Context
The Istio ingress gateway is now the live edge for the demo. Every production
DNS record (*, auth, dev, gitlab, grafana, kiali .usgov.coderdemo.io)
points at the Istio gateway NLB, mesh-wide STRICT mTLS is enforced, and every
hostname is verified serving 200 through the gateway (Envoy server: istio-envoy). ingress-nginx still runs but receives no traffic; it is kept only
as an instant rollback while we validate. The Istio rollout is in PR #31.
This issue tracks removing ingress-nginx once validation is complete.
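The gateway check described in the Context (each hostname answering 200 with server: istio-envoy) can be scripted so it is repeatable before and after ingress-nginx is removed. This is an added example, not part of the original issue; probing "/" with a GET, the function names and the sample headers are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the issue): confirm each host is answered by the
# Istio gateway. Taken from the issue: the domain, the host names, the 200
# status and the "server: istio-envoy" header.
# Assumptions: "/" is the path to probe, curl is installed.

DOMAIN="usgov.coderdemo.io"
HOSTS="auth dev gitlab grafana kiali"   # the wildcard record has no single name to probe

# Read raw response headers on stdin; print PASS only for a 200 from istio-envoy.
classify_edge() {
  tr -d '\r' | awk '
    NR == 1 { status = $2 }                            # "HTTP/2 200" -> 200
    tolower($1) == "server:" { server = tolower($2) }  # header names are case-insensitive
    END {
      if (server == "") server = "none"                # no header, or no response at all
      if (status == "") status = "none"
      if (server == "istio-envoy" && status == "200") print "PASS"
      else printf "FAIL server=%s status=%s\n", server, status
    }'
}

# Probe every host with a GET; return non-zero if any host is not PASS.
check_hosts() {
  rc=0
  for h in $HOSTS; do
    verdict=$(curl -s -o /dev/null -D - --max-time 10 "https://$h.$DOMAIN/" | classify_edge)
    printf '%-8s %s\n' "$h" "$verdict"
    [ "$verdict" = "PASS" ] || rc=1
  done
  return "$rc"
}

# Constructed sample headers so the classifier can be exercised offline.
sample_istio() { printf 'HTTP/2 200 \r\nserver: istio-envoy\r\n\r\n'; }
sample_other() { printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n'; }

if [ "${1:-}" = "--live" ]; then
  check_hosts            # real probes against the hosts listed above
else
  sample_istio | classify_edge
  sample_other | classify_edge
fi
```

Run with --live to probe the real hosts; a host that redirects instead of returning 200 on "/" is reported as FAIL with its status so it can be checked by hand.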
Pre-checks (before removing anything)
Decommission steps
- Remove the now-redundant nginx Ingress objects (routing is handled by the
Istio VirtualService objects in deploy/istio/gateway/):
coder/coder, keycloak/keycloak, gitlab/gitlab, monitoring/grafana.
For chart-managed Ingresses (coder, grafana), disable the Ingress in the Helm
values so it is not recreated; for the standalone ones, delete the manifest.
- Uninstall the controller: helm uninstall ingress-nginx -n ingress-nginx.
Because its Service is type: LoadBalancer, the AWS Load Balancer Controller
then deletes the old nginx NLB
(k8s-ingressn-ingressn-e16fe3cd33-c002102481951644.elb.us-gov-west-1.amazonaws.com).
- KEEP the aws-load-balancer-controller: the Istio gateway NLB is also
managed by it.
- Delete the ingress-nginx namespace once empty.
Verification after removal
Rollback
Re-install ingress-nginx from deploy/platform/ingress-nginx-values.yaml,
re-create the Ingress objects, and repoint the Route53 ALIAS records back to the
nginx NLB. Only needed if a gateway problem appears after nginx is gone.
Notes
- Do NOT remove the AWS Load Balancer Controller or the Istio gateway NLB.
- Per-host rollback during validation is just repointing that host's Route53
ALIAS back to the nginx NLB; to drop STRICT, re-apply
deploy/istio/security/peerauthentication-permissive.yaml.
Generated by Coder Agents on behalf of @ausbru87.
Pre-checks (before removing anything)
ingress-nginx show only health checks; the old NLB target groups show no
non-health requests).
server: istio-envoy).
Kiali all work in a browser, including a workspace build and a terminal or
app (the websocket path).