feat: enable site clusters to run Nautobot Celery workers with mTLS

Sites need to run background task processing locally to reduce
cross-cluster latency and scale worker capacity independently. Workers
connect back to the global PostgreSQL and Redis, so cross-cluster
connections require stronger auth than passwords alone.

Adds a site-scoped ArgoCD Application that deploys only the Celery
worker portion of the Nautobot Helm chart. The web server, Redis, and
PostgreSQL remain on the global cluster.

All cross-cluster connections use end-to-end mTLS:
- nautobot_config.py gains conditional SSL/mTLS logic for both
  PostgreSQL (NAUTOBOT_DB_SSLMODE) and Redis (auto-detected from
  mounted CA cert)
- nautobot-worker component values disable everything except celery
- envoy-configs gateway template supports gatewayPort on TLS
  passthrough listeners for non-443 ports (5432, 6379)
- envoy-configs schema adds gatewayPort to the tls route type
- Deploy guide documents the full architecture, step-by-step site
  onboarding, certificate infrastructure, and troubleshooting

Author: syedhaseebahmed

charts/argocd-understack/templates/application-nautobot-worker.yaml

@@ -0,0 +1,49 @@
+{{- if eq (include "understack.isEnabled" (list $.Values.site "nautobot_worker")) "true" }}
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: {{ printf "%s-%s" $.Release.Name "nautobot-worker" }}
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+  annotations:
+    argocd.argoproj.io/compare-options: ServerSideDiff=true,IncludeMutationWebhook=true
+spec:
+  destination:
+    namespace: nautobot
+    server: {{ $.Values.cluster_server }}
+  project: understack
+  sources:
+  - chart: nautobot
+    helm:
+      fileParameters:
+      - name: nautobot.config
+        path: $understack/components/nautobot/nautobot_config.py
+      ignoreMissingValueFiles: true
+      releaseName: nautobot-worker
+      valueFiles:
+      - $understack/components/nautobot-worker/values.yaml
+      - $deploy/{{ include "understack.deploy_path" $ }}/nautobot-worker/values.yaml
+    repoURL: https://nautobot.github.io/helm-charts/
+    targetRevision: 2.5.6
+  - path: components/nautobot-worker
+    ref: understack
+    repoURL: {{ include "understack.understack_url" $ }}
+    targetRevision: {{ include "understack.understack_ref" $ }}
+  - path: {{ include "understack.deploy_path" $ }}/nautobot-worker
+    ref: deploy
+    repoURL: {{ include "understack.deploy_url" $ }}
+    targetRevision: {{ include "understack.deploy_ref" $ }}
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    managedNamespaceMetadata:
+      annotations:
+        argocd.argoproj.io/sync-options: Delete=false
+    syncOptions:
+    - CreateNamespace=true
+    - ServerSideApply=true
+    - RespectIgnoreDifferences=true
+    - ApplyOutOfSyncOnly=true
+{{- end }}

charts/argocd-understack/values.yaml

@@ -556,6 +556,12 @@ site:
     # @default -- false
     enabled: false
 
+  # -- Nautobot Celery workers (site-level, connects to global Nautobot)
+  nautobot_worker:
+    # -- Enable/disable deploying Nautobot workers at the site level
+    # @default -- false
+    enabled: false
+
   # -- SNMP exporter for network device monitoring
   snmp_exporter:
     # -- Enable/disable deploying SNMP exporter

components/envoy-configs/templates/gw-external.yaml.tpl

@@ -35,13 +35,11 @@ spec:
     {{- range .Values.routes.tls }}
     {{- $listenerName := .name | default (index (splitList "." .fqdn) 0) }}
     - name: {{ $listenerName }}
-      port: {{ $.Values.gateways.external.port | default 443 }}
+      port: {{ .gatewayPort | default ($.Values.gateways.external.port | default 443) }}
       protocol: TLS
       hostname: {{ .fqdn | quote }}
       tls:
         mode: Passthrough
-        certificateRefs:
-          - name: {{ $listenerName }}-tls
       allowedRoutes:
         namespaces:
           {{- if .selector }}
@@ -52,6 +50,7 @@ spec:
           from: {{ .from | default "All" }}
           {{- end }}
     {{- end }}
+
   {{- if .Values.gateways.external.serviceAnnotations }}
   infrastructure:
     parametersRef:

components/envoy-configs/values.schema.json

@@ -180,6 +180,12 @@
                 "type": "string",
                 "description": "Namespace where the httproute will be installed (same as backend service)"
               },
+              "gatewayPort": {
+                "type": "integer",
+                "minimum": 1,
+                "maximum": 65535,
+                "description": "Port exposed on the gateway for this TLS passthrough listener. Defaults to the external gateway port (443) if not specified."
+              },
               "service": {
                 "type": "object",
                 "description": "Kubernetes service backend configuration for the route",

components/nautobot-worker/values.yaml

@@ -0,0 +1,69 @@
+# Nautobot Worker (site-level)
+#
+# Deploys only Celery workers that connect back to the global Nautobot
+# database and Redis. The web server is disabled because it lives on
+# the global cluster. Redis and PostgreSQL are disabled because the
+# workers reach the global instances over the network.
+---
+
+# Disable the Nautobot web server — workers only
+nautobot:
+  enabled: false
+  replicaCount: 0
+
+  db:
+    engine: "django.db.backends.postgresql"
+    # Override in deploy repo values to point at the global CNPG service
+    host: ""
+    port: 5432
+    name: "app"
+    user: "app"
+    existingSecret: "nautobot-db"
+    existingSecretPasswordKey: "password"
+
+  django:
+    existingSecret: nautobot-django
+
+  superUser:
+    enabled: false
+
+  redis:
+    # Override in deploy repo values to point at the global Redis service
+    host: ""
+    port: 6379
+    ssl: false
+    username: ""
+
+celery:
+  enabled: true
+  concurrency: 2
+  replicaCount: 1
+  extraEnvVarsSecret:
+    - nautobot-django
+  livenessProbe:
+    initialDelaySeconds: 60
+    periodSeconds: 120
+    timeoutSeconds: 60
+  readinessProbe:
+    initialDelaySeconds: 60
+    periodSeconds: 120
+    timeoutSeconds: 60
+
+# Disable celery beat — scheduling runs on the global cluster only
+workers:
+  beat:
+    enabled: false
+
+# Do not deploy local Redis — use the global instance
+redis:
+  enabled: false
+
+# Do not deploy local PostgreSQL — use the global CNPG instance
+postgresql:
+  enabled: false
+
+ingress:
+  enabled: false
+
+metrics:
+  enabled: false

components/nautobot/nautobot_config.py

@@ -64,6 +64,55 @@
 if DATABASES["default"]["ENGINE"].endswith("mysql"):  # noqa F405
     DATABASES["default"]["OPTIONS"] = {"charset": "utf8mb4"}  # noqa F405
 
+# SSL/mTLS options for PostgreSQL connections.
+# When NAUTOBOT_DB_SSLMODE is set to "verify-ca" or "verify-full", the client
+# certificate, key, and CA root cert must be present at the configured paths.
+_db_sslcert = os.getenv("NAUTOBOT_DB_SSLCERT", "/etc/nautobot/mtls/tls.crt")
+_db_sslkey = os.getenv("NAUTOBOT_DB_SSLKEY", "/etc/nautobot/mtls/tls.key")
+_db_sslrootcert = os.getenv("NAUTOBOT_DB_SSLROOTCERT", "/etc/nautobot/mtls/ca.crt")
+_db_sslmode = os.getenv("NAUTOBOT_DB_SSLMODE", "")
+
+if _db_sslmode in ("verify-ca", "verify-full"):
+    for _path, _label in [
+        (_db_sslcert, "NAUTOBOT_DB_SSLCERT"),
+        (_db_sslkey, "NAUTOBOT_DB_SSLKEY"),
+        (_db_sslrootcert, "NAUTOBOT_DB_SSLROOTCERT"),
+    ]:
+        if not os.path.isfile(_path):
+            raise FileNotFoundError(
+                f"SSL certificate file required by {_label} not found: {_path}"
+            )
+    DATABASES["default"]["OPTIONS"] = {  # noqa F405
+        "sslmode": _db_sslmode,
+        "sslcert": _db_sslcert,
+        "sslkey": _db_sslkey,
+        "sslrootcert": _db_sslrootcert,
+    }
+
+# SSL/mTLS options for Redis connections.
+# When NAUTOBOT_REDIS_SSL env var is "true" (set by Helm `nautobot.redis.ssl`),
+# the Helm chart switches the URL scheme to rediss://.  We still need to tell
+# the Python redis client *which* certs to use for mutual TLS.
+import ssl as _ssl  # noqa: E402
+
+_redis_ca = os.getenv("NAUTOBOT_REDIS_SSL_CA_CERTS", "/etc/nautobot/mtls/ca.crt")
+_redis_cert = os.getenv("NAUTOBOT_REDIS_SSL_CERTFILE", "/etc/nautobot/mtls/tls.crt")
+_redis_key = os.getenv("NAUTOBOT_REDIS_SSL_KEYFILE", "/etc/nautobot/mtls/tls.key")
+
+if os.path.isfile(_redis_ca):
+    _redis_ssl_kwargs = {
+        "ssl_cert_reqs": _ssl.CERT_REQUIRED,
+        "ssl_ca_certs": _redis_ca,
+        "ssl_certfile": _redis_cert,
+        "ssl_keyfile": _redis_key,
+    }
+    CACHES["default"].setdefault("OPTIONS", {})  # noqa F405
+    CACHES["default"]["OPTIONS"].setdefault("CONNECTION_POOL_KWARGS", {})  # noqa F405
+    CACHES["default"]["OPTIONS"]["CONNECTION_POOL_KWARGS"].update(_redis_ssl_kwargs)  # noqa F405
+    CELERY_BROKER_USE_SSL = _redis_ssl_kwargs  # noqa F405
+    CELERY_REDIS_BACKEND_USE_SSL = _redis_ssl_kwargs  # noqa F405
+    CELERY_BROKER_TRANSPORT_OPTIONS = {"ssl": _redis_ssl_kwargs}  # noqa F405
+
 # This key is used for secure generation of random numbers and strings. It must never be exposed outside of this file.
 # For optimal security, SECRET_KEY should be at least 50 characters in length and contain a mix of letters, numbers, and
 # symbols. Nautobot will not run without this defined. For more information, see