
System Services

Cluster-wide infrastructure. None of this is environment-specific — there is one Traefik, one cert-manager, one Prometheus, one Loki, one oauth2-proxy. All of it is installed by the dev-sys Argo CD Application (see Argo CD) and consumed by every namespace, including prod.

Each service has its own subfolder under k8s/envs/dev/sys/, and each subfolder contains an application.yaml (Argo CD Application CR) plus, where needed, a values.yaml for Helm overrides.

  • Traefik
    The ingress controller. All HTTP/HTTPS traffic into the cluster lands here first. Helm chart v39.0.0, exposed through a GCP external LoadBalancer Service.

  • cert-manager
    Automates TLS. One letsencrypt-prod ClusterIssuer; per-Ingress Certificates are issued and renewed via the ACME HTTP-01 challenge, so port 80 on the LoadBalancer has to stay reachable from the internet for renewals to keep working.

  • External-DNS
    Watches Ingress and Service resources and writes matching DNS records to Cloudflare for the tomoda.life zone.

  • External Secrets
    External Secrets Operator (ESO). Syncs values from GCP Secret Manager and AWS Secrets Manager into Kubernetes Secret objects via ClusterSecretStore definitions and per-app ExternalSecret CRs.

  • oauth2-proxy
    Google OAuth gate in front of the admin UIs (Argo CD, Grafana). Plugs into Traefik as a forwardAuth Middleware. Traefik applies a Middleware only to routers that reference it, so every admin Ingress has to attach it explicitly; an Ingress without the reference is served unauthenticated.

  • Monitoring
    kube-prometheus-stack v61.3.2: Prometheus, Alertmanager, Grafana, node-exporter, kube-state-metrics, the Prometheus operator, the default dashboards, and the custom tomoda-alerts PrometheusRule.

  • Loki
    Log aggregation. Promtail tails every pod's logs and ships them to Loki, which Grafana queries as a data source.
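How the Traefik, cert-manager and oauth2-proxy pieces above fit together on one admin Ingress, as an added example (not manifests from this repo): a forwardAuth Middleware pointing at oauth2-proxy's `/oauth2/auth` check endpoint, the letsencrypt-prod ClusterIssuer with an HTTP-01 solver on the traefik ingress class, and an Argo CD Ingress that attaches both. The namespace names (`sys`, `argocd`), the Service name `oauth2-proxy` on port 4180, the hostname `argocd.tomoda.life`, the `argocd-server` backend and the ACME contact address are assumptions for the example.

```yaml
# Added example, not from the repository. Assumed: oauth2-proxy runs as
# Service "oauth2-proxy" (port 4180) in namespace "sys"; Argo CD's server
# Service is "argocd-server" in namespace "argocd".
#
# The Middleware lives in the same namespace as the Ingress that uses it, so
# no cross-namespace reference is needed (Traefik's kubernetescrd provider
# rejects those unless providers.kubernetesCRD.allowCrossNamespace is true).
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: oauth2-proxy-auth
  namespace: argocd
spec:
  forwardAuth:
    # oauth2-proxy answers 202 for a valid session cookie, 401 otherwise
    address: http://oauth2-proxy.sys.svc.cluster.local:4180/oauth2/auth
    # Forward X-Forwarded-* so oauth2-proxy sees the real host/URI of the request
    trustForwardHeader: true
    # Identity headers oauth2-proxy sets on 202; Traefik copies them to the backend
    authResponseHeaders:
      - X-Auth-Request-User
      - X-Auth-Request-Email
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@tomoda.life          # assumed contact address
    privateKeySecretRef:
      name: letsencrypt-prod-account-key   # ACME account key, stored in cert-manager's namespace
    solvers:
      - http01:
          ingress:
            # The temporary challenge Ingress must be served by the same controller
            # that fronts port 80, otherwise Let's Encrypt never reaches the token
            ingressClassName: traefik
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd
  namespace: argocd
  annotations:
    # Tells cert-manager's ingress-shim to create and renew a Certificate for spec.tls
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # <namespace>-<middleware-name>@kubernetescrd. Remove this line and the
    # Argo CD UI is reachable without a Google login.
    traefik.ingress.kubernetes.io/router.middlewares: argocd-oauth2-proxy-auth@kubernetescrd
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
  ingressClassName: traefik
  tls:
    - hosts:
        - argocd.tomoda.life
      secretName: argocd-tls        # written by cert-manager
  rules:
    - host: argocd.tomoda.life
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: argocd-server
                port:
                  number: 80
```

Two things to check before trusting this gate. First, `/oauth2/auth` only answers 202 or 401; an unauthenticated browser still needs a way into the login flow, which in oauth2-proxy's documented Traefik setup means either routing `/oauth2/` on the protected host to oauth2-proxy or adding a Traefik `errors` middleware that serves `/oauth2/sign_in?rd={url}` from it. Second, verify the annotation is actually in effect (`kubectl get ingress -A -o jsonpath` over `router.middlewares`, or the router's middleware list in the Traefik dashboard) rather than assuming it from the manifest, because a missing or misspelled middleware name does not fail the Ingress; Traefik just serves the route without it.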

A few cluster-wide manifests that don't belong to any single service live in k8s/envs/dev/sys/manifests/ and are installed by the separate sys-resources Argo CD Application — see External Secrets for the ClusterSecretStore definitions and Argo CD for the argocd-image-updater Deployment.
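What a ClusterSecretStore plus a consuming ExternalSecret look like, as an added example rather than the repo's own `manifests/` content. Both stores authenticate with workload-bound identities (GKE Workload Identity for GCP, an IAM-role-for-service-account JWT for AWS), so no long-lived cloud credential is stored in the cluster; the project, cluster, region, role ARN, namespace and ServiceAccount names, the store names and the remote secret key are all assumptions.

```yaml
# Added example, not the repository's manifests. Assumed values are marked.
#
# GCP Secret Manager, authenticated through GKE Workload Identity: the KSA named
# below must be annotated with iam.gke.io/gcp-service-account and the bound GSA
# needs roles/secretmanager.secretAccessor on the secrets it should read.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: gcp-secret-manager
spec:
  # Cluster-scoped stores are usable from every namespace unless restricted here;
  # limit them so a pod in a scratch namespace cannot pull prod secrets.
  conditions:
    - namespaces:
        - prod
        - dev
  provider:
    gcpsm:
      projectID: tomoda-prod          # assumed
      auth:
        workloadIdentity:
          clusterLocation: asia-northeast1   # assumed
          clusterName: tomoda            # assumed
          serviceAccountRef:
            name: external-secrets       # assumed KSA
            namespace: sys               # assumed namespace of the ESO install
---
# AWS Secrets Manager, authenticated with a projected ServiceAccount token
# exchanged for the IAM role in the eks.amazonaws.com/role-arn annotation.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: aws-secrets-manager
spec:
  conditions:
    - namespaces:
        - prod
  provider:
    aws:
      service: SecretsManager
      region: ap-northeast-1            # assumed
      role: arn:aws:iam::123456789012:role/external-secrets   # assumed
      auth:
        jwt:
          serviceAccountRef:
            name: external-secrets
            namespace: sys
---
# Per-app ExternalSecret: ESO reads the remote key and materialises a plain
# Kubernetes Secret the app mounts as usual.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-db
  namespace: prod
spec:
  refreshInterval: 1h                   # re-read the backend; rotations propagate within this window
  secretStoreRef:
    kind: ClusterSecretStore
    name: gcp-secret-manager
  target:
    name: app-db                        # resulting Secret name
    creationPolicy: Owner               # ESO owns and garbage-collects the Secret
  data:
    - secretKey: DATABASE_URL           # key inside the Kubernetes Secret
      remoteRef:
        key: prod-app-database-url      # assumed Secret Manager secret name
```

The trust boundary here is the ServiceAccount in `serviceAccountRef`, not the ExternalSecret author: anyone who can create an ExternalSecret in an allowed namespace reads with that identity. Keep the `conditions` list tight, grant the cloud-side role access to specific secrets rather than the whole project, and check `kubectl get clustersecretstore` shows `READY True` after changes, since an auth failure surfaces there and on the ExternalSecret's `SecretSyncedError` condition rather than as a pod crash.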