Traefik is problematic. It has abnormally high CPU consumption for the load profile, if fails to adequately detect the introduction of new domains, and has in past failed to propagate renewed certificates to all running pods.

nginx ingress controller and cert-manager will reproduce the functionality that Traefik provides and potentially do so in a more k8s way (the use of CRDs), and do so with lower cpu load.

Nginx Ingress Controller is currently deployed in the production cluster and described by: https://github.com/greenpeace/planet4-nginx-ingress

Cert manager is not yet described by any repository

Tasks:

• describe cert-manager with IAC : https://hub.kubeapps.com/charts/jetstack/cert-manager
• configure and deploy cert-manager as per https://docs.cert-manager.io/en/latest/tutorials/acme/quick-start/
• confirm functionality, by modifying Helm Wordpress to use the new ingress annotation
• load test development, eg via several locust instances - https://github.com/greenpeace/planet4-locust
• deploy to production
• transfer several P4 production sites to the new ingress, monitor performance and stability for X days
• Deploy new stable Helm chart with ingress annotation defaults updated
• Update p4-builder to use the new chart version