From b330b60c05b0495b3eec8f6c2816dd9d06fe3bc9 Mon Sep 17 00:00:00 2001 
From: Chris Alfano Date: Mon, 18 May 2026 01:48:09 -0400 Subject: [PATCH] feat(balancer): clean design with shared-cluster cnpg + Envoy Gateway MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Restructures balancer to the design we settled on before the Envoy/Gateway migration: balancer/ kustomization.yaml — wrapper, resources: [app, cnpg] app/ kustomization.yaml — namespace: balancer, references mapped base manifests/ — mapped from balancer-main base via hologit cnpg/ kustomization.yaml — no namespace database.yaml — Database CR in cloudnative-pg namespace Why this layout: - Single hololens (no `balancer-cnpg.toml`) - `Database` CR lives next to the balancer config in this repo but cnpg requires it to live in the cluster's namespace (cloudnative-pg). The cnpg sub-kustomization sets no namespace; database.yaml carries its own; k8s-normalize routes by resource at deploy time. - Replaces and supersedes PR #143 (TineoC's two-lens approach with the sort-order hack and mutable `develop` source ref). Holosource bumped v1.1.3 → v1.1.5 (latest balancer-main release). Holomapping filters out `ingress.yaml` (replaced by `_gateways/balancer.yaml`) and the upstream `kustomization.yaml` (we compose our own). Also adds `_gateways/balancer.yaml`: per-app Gateway + HTTPRoute on `balancer.sandbox.k8s.phl.io`. Hostname matches what `secret.template.yaml` documents and aligns with the per-app pattern used by the other sandbox apps post-PR-#152. Database resource will be applied but only fully usable after the `balancer-db-credentials` SealedSecret is created in the cloudnative-pg namespace and the balancer app's `balancer-config` is updated to point SQL_HOST at `shared-cluster-rw.cloudnative-pg.svc.cluster.local` with the new credentials. That cutover (data migration from the current RDS host) is a separate follow-up. 
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .../k8s-manifests/balancer/app/manifests.toml | 11 ++++++
 .../k8s-manifests/balancer/manifests.toml | 4 ---
 .holo/sources/balancer.toml | 2 +-
 _gateways/balancer.yaml | 36 +++++++++++++++++++
 balancer/app/kustomization.yaml | 13 +++++++
 balancer/cnpg/database.yaml | 10 ++++++
 balancer/cnpg/kustomization.yaml | 8 +++++
 balancer/kustomization.yaml | 25 ++++---------
 8 files changed, 86 insertions(+), 23 deletions(-)
 create mode 100644 .holo/branches/k8s-manifests/balancer/app/manifests.toml
 delete mode 100644 .holo/branches/k8s-manifests/balancer/manifests.toml
 create mode 100644 _gateways/balancer.yaml
 create mode 100644 balancer/app/kustomization.yaml
 create mode 100644 balancer/cnpg/database.yaml
 create mode 100644 balancer/cnpg/kustomization.yaml
diff --git a/.holo/branches/k8s-manifests/balancer/app/manifests.toml b/.holo/branches/k8s-manifests/balancer/app/manifests.toml
new file mode 100644
index 0000000..ad915d7
--- /dev/null
+++ b/.holo/branches/k8s-manifests/balancer/app/manifests.toml
@@ -0,0 +1,11 @@
+[holomapping]
+holosource = "balancer"
+root = "deploy/manifests/balancer/base"
+files = [
+ "namespace.yaml",
+ "deployment.yaml",
+ "service.yaml",
+]
+# Excludes the upstream `ingress.yaml` (replaced by per-cluster
+# _gateways/balancer.yaml) and `kustomization.yaml` (we compose our
+# own at balancer/app/kustomization.yaml).
diff --git a/.holo/branches/k8s-manifests/balancer/manifests.toml b/.holo/branches/k8s-manifests/balancer/manifests.toml
deleted file mode 100644
index 8e3f3dc..0000000
--- a/.holo/branches/k8s-manifests/balancer/manifests.toml
+++ /dev/null
@@ -1,4 +0,0 @@
-[holomapping]
-holosource = "balancer"
-root = "deploy/manifests/balancer/base"
-files = "**"
diff --git a/.holo/sources/balancer.toml b/.holo/sources/balancer.toml
index e0c6690..f0ca80f 100644
--- a/.holo/sources/balancer.toml
+++ b/.holo/sources/balancer.toml
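Review bot: The `files` list in `.holo/branches/k8s-manifests/balancer/app/manifests.toml` is now an allowlist, but the trailing comment documents only the two files that are deliberately excluded. This commit also moves the holosource from v1.1.3 to v1.1.5, so any manifest the upstream base has added or adds later (a NetworkPolicy or ServiceAccount, for example) would presumably be dropped without any signal. I would extend the comment with something like `# Allowlist: re-check deploy/manifests/balancer/base for new files on every holosource bump.`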
@@ -1,3 +1,3 @@
 [holosource]
 url = "https://github.com/CodeForPhilly/balancer-main.git"
-ref = "refs/tags/v1.1.3"
+ref = "refs/tags/v1.1.5"
diff --git a/_gateways/balancer.yaml b/_gateways/balancer.yaml
new file mode 100644
index 0000000..38d256d
--- /dev/null
+++ b/_gateways/balancer.yaml
@@ -0,0 +1,36 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ name: balancer
+ namespace: balancer
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+ gatewayClassName: eg
+ listeners:
+ - name: https
+ protocol: HTTPS
+ port: 443
+ hostname: balancer.sandbox.k8s.phl.io
+ tls:
+ mode: Terminate
+ certificateRefs:
+ - name: balancer-gw-tls
+ allowedRoutes:
+ namespaces:
+ from: Same
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: balancer
+ namespace: balancer
+spec:
+ parentRefs:
+ - name: balancer
+ hostnames:
+ - balancer.sandbox.k8s.phl.io
+ rules:
+ - backendRefs:
+ - name: balancer
+ port: 8000
diff --git a/balancer/app/kustomization.yaml b/balancer/app/kustomization.yaml
new file mode 100644
index 0000000..f532c47
--- /dev/null
+++ b/balancer/app/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: balancer
+
+resources:
+ - manifests/namespace.yaml
+ - manifests/deployment.yaml
+ - manifests/service.yaml
+
+images:
+ - name: ghcr.io/codeforphilly/balancer-main/app
+ newTag: "0.0.0-dev.20260211012449"
diff --git a/balancer/cnpg/database.yaml b/balancer/cnpg/database.yaml
new file mode 100644
index 0000000..4676c6b
--- /dev/null
+++ b/balancer/cnpg/database.yaml
@@ -0,0 +1,10 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Database
+metadata:
+ name: balancer
+ namespace: cloudnative-pg
+spec:
+ name: balancer
+ owner: balancer
+ cluster:
+ name: shared-cluster
diff --git a/balancer/cnpg/kustomization.yaml b/balancer/cnpg/kustomization.yaml
new file mode 100644
index 0000000..e6e3346
--- /dev/null
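Review bot: The HTTPRoute's `parentRefs` entry in `_gateways/balancer.yaml` names only the Gateway, so the route binds to every listener that Gateway has now or gains later. Today there is only the `https` listener, but if a port-80 listener is ever added (for a redirect or an ACME HTTP-01 solver, say) the app would also be served in cleartext on it. Adding `sectionName: https` under `- name: balancer` keeps the route on the TLS listener. The rule also has no `matches`, so every path on port 8000 is published on the public hostname; it is worth confirming that the backend has no admin or debug endpoints that should stay internal.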
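Review bot: The `images` override in `balancer/app/kustomization.yaml` pins the app by tag only (`newTag: "0.0.0-dev.20260211012449"`), and a registry tag can be re-pointed at different content after this review. Kustomize accepts `digest: sha256:<image-digest>` in the same entry, which makes the deployed image immutable and auditable. The tag is also a dev build while the holosource moves to v1.1.5 in this commit, so it is worth checking that the mapped manifests and the image still belong together.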
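Review bot: `owner: balancer` in `balancer/cnpg/database.yaml` depends on a PostgreSQL role that nothing visible in this commit creates; the description defers the `balancer-db-credentials` SealedSecret to a follow-up, so the Database will presumably not reconcile cleanly until the role exists on `shared-cluster`. A comment above `spec:` such as `# owner role "balancer" must already exist on shared-cluster (added in <follow-up PR>)` would make that ordering visible to the next operator. Because the cluster is shared, it is also worth confirming that other tenants' roles cannot connect to this database, since PostgreSQL grants CONNECT to PUBLIC on new databases by default.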
+++ b/balancer/cnpg/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+# No namespace — database.yaml declares its own (cloudnative-pg). cnpg
+# requires the Database CR to live in the same namespace as the Cluster
+# it targets, so we keep it out of the balancer-app rewrite.
+resources:
+ - database.yaml
diff --git a/balancer/kustomization.yaml b/balancer/kustomization.yaml
index a65cd73..676c435 100644
--- a/balancer/kustomization.yaml
+++ b/balancer/kustomization.yaml
@@ -1,22 +1,11 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: balancer
-
+# No namespace here — each sub-kustomization sets its own:
+# - app/ rewrites resources to `balancer`
+# - cnpg/ leaves Database CR in its own `cloudnative-pg` namespace
+# kustomize emits a single stream; k8s-normalize routes by each
+# resource's metadata.namespace at deploy time.
 resources:
- - manifests/namespace.yaml
- - manifests/deployment.yaml
- - manifests/service.yaml
-
-images:
- - name: ghcr.io/codeforphilly/balancer-main/app
- newTag: "0.0.0-dev.20260211012449"
-
-patches:
- - target:
- kind: Namespace
- name: balancer
- patch: |-
- - op: replace
- path: /metadata/name
- value: dev
+ - app
+ - cnpg
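Review bot: Nothing in `balancer/cnpg/kustomization.yaml` enforces the convention its comment describes: a resource added here later without its own `metadata.namespace` would be emitted with none, and where it lands then depends on the applier's default. Since this directory lets the balancer tree write into the shared `cloudnative-pg` namespace, I would state the rule in the comment, e.g. `# Every resource listed here MUST set metadata.namespace explicitly.`, and keep the list limited to Database CRs. The same applies to the wrapper in `balancer/kustomization.yaml`, which no longer sets a namespace either.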