Remove the etcd+PKI persistence and whitelist-cleanup machinery. Replace
with a CronJob that dumps manager=caddy Secrets to a hostPath under
{kind-mount-root}/caddy-cert-backup/ every 5 minutes, and a Python
restore step that applies the file before the Caddy Deployment starts on
a fresh cluster.

Key changes:

- New components/ingress/caddy-cert-backup.yaml: SA/Role/RoleBinding +
  CronJob pinned to the control-plane node. Atomic write via tmp+rename.
- helpers.py:
  - Delete _get_etcd_host_path_from_kind_config, _clean_etcd_keeping_certs,
    _capture_etcd_image, _read_etcd_image_ref, _etcd_image_ref_path, and
    the etcd+PKI block in _generate_kind_mounts
  - Simplify create_cluster (no pre-cleanup, no post-capture)
  - install_ingress_for_kind splits YAML apply into 3 phases: namespace +
    RBAC + CM + Service + IngressClass → restore caddy secrets → Caddy
    Deployment → install backup CronJob. Caddy pod can't exist until
    phase 3, so certs are always in place before startup.
- deploy_k8s.py: thread kind_mount_root into install_ingress_for_kind.

Feature only active when kind-mount-root is set in the spec. No new spec
keys. Backup survives kind delete via the existing /srv/kind mount point.

Net: -139 LoC in helpers.py (removes docker-in-docker shell-in-Python),
+100 LoC of YAML, +90 LoC of straightforward Python.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
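The dump-and-restore shape the message describes, as an added stdlib-only Python example that is not the project's code: the CronJob side writes the manager=caddy Secrets atomically (tmp + fsync + rename, owner-only mode), and the restore side reads the file back after stripping server-managed metadata so the objects can be applied to a fresh cluster. The JSON "v1 List" file format, the SERVER_FIELDS list and all sample data are my assumptions.

```python
import json
import os
import tempfile

# Server-managed metadata a fresh cluster rejects or rewrites on apply (assumed list, not the project's).
SERVER_FIELDS = ("uid", "resourceVersion", "creationTimestamp", "managedFields", "ownerReferences")

def select_caddy_secrets(items, label_key="manager", label_value="caddy"):
    """Keep only Secret objects labelled manager=caddy (the CronJob's selection)."""
    return [o for o in items if o.get("kind") == "Secret"
            and o.get("metadata", {}).get("labels", {}).get(label_key) == label_value]

def sanitize_for_restore(secret):
    """Deep-copy a Secret and drop fields that belong to the cluster it came from."""
    out = json.loads(json.dumps(secret))
    for field in SERVER_FIELDS:
        out.setdefault("metadata", {}).pop(field, None)
    return out

def atomic_write_backup(path, secrets):
    """Write a v1 List of sanitized Secrets via tmp + fsync + rename, mode 0600."""
    doc = {"apiVersion": "v1", "kind": "List", "items": [sanitize_for_restore(s) for s in secrets]}
    directory = os.path.dirname(os.path.abspath(path))
    os.makedirs(directory, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".caddy-cert-backup.")  # same fs as target
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(doc, f)
            f.flush(); os.fsync(f.fileno())   # bytes on disk before the rename makes them visible
        os.chmod(tmp, 0o600)                  # private keys live in here
        os.replace(tmp, path)                 # readers see the old file or the new one, never a torn one
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise

def load_backup(path):
    """Items ready to apply, or [] on a first run when no backup exists yet."""
    try:
        with open(path) as f:
            return json.load(f)["items"]
    except FileNotFoundError:
        return []

SAMPLE_ITEMS = [  # constructed sample: one Caddy-managed TLS Secret plus one the backup must skip
    {"kind": "Secret", "metadata": {"name": "example-tls", "labels": {"manager": "caddy"}, "uid": "u1", "resourceVersion": "42"}, "data": {"tls.key": "Li4u"}},
    {"kind": "Secret", "metadata": {"name": "other", "labels": {"manager": "nginx"}}},
]

def roundtrip(path=os.path.join(tempfile.gettempdir(), "caddy-cert-backup-demo.json")):
    atomic_write_backup(path, select_caddy_secrets(SAMPLE_ITEMS))  # what the CronJob does every 5 min
    return load_backup(path)                                       # what the restore step reads back
```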