feat: enable site clusters to run Nautobot Celery workers on site clusters#1908
Merged
haseebsyed12 merged 9 commits intomainfrom Apr 21, 2026
Merged
feat: enable site clusters to run Nautobot Celery workers on site clusters#1908haseebsyed12 merged 9 commits intomainfrom
haseebsyed12 merged 9 commits intomainfrom
Conversation
haseebsyed12
force-pushed
the
site-nautobot-worker
branch
9 times, most recently
from
f49206f to
f47fced
Compare
haseebsyed12
changed the title
haseebsyed12
force-pushed
the
site-nautobot-worker
branch
7 times, most recently
from
b5e37b0 to
16e016a
Compare
cardoe
reviewed
Apr 14, 2026
haseebsyed12
force-pushed
the
site-nautobot-worker
branch
8 times, most recently
from
b3c0d4b to
67436e4
Compare
haseebsyed12
force-pushed
the
site-nautobot-worker
branch
from
d4915ed to
b8d2d0a
Compare
skrobul
reviewed
Apr 20, 2026
Collaborator
skrobul
left a comment
skrobul
left a comment
There was a problem hiding this comment.
left few comments inline
haseebsyed12
force-pushed
the
site-nautobot-worker
branch
9 times, most recently
from
7828885 to
7d71b6e
Compare
Sites need to run background task processing locally to reduce cross-cluster latency and scale worker capacity independently. Workers connect back to the global PostgreSQL and Redis, so cross-cluster connections require stronger auth than passwords alone. Adds a site-scoped ArgoCD Application that deploys only the Celery worker portion of the Nautobot Helm chart. The web server, Redis, and PostgreSQL remain on the global cluster. All cross-cluster connections use end-to-end mTLS: - nautobot_config.py gains conditional SSL/mTLS logic for both PostgreSQL (NAUTOBOT_DB_SSLMODE) and Redis (auto-detected from mounted CA cert) - nautobot-worker component values disable everything except celery - envoy-configs gateway template supports gatewayPort on TLS passthrough listeners for non-443 ports (5432, 6379) - envoy-configs schema adds gatewayPort to the tls route type - Deploy guide documents the full architecture, step-by-step site onboarding, certificate infrastructure, and troubleshooting
… issued cert+key to sites via the external secrets provider.
haseebsyed12
force-pushed
the
site-nautobot-worker
branch
from
8c34aca to
7423e9a
Compare
Allows for a different nautobot config file to be stored in the deploy repo and supplied to Nautobot.
skrobul
reviewed
Apr 21, 2026
Collaborator
skrobul
left a comment
skrobul
left a comment
There was a problem hiding this comment.
This looks almost ready, added few comments in another review
Comment on lines
+299
to
+321
| tls.crt: >- | ||
| {{ .client_password | ||
| | regexFind "-----BEGIN CERTIFICATE-----[\\s\\S]*?-----END CERTIFICATE-----" | ||
| | replace "\r" "" }} | ||
| tls.key: >- | ||
| {{ .client_password | ||
| | regexFind "-----BEGIN EC PRIVATE KEY-----[\\s\\S]*?-----END EC PRIVATE KEY-----" | ||
| | replace "\r" "" }} | ||
| ca.crt: >- | ||
| {{ .ca_password | replace "\r" "" }} | ||
| dataFrom: | ||
| - extract: | ||
| key: "<client-cert-credential-id>" | ||
| rewrite: | ||
| - regexp: | ||
| source: "(.*)" | ||
| target: "client_$1" | ||
| - extract: | ||
| key: "<ca-cert-credential-id>" | ||
| rewrite: | ||
| - regexp: | ||
| source: "(.*)" | ||
| target: "ca_$1" |
Collaborator
There was a problem hiding this comment.
This expects very specific type of key/certificate and can be fragile.
Consider switching from a freeform text field to a JSON.
For example, if you store the credentials as JSON:
{
"tls.crt":"LS0tLS1CRUdJTiBDRVJ...",
"tls.key":"LS0tLS1CRUdJTiBFQyB...."
}then you can use simpler and more robust template that does not need regular expressions:
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: nautobot-mtls-client-marektest
namespace: nautobot
spec:
dataFrom:
- extract:
key: "602777"
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: pwsafe
target:
creationPolicy: Owner
deletionPolicy: Retain
template:
data:
tls.crt: '{{ index (.password | fromJson) "tls.crt" | b64dec }}'
tls.key: '{{ index (.password | fromJson) "tls.key" | b64dec }}'
engineVersion: v2
metadata: {}
type: kubernetes.io/tlsAlternatively, if you really want to store those as plaintext, please consider using PEM block filters provided by ESO instead of regexes.
Contributor
Author
There was a problem hiding this comment.
done. using PEM block filters
Collaborator
There was a problem hiding this comment.
Nice, thanks. If you want to eliminate the regex and simplify the dataFrom section, sourcing data from multiple credentials like here is possible too, just need to assign secretKey for each remoteRef.
It's okay to leave it as is - your call.
haseebsyed12
force-pushed
the
site-nautobot-worker
branch
from
7a26828 to
f67b30f
Compare
skrobul
approved these changes
Apr 21, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Nautobot currently runs entirely on the global cluster, including its Celery workers. Sites that generate heavy background task load have no way to offload that processing closer to where the work originates, and a single global worker pool becomes a bottleneck as sites scale.
This adds a site-scoped ArgoCD Application that deploys only the Celery worker portion of the Nautobot helm chart. The web server, Redis, and PostgreSQL are all disabled because they remain on the global cluster — site workers connect back to those shared services.
This lets operators scale worker capacity per-site independently, run queue-specific workers closer to the hardware they manage, and reduce cross-cluster task latency for site-driven automation.
application-nautobot-worker.yaml) gated behindsite.nautobot_worker.enablednautobotnamespace on the site cluster.