From 0a45a790e79304d176b891911ab37a7fd093d8b1 Mon Sep 17 00:00:00 2001 
From: e3mrah <81884938+emrahbaysal@users.noreply.github.com>
Date: Tue, 19 May 2026 07:57:12 +0400
Subject: [PATCH] =?UTF-8?q?fix:=20omit=20HTTPRoute=20sectionName=20across?=
 =?UTF-8?q?=20blueprint=20charts=20=E2=80=94=20match=20PR=20#1888=20patter?=
 =?UTF-8?q?n=20(Closes=20#1902)=20(#1909)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

PR #1888 (TBD-A30) fixed catalyst-system HTTPRoutes for multi-zone
Sovereigns whose Cilium Gateway renames HTTPS listeners from `https` to
`https-` (e.g. `https-omani-works`, `https-omani-homes`) when more than
one parent zone is enabled. Every public HTTPRoute pinned to
`sectionName: https` got `Accepted=False NoMatchingListener` and the
hosted service 404'd / connection-refused.

That fix only touched products/catalyst/chart. Per-blueprint HTTPRoutes
shipped the same `sectionName: https` default in values.yaml, so on a
multi-zone Sovereign every blueprint route — gitea, grafana, harbor,
keycloak, newapi, openbao, powerdns, stalwart-tenant — silently failed
to attach. TBD-A40 / issue #1902.

Sweep verbatim:

    $ git grep -nE 'sectionName:[[:space:]]+(https|"https")[[:space:]]*$' \
        platform/*/chart/ products/ clusters/ core/ 2>/dev/null \
        | grep -v 'platform/gateway-api/chart/templates'
    platform/gitea/chart/values.yaml:168: sectionName: https
    platform/grafana/chart/values.yaml:124: sectionName: https
    platform/harbor/chart/values.yaml:437: sectionName: https
    platform/keycloak/chart/values.yaml:482: sectionName: https
    platform/newapi/chart/values.yaml:721: sectionName: https
    platform/openbao/chart/values.yaml:72: sectionName: https
    platform/powerdns/chart/values.yaml:407: sectionName: https
    platform/stalwart-tenant/chart/values.yaml:297: sectionName: https
    products/catalyst/bootstrap/api/internal/handler/sme_tenant_gitops.go:802: sectionName: https

Fix (Option C — omit sectionName, same as PR #1888):

- 8 blueprint values.yaml defaults flipped from `sectionName: https` to
  `sectionName: ""`. The chart templates already guard with
  `{{- with .Values.gateway.parentRef.sectionName }}`, so a blank value
  drops the field entirely and Cilium Gateway matches by hostname filter.
- platform/newapi/chart/templates/httproute.yaml was the outlier: it used
  `default "https" $parent.sectionName` which fell back to `https` even
  when values.yaml said empty. Rewritten to
  `{{- with $parent.sectionName }}` so empty drops the field — same
  pattern as the other 7 blueprints.
- products/catalyst/bootstrap/api/internal/handler/sme_tenant_gitops.go
  renders a per-tenant bp-keycloak HelmRelease and injected
  `sectionName: https` into spec.values. Flipped to `sectionName: ""` so
  the bp-keycloak chart's `{{- with }}` guard drops the field.

Validation (real `helm template`, default values, gateway enabled, no
sectionName override) — Principle #15:

    gitea : sectionName lines in rendered output = 0
    grafana : sectionName lines in rendered output = 0
    harbor : sectionName lines in rendered output = 0
    keycloak : sectionName lines in rendered output = 0
    openbao : sectionName lines in rendered output = 0
    powerdns : sectionName lines in rendered output = 0
    newapi : sectionName lines in rendered output = 0
    stalwart-tenant : sectionName lines in rendered output = 0

Override path preserved — `--set ...parentRef.sectionName=https-omani-works`
on each chart renders `sectionName: "https-omani-works"` correctly, so
operators on single-zone clusters or non-Cilium gateways can still pin
explicitly via bootstrap-kit overlay.

helm lint clean on all 8 blueprint charts (newapi cnpg-cluster.yaml lint
error is pre-existing on origin/main, unrelated to this fix).

Chart bumps (each blueprint also bumps blueprint.yaml spec.version per
#817 lockstep):

    bp-gitea 1.2.7 -> 1.2.8
    bp-grafana 1.0.1 -> 1.0.2
    bp-harbor 1.2.17 -> 1.2.18
    bp-keycloak 1.4.5 -> 1.4.6
    bp-newapi 1.4.22 -> 1.4.23
    bp-openbao 1.2.16 -> 1.2.17
    bp-powerdns 1.2.3 -> 1.2.4
    bp-stalwart-tenant 0.1.2 -> 0.1.3

Refs TBD-A40.
Co-authored-by: hatiyildiz Co-authored-by: Claude Opus 4.7 (1M context) --- platform/gitea/blueprint.yaml | 2 +- platform/gitea/chart/Chart.yaml | 6 +++++- platform/gitea/chart/values.yaml | 6 +++++- platform/grafana/blueprint.yaml | 2 +- platform/grafana/chart/Chart.yaml | 6 +++++- platform/grafana/chart/values.yaml | 6 +++++- platform/harbor/blueprint.yaml | 2 +- platform/harbor/chart/Chart.yaml | 6 +++++- platform/harbor/chart/values.yaml | 6 +++++- platform/keycloak/blueprint.yaml | 2 +- platform/keycloak/chart/Chart.yaml | 6 +++++- platform/keycloak/chart/values.yaml | 6 +++++- platform/newapi/blueprint.yaml | 2 +- platform/newapi/chart/Chart.yaml | 9 ++++++++- platform/newapi/chart/templates/httproute.yaml | 11 +++++++++-- platform/newapi/chart/values.yaml | 14 +++++++++----- platform/openbao/blueprint.yaml | 2 +- platform/openbao/chart/Chart.yaml | 6 +++++- platform/openbao/chart/values.yaml | 6 +++++- platform/powerdns/blueprint.yaml | 2 +- platform/powerdns/chart/Chart.yaml | 6 +++++- platform/powerdns/chart/values.yaml | 6 +++++- platform/stalwart-tenant/blueprint.yaml | 2 +- platform/stalwart-tenant/chart/Chart.yaml | 6 +++++- platform/stalwart-tenant/chart/values.yaml | 6 +++++- .../api/internal/handler/sme_tenant_gitops.go | 7 ++++++- 26 files changed, 110 insertions(+), 31 deletions(-) diff --git a/platform/gitea/blueprint.yaml b/platform/gitea/blueprint.yaml index e2efad00..74c1d682 100644 --- a/platform/gitea/blueprint.yaml +++ b/platform/gitea/blueprint.yaml @@ -5,7 +5,7 @@ metadata: labels: catalyst.openova.io/section: pts-2-3-per-sovereign-supporting-services spec: - version: 1.2.7 + version: 1.2.8 card: title: gitea summary: Gitea — per-Sovereign Git server. Catalyst control plane. Hosts catalog (public Blueprint mirror), catalog-sovereign (Sovereign-curated private Blueprints), one Gitea Org per Catalyst Organization, and system (sovereign-admin scope). 
diff --git a/platform/gitea/chart/Chart.yaml b/platform/gitea/chart/Chart.yaml index 888b346e..3e5f30a4 100644 --- a/platform/gitea/chart/Chart.yaml +++ b/platform/gitea/chart/Chart.yaml @@ -4,7 +4,11 @@ name: bp-gitea # hook image switched from curlimages/curl:8.10.1 to # harbor.openova.io/proxy-dockerhub/curlimages/curl:8.10.1 per CLAUDE.md # inviolable rule. -version: 1.2.7 +# 1.2.8 (Fix #1902, TBD-A40, 2026-05-19): omit HTTPRoute parentRef +# sectionName by default — multi-zone Sovereigns rename HTTPS listeners +# to https-, breaking NoMatchingListener with the prior +# pinned sectionName: https. Matches the catalyst-system fix in PR #1888. +version: 1.2.8 description: | Catalyst-curated Blueprint umbrella chart for Gitea. Depends on the upstream `gitea` chart (dl.gitea.com) as a Helm subchart so diff --git a/platform/gitea/chart/values.yaml b/platform/gitea/chart/values.yaml index 8a922c24..d8f46712 100644 --- a/platform/gitea/chart/values.yaml +++ b/platform/gitea/chart/values.yaml @@ -165,4 +165,8 @@ gateway: parentRef: name: cilium-gateway namespace: kube-system - sectionName: https + # sectionName intentionally empty — multi-zone Sovereigns rename HTTPS + # listeners to https- (e.g. https-omani-works), so + # pinning sectionName: https breaks NoMatchingListener. Cilium Gateway + # matches by hostname filter. See PR #1888 / TBD-A40 / issue #1902. + sectionName: "" diff --git a/platform/grafana/blueprint.yaml b/platform/grafana/blueprint.yaml index 8a1d1e37..af714bf4 100644 --- a/platform/grafana/blueprint.yaml +++ b/platform/grafana/blueprint.yaml @@ -5,7 +5,7 @@ metadata: labels: catalyst.openova.io/section: pts-3-observability spec: - version: 1.0.1 + version: 1.0.2 card: title: Grafana family: insights diff --git a/platform/grafana/chart/Chart.yaml b/platform/grafana/chart/Chart.yaml index cc0c6bff..025f9e40 100644 --- a/platform/grafana/chart/Chart.yaml +++ b/platform/grafana/chart/Chart.yaml 
@@ -11,7 +11,11 @@ description: | (logs), bp-tempo (traces), bp-mimir (metrics), and bp-alloy or bp-opentelemetry (collection). type: application -version: 1.0.1 +# 1.0.2 (Fix #1902, TBD-A40, 2026-05-19): omit HTTPRoute parentRef +# sectionName by default — multi-zone Sovereigns rename HTTPS listeners +# to https-, breaking NoMatchingListener with the prior +# pinned sectionName: https. Matches the catalyst-system fix in PR #1888. +version: 1.0.2 appVersion: "12.3.1" keywords: [catalyst, blueprint, grafana, observability, dashboards] maintainers: diff --git a/platform/grafana/chart/values.yaml b/platform/grafana/chart/values.yaml index 1bcd962e..4f35eb6a 100644 --- a/platform/grafana/chart/values.yaml +++ b/platform/grafana/chart/values.yaml @@ -121,4 +121,8 @@ gateway: parentRef: name: cilium-gateway namespace: kube-system - sectionName: https + # sectionName intentionally empty — multi-zone Sovereigns rename HTTPS + # listeners to https- (e.g. https-omani-works), so + # pinning sectionName: https breaks NoMatchingListener. Cilium Gateway + # matches by hostname filter. See PR #1888 / TBD-A40 / issue #1902. + sectionName: "" diff --git a/platform/harbor/blueprint.yaml b/platform/harbor/blueprint.yaml index 798165d2..fa2ee6fd 100644 --- a/platform/harbor/blueprint.yaml +++ b/platform/harbor/blueprint.yaml @@ -5,7 +5,7 @@ metadata: labels: catalyst.openova.io/section: pts-3-5-storage-and-data spec: - version: 1.2.17 + version: 1.2.18 card: title: Harbor family: foundation diff --git a/platform/harbor/chart/Chart.yaml b/platform/harbor/chart/Chart.yaml index 8e9b85ca..72efa7bc 100644 --- a/platform/harbor/chart/Chart.yaml +++ b/platform/harbor/chart/Chart.yaml 
@@ -42,7 +42,11 @@ type: application # hook image switched from curlimages/curl:8.10.1 to # harbor.openova.io/proxy-dockerhub/curlimages/curl:8.10.1 per CLAUDE.md # inviolable rule. -version: 1.2.17 +# 1.2.18 (Fix #1902, TBD-A40, 2026-05-19): omit HTTPRoute parentRef +# sectionName by default — multi-zone Sovereigns rename HTTPS listeners +# to https-, breaking NoMatchingListener with the prior +# pinned sectionName: https. Matches the catalyst-system fix in PR #1888. +version: 1.2.18 appVersion: "2.14.3" keywords: [catalyst, blueprint, harbor, oci, registry, container] maintainers: diff --git a/platform/harbor/chart/values.yaml b/platform/harbor/chart/values.yaml index f2c93efc..e11052a2 100644 --- a/platform/harbor/chart/values.yaml +++ b/platform/harbor/chart/values.yaml @@ -434,7 +434,11 @@ gateway: parentRef: name: cilium-gateway namespace: kube-system - sectionName: https + # sectionName intentionally empty — multi-zone Sovereigns rename HTTPS + # listeners to https- (e.g. https-omani-works), so + # pinning sectionName: https breaks NoMatchingListener. Cilium Gateway + # matches by hostname filter. See PR #1888 / TBD-A40 / issue #1902. + sectionName: "" # ─── Vendor-agnostic Object Storage backend config (issue #383 / #425) ─── # diff --git a/platform/keycloak/blueprint.yaml b/platform/keycloak/blueprint.yaml index f3840fa5..394735fe 100644 --- a/platform/keycloak/blueprint.yaml +++ b/platform/keycloak/blueprint.yaml @@ -5,7 +5,7 @@ metadata: labels: catalyst.openova.io/section: pts-2-3-per-sovereign-supporting-services spec: - version: 1.4.5 + version: 1.4.6 card: title: keycloak summary: Keycloak — user identity. Topology decided by Sovereign CRD spec.keycloakTopology (per-organization for SME, shared-sovereign for corporate). diff --git a/platform/keycloak/chart/Chart.yaml b/platform/keycloak/chart/Chart.yaml index cb851981..edb38dc3 100644 --- a/platform/keycloak/chart/Chart.yaml +++ b/platform/keycloak/chart/Chart.yaml 
@@ -1,6 +1,10 @@ apiVersion: v2 name: bp-keycloak -version: 1.4.5 +# 1.4.6 (Fix #1902, TBD-A40, 2026-05-19): omit HTTPRoute parentRef +# sectionName by default — multi-zone Sovereigns rename HTTPS listeners +# to https-, breaking NoMatchingListener with the prior +# pinned sectionName: https. Matches the catalyst-system fix in PR #1888. +version: 1.4.6 description: | Catalyst-curated Blueprint umbrella chart for Keycloak. Depends on the upstream `keycloak` chart (bitnami) as a Helm subchart so diff --git a/platform/keycloak/chart/values.yaml b/platform/keycloak/chart/values.yaml index 34d2afcd..76a7af2d 100644 --- a/platform/keycloak/chart/values.yaml +++ b/platform/keycloak/chart/values.yaml @@ -479,4 +479,8 @@ gateway: parentRef: name: cilium-gateway namespace: kube-system - sectionName: https + # sectionName intentionally empty — multi-zone Sovereigns rename HTTPS + # listeners to https- (e.g. https-omani-works), so + # pinning sectionName: https breaks NoMatchingListener. Cilium Gateway + # matches by hostname filter. See PR #1888 / TBD-A40 / issue #1902. + sectionName: "" diff --git a/platform/newapi/blueprint.yaml b/platform/newapi/blueprint.yaml index 858d49b9..c70a8e28 100644 --- a/platform/newapi/blueprint.yaml +++ b/platform/newapi/blueprint.yaml @@ -6,7 +6,7 @@ metadata: catalyst.openova.io/category: ai-runtime catalyst.openova.io/section: pts-4-6-llm-serving spec: - version: 1.4.22 + version: 1.4.23 card: title: NewAPI summary: | diff --git a/platform/newapi/chart/Chart.yaml b/platform/newapi/chart/Chart.yaml index a7c3b4a3..fc921e30 100644 --- a/platform/newapi/chart/Chart.yaml +++ b/platform/newapi/chart/Chart.yaml 
@@ -245,7 +245,14 @@ name: bp-newapi # composes on the next reconcile. helm template renders cleanly with # BOTH the missing-attestation state (no channel) AND the # fully-populated state (channel composed normally). -version: 1.4.22 +# 1.4.23 (Fix #1902, TBD-A40, 2026-05-19): omit HTTPRoute parentRef +# sectionName by default — multi-zone Sovereigns rename HTTPS listeners +# to https-, breaking NoMatchingListener with the prior +# `default "https"` fallback in templates/httproute.yaml. The template +# now uses `{{- with $parent.sectionName }}` to drop the field entirely +# when blank, and values.yaml defaults sectionName to "". Matches the +# catalyst-system fix in PR #1888. +version: 1.4.23 appVersion: "0.13.2" description: | Catalyst Blueprint scratch chart for NewAPI — multi-tenant LLM diff --git a/platform/newapi/chart/templates/httproute.yaml b/platform/newapi/chart/templates/httproute.yaml index b4ed4dce..6ba71801 100644 --- a/platform/newapi/chart/templates/httproute.yaml +++ b/platform/newapi/chart/templates/httproute.yaml @@ -38,7 +38,12 @@ operator-overridable via values.yaml. {{- $parent := .Values.ingress.httpRoute.parentRef | default dict -}} {{- $parentName := default "cilium-gateway" $parent.name -}} {{- $parentNs := default "kube-system" $parent.namespace -}} -{{- $sectionName := default "https" $parent.sectionName -}} +{{- /* +sectionName intentionally omitted when empty/unset — pinning to "https" +broke multi-zone Sovereigns whose Cilium Gateway renames HTTPS listeners +to https- (PR #1888 / TBD-A40 / issue #1902). Gateway API +hostname-matching attaches the route to the right listener anyway. +*/ -}} apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: @@ -50,7 +55,9 @@ spec: parentRefs: - name: {{ $parentName | quote }} namespace: {{ $parentNs | quote }} - sectionName: {{ $sectionName | quote }} + {{- with $parent.sectionName }} + sectionName: {{ . | quote }} + {{- end }} hostnames: - {{ $host | quote }} rules: 
diff --git a/platform/newapi/chart/values.yaml b/platform/newapi/chart/values.yaml index 113d273f..f6346d56 100644 --- a/platform/newapi/chart/values.yaml +++ b/platform/newapi/chart/values.yaml @@ -714,11 +714,15 @@ ingress: parentRef: name: cilium-gateway namespace: kube-system - # Listener sectionName — single-zone Sovereigns use bare "https" - # per the t20 listener-naming convention; multi-zone Sovereigns - # override to "https-" via the bootstrap-kit - # overlay. - sectionName: https + # sectionName intentionally empty — multi-zone Sovereigns rename + # HTTPS listeners to https- (e.g. https-omani-works, + # https-omani-homes), so pinning sectionName: https breaks every + # public HTTPRoute with NoMatchingListener. Cilium Gateway selects + # the listener by hostname filter when sectionName is omitted. See + # PR #1888 (catalyst-system) / TBD-A40 / issue #1902. Operators may + # still override via a bootstrap-kit overlay for non-Cilium + # gateways that REQUIRE an explicit sectionName. + sectionName: "" # ─── NetworkPolicy ─────────────────────────────────────────────────────── # Default-allow ingress from the platform's gateway namespace; egress # to Postgres, Valkey, Keycloak, in-cluster vLLM, DNS, and the operator- diff --git a/platform/openbao/blueprint.yaml b/platform/openbao/blueprint.yaml index 9e2d73b2..bfc21765 100644 --- a/platform/openbao/blueprint.yaml +++ b/platform/openbao/blueprint.yaml @@ -5,7 +5,7 @@ metadata: labels: catalyst.openova.io/section: pts-2-3-per-sovereign-supporting-services spec: - version: 1.2.16 + version: 1.2.17 card: title: openbao summary: OpenBao secret backend. 3-node Raft per region (independent quorum, async perf-replication across regions). MPL 2.0 — drop-in Vault replacement. diff --git a/platform/openbao/chart/Chart.yaml b/platform/openbao/chart/Chart.yaml index ad4be49b..b54ca7a2 100644 --- a/platform/openbao/chart/Chart.yaml +++ b/platform/openbao/chart/Chart.yaml 
@@ -1,6 +1,10 @@ apiVersion: v2 name: bp-openbao -version: 1.2.16 +# 1.2.17 (Fix #1902, TBD-A40, 2026-05-19): omit HTTPRoute parentRef +# sectionName by default — multi-zone Sovereigns rename HTTPS listeners +# to https-, breaking NoMatchingListener with the prior +# pinned sectionName: https. Matches the catalyst-system fix in PR #1888. +version: 1.2.17 description: | Catalyst-curated Blueprint umbrella chart for OpenBao. Depends on the upstream `openbao` chart as a Helm subchart so `helm dependency build` diff --git a/platform/openbao/chart/values.yaml b/platform/openbao/chart/values.yaml index 5ecead1b..ed9e252e 100644 --- a/platform/openbao/chart/values.yaml +++ b/platform/openbao/chart/values.yaml @@ -69,7 +69,11 @@ gateway: parentRef: name: cilium-gateway namespace: kube-system - sectionName: https + # sectionName intentionally empty — multi-zone Sovereigns rename HTTPS + # listeners to https- (e.g. https-omani-works), so + # pinning sectionName: https breaks NoMatchingListener. Cilium Gateway + # matches by hostname filter. See PR #1888 / TBD-A40 / issue #1902. + sectionName: "" # ─── Auto-unseal flow (issue #316) ───────────────────────────────────────── # Catalyst-curated post-install Job that runs `bao operator init` on a diff --git a/platform/powerdns/blueprint.yaml b/platform/powerdns/blueprint.yaml index 2963df8b..70f70c79 100644 --- a/platform/powerdns/blueprint.yaml +++ b/platform/powerdns/blueprint.yaml @@ -6,7 +6,7 @@ metadata: catalyst.openova.io/category: per-host-cluster-infrastructure catalyst.openova.io/section: pts-3-2-gitops-and-iac spec: - version: 1.2.3 + version: 1.2.4 card: title: PowerDNS summary: | diff --git a/platform/powerdns/chart/Chart.yaml b/platform/powerdns/chart/Chart.yaml index b6c4b643..db26d0cf 100644 --- a/platform/powerdns/chart/Chart.yaml +++ b/platform/powerdns/chart/Chart.yaml 
@@ -1,6 +1,10 @@ apiVersion: v2 name: bp-powerdns -version: 1.2.3 +# 1.2.4 (Fix #1902, TBD-A40, 2026-05-19): omit HTTPRoute parentRef +# sectionName by default — multi-zone Sovereigns rename HTTPS listeners +# to https-, breaking NoMatchingListener with the prior +# pinned sectionName: https. Matches the catalyst-system fix in PR #1888. +version: 1.2.4 description: | Catalyst-curated Blueprint wrapper for PowerDNS Authoritative. Carries Catalyst-specific values.yaml + templates (CNPG cluster, dnsdist diff --git a/platform/powerdns/chart/values.yaml b/platform/powerdns/chart/values.yaml index 93c48803..c6f5f2ca 100644 --- a/platform/powerdns/chart/values.yaml +++ b/platform/powerdns/chart/values.yaml @@ -404,7 +404,11 @@ api: parentRef: name: cilium-gateway namespace: kube-system - sectionName: https + # sectionName intentionally empty — multi-zone Sovereigns rename HTTPS + # listeners to https- (e.g. https-omani-works), so + # pinning sectionName: https breaks NoMatchingListener. Cilium Gateway + # matches by hostname filter. See PR #1888 / TBD-A40 / issue #1902. + sectionName: "" # Backend defaults to the existing powerdns subchart Service backendService: "" # default: powerdns backendPort: 8081 # matches powerdns.powerdns.webserver.bindPort default diff --git a/platform/stalwart-tenant/blueprint.yaml b/platform/stalwart-tenant/blueprint.yaml index 551556c3..0665df43 100644 --- a/platform/stalwart-tenant/blueprint.yaml +++ b/platform/stalwart-tenant/blueprint.yaml @@ -15,7 +15,7 @@ spec: # `claimName`, `claimGroups`). setupJob defaults to enabled so a # fresh tenant has working OIDC at t=0. # Per #817 Chart.yaml version MUST equal blueprint.yaml spec.version. - version: 0.1.2 + version: 0.1.3 card: title: Stalwart (per-tenant) summary: | diff --git a/platform/stalwart-tenant/chart/Chart.yaml b/platform/stalwart-tenant/chart/Chart.yaml index 199c6415..17688fd0 100644 --- a/platform/stalwart-tenant/chart/Chart.yaml +++ b/platform/stalwart-tenant/chart/Chart.yaml 
@@ -51,7 +51,11 @@ name: bp-stalwart-tenant # `stalwart-cli` + `curl` — no new image needed. # # Per #817 Chart.yaml version MUST equal blueprint.yaml spec.version. -version: 0.1.2 +# 0.1.3 (Fix #1902, TBD-A40, 2026-05-19): omit HTTPRoute parentRef +# sectionName by default — multi-zone Sovereigns rename HTTPS listeners +# to https-, breaking NoMatchingListener with the prior +# pinned sectionName: https. Matches the catalyst-system fix in PR #1888. +version: 0.1.3 appVersion: "0.16.3" description: | Catalyst Blueprint scratch chart for a per-SME (per-vcluster) dedicated diff --git a/platform/stalwart-tenant/chart/values.yaml b/platform/stalwart-tenant/chart/values.yaml index ec8763a1..9a5a788d 100644 --- a/platform/stalwart-tenant/chart/values.yaml +++ b/platform/stalwart-tenant/chart/values.yaml @@ -294,7 +294,11 @@ ingress: parentRef: name: cilium-gateway namespace: kube-system - sectionName: https + # sectionName intentionally empty — multi-zone Sovereigns rename HTTPS + # listeners to https- (e.g. https-omani-works), so + # pinning sectionName: https breaks NoMatchingListener. Cilium Gateway + # matches by hostname filter. See PR #1888 / TBD-A40 / issue #1902. + sectionName: "" # cert-manager Certificate (mode=ingress only). Gateway mode relies # on the gateway's wildcard cert. tls: diff --git a/products/catalyst/bootstrap/api/internal/handler/sme_tenant_gitops.go b/products/catalyst/bootstrap/api/internal/handler/sme_tenant_gitops.go index 7be73be1..2cb73950 100644 --- a/products/catalyst/bootstrap/api/internal/handler/sme_tenant_gitops.go +++ b/products/catalyst/bootstrap/api/internal/handler/sme_tenant_gitops.go 
@@ -799,7 +799,12 @@ spec: parentRef: name: cilium-gateway namespace: kube-system - sectionName: https + # sectionName omitted — multi-zone Sovereigns rename HTTPS listeners + # to https- (e.g. https-omani-works). The bp-keycloak + # chart template guards `{{- with .Values.gateway.parentRef.sectionName }}` + # so a blank value drops the field entirely; Cilium Gateway then + # matches by hostname filter. See PR #1888 / TBD-A40 / issue #1902. + sectionName: "" # Outbound realm email — Phase-1 mothership relay. Operator overlay # (or future tenant-Stalwart sub-issue) overrides host/port once # tenant-local SMTP is shipped.
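
Review bot: In platform/openbao/chart/values.yaml, `sectionName: ""` leaves the parentRef unpinned, and the new comment's "matches by hostname filter" understates what that means. Under Gateway API a parentRef with no sectionName targets every listener on `cilium-gateway`, so the route attaches to any listener that admits it and whose hostname intersects, whatever its protocol. If the gateway also has a plaintext HTTP listener covering the same hostnames, the OpenBao route would be served there as well, which the old `sectionName: https` pin prevented. Please confirm, and state in the comment, that the plaintext listener either does not admit these routes or only redirects. The same default lands in the gitea, grafana, harbor, keycloak, newapi, powerdns and stalwart-tenant values hunks.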
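
Review bot: In platform/newapi/chart/templates/httproute.yaml, the removed `default "https" $parent.sectionName` fallback is a pin that the sweep quoted in the commit message cannot find: its pattern `sectionName:[[:space:]]+(https|"https")[[:space:]]*$` only matches literal values, and this template is absent from the sweep output. Consider gating on rendered output instead, for example a CI step that runs `helm template` with default values for each blueprint chart and fails if any HTTPRoute carries `sectionName`, plus one case with the override set to confirm the `{{- with $parent.sectionName }}` branch still emits the quoted value.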
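
Review bot: In products/catalyst/bootstrap/api/internal/handler/sme_tenant_gitops.go, the added comment line "# chart template guards `{{- with .Values.gateway.parentRef.sectionName }}`" puts backticks and template delimiters into YAML that is embedded in Go source. If that YAML lives in a raw string literal, the backticks terminate it; if it is rendered through text/template, `{{- with` is parsed as an action with no matching end. Rewording the comment without backticks or braces avoids both cases. The validation in the commit message covers only `helm template` on the eight charts, so a build plus a test that renders this per-tenant HelmRelease and checks the resulting `sectionName` value would close the gap for this file.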