NationTech/harmony
3
0
Fork 2
Code Issues 38 Pull Requests 29 Actions Packages Projects Releases 1 Wiki Activity

feat(fleet): expose operator UI via cert-manager TLS ingress #321

Merged
johnride merged 1 commits from feat/fleet-operator-ui-ingress into master 2026-06-01 20:26:50 +00:00
Conversation 2 Commits 1 Files Changed 11 +207 -14
johnride commented 2026-06-01 19:55:55 +00:00
Owner
Copy Link

Adds a ClusterIP Service to the operator chart and an Ingress applied
after install, exposing the UI at fleet-stg.{base_domain} — coherent
with the sso-stg./secrets-stg. staging hosts.

  • chart: ClusterIP Service on OPERATOR_HTTP_PORT (18080)
  • K8sIngressScore: optional cluster_issuer → cert-manager.io/cluster-issuer
    annotation + tls block + OKD edge-termination (no-op off OpenShift);
    None keeps plain HTTP for issuer-less k3d. Render extracted + unit-tested.
  • FleetOperatorScore.ingress(host, issuer): composes the ingress post-install;
    unset (dev/e2e) leaves the UI cluster-internal.
  • FleetDeployConfig: base_domain + cluster_issuer; CD binary derives the host.

HTTP->HTTPS redirect is unconfirmed on OKD (no portable Ingress annotation
in use here) and must be verified on staging.

Adds a ClusterIP Service to the operator chart and an Ingress applied after install, exposing the UI at fleet-stg.{base_domain} — coherent with the sso-stg./secrets-stg. staging hosts. - chart: ClusterIP Service on OPERATOR_HTTP_PORT (18080) - K8sIngressScore: optional cluster_issuer → cert-manager.io/cluster-issuer annotation + tls block + OKD edge-termination (no-op off OpenShift); None keeps plain HTTP for issuer-less k3d. Render extracted + unit-tested. - FleetOperatorScore.ingress(host, issuer): composes the ingress post-install; unset (dev/e2e) leaves the UI cluster-internal. - FleetDeployConfig: base_domain + cluster_issuer; CD binary derives the host. HTTP->HTTPS redirect is unconfirmed on OKD (no portable Ingress annotation in use here) and must be verified on staging.
johnride added 1 commit 2026-06-01 19:55:55 +00:00
feat(fleet): expose operator UI via cert-manager TLS ingress
All checks were successful
Run Check Script / check (pull_request) Successful in 2m15s
Details
72cc378088 
Adds a ClusterIP Service to the operator chart and an Ingress applied
after install, exposing the UI at fleet-stg.{base_domain} — coherent
with the sso-stg./secrets-stg. staging hosts.

- chart: ClusterIP Service on OPERATOR_HTTP_PORT (18080)
- K8sIngressScore: optional cluster_issuer → cert-manager.io/cluster-issuer
  annotation + tls block + OKD edge-termination (no-op off OpenShift);
  None keeps plain HTTP for issuer-less k3d. Render extracted + unit-tested.
- FleetOperatorScore.ingress(host, issuer): composes the ingress post-install;
  unset (dev/e2e) leaves the UI cluster-internal.
- FleetDeployConfig: base_domain + cluster_issuer; CD binary derives the host.

HTTP->HTTPS redirect is unconfirmed on OKD (no portable Ingress annotation
in use here) and must be verified on staging.
johnride reviewed 2026-06-01 20:22:19 +00:00
fleet/harmony-fleet-deploy/src/secrets.rs
@@ -56,6 +63,8 @@ impl Default for FleetDeployConfig {
openbao_namespace: "openbao-staging".to_string(),
operator_chart_registry: "hub.nationtech.io".to_string(),
operator_chart_project: "harmony".to_string(),
base_domain: "cb1.nationtech.io".to_string(),
johnride commented 2026-06-01 20:22:19 +00:00
Author
Owner
Copy Link

We need to figure out a better (more secure and less vendor-locked) way to provide sane defaults for public hostnames.

We do plan on providing a free tier for harmony users but that is not done yet.

We need to figure out a better (more secure and less vendor-locked) way to provide sane defaults for public hostnames. We do plan on providing a free tier for harmony users but that is not done yet.
johnride reviewed 2026-06-01 20:26:41 +00:00
johnride left a comment
Author
Owner
Copy Link

LTGM

LTGM
johnride merged commit c5ac725944 into master 2026-06-01 20:26:50 +00:00
johnride deleted branch feat/fleet-operator-ui-ingress 2026-06-01 20:26:51 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
Architecture Decision Record
Good first issue
RFC
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
johnride jvtrudel reda stremblay
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: NationTech/harmony#321
No description provided.
Delete Branch "feat/fleet-operator-ui-ingress"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?