null
      - recreate_pods              = false -> null
      - render_subchart_notes      = true -> null
      - replace                    = false -> null
      - repository                 = "https://charts.jetstack.io" -> null
      - reset_values               = false -> null
      - reuse_values               = false -> null
      - skip_crds                  = false -> null
      - status                     = "deployed" -> null
      - timeout                    = 300 -> null
      - values                     = [
          - <<-EOT
                prometheus:
                  enabled: true
                  servicemonitor:
                    enabled: true
                    namespace: "monitoring"
                    labels:
                      release: prometheus
                installCRDs: true
            EOT,
        ] -> null
      - verify                     = false -> null
      - version                    = "v1.12.1" -> null
      - wait                       = true -> null
      - wait_for_jobs              = false -> null
    }

  # module.aks.helm_release.nginx_ingress will be destroyed
  # (because helm_release.nginx_ingress is not in configuration)
  - resource "helm_release" "nginx_ingress" {
      - atomic                     = false -> null
      - chart                      = "ingress-nginx" -> null
      - cleanup_on_fail            = false -> null
      - create_namespace           = true -> null
      - dependency_update          = false -> null
      - disable_crd_hooks          = false -> null
      - disable_openapi_validation = false -> null
      - disable_webhooks           = false -> null
      - force_update               = false -> null
      - id                         = "nginx-ingress" -> null
      - lint                       = false -> null
      - max_history                = 0 -> null
      - metadata                   = [
          - {
              - app_version    = "1.10.0"
              - chart          = "ingress-nginx"
              - first_deployed = 1711308690
              - last_deployed  = 1711308690
              - name           = "nginx-ingress"
              - namespace      = "ingress-nginx"
              - notes          = <<-EOT
                    The ingress-nginx controller has been installed.
                    It may take a few minutes for the load balancer IP to be available.
                    You can watch the status by running 'kubectl get service --namespace ingress-nginx nginx-ingress-ingress-nginx-controller --output wide --watch'
                    
                    An example Ingress that makes use of the controller:
                      apiVersion: networking.k8s.io/v1
                      kind: Ingress
                      metadata:
                        name: example
                        namespace: foo
                      spec:
                        ingressClassName: nginx
                        rules:
                          - host: www.example.com
                            http:
                              paths:
                                - pathType: Prefix
                                  backend:
                                    service:
                                      name: exampleService
                                      port:
                                        number: 80
                                  path: /
                        # This section is only required if TLS is to be enabled for the Ingress
                        tls:
                          - hosts:
                            - www.example.com
                            secretName: example-tls
                    
                    If TLS is enabled for the Ingress, a Secret containing the certificate and key must also be provided:
                    
                      apiVersion: v1
                      kind: Secret
                      metadata:
                        name: example-tls
                        namespace: foo
                      data:
                        tls.crt: <base64 encoded cert>
                        tls.key: <base64 encoded key>
                      type: kubernetes.io/tls
                EOT
              - revision       = 1
              - values         = jsonencode(
                    {
                      - controller = {
                          - enableCertManager     = true
                          - enableCustomResources = true
                          - service               = {
                              - annotations = {
                                  - "service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path" = "/healthz"
                                  - "service.beta.kubernetes.io/azure-load-balancer-resource-group"            = "rg-polinetwork"
                                }
                            }
                        }
                    }
                )
              - version        = "4.10.0"
            },
        ] -> null
      - name                       = "nginx-ingress" -> null
      - namespace                  = "ingress-nginx" -> null
      - pass_credentials           = false -> null
      - recreate_pods              = false -> null
      - render_subchart_notes      = true -> null
      - replace                    = false -> null
      - repository                 = "https://kubernetes.github.io/ingress-nginx" -> null
      - reset_values               = false -> null
      - reuse_values               = false -> null
      - skip_crds                  = false -> null
      - status                     = "deployed" -> null
      - timeout                    = 300 -> null
      - values                     = [
          - <<-EOT
                ---
                controller:
                  enableCustomResources: true
                  enableCertManager: true
                  service:
                    annotations:
                      service.beta.kubernetes.io/azure-load-balancer-resource-group: rg-polinetwork
                      service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: /healthz
            EOT,
        ] -> null
      - verify                     = false -> null
      - version                    = "4.10.0" -> null
      - wait                       = true -> null
      - wait_for_jobs              = false -> null
    }

  # module.aks.kubernetes_manifest.cluster-issuer will be destroyed
  # (because kubernetes_manifest.cluster-issuer is not in configuration)
  - resource "kubernetes_manifest" "cluster-issuer" {
      - manifest = {
          - apiVersion = "cert-manager.io/v1"
          - kind       = "ClusterIssuer"
          - metadata   = {
              - name = "letsencrypt-prod-issuer"
            }
          - spec       = {
              - acme = {
                  - email               = "adminorg@polinetwork.org"
                  - privateKeySecretRef = {
                      - name = "cert-manager-key"
                    }
                  - server              = "https://acme-v02.api.letsencrypt.org/directory"
                  - solvers             = [
                      - {
                          - http01 = {
                              - ingress = {
                                  - class = "nginx"
                                }
                            }
                        },
                    ]
                }
            }
        } -> null
      - object   = {
          - apiVersion = "cert-manager.io/v1"
          - kind       = "ClusterIssuer"
          - metadata   = {
              - annotations                = null
              - creationTimestamp          = null
              - deletionGracePeriodSeconds = null
              - deletionTimestamp          = null
              - finalizers                 = null
              - generateName               = null
              - generation                 = null
              - labels                     = null
              - managedFields              = null
              - name                       = "letsencrypt-prod-issuer"
              - namespace                  = null
              - ownerReferences            = null
              - resourceVersion            = null
              - selfLink                   = null
              - uid                        = null
            }
          - spec       = {
              - acme       = {
                  - caBundle                    = null
                  - disableAccountKeyGeneration = null
                  - email                       = "adminorg@polinetwork.org"
                  - enableDurationFeature       = null
                  - externalAccountBinding      = {
                      - keyAlgorithm = null
                      - keyID        = null
                      - keySecretRef = {
                          - key  = null
                          - name = null
                        }
                    }
                  - preferredChain              = ""
                  - privateKeySecretRef         = {
                      - key  = null
                      - name = "cert-manager-key"
                    }
                  - server                      = "https://acme-v02.api.letsencrypt.org/directory"
                  - skipTLSVerify               = null
                  - solvers                     = [
                      - {
                          - dns01    = {
                              - acmeDNS       = {
                                  - accountSecretRef = {
                                      - key  = null
                                      - name = null
                                    }
                                  - host             = null
                                }
                              - akamai        = {
                                  - accessTokenSecretRef  = {
                                      - key  = null
                                      - name = null
                                    }
                                  - clientSecretSecretRef = {
                                      - key  = null
                                      - name = null
                                    }
                                  - clientTokenSecretRef  = {
                                      - key  = null
                                      - name = null
                                    }
                                  - serviceConsumerDomain = null
                                }
                              - azureDNS      = {
                                  - clientID              = null
                                  - clientSecretSecretRef = {
                                      - key  = null
                                      - name = null
                                    }
                                  - environment           = null
                                  - hostedZoneName        = null
                                  - managedIdentity       = {
                                      - clientID   = null
                                      - resourceID = null
                                    }
                                  - resourceGroupName     = null
                                  - subscriptionID        = null
                                  - tenantID              = null
                                }
                              - cloudDNS      = {
                                  - hostedZoneName          = null
                                  - project                 = null
                                  - serviceAccountSecretRef = {
                                      - key  = null
                                      - name = null
                                    }
                                }
                              - cloudflare    = {
                                  - apiKeySecretRef   = {
                                      - key  = null
                                      - name = null
                                    }
                                  - apiTokenSecretRef = {
                                      - key  = null
                                      - name = null
                                    }
                                  - email             = null
                                }
                              - cnameStrategy = null
                              - digitalocean  = {
                                  - tokenSecretRef = {
                                      - key  = null
                                      - name = null
                                    }
                                }
                              - rfc2136       = {
                                  - nameserver          = null
                                  - tsigAlgorithm       = null
                                  - tsigKeyName         = null
                                  - tsigSecretSecretRef = {
                                      - key  = null
                                      - name = null
                                    }
                                }
                              - route53       = {
                                  - accessKeyID              = null
                                  - accessKeyIDSecretRef     = {
                                      - key  = null
                                      - name = null
                                    }
                                  - hostedZoneID             = null
                                  - region                   = null
                                  - role                     = null
                                  - secretAccessKeySecretRef = {
                                      - key  = null
                                      - name = null
                                    }
                                }
                              - webhook       = {
                                  - config     = null
                                  - groupName  = null
                                  - solverName = null
                                }
                            }
                          - http01   = {
                              - gatewayHTTPRoute = {
                                  - labels      = null
                                  - parentRefs  = null
                                  - serviceType = null
                                }
                              - ingress          = {
                                  - class            = "nginx"
                                  - ingressClassName = null
                                  - ingressTemplate  = {
                                      - metadata = {
                                          - annotations = null
                                          - labels      = null
                                        }
                                    }
                                  - name             = null
                                  - podTemplate      = {
                                      - metadata = {
                                          - annotations = null
                                          - labels      = null
                                        }
                                      - spec     = {
                                          - affinity           = {
                                              - nodeAffinity    = {
                                                  - preferredDuringSchedulingIgnoredDuringExecution = null
                                                  - requiredDuringSchedulingIgnoredDuringExecution  = {
                                                      - nodeSelectorTerms = null
                                                    }
                                                }
                                              - podAffinity     = {
                                                  - preferredDuringSchedulingIgnoredDuringExecution = null
                                                  - requiredDuringSchedulingIgnoredDuringExecution  = null
                                                }
                                              - podAntiAffinity = {
                                                  - preferredDuringSchedulingIgnoredDuringExecution = null
                                                  - requiredDuringSchedulingIgnoredDuringExecution  = null
                                                }
                                            }
                                          - imagePullSecrets   = null
                                          - nodeSelector       = null
                                          - priorityClassName  = null
                                          - serviceAccountName = null
                                          - tolerations        = null
                                        }
                                    }
                                  - serviceType      = null
                                }
                            }
                          - selector = {
                              - dnsNames    = null
                              - dnsZones    = null
                              - matchLabels = null
                            }
                        },
                    ]
                }
              - ca         = {
                  - crlDistributionPoints = null
                  - ocspServers           = null
                  - secretName            = null
                }
              - selfSigned = {
                  - crlDistributionPoints = null
                }
              - vault      = {
                  - auth              = {
                      - appRole        = {
                          - path      = null
                          - roleId    = null
                          - secretRef = {
                              - key  = null
                              - name = null
                            }
                        }
                      - kubernetes     = {
                          - mountPath         = null
                          - role              = null
                          - secretRef         = {
                              - key  = null
                              - name = null
                            }
                          - serviceAccountRef = {
                              - name = null
                            }
                        }
                      - tokenSecretRef = {
                          - key  = null
                          - name = null
                        }
                    }
                  - caBundle          = null
                  - caBundleSecretRef = {
                      - key  = null
                      - name = null
                    }
                  - namespace         = null
                  - path              = null
                  - server            = null
                }
              - venafi     = {
                  - cloud = {
                      - apiTokenSecretRef = {
                          - key  = null
                          - name = null
                        }
                      - url               = null
                    }
                  - tpp   = {
                      - caBundle       = null
                      - credentialsRef = {
                          - name = null
                        }
                      - url            = null
                    }
                  - zone  = null
                }
            }
        } -> null
    }

Plan: 0 to add, 0 to change, 3 to destroy.

@lorenzocorallo lorenzocorallo merged commit c949713 into stable Oct 31, 2025
6 checks passed
@lorenzocorallo lorenzocorallo deleted the remove-nginx-ingress branch October 31, 2025 20:05