fix: PipCache | MUST be singleton

cache-infrastructure/pip/index.ts

@@ -34,7 +34,6 @@ export class PipCache extends Construct {
       namespace,
       name,
       size: "128Gi",
-      accessModes: ["ReadWriteMany"],
     });
 
     new DeploymentV1(this, "deployment", {
@@ -44,7 +43,10 @@ export class PipCache extends Construct {
         namespace,
       },
       spec: {
-        replicas: "3",
+        replicas: "1",
+        strategy: {
+          type: "Recreate",
+        },
         selector: {
           matchLabels: {
             app: name,
@@ -60,40 +62,6 @@ export class PipCache extends Construct {
             nodeSelector: {
               nodepool: "worker",
             },
-            topologySpreadConstraint: [
-              {
-                maxSkew: 1,
-                topologyKey: "kubernetes.io/hostname",
-                whenUnsatisfiable: "ScheduleAnyway",
-                labelSelector: [
-                  {
-                    matchLabels: {
-                      app: name,
-                    },
-                  },
-                ],
-              },
-            ],
-            affinity: {
-              podAntiAffinity: {
-                requiredDuringSchedulingIgnoredDuringExecution: [
-                  {
-                    topologyKey: "kubernetes.io/hostname",
-                    labelSelector: [
-                      {
-                        matchExpressions: [
-                          {
-                            key: "app",
-                            operator: "In",
-                            values: [name],
-                          },
-                        ],
-                      },
-                    ],
-                  },
-                ],
-              },
-            },
             volume: [
               {
                 name: "data",

core-services/metallb/index.ts

@@ -1,3 +1,5 @@
+import * as fs from "fs";
+import * as path from "path";
 import { HelmProvider } from "@cdktf/provider-helm/lib/provider";
 import { Release } from "@cdktf/provider-helm/lib/release";
 import { Construct } from "constructs";
@@ -17,6 +19,7 @@ export class MetalLB extends Construct {
       repository: "https://metallb.github.io/metallb",
       chart: "metallb",
       createNamespace: true,
+      values: [fs.readFileSync(path.join(__dirname, "values.yaml"), "utf8")],
     });
   }
 }

core-services/metallb/values.yaml

@@ -0,0 +1,6 @@
+controller:
+  nodeSelector:
+    nodepool: worker
+speaker:
+  nodeSelector:
+    nodepool: worker

core-services/traefik/values.yaml

@@ -12,10 +12,13 @@ deployment:
     app: traefik
 nodeSelector:
   nodepool: worker
+service:
+  spec:
+    externalTrafficPolicy: Local
 topologySpreadConstraints:
   - maxSkew: 1
     topologyKey: "kubernetes.io/hostname"
-    whenUnsatisfiable: "ScheduleAnyway"
+    whenUnsatisfiable: "DoNotSchedule"
     labelSelector:
       matchLabels:
         app: traefik

network-security/index.ts

@@ -71,7 +71,7 @@ export class NetworkSecurity extends TerraformStack {
       provider: kubernetes,
       namespace,
       name: "ip-allow-list",
-      sourceRanges: ["192.168.18.0/24", "10.43.0.0/16"],
+      sourceRanges: ["192.168.18.0/24", "10.42.0.0/16"],
     });
 
     new IpAllowListMiddlewareTCP(this, "tcp-internal-ip-allow-list", {