rackerlabs · haseebsyed12 · Apr 21, 2026 · Apr 2, 2026 · Apr 16, 2026 · Apr 16, 2026
diff --git a/charts/argocd-understack/templates/application-nautobot-worker.yaml b/charts/argocd-understack/templates/application-nautobot-worker.yaml
@@ -0,0 +1,69 @@
+{{- if eq (include "understack.isEnabled" (list $.Values.site "nautobot_worker")) "true" }}
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: {{ printf "%s-%s" $.Release.Name "nautobot-worker" }}
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+  annotations:
+    argocd.argoproj.io/compare-options: ServerSideDiff=true,IncludeMutationWebhook=true
+{{- include "understack.appLabelsBlock" $ | nindent 2 }}
+spec:
+  destination:
+    namespace: nautobot
+    server: {{ $.Values.cluster_server }}
+  project: understack
+  sources:
+  - chart: nautobot
+    helm:
+      fileParameters:
+      - name: nautobot.config
+        path: {{ $.Values.site.nautobot_worker.nautobot_config }}
+      ignoreMissingValueFiles: true
+      releaseName: nautobot-worker
+      valueFiles:
+      - $understack/components/nautobot-worker/values.yaml
+      - $deploy/{{ include "understack.deploy_path" $ }}/nautobot-worker/values.yaml
+      {{- with index $.Values.appLabels "understack.rackspace.com/partition" }}
+      values: |
+        workers:
+          default:
+            enabled: false
+          {{ . }}:
+            enabled: true
+            taskQueues: {{ . | quote }}
+      {{- end }}
+    repoURL: https://nautobot.github.io/helm-charts/
+    targetRevision: 2.5.6
+
+  - path: components/nautobot-worker
+    ref: understack
+    repoURL: {{ include "understack.understack_url" $ }}
+    targetRevision: {{ include "understack.understack_ref" $ }}
+    kustomize:
+      patches:
+        - patch: |
+            - op: replace
+              path: /data/UNDERSTACK_PARTITION
+              value: "{{ index $.Values.appLabels "understack.rackspace.com/partition" | default "" }}"
+          target:
+            kind: ConfigMap
+            name: cluster-data
+  - path: {{ include "understack.deploy_path" $ }}/nautobot-worker
+    ref: deploy
+    repoURL: {{ include "understack.deploy_url" $ }}
+    targetRevision: {{ include "understack.deploy_ref" $ }}
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    managedNamespaceMetadata:
+      annotations:
+        argocd.argoproj.io/sync-options: Delete=false
+    syncOptions:
+    - CreateNamespace=true
+    - ServerSideApply=true
+    - RespectIgnoreDifferences=true
+    - ApplyOutOfSyncOnly=true
+{{- end }}
diff --git a/charts/argocd-understack/templates/application-nautobot.yaml b/charts/argocd-understack/templates/application-nautobot.yaml
@@ -19,7 +19,7 @@ spec:
     helm:
       fileParameters:
       - name: nautobot.config
-        path: $understack/components/nautobot/nautobot_config.py
+        path: {{ $.Values.global.nautobot.nautobot_config }}
       ignoreMissingValueFiles: true
       releaseName: nautobot
       valueFiles:

diff --git a/charts/argocd-understack/values.yaml b/charts/argocd-understack/values.yaml
@@ -144,6 +144,9 @@ global:
     # -- Enable/disable deploying Nautobot
     # @default -- false
     enabled: false
+    # -- config file to use for Nautobot scoped to either $understack or $deploy repo
+    # @default -- $understack/components/nautobot/nautobot_config.py
+    nautobot_config: '$understack/components/nautobot/nautobot_config.py'
 
   # -- Nautobot API token generation jobs
   nautobot_api_tokens:
@@ -556,6 +559,15 @@ site:
     # @default -- false
     enabled: false
 
+  # -- Nautobot Celery workers (site-level, connects to global Nautobot)
+  nautobot_worker:
+    # -- Enable/disable deploying Nautobot workers at the site level
+    # @default -- false
+    enabled: false
+    # -- config file to use for Nautobot scoped to either $understack or $deploy repo
+    # @default -- $understack/components/nautobot/nautobot_config.py
+    nautobot_config: '$understack/components/nautobot/nautobot_config.py'
+
   # -- SNMP exporter for network device monitoring
   snmp_exporter:
     # -- Enable/disable deploying SNMP exporter

diff --git a/components/envoy-configs/templates/gw-external.yaml.tpl b/components/envoy-configs/templates/gw-external.yaml.tpl
@@ -35,13 +35,11 @@ spec:
     {{- range .Values.routes.tls }}
     {{- $listenerName := .name | default (index (splitList "." .fqdn) 0) }}
     - name: {{ $listenerName }}
-      port: {{ $.Values.gateways.external.port | default 443 }}
+      port: {{ .gatewayPort | default ($.Values.gateways.external.port | default 443) }}
       protocol: TLS
       hostname: {{ .fqdn | quote }}
       tls:
         mode: Passthrough
-        certificateRefs:
-          - name: {{ $listenerName }}-tls
       allowedRoutes:
         namespaces:
           {{- if .selector }}
@@ -52,6 +50,7 @@ spec:
           from: {{ .from | default "All" }}
           {{- end }}
     {{- end }}
+
   {{- if .Values.gateways.external.serviceAnnotations }}
   infrastructure:
     parametersRef:

diff --git a/components/envoy-configs/values.schema.json b/components/envoy-configs/values.schema.json
@@ -180,6 +180,12 @@
                 "type": "string",
                 "description": "Namespace where the httproute will be installed (same as backend service)"
               },
+              "gatewayPort": {
+                "type": "integer",
+                "minimum": 1,
+                "maximum": 65535,
+                "description": "Port exposed on the gateway for this TLS passthrough listener. Defaults to the external gateway port (443) if not specified."
+              },
               "service": {
                 "type": "object",
                 "description": "Kubernetes service backend configuration for the route",

diff --git a/components/nautobot-worker/kustomization.yaml b/components/nautobot-worker/kustomization.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+configMapGenerator:
+  - name: cluster-data
+    literals:
+      - UNDERSTACK_PARTITION=""
+    options:
+      disableNameSuffixHash: true
diff --git a/components/nautobot-worker/values.yaml b/components/nautobot-worker/values.yaml
@@ -0,0 +1,68 @@
+# Nautobot Worker (site-level)
+#
+# Deploys only Celery workers that connect back to the global Nautobot
+# database and Redis. The web server is disabled because it lives on
+# the global cluster. Redis and PostgreSQL are disabled because the
+# workers reach the global instances over the network.
+---
+
+# Disable the Nautobot web server — workers only
+nautobot:
+  enabled: false
+  replicaCount: 0
+
+  db:
+    engine: "django.db.backends.postgresql"
+    # Override in deploy repo values to point at the global CNPG service
+    host: ""
+    port: 5432
+    name: "app"
+    user: "app"
+    existingSecret: "nautobot-db"
+    existingSecretPasswordKey: "password"
+
+  django:
+    existingSecret: nautobot-django
+
+  superUser:
+    enabled: false
+
+  redis:
+    # Override in deploy repo values to point at the global Redis service
+    host: ""
+    port: 6379
+    ssl: false
+    username: ""
+
+celery:
+  enabled: true
+  concurrency: 2
+  replicaCount: 1
+  extraEnvVarsCM:
+    - cluster-data
+  extraEnvVarsSecret:
+    - nautobot-django
+  livenessProbe:
+    initialDelaySeconds: 60
+    periodSeconds: 120
+    timeoutSeconds: 60
+  readinessProbe:
+    initialDelaySeconds: 60
+    periodSeconds: 120
+    timeoutSeconds: 60
+
+# Disable celery beat — scheduling runs on the global cluster only
+workers:
+  beat:
+    enabled: false
+
+# Do not deploy local Redis — use the global instance
+redis:
+  enabled: false
+
+# Do not deploy local PostgreSQL — use the global CNPG instance
+postgresql:
+  enabled: false
+
+ingress:
+  enabled: false