openova/openova
1
0
Fork 0
Code Issues Pull Requests Actions 26 Packages Projects Releases Wiki Activity

fix: omit HTTPRoute sectionName across blueprint charts — match PR #1888 pattern (Closes #1902) (#1909)

Browse Source 
PR #1888 (TBD-A30) fixed catalyst-system HTTPRoutes for multi-zone
Sovereigns whose Cilium Gateway renames HTTPS listeners from `https` to
`https-<sanitised-zone>` (e.g. `https-omani-works`, `https-omani-homes`)
when more than one parent zone is enabled. Every public HTTPRoute pinned
to `sectionName: https` got `Accepted=False NoMatchingListener` and the
hosted service 404'd / connection-refused.

That fix only touched products/catalyst/chart. Per-blueprint HTTPRoutes
shipped the same `sectionName: https` default in values.yaml, so on a
multi-zone Sovereign every blueprint route — gitea, grafana, harbor,
keycloak, newapi, openbao, powerdns, stalwart-tenant — silently failed
to attach. TBD-A40 / issue #1902.

Sweep verbatim:

  $ git grep -nE 'sectionName:[[:space:]]+(https|"https")[[:space:]]*$' \
      platform/*/chart/ products/ clusters/ core/ 2>/dev/null \
      | grep -v 'platform/gateway-api/chart/templates'
  platform/gitea/chart/values.yaml:168:    sectionName: https
  platform/grafana/chart/values.yaml:124:    sectionName: https
  platform/harbor/chart/values.yaml:437:    sectionName: https
  platform/keycloak/chart/values.yaml:482:    sectionName: https
  platform/newapi/chart/values.yaml:721:      sectionName: https
  platform/openbao/chart/values.yaml:72:    sectionName: https
  platform/powerdns/chart/values.yaml:407:      sectionName: https
  platform/stalwart-tenant/chart/values.yaml:297:      sectionName: https
  products/catalyst/bootstrap/api/internal/handler/sme_tenant_gitops.go:802:        sectionName: https

Fix (Option C — omit sectionName, same as PR #1888):

  - 8 blueprint values.yaml defaults flipped from `sectionName: https` to
    `sectionName: ""`. The chart templates already guard with `{{- with
    .Values.gateway.parentRef.sectionName }}`, so a blank value drops the
    field entirely and Cilium Gateway matches by hostname filter.

  - platform/newapi/chart/templates/httproute.yaml was the outlier: it
    used `default "https" $parent.sectionName` which fell back to `https`
    even when values.yaml said empty. Rewritten to `{{- with
    $parent.sectionName }}` so empty drops the field — same pattern as
    the other 7 blueprints.

  - products/catalyst/bootstrap/api/internal/handler/sme_tenant_gitops.go
    renders a per-tenant bp-keycloak HelmRelease and injected
    `sectionName: https` into spec.values. Flipped to `sectionName: ""`
    so the bp-keycloak chart's `{{- with }}` guard drops the field.

Validation (real `helm template`, default values, gateway enabled, no
sectionName override) — Principle #15:

  gitea            : sectionName lines in rendered output = 0
  grafana          : sectionName lines in rendered output = 0
  harbor           : sectionName lines in rendered output = 0
  keycloak         : sectionName lines in rendered output = 0
  openbao          : sectionName lines in rendered output = 0
  powerdns         : sectionName lines in rendered output = 0
  newapi           : sectionName lines in rendered output = 0
  stalwart-tenant  : sectionName lines in rendered output = 0

Override path preserved — `--set ...parentRef.sectionName=https-omani-works`
on each chart renders `sectionName: "https-omani-works"` correctly,
so operators on single-zone clusters or non-Cilium gateways can still
pin explicitly via bootstrap-kit overlay.

helm lint clean on all 8 blueprint charts (newapi cnpg-cluster.yaml lint
error is pre-existing on origin/main, unrelated to this fix).

Chart bumps (each blueprint also bumps blueprint.yaml spec.version per
#817 lockstep):
  bp-gitea            1.2.7  -> 1.2.8
  bp-grafana          1.0.1  -> 1.0.2
  bp-harbor           1.2.17 -> 1.2.18
  bp-keycloak         1.4.5  -> 1.4.6
  bp-newapi           1.4.22 -> 1.4.23
  bp-openbao          1.2.16 -> 1.2.17
  bp-powerdns         1.2.3  -> 1.2.4
  bp-stalwart-tenant  0.1.2  -> 0.1.3

Refs TBD-A40.

Co-authored-by: hatiyildiz <hatice.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
e3mrah 2026-05-19 07:57:12 +04:00 committed by GitHub
parent 9657448a72
commit 0a45a790e7
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
26 changed files with 110 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
platform/gitea/blueprint.yaml
View File

@ -5,7 +5,7 @@ metadata:
labels: labels:
catalyst.openova.io/section: pts-2-3-per-sovereign-supporting-services catalyst.openova.io/section: pts-2-3-per-sovereign-supporting-services
spec: spec:
version: 1.2.7 version: 1.2.8
card: card:
title: gitea title: gitea
summary: Gitea — per-Sovereign Git server. Catalyst control plane. Hosts catalog (public Blueprint mirror), catalog-sovereign (Sovereign-curated private Blueprints), one Gitea Org per Catalyst Organization, and system (sovereign-admin scope). summary: Gitea — per-Sovereign Git server. Catalyst control plane. Hosts catalog (public Blueprint mirror), catalog-sovereign (Sovereign-curated private Blueprints), one Gitea Org per Catalyst Organization, and system (sovereign-admin scope).

6
platform/gitea/chart/Chart.yaml
View File

@ -4,7 +4,11 @@ name: bp-gitea
# hook image switched from curlimages/curl:8.10.1 to # hook image switched from curlimages/curl:8.10.1 to
# harbor.openova.io/proxy-dockerhub/curlimages/curl:8.10.1 per CLAUDE.md # harbor.openova.io/proxy-dockerhub/curlimages/curl:8.10.1 per CLAUDE.md
# inviolable rule. # inviolable rule.
version: 1.2.7 # 1.2.8 (Fix #1902, TBD-A40, 2026-05-19): omit HTTPRoute parentRef
# sectionName by default — multi-zone Sovereigns rename HTTPS listeners
# to https-<sanitised-zone>, breaking NoMatchingListener with the prior
# pinned sectionName: https. Matches the catalyst-system fix in PR #1888.
version: 1.2.8
description: | description: |
Catalyst-curated Blueprint umbrella chart for Gitea. Depends on the Catalyst-curated Blueprint umbrella chart for Gitea. Depends on the
upstream `gitea` chart (dl.gitea.com) as a Helm subchart so upstream `gitea` chart (dl.gitea.com) as a Helm subchart so

6
platform/gitea/chart/values.yaml
View File

@ -165,4 +165,8 @@ gateway:
parentRef: parentRef:
name: cilium-gateway name: cilium-gateway
namespace: kube-system namespace: kube-system
sectionName: https # sectionName intentionally empty — multi-zone Sovereigns rename HTTPS
# listeners to https-<sanitised-zone> (e.g. https-omani-works), so
# pinning sectionName: https breaks NoMatchingListener. Cilium Gateway
# matches by hostname filter. See PR #1888 / TBD-A40 / issue #1902.
sectionName: ""

2
platform/grafana/blueprint.yaml
View File

@ -5,7 +5,7 @@ metadata:
labels: labels:
catalyst.openova.io/section: pts-3-observability catalyst.openova.io/section: pts-3-observability
spec: spec:
version: 1.0.1 version: 1.0.2
card: card:
title: Grafana title: Grafana
family: insights family: insights

6
platform/grafana/chart/Chart.yaml
View File

@ -11,7 +11,11 @@ description: |
(logs), bp-tempo (traces), bp-mimir (metrics), and bp-alloy or (logs), bp-tempo (traces), bp-mimir (metrics), and bp-alloy or
bp-opentelemetry (collection). bp-opentelemetry (collection).
type: application type: application
version: 1.0.1 # 1.0.2 (Fix #1902, TBD-A40, 2026-05-19): omit HTTPRoute parentRef
# sectionName by default — multi-zone Sovereigns rename HTTPS listeners
# to https-<sanitised-zone>, breaking NoMatchingListener with the prior
# pinned sectionName: https. Matches the catalyst-system fix in PR #1888.
version: 1.0.2
appVersion: "12.3.1" appVersion: "12.3.1"
keywords: [catalyst, blueprint, grafana, observability, dashboards] keywords: [catalyst, blueprint, grafana, observability, dashboards]
maintainers: maintainers:

6
platform/grafana/chart/values.yaml
View File

@ -121,4 +121,8 @@ gateway:
parentRef: parentRef:
name: cilium-gateway name: cilium-gateway
namespace: kube-system namespace: kube-system
sectionName: https # sectionName intentionally empty — multi-zone Sovereigns rename HTTPS
# listeners to https-<sanitised-zone> (e.g. https-omani-works), so
# pinning sectionName: https breaks NoMatchingListener. Cilium Gateway
# matches by hostname filter. See PR #1888 / TBD-A40 / issue #1902.
sectionName: ""

2
platform/harbor/blueprint.yaml
View File

@ -5,7 +5,7 @@ metadata:
labels: labels:
catalyst.openova.io/section: pts-3-5-storage-and-data catalyst.openova.io/section: pts-3-5-storage-and-data
spec: spec:
version: 1.2.17 version: 1.2.18
card: card:
title: Harbor title: Harbor
family: foundation family: foundation

6
platform/harbor/chart/Chart.yaml
View File

@ -42,7 +42,11 @@ type: application
# hook image switched from curlimages/curl:8.10.1 to # hook image switched from curlimages/curl:8.10.1 to
# harbor.openova.io/proxy-dockerhub/curlimages/curl:8.10.1 per CLAUDE.md # harbor.openova.io/proxy-dockerhub/curlimages/curl:8.10.1 per CLAUDE.md
# inviolable rule. # inviolable rule.
version: 1.2.17 # 1.2.18 (Fix #1902, TBD-A40, 2026-05-19): omit HTTPRoute parentRef
# sectionName by default — multi-zone Sovereigns rename HTTPS listeners
# to https-<sanitised-zone>, breaking NoMatchingListener with the prior
# pinned sectionName: https. Matches the catalyst-system fix in PR #1888.
version: 1.2.18
appVersion: "2.14.3" appVersion: "2.14.3"
keywords: [catalyst, blueprint, harbor, oci, registry, container] keywords: [catalyst, blueprint, harbor, oci, registry, container]
maintainers: maintainers:

6
platform/harbor/chart/values.yaml
View File

@ -434,7 +434,11 @@ gateway:
parentRef: parentRef:
name: cilium-gateway name: cilium-gateway
namespace: kube-system namespace: kube-system
sectionName: https # sectionName intentionally empty — multi-zone Sovereigns rename HTTPS
# listeners to https-<sanitised-zone> (e.g. https-omani-works), so
# pinning sectionName: https breaks NoMatchingListener. Cilium Gateway
# matches by hostname filter. See PR #1888 / TBD-A40 / issue #1902.
sectionName: ""
# ─── Vendor-agnostic Object Storage backend config (issue #383 / #425) ─── # ─── Vendor-agnostic Object Storage backend config (issue #383 / #425) ───
# #

2
platform/keycloak/blueprint.yaml
View File

@ -5,7 +5,7 @@ metadata:
labels: labels:
catalyst.openova.io/section: pts-2-3-per-sovereign-supporting-services catalyst.openova.io/section: pts-2-3-per-sovereign-supporting-services
spec: spec:
version: 1.4.5 version: 1.4.6
card: card:
title: keycloak title: keycloak
summary: Keycloak — user identity. Topology decided by Sovereign CRD spec.keycloakTopology (per-organization for SME, shared-sovereign for corporate). summary: Keycloak — user identity. Topology decided by Sovereign CRD spec.keycloakTopology (per-organization for SME, shared-sovereign for corporate).

6
platform/keycloak/chart/Chart.yaml
View File

@ -1,6 +1,10 @@
apiVersion: v2 apiVersion: v2
name: bp-keycloak name: bp-keycloak
version: 1.4.5 # 1.4.6 (Fix #1902, TBD-A40, 2026-05-19): omit HTTPRoute parentRef
# sectionName by default — multi-zone Sovereigns rename HTTPS listeners
# to https-<sanitised-zone>, breaking NoMatchingListener with the prior
# pinned sectionName: https. Matches the catalyst-system fix in PR #1888.
version: 1.4.6
description: | description: |
Catalyst-curated Blueprint umbrella chart for Keycloak. Depends on the Catalyst-curated Blueprint umbrella chart for Keycloak. Depends on the
upstream `keycloak` chart (bitnami) as a Helm subchart so upstream `keycloak` chart (bitnami) as a Helm subchart so

6
platform/keycloak/chart/values.yaml
View File

@ -479,4 +479,8 @@ gateway:
parentRef: parentRef:
name: cilium-gateway name: cilium-gateway
namespace: kube-system namespace: kube-system
sectionName: https # sectionName intentionally empty — multi-zone Sovereigns rename HTTPS
# listeners to https-<sanitised-zone> (e.g. https-omani-works), so
# pinning sectionName: https breaks NoMatchingListener. Cilium Gateway
# matches by hostname filter. See PR #1888 / TBD-A40 / issue #1902.
sectionName: ""

2
platform/newapi/blueprint.yaml
View File

@ -6,7 +6,7 @@ metadata:
catalyst.openova.io/category: ai-runtime catalyst.openova.io/category: ai-runtime
catalyst.openova.io/section: pts-4-6-llm-serving catalyst.openova.io/section: pts-4-6-llm-serving
spec: spec:
version: 1.4.22 version: 1.4.23
card: card:
title: NewAPI title: NewAPI
summary: | summary: |

9
platform/newapi/chart/Chart.yaml
View File

@ -245,7 +245,14 @@ name: bp-newapi
# composes on the next reconcile. helm template renders cleanly with # composes on the next reconcile. helm template renders cleanly with
# BOTH the missing-attestation state (no channel) AND the # BOTH the missing-attestation state (no channel) AND the
# fully-populated state (channel composed normally). # fully-populated state (channel composed normally).
version: 1.4.22 # 1.4.23 (Fix #1902, TBD-A40, 2026-05-19): omit HTTPRoute parentRef
# sectionName by default — multi-zone Sovereigns rename HTTPS listeners
# to https-<sanitised-zone>, breaking NoMatchingListener with the prior
# `default "https"` fallback in templates/httproute.yaml. The template
# now uses `{{- with $parent.sectionName }}` to drop the field entirely
# when blank, and values.yaml defaults sectionName to "". Matches the
# catalyst-system fix in PR #1888.
version: 1.4.23
appVersion: "0.13.2" appVersion: "0.13.2"
description: | description: |
Catalyst Blueprint scratch chart for NewAPI — multi-tenant LLM Catalyst Blueprint scratch chart for NewAPI — multi-tenant LLM

11
platform/newapi/chart/templates/httproute.yaml
View File

@ -38,7 +38,12 @@ operator-overridable via values.yaml.
{{- $parent := .Values.ingress.httpRoute.parentRef | default dict -}} {{- $parent := .Values.ingress.httpRoute.parentRef | default dict -}}
{{- $parentName := default "cilium-gateway" $parent.name -}} {{- $parentName := default "cilium-gateway" $parent.name -}}
{{- $parentNs := default "kube-system" $parent.namespace -}} {{- $parentNs := default "kube-system" $parent.namespace -}}
{{- $sectionName := default "https" $parent.sectionName -}} {{- /*
sectionName intentionally omitted when empty/unset — pinning to "https"
broke multi-zone Sovereigns whose Cilium Gateway renames HTTPS listeners
to https-<sanitised-zone> (PR #1888 / TBD-A40 / issue #1902). Gateway API
hostname-matching attaches the route to the right listener anyway.
*/ -}}
apiVersion: gateway.networking.k8s.io/v1 apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute kind: HTTPRoute
metadata: metadata:
@ -50,7 +55,9 @@ spec:
parentRefs: parentRefs:
- name: {{ $parentName | quote }} - name: {{ $parentName | quote }}
namespace: {{ $parentNs | quote }} namespace: {{ $parentNs | quote }}
sectionName: {{ $sectionName | quote }} {{- with $parent.sectionName }}
sectionName: {{ . | quote }}
{{- end }}
hostnames: hostnames:
- {{ $host | quote }} - {{ $host | quote }}
rules: rules:

14
platform/newapi/chart/values.yaml
View File

@ -714,11 +714,15 @@ ingress:
parentRef: parentRef:
name: cilium-gateway name: cilium-gateway
namespace: kube-system namespace: kube-system
# Listener sectionName — single-zone Sovereigns use bare "https" # sectionName intentionally empty — multi-zone Sovereigns rename
# per the t20 listener-naming convention; multi-zone Sovereigns # HTTPS listeners to https-<sanitised-zone> (e.g. https-omani-works,
# override to "https-<sanitised-zone>" via the bootstrap-kit # https-omani-homes), so pinning sectionName: https breaks every
# overlay. # public HTTPRoute with NoMatchingListener. Cilium Gateway selects
sectionName: https # the listener by hostname filter when sectionName is omitted. See
# PR #1888 (catalyst-system) / TBD-A40 / issue #1902. Operators may
# still override via a bootstrap-kit overlay for non-Cilium
# gateways that REQUIRE an explicit sectionName.
sectionName: ""
# ─── NetworkPolicy ─────────────────────────────────────────────────────── # ─── NetworkPolicy ───────────────────────────────────────────────────────
# Default-allow ingress from the platform's gateway namespace; egress # Default-allow ingress from the platform's gateway namespace; egress
# to Postgres, Valkey, Keycloak, in-cluster vLLM, DNS, and the operator- # to Postgres, Valkey, Keycloak, in-cluster vLLM, DNS, and the operator-

2
platform/openbao/blueprint.yaml
View File

@ -5,7 +5,7 @@ metadata:
labels: labels:
catalyst.openova.io/section: pts-2-3-per-sovereign-supporting-services catalyst.openova.io/section: pts-2-3-per-sovereign-supporting-services
spec: spec:
version: 1.2.16 version: 1.2.17
card: card:
title: openbao title: openbao
summary: OpenBao secret backend. 3-node Raft per region (independent quorum, async perf-replication across regions). MPL 2.0 — drop-in Vault replacement. summary: OpenBao secret backend. 3-node Raft per region (independent quorum, async perf-replication across regions). MPL 2.0 — drop-in Vault replacement.

6
platform/openbao/chart/Chart.yaml
View File

@ -1,6 +1,10 @@
apiVersion: v2 apiVersion: v2
name: bp-openbao name: bp-openbao
version: 1.2.16 # 1.2.17 (Fix #1902, TBD-A40, 2026-05-19): omit HTTPRoute parentRef
# sectionName by default — multi-zone Sovereigns rename HTTPS listeners
# to https-<sanitised-zone>, breaking NoMatchingListener with the prior
# pinned sectionName: https. Matches the catalyst-system fix in PR #1888.
version: 1.2.17
description: | description: |
Catalyst-curated Blueprint umbrella chart for OpenBao. Depends on the Catalyst-curated Blueprint umbrella chart for OpenBao. Depends on the
upstream `openbao` chart as a Helm subchart so `helm dependency build` upstream `openbao` chart as a Helm subchart so `helm dependency build`

6
platform/openbao/chart/values.yaml
View File

@ -69,7 +69,11 @@ gateway:
parentRef: parentRef:
name: cilium-gateway name: cilium-gateway
namespace: kube-system namespace: kube-system
sectionName: https # sectionName intentionally empty — multi-zone Sovereigns rename HTTPS
# listeners to https-<sanitised-zone> (e.g. https-omani-works), so
# pinning sectionName: https breaks NoMatchingListener. Cilium Gateway
# matches by hostname filter. See PR #1888 / TBD-A40 / issue #1902.
sectionName: ""
# ─── Auto-unseal flow (issue #316) ───────────────────────────────────────── # ─── Auto-unseal flow (issue #316) ─────────────────────────────────────────
# Catalyst-curated post-install Job that runs `bao operator init` on a # Catalyst-curated post-install Job that runs `bao operator init` on a

2
platform/powerdns/blueprint.yaml
View File

@ -6,7 +6,7 @@ metadata:
catalyst.openova.io/category: per-host-cluster-infrastructure catalyst.openova.io/category: per-host-cluster-infrastructure
catalyst.openova.io/section: pts-3-2-gitops-and-iac catalyst.openova.io/section: pts-3-2-gitops-and-iac
spec: spec:
version: 1.2.3 version: 1.2.4
card: card:
title: PowerDNS title: PowerDNS
summary: | summary: |

6
platform/powerdns/chart/Chart.yaml
View File

@ -1,6 +1,10 @@
apiVersion: v2 apiVersion: v2
name: bp-powerdns name: bp-powerdns
version: 1.2.3 # 1.2.4 (Fix #1902, TBD-A40, 2026-05-19): omit HTTPRoute parentRef
# sectionName by default — multi-zone Sovereigns rename HTTPS listeners
# to https-<sanitised-zone>, breaking NoMatchingListener with the prior
# pinned sectionName: https. Matches the catalyst-system fix in PR #1888.
version: 1.2.4
description: | description: |
Catalyst-curated Blueprint wrapper for PowerDNS Authoritative. Catalyst-curated Blueprint wrapper for PowerDNS Authoritative.
Carries Catalyst-specific values.yaml + templates (CNPG cluster, dnsdist Carries Catalyst-specific values.yaml + templates (CNPG cluster, dnsdist

6
platform/powerdns/chart/values.yaml
View File

@ -404,7 +404,11 @@ api:
parentRef: parentRef:
name: cilium-gateway name: cilium-gateway
namespace: kube-system namespace: kube-system
sectionName: https # sectionName intentionally empty — multi-zone Sovereigns rename HTTPS
# listeners to https-<sanitised-zone> (e.g. https-omani-works), so
# pinning sectionName: https breaks NoMatchingListener. Cilium Gateway
# matches by hostname filter. See PR #1888 / TBD-A40 / issue #1902.
sectionName: ""
# Backend defaults to the existing powerdns subchart Service # Backend defaults to the existing powerdns subchart Service
backendService: "" # default: powerdns backendService: "" # default: powerdns
backendPort: 8081 # matches powerdns.powerdns.webserver.bindPort default backendPort: 8081 # matches powerdns.powerdns.webserver.bindPort default

2
platform/stalwart-tenant/blueprint.yaml
View File

@ -15,7 +15,7 @@ spec:
# `claimName`, `claimGroups`). setupJob defaults to enabled so a # `claimName`, `claimGroups`). setupJob defaults to enabled so a
# fresh tenant has working OIDC at t=0. # fresh tenant has working OIDC at t=0.
# Per #817 Chart.yaml version MUST equal blueprint.yaml spec.version. # Per #817 Chart.yaml version MUST equal blueprint.yaml spec.version.
version: 0.1.2 version: 0.1.3
card: card:
title: Stalwart (per-tenant) title: Stalwart (per-tenant)
summary: | summary: |

6
platform/stalwart-tenant/chart/Chart.yaml
View File

@ -51,7 +51,11 @@ name: bp-stalwart-tenant
# `stalwart-cli` + `curl` — no new image needed. # `stalwart-cli` + `curl` — no new image needed.
# #
# Per #817 Chart.yaml version MUST equal blueprint.yaml spec.version. # Per #817 Chart.yaml version MUST equal blueprint.yaml spec.version.
version: 0.1.2 # 0.1.3 (Fix #1902, TBD-A40, 2026-05-19): omit HTTPRoute parentRef
# sectionName by default — multi-zone Sovereigns rename HTTPS listeners
# to https-<sanitised-zone>, breaking NoMatchingListener with the prior
# pinned sectionName: https. Matches the catalyst-system fix in PR #1888.
version: 0.1.3
appVersion: "0.16.3" appVersion: "0.16.3"
description: | description: |
Catalyst Blueprint scratch chart for a per-SME (per-vcluster) dedicated Catalyst Blueprint scratch chart for a per-SME (per-vcluster) dedicated

6
platform/stalwart-tenant/chart/values.yaml
View File

@ -294,7 +294,11 @@ ingress:
parentRef: parentRef:
name: cilium-gateway name: cilium-gateway
namespace: kube-system namespace: kube-system
sectionName: https # sectionName intentionally empty — multi-zone Sovereigns rename HTTPS
# listeners to https-<sanitised-zone> (e.g. https-omani-works), so
# pinning sectionName: https breaks NoMatchingListener. Cilium Gateway
# matches by hostname filter. See PR #1888 / TBD-A40 / issue #1902.
sectionName: ""
# cert-manager Certificate (mode=ingress only). Gateway mode relies # cert-manager Certificate (mode=ingress only). Gateway mode relies
# on the gateway's wildcard cert. # on the gateway's wildcard cert.
tls: tls:

7
products/catalyst/bootstrap/api/internal/handler/sme_tenant_gitops.go
View File

@ -799,7 +799,12 @@ spec:
parentRef: parentRef:
name: cilium-gateway name: cilium-gateway
namespace: kube-system namespace: kube-system
sectionName: https # sectionName omitted multi-zone Sovereigns rename HTTPS listeners
# to https-<sanitised-zone> (e.g. https-omani-works). The bp-keycloak
# chart template guards `{{- with .Values.gateway.parentRef.sectionName }}`
# so a blank value drops the field entirely; Cilium Gateway then
# matches by hostname filter. See PR #1888 / TBD-A40 / issue #1902.
sectionName: ""
# Outbound realm email Phase-1 mothership relay. Operator overlay # Outbound realm email Phase-1 mothership relay. Operator overlay
# (or future tenant-Stalwart sub-issue) overrides host/port once # (or future tenant-Stalwart sub-issue) overrides host/port once
# tenant-local SMTP is shipped. # tenant-local SMTP is shipped.