separate into webapp and registry ingress

Author: nicktrn

hosting/k8s/helm/README.md

@@ -113,14 +113,13 @@ This chart deploys the following components:
 ### Basic Configuration
 
 ```yaml
-# Application URLs
-config:
+webapp:
+  # Application URLs
   appOrigin: "https://trigger.example.com"
   loginOrigin: "https://trigger.example.com" 
   apiOrigin: "https://trigger.example.com"
 
-# Bootstrap mode (auto-creates worker group)
-config:
+  # Bootstrap mode (auto-creates worker group)
   bootstrap:
     enabled: true  # Enable for combined setups
     workerGroupName: "bootstrap"
@@ -133,8 +132,7 @@ Use external managed services instead of bundled components:
 ```yaml
 # External PostgreSQL
 postgres:
-  enabled: false
-  external: true
+  deploy: false
   external:
     host: "your-postgres.rds.amazonaws.com"
     port: 5432
@@ -144,17 +142,15 @@ postgres:
 
 # External Redis  
 redis:
-  enabled: false
-  external: true
+  deploy: false
   external:
     host: "your-redis.cache.amazonaws.com"
     port: 6379
     password: "your-password"
 
 # External Docker Registry (e.g., Kind local registry)
 registry:
-  enabled: true
-  external: true
+  deploy: true
   external:
     host: "localhost"
     port: 5001
@@ -165,20 +161,39 @@ registry:
 ### Ingress Configuration
 
 ```yaml
-ingress:
-  enabled: true
-  className: "nginx"
-  annotations:
-    cert-manager.io/cluster-issuer: "letsencrypt-prod"
-  hosts:
-    - host: trigger.example.com
-      paths:
-        - path: /
-          pathType: Prefix
-  tls:
-    - secretName: trigger-tls
-      hosts:
-        - trigger.example.com
+# Webapp ingress
+webapp:
+  ingress:
+    enabled: true
+    className: "nginx"
+    annotations:
+      cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    hosts:
+      - host: trigger.example.com
+        paths:
+          - path: /
+            pathType: Prefix
+    tls:
+      - secretName: trigger-tls
+        hosts:
+          - trigger.example.com
+
+# Registry ingress
+registry:
+  ingress:
+    enabled: true
+    className: "nginx"
+    annotations:
+      cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    hosts:
+      - host: registry.example.com
+        paths:
+          - path: /
+            pathType: Prefix
+    tls:
+      - secretName: registry-tls
+        hosts:
+          - registry.example.com
 ```
 
 ### Resource Configuration

hosting/k8s/helm/templates/NOTES.txt

@@ -24,10 +24,10 @@ To get started:
    kubectl get pods --namespace {{ .Release.Namespace }} -w
 
 2. Access the webapp:
-{{- if .Values.ingress.enabled }}
-{{- range $host := .Values.ingress.hosts }}
+{{- if .Values.webapp.ingress.enabled }}
+{{- range $host := .Values.webapp.ingress.hosts }}
   {{- range .paths }}
-   http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+   http{{ if $.Values.webapp.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
   {{- end }}
 {{- end }}
 {{- else if contains "NodePort" .Values.webapp.service.type }}

hosting/k8s/helm/templates/_helpers.tpl

@@ -306,20 +306,37 @@ Generate docker config for image pull secret
 {{- end }}
 
 {{/*
-Merge ingress annotations to avoid duplicates
+Merge webapp ingress annotations to avoid duplicates
 */}}
-{{- define "trigger-v4.ingress.annotations" -}}
+{{- define "trigger-v4.webapp.ingress.annotations" -}}
 {{- $annotations := dict -}}
-{{- if .Values.ingress.annotations -}}
-{{- $annotations = .Values.ingress.annotations -}}
+{{- if .Values.webapp.ingress.annotations -}}
+{{- $annotations = .Values.webapp.ingress.annotations -}}
 {{- end -}}
-{{- if .Values.ingress.certManager.enabled -}}
-{{- $_ := set $annotations "cert-manager.io/cluster-issuer" .Values.ingress.certManager.clusterIssuer -}}
+{{- if .Values.webapp.ingress.certManager.enabled -}}
+{{- $_ := set $annotations "cert-manager.io/cluster-issuer" .Values.webapp.ingress.certManager.clusterIssuer -}}
 {{- end -}}
-{{- if .Values.ingress.externalDns.enabled -}}
-{{- $_ := set $annotations "external-dns.alpha.kubernetes.io/hostname" .Values.ingress.externalDns.hostname -}}
-{{- $_ := set $annotations "external-dns.alpha.kubernetes.io/ttl" (.Values.ingress.externalDns.ttl | toString) -}}
+{{- if .Values.webapp.ingress.externalDns.enabled -}}
+{{- $_ := set $annotations "external-dns.alpha.kubernetes.io/hostname" .Values.webapp.ingress.externalDns.hostname -}}
+{{- $_ := set $annotations "external-dns.alpha.kubernetes.io/ttl" (.Values.webapp.ingress.externalDns.ttl | toString) -}}
 {{- end -}}
 {{- toYaml $annotations -}}
 {{- end }}
 
+{{/*
+Merge registry ingress annotations to avoid duplicates
+*/}}
+{{- define "trigger-v4.registry.ingress.annotations" -}}
+{{- $annotations := dict -}}
+{{- if .Values.registry.ingress.annotations -}}
+{{- $annotations = .Values.registry.ingress.annotations -}}
+{{- end -}}
+{{- if .Values.registry.ingress.certManager.enabled -}}
+{{- $_ := set $annotations "cert-manager.io/cluster-issuer" .Values.registry.ingress.certManager.clusterIssuer -}}
+{{- end -}}
+{{- if .Values.registry.ingress.externalDns.enabled -}}
+{{- $_ := set $annotations "external-dns.alpha.kubernetes.io/hostname" .Values.registry.ingress.externalDns.hostname -}}
+{{- $_ := set $annotations "external-dns.alpha.kubernetes.io/ttl" (.Values.registry.ingress.externalDns.ttl | toString) -}}
+{{- end -}}
+{{- toYaml $annotations -}}
+{{- end }}

hosting/k8s/helm/templates/registry-ingress.yaml

@@ -0,0 +1,52 @@
+{{- if and .Values.registry.deploy .Values.registry.ingress.enabled -}}
+{{- $fullName := include "trigger-v4.fullname" . -}}
+{{- $svcPort := .Values.registry.service.port -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $fullName }}-registry
+  labels:
+    {{- $component := "registry" }}
+    {{- include "trigger-v4.componentLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "component" $component) | nindent 4 }}
+  annotations:
+    {{- include "trigger-v4.registry.ingress.annotations" . | nindent 4 }}
+spec:
+  {{- if .Values.registry.ingress.className }}
+  ingressClassName: {{ .Values.registry.ingress.className }}
+  {{- end }}
+  {{- if .Values.registry.ingress.tls }}
+  tls:
+    {{- range .Values.registry.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.registry.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- if .paths }}
+          {{- range .paths }}
+          - path: {{ .path }}
+            pathType: {{ .pathType | default "Prefix" }}
+            backend:
+              service:
+                name: {{ $fullName }}-registry
+                port:
+                  number: {{ $svcPort }}
+          {{- end }}
+          {{- else }}
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ $fullName }}-registry
+                port:
+                  number: {{ $svcPort }}
+          {{- end }}
+    {{- end }}
+{{- end }}

hosting/k8s/helm/templates/ingress.yaml renamed to hosting/k8s/helm/templates/webapp-ingress.yaml

@@ -1,21 +1,22 @@
-{{- if .Values.ingress.enabled -}}
+{{- if .Values.webapp.ingress.enabled -}}
 {{- $fullName := include "trigger-v4.fullname" . -}}
 {{- $svcPort := .Values.webapp.service.port -}}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: {{ $fullName }}
+  name: {{ $fullName }}-webapp
   labels:
-    {{- include "trigger-v4.labels" . | nindent 4 }}
+    {{- $component := "webapp" }}
+    {{- include "trigger-v4.componentLabels" (dict "Chart" .Chart "Release" .Release "Values" .Values "component" $component) | nindent 4 }}
   annotations:
-    {{- include "trigger-v4.ingress.annotations" . | nindent 4 }}
+    {{- include "trigger-v4.webapp.ingress.annotations" . | nindent 4 }}
 spec:
-  {{- if .Values.ingress.className }}
-  ingressClassName: {{ .Values.ingress.className }}
+  {{- if .Values.webapp.ingress.className }}
+  ingressClassName: {{ .Values.webapp.ingress.className }}
   {{- end }}
-  {{- if .Values.ingress.tls }}
+  {{- if .Values.webapp.ingress.tls }}
   tls:
-    {{- range .Values.ingress.tls }}
+    {{- range .Values.webapp.ingress.tls }}
     - hosts:
         {{- range .hosts }}
         - {{ . | quote }}
@@ -24,7 +25,7 @@ spec:
     {{- end }}
   {{- end }}
   rules:
-    {{- range .Values.ingress.hosts }}
+    {{- range .Values.webapp.ingress.hosts }}
     - host: {{ .host | quote }}
       http:
         paths:

hosting/k8s/helm/templates/webapp.yaml

@@ -172,11 +172,11 @@ spec:
             {{- toYaml .Values.webapp.resources | nindent 12 }}
           env:
             - name: APP_ORIGIN
-              value: {{ .Values.config.appOrigin | quote }}
+              value: {{ .Values.webapp.appOrigin | quote }}
             - name: LOGIN_ORIGIN
-              value: {{ .Values.config.loginOrigin | quote }}
+              value: {{ .Values.webapp.loginOrigin | quote }}
             - name: API_ORIGIN
-              value: {{ .Values.config.apiOrigin | quote }}
+              value: {{ .Values.webapp.apiOrigin | quote }}
             - name: ELECTRIC_ORIGIN
               value: {{ include "trigger-v4.electric.url" . | quote }}
             - name: DATABASE_URL
@@ -194,7 +194,7 @@ spec:
             - name: APP_LOG_LEVEL
               value: {{ .Values.webapp.logLevel | quote }}
             - name: DEV_OTEL_EXPORTER_OTLP_ENDPOINT
-              value: "{{ .Values.config.appOrigin }}/otel"
+              value: "{{ .Values.webapp.appOrigin }}/otel"
             - name: DEPLOY_REGISTRY_HOST
               value: {{ include "trigger-v4.registry.host" . | quote }}
             - name: DEPLOY_REGISTRY_NAMESPACE

hosting/k8s/helm/values-production-example.yaml

@@ -12,33 +12,30 @@ secrets:
     accessKeyId: "your-access-key"
     secretAccessKey: "your-secret-key"
 
-# Production configuration
-config:
+# Production webapp configuration
+webapp:
+  # Origin configuration
   appOrigin: "https://trigger.example.com"
   loginOrigin: "https://trigger.example.com"
   apiOrigin: "https://trigger.example.com"
 
-# Production ingress
-ingress:
-  enabled: true
-  className: "nginx"
-  annotations:
-    cert-manager.io/cluster-issuer: "letsencrypt-prod"
-    nginx.ingress.kubernetes.io/ssl-redirect: "true"
-  hosts:
-    - host: trigger.example.com
-      paths:
-        - path: /
-          pathType: Prefix
-  tls:
-    - secretName: trigger-tls
-      hosts:
-        - trigger.example.com
+  # Production ingress
+  ingress:
+    enabled: true
+    className: "nginx"
+    annotations:
+      cert-manager.io/cluster-issuer: "letsencrypt-prod"
+      nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    hosts:
+      - host: trigger.example.com
+        paths:
+          - path: /
+            pathType: Prefix
+    tls:
+      - secretName: trigger-tls
+        hosts:
+          - trigger.example.com
 
-# Production webapp configuration
-webapp:
-  bootstrap:
-    enabled: false # Usually disabled in production
   resources:
     limits:
       cpu: 2000m
@@ -114,6 +111,23 @@ registry:
     size: 100Gi
     storageClass: "standard"
 
+  # Production ingress
+  ingress:
+    enabled: true
+    className: "nginx"
+    annotations:
+      cert-manager.io/cluster-issuer: "letsencrypt-prod"
+      nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    hosts:
+      - host: registry.example.com
+        paths:
+          - path: /
+            pathType: Prefix
+    tls:
+      - secretName: registry-tls
+        hosts:
+          - registry.example.com
+
 # Production Supervisor (Kubernetes worker orchestrator)
 supervisor:
   resources: