Terrapod v0.28.0 — minor release introducing a first-class split-networking deployment model for the Helm chart, plus HSTS-by-default on the BFF.
Highlights
- `internalIngress` (third optional Ingress) — chart now ships a three-Ingress model. Operators can keep the management plane (`ingress`) on a private/VPN hostname, expose the public-must-reach surface (`webhookIngress`, GitHub/GitLab webhooks + run-task callbacks) via a separate public Ingress, and add a third internal-only Ingress for listener pods + runner Jobs from other clusters. All three terminate at the same BFF.
- `listener.publicApiUrl` first-class concept — the listener Deployment now distinguishes "the URL I actually call" (`apiUrl`, internal) from "the URL users see in their browsers and `source = "..."` registry URLs" (`publicApiUrl`, canonical). Defaults to `api.config.external_url`. Forwarded to runner Job pods as `TP_PUBLIC_API_URL`; the runner entrypoint auto-generates a terraform CLI `host{}` block redirecting public → internal so user code can keep referring to the canonical hostname while runners traverse the internal route.
- HSTS on by default — the BFF now sends `Strict-Transport-Security: max-age=63072000` on every response, so browsers auto-upgrade `http://<hostname>` to `https://`. No `includeSubDomains` (operator's call), no `preload`. Configurable via `web.hsts.value`; set to `""` to disable.
- New documentation: Split-networking deployments — three-Ingress diagram, the dual-hostname runner pattern, three recipe configurations, and operational checks. Cross-linked from the main deployment and webhook-ingress docs.
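An operator-side check for the HSTS value described above, as an added example that is not part of Terrapod or its chart: it parses a `Strict-Transport-Security` value by the RFC 6797 rules and reports the policy a browser would store. The names `parse_hsts`, `audit` and `SAMPLES` are hypothetical, and every sample except the first is constructed.

```python
import re

# token [= token | quoted-string], per the RFC 6797 directive grammar
_DIRECTIVE = re.compile(r'([!#$%&\'*+.^_`|~0-9A-Za-z-]+)(?:\s*=\s*("[^"]*"|[^\s;"]+))?')

def parse_hsts(value):
    """Return {name: value or None}, or None if a browser would ignore the header."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:                     # empty directives (";;") are permitted
            continue
        m = _DIRECTIVE.fullmatch(part)
        if m is None:
            return None
        name = m.group(1).lower()        # directive names are case-insensitive
        if name in directives:           # a repeated directive invalidates the header
            return None
        raw = m.group(2)
        directives[name] = raw.strip('"') if raw is not None else None
    age = directives.get("max-age")
    if age is None or re.fullmatch(r"[0-9]+", age) is None:
        return None                      # max-age is required and must be digits
    return directives

def audit(value):
    """Summarise the policy a browser would store for this header value."""
    d = parse_hsts(value)
    if d is None:
        return None
    max_age = int(d["max-age"])
    return {
        "max_age": max_age,
        "enforced": max_age > 0,         # max-age=0 tells the browser to drop the policy
        "include_subdomains": "includesubdomains" in d,
        "preload": "preload" in d,
    }

# Constructed sample values; only the first is taken from the release notes.
SAMPLES = [
    "max-age=63072000",
    "",
    "max-age=0",
    "max-age=63072000; max-age=1",
    'MAX-AGE="300"; includeSubDomains',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", audit(s))
```

Browsers only act on this header when it arrives over HTTPS, so feed the check the value taken from the `https://` response of each Ingress hostname.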
Status
Beta — all new chart values are additive. Existing single-Ingress deployments are unaffected; both new Ingress blocks default to disabled, and HSTS can be turned off with `web.hsts.value: ""`.
Full Changelog: v0.27.0...v0.28.0