OpenMS · t0mdavid-m · Apr 4, 2026 · Mar 5, 2026 · Mar 5, 2026 · Mar 5, 2026
diff --git a/.github/workflows/k8s-manifests-ci.yml b/.github/workflows/k8s-manifests-ci.yml
@@ -21,7 +21,10 @@ jobs:
 
       - name: Validate K8s manifests (base)
         run: |
-          kubeconform -summary -strict -kubernetes-version 1.28.0 -ignore-filename-pattern 'kustomization.yaml' k8s/base/*.yaml
+          kubeconform -summary -strict -kubernetes-version 1.28.0 \
+            -ignore-filename-pattern 'kustomization.yaml' \
+            -ignore-filename-pattern 'traefik-ingressroute.yaml' \
+            k8s/base/*.yaml
 
       - name: Install kubectl
         uses: azure/setup-kubectl@v3
@@ -33,7 +36,7 @@ jobs:
 
       - name: Validate kustomized output
         run: |
-          kubectl kustomize k8s/overlays/template-app/ | kubeconform -summary -strict -kubernetes-version 1.28.0
+          kubectl kustomize k8s/overlays/template-app/ | kubeconform -summary -strict -kubernetes-version 1.28.0 -skip IngressRoute
 
   integration-test:
     runs-on: ubuntu-latest
@@ -83,7 +86,9 @@ jobs:
       - name: Deploy with Kustomize
         if: steps.check.outputs.exists == 'true'
         run: |
+          # Filter out Traefik CRDs (kind cluster uses nginx, not Traefik)
           kubectl kustomize k8s/overlays/template-app/ | \
+            yq 'select(.kind != "IngressRoute")' | \
             sed 's|imagePullPolicy: IfNotPresent|imagePullPolicy: Never|g' > /tmp/manifests.yaml
           for i in 1 2 3 4 5; do
             if kubectl apply -f /tmp/manifests.yaml; then

diff --git a/k8s/base/configmap.yaml b/k8s/base/configmap.yaml
@@ -3,37 +3,7 @@ kind: ConfigMap
 metadata:
   name: streamlit-config
 data:
-  settings.json: |
+  settings-overrides.json: |
     {
-      "app-name": "OpenMS WebApp Template",
-      "online_deployment": true,
-      "enable_workspaces": true,
-      "workspaces_dir": "..",
-      "queue_settings": {
-        "default_timeout": 7200,
-        "result_ttl": 86400
-      },
-      "demo_workspaces": {
-        "enabled": true,
-        "source_dirs": ["example-data/workspaces"]
-      },
-      "max_threads": {
-        "local": 4,
-        "online": 2
-      },
-      "analytics": {
-        "matomo": {
-          "enabled": true,
-          "url": "https://cdn.matomo.cloud/openms.matomo.cloud",
-          "tag": "yDGK8bfY"
-        },
-        "google-analytics": {
-          "enabled": false,
-          "tag": ""
-        },
-        "piwik-pro": {
-          "enabled": false,
-          "tag": ""
-        }
-      }
+      "online_deployment": true
     }
diff --git a/k8s/base/kustomization.yaml b/k8s/base/kustomization.yaml
@@ -12,4 +12,5 @@ resources:
   - streamlit-service.yaml
   - rq-worker-deployment.yaml
   - ingress.yaml
+  - traefik-ingressroute.yaml
   - cleanup-cronjob.yaml
diff --git a/k8s/base/rq-worker-deployment.yaml b/k8s/base/rq-worker-deployment.yaml
@@ -33,6 +33,7 @@ spec:
           args:
             - |
               source /root/miniforge3/bin/activate streamlit-env
+              jq -s '.[0] * .[1]' /app/settings.json /app/settings-overrides.json > /tmp/settings-merged.json && mv /tmp/settings-merged.json /app/settings.json
               exec rq worker openms-workflows --url $REDIS_URL
           env:
             - name: REDIS_URL
@@ -41,8 +42,8 @@ spec:
             - name: workspaces
               mountPath: /workspaces-streamlit-template
             - name: config
-              mountPath: /app/settings.json
-              subPath: settings.json
+              mountPath: /app/settings-overrides.json
+              subPath: settings-overrides.json
               readOnly: true
           resources:
             requests:

diff --git a/k8s/base/streamlit-deployment.yaml b/k8s/base/streamlit-deployment.yaml
@@ -33,6 +33,7 @@ spec:
           args:
             - |
               source /root/miniforge3/bin/activate streamlit-env
+              jq -s '.[0] * .[1]' /app/settings.json /app/settings-overrides.json > /tmp/settings-merged.json && mv /tmp/settings-merged.json /app/settings.json
               exec streamlit run app.py --server.address 0.0.0.0
           ports:
             - containerPort: 8501
@@ -43,8 +44,8 @@ spec:
             - name: workspaces
               mountPath: /workspaces-streamlit-template
             - name: config
-              mountPath: /app/settings.json
-              subPath: settings.json
+              mountPath: /app/settings-overrides.json
+              subPath: settings-overrides.json
               readOnly: true
           readinessProbe:
             httpGet:

diff --git a/k8s/base/traefik-ingressroute.yaml b/k8s/base/traefik-ingressroute.yaml
@@ -0,0 +1,18 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: streamlit-traefik
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: streamlit
+          port: 8501
+          sticky:
+            cookie:
+              name: stroute
+              httpOnly: true
+              sameSite: lax
diff --git a/k8s/overlays/template-app/kustomization.yaml b/k8s/overlays/template-app/kustomization.yaml
@@ -22,3 +22,24 @@ patches:
       - op: replace
         path: /spec/rules/0/host
         value: template.openms.example.de
+  - target:
+      kind: Deployment
+      name: streamlit
+    patch: |
+      - op: replace
+        path: /spec/template/spec/containers/0/env/0/value
+        value: "redis://template-app-redis:6379/0"
+  - target:
+      kind: Deployment
+      name: rq-worker
+    patch: |
+      - op: replace
+        path: /spec/template/spec/containers/0/env/0/value
+        value: "redis://template-app-redis:6379/0"
+  - target:
+      kind: IngressRoute
+      name: streamlit-traefik
+    patch: |
+      - op: replace
+        path: /spec/routes/0/services/0/name
+        value: "template-app-streamlit"