Replace LB with Traefik ingress for TLS + basic auth

- Remove m3coordinator LoadBalancer service (was using deprecated AutoSSL) - Add Traefik ingress controller with Let's Encrypt ACME - Add basic auth middleware for external access - Update test scripts with auth support and fixed protobuf encoding - Add multi-tenancy documentation (label-based isolation) - Update README with Traefik deployment instructions
2026-04-01 05:19:14 +00:00
parent 5eb58d1864
commit a6c59d6a65
6 changed files with 368 additions and 197 deletions
--- a/05-m3coordinator.yaml
+++ b/05-m3coordinator.yaml
@@ -115,36 +115,3 @@ spec:
      protocol: TCP
  selector:
    app.kubernetes.io/name: m3coordinator
-
---
-
-##############################################################################
-# M3 Coordinator LoadBalancer Service
-# External endpoint for cross-region/cross-cluster access
-# Vultr CCM provisions a managed load balancer automatically
-#
-# remote_write → http://<LB-IP>:7201/api/v1/prom/remote/write
-# remote_read  → http://<LB-IP>:7201/api/v1/prom/remote/read
-# query (Grafana) → http://<LB-IP>:7201
-##############################################################################
-
-apiVersion: v1
-kind: Service
-metadata:
-  name: m3coordinator-lb
-  namespace: m3db
-  labels:
-    app.kubernetes.io/name: m3coordinator
-    app.kubernetes.io/part-of: m3db
-  annotations:
-    # Backend speaks HTTP so LB can do health checks and proper proxying
-    service.beta.kubernetes.io/vultr-loadbalancer-backend-protocol: "http"
-spec:
-  type: LoadBalancer
-  ports:
-    - name: api
-      port: 7201
-      targetPort: 7201
-      protocol: TCP
-  selector:
-    app.kubernetes.io/name: m3coordinator