2 Commits

Author SHA1 Message Date
Will Anderson 7aa56dcb1e fix(neuron-prod): add allow-dharma-ingress NetworkPolicy
The neuron-prod namespace runs a default-deny-all NetworkPolicy and
explicit allow-ingress policies for every legitimate service:
allow-mcp-ingress, allow-rest-ingress, allow-marketing-ingress,
allow-daemon-ingress, allow-engram-ingress. There was no equivalent
for dharma — so every request that arrived at Traefik in kube-system
got 502'd at the Service-to-pod hop, even though the dharma pod
itself was healthy and the IngressRoute was correctly defined.

The previous attempt to fix the 502 (PR #1) removed an unrelated
nonexistent certResolver from the IngressRoute. That was real but
not sufficient — the Traefik routing layer was healthy after that
change, but the Service-to-pod NetworkPolicy hop was still denied.

This adds allow-dharma-ingress mirroring allow-mcp-ingress: accepts
traffic from kube-system (Traefik) and from the neuron-prod
namespace itself.
2026-05-04 16:15:38 -05:00
will.anderson cbb564ccf5 revert(ci): runner public URL — CF Access blocks registration (#4) 2026-05-04 21:05:29 +00:00
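The first commit message describes the failure shape exactly: a default-deny namespace with one `allow-*-ingress` policy per service, and a service that never got one. As an added check (not code from this repository), the following audits that invariant over parsed NetworkPolicy and Service objects and lists the Services no policy admits from the ingress controller's namespace. The manifests are constructed sample dicts modelled on the page's `allow-mcp-ingress`; the function and helper names are mine.

```python
"""Audit a default-deny namespace: each Service behind an IngressRoute needs a NetworkPolicy
whose podSelector covers its pods and whose ingress rules admit the controller's namespace."""

def policy_admits_namespace(policy: dict, ns: str) -> bool:
    """True if some ingress `from` peer selects namespace `ns` by its
    kubernetes.io/metadata.name label, the pattern these manifests use."""
    spec = policy.get("spec", {})
    if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
        return False
    for rule in spec.get("ingress", []):
        for peer in rule.get("from", []):
            sel = peer.get("namespaceSelector", {}).get("matchLabels", {})
            if sel.get("kubernetes.io/metadata.name") == ns:
                return True
    return False  # default-deny-all has no ingress rules and ends up here

def pod_selector_covers(policy: dict, pod_labels: dict) -> bool:
    """A policy applies to the Service's pods if every matchLabels entry of its
    podSelector is among the labels the Service selects on ({} covers all)."""
    wanted = policy.get("spec", {}).get("podSelector", {}).get("matchLabels", {})
    return all(pod_labels.get(k) == v for k, v in wanted.items())

def find_unreachable_services(policies: list, services: list, ingress_ns: str = "kube-system") -> list:
    """Names of Services whose pods no same-namespace policy admits from
    ingress_ns; under default deny these 502 at the Service-to-pod hop."""
    missing = []
    for svc in services:
        ns, labels = svc["metadata"]["namespace"], svc["spec"]["selector"]
        admitted = any(pod_selector_covers(p, labels) and policy_admits_namespace(p, ingress_ns)
                       for p in policies if p["metadata"]["namespace"] == ns)
        if not admitted:
            missing.append(svc["metadata"]["name"])
    return missing

# Constructed sample state modelled on the page's manifests, not live cluster data.
def _policy(name: str, app: str, peers: list) -> dict:
    froms = [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": p}}} for p in peers]
    return {"metadata": {"name": name, "namespace": "neuron-prod"},
            "spec": {"podSelector": {"matchLabels": {"app": app}}, "policyTypes": ["Ingress"],
                     "ingress": [{"from": froms}]}}

def _service(name: str, app: str) -> dict:
    return {"metadata": {"name": name, "namespace": "neuron-prod"}, "spec": {"selector": {"app": app}}}

DEFAULT_DENY = {"metadata": {"name": "default-deny-all", "namespace": "neuron-prod"},
                "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}
SERVICES = [_service("mcp", "mcp"), _service("dharma", "dharma")]
BEFORE_FIX = [DEFAULT_DENY, _policy("allow-mcp-ingress", "mcp", ["kube-system", "neuron-prod"])]
AFTER_FIX = BEFORE_FIX + [_policy("allow-dharma-ingress", "dharma", ["kube-system", "neuron-prod"])]
```

Run against `kubectl get networkpolicy,service -n neuron-prod -o json` output (the `items` lists) and the function returns the services that will 502 behind Traefik; `BEFORE_FIX` reproduces the state the first commit describes, `AFTER_FIX` the state after it.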
3 changed files with 32 additions and 13 deletions
@@ -8,7 +8,7 @@ metadata:
labels:
app: gitea-runner
annotations:
config-version: "2026-05-04-public-instance-url"
config-version: "2026-05-04-docker-sock-fix"
spec:
replicas: 1
selector:
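Review bot: the `config-version` annotation changed here sits on the Deployment's own metadata, which does not trigger a rollout; only the matching pod-template annotation in the following hunk does, so this copy is informational. Reverting it to the earlier value `2026-05-04-docker-sock-fix` makes the post-revert state indistinguishable from the pre-change revision; a fresh value such as `2026-05-04-revert-public-url` would leave a record that the public-URL change was backed out.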
@@ -19,7 +19,7 @@ spec:
labels:
app: gitea-runner
annotations:
config-version: "2026-05-04-public-instance-url"
config-version: "2026-05-04-docker-sock-fix"
spec:
securityContext:
runAsNonRoot: false
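Review bot: the context line `runAsNonRoot: false` under the pod `securityContext`, together with the restored annotation name `docker-sock-fix`, suggests this runner runs as root to reach a Docker socket. That is a large privilege for a CI pod that executes repository-controlled workflows, and it deserves a comment next to the securityContext stating the reason and the compensating controls, so a later hardening pass neither breaks the runner nor leaves the setting in place without knowing why.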
@@ -92,7 +92,7 @@ metadata:
labels:
app: neuron-technologies-runner
annotations:
config-version: "2026-05-04-public-instance-url"
config-version: "2026-05-04-docker-sock-fix"
spec:
replicas: 2
selector:
@@ -103,7 +103,7 @@ spec:
labels:
app: neuron-technologies-runner
annotations:
config-version: "2026-05-04-public-instance-url"
config-version: "2026-05-04-docker-sock-fix"
spec:
securityContext:
runAsNonRoot: false
@@ -17,13 +17,7 @@ spec:
creationPolicy: Owner
template:
data:
# Public URL — the in-cluster name (gitea.git.svc.cluster.local) is
# not resolvable from build containers running with `network: host`,
# which causes `git fetch` to fail at the very first checkout step.
# The runner polls Gitea over Cloudflare; the latency cost is small
# and the build container's clone URL is derived from this instance,
# so it has to be a name the build container can resolve.
GITEA_INSTANCE_URL: "https://git.neuralplatform.ai"
GITEA_INSTANCE_URL: "http://gitea.git.svc.cluster.local:3000"
GITEA_RUNNER_REGISTRATION_TOKEN: "{{ .runner_token }}"
data:
- secretKey: runner_token
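Review bot: deleting the whole comment block loses the only in-tree record of why the public URL was tried (build containers running with `network: host` cannot resolve `gitea.git.svc.cluster.local`, so `git fetch` failed at the first checkout step); the revert's reason (CF Access blocks registration) lives only in the commit title. Keep a short comment on `GITEA_INSTANCE_URL` stating both constraints and the trade-off chosen, otherwise the in-cluster value looks like an oversight rather than a decision. Separately, the restored value is plain `http://` on port 3000, so `GITEA_RUNNER_REGISTRATION_TOKEN` and the runner's polling traffic cross the cluster network unencrypted; note in the same comment whether that is accepted as cluster-internal or whether the Service should be fronted by TLS.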
@@ -47,8 +41,7 @@ spec:
creationPolicy: Owner
template:
data:
# Public URL — see commentary on the gitea-runner-secret above.
GITEA_INSTANCE_URL: "https://git.neuralplatform.ai"
GITEA_INSTANCE_URL: "http://gitea.git.svc.cluster.local:3000"
GITEA_RUNNER_REGISTRATION_TOKEN: "{{ .runner_token }}"
data:
- secretKey: runner_token
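Review bot: with the cross-reference (`# Public URL — see commentary on the gitea-runner-secret above.`) removed, nothing records that this secret's `GITEA_INSTANCE_URL` must stay in lockstep with the gitea-runner one; a one-line comment naming the coupled secret, or deriving both values from a single source, would keep the two from drifting the next time one is edited.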
@@ -117,6 +117,32 @@ spec:
matchLabels:
kubernetes.io/metadata.name: neuron-prod
---
# ── dharma: accept from Traefik (kube-system) and neuron-prod namespace ──────
# The dharma pod was healthy and the IngressRoute was correct, but cross-
# namespace ingress from kube-system (Traefik) was denied by default-deny-all,
# so every external request landed at Traefik and bounced back as 502. This
# allow rule mirrors `allow-mcp-ingress` and brings dharma into line with the
# other neuron-prod services.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-dharma-ingress
namespace: neuron-prod
spec:
podSelector:
matchLabels:
app: dharma
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: neuron-prod
---
# ── Egress: all prod pods may reach platform (postgres/redis), vault,
# monitoring (alloy OTLP), kube-dns, and the internet (external APIs) ─
apiVersion: networking.k8s.io/v1
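Review bot: the first `from` entry admits every pod in `kube-system`, not just Traefik; putting a `podSelector` matching the Traefik pods' labels in the same list item as the `namespaceSelector` (AND semantics, versus OR as separate items) would narrow it to the ingress controller, and a `ports:` list limited to dharma's container port would close the remainder. The second entry likewise admits any pod in `neuron-prod`. Mirroring `allow-mcp-ingress` is a fair consistency argument, so if the broader shape is kept deliberately, say so in the comment in place of the incident narrative ("The dharma pod was healthy...", "bounced back as 502"), which will read as stale once the incident is forgotten.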