Cilium gatewayAPI.hostNetwork.enabled=true was set in values.yaml, but without nodes.matchLabels Cilium silently DISABLES hostNetwork mode. The configmap key gateway-api-hostnetwork-nodelabelselector is rendered EMPTY → eBPF redirect for the gateway NodePorts is never programmed → envoy listener has empty bind address → incoming 30443/30080 traffic dead-ends at the Hetzner LB target.

Caught on prov #76 (omantel.biz, 2026-05-14): public TLS handshake to console.omantel.biz returns SSL_ERROR_SYSCALL because envoy isn't listening on the NodePort. cilium service list shows zero 30443/30080 entries. cilium proxy status shows 0 redirects active.

Set nodes.matchLabels: kubernetes.io/os: linux (every k3s node carries this label) so the gateway listener is exposed on every CP.

Chart: 1.3.4 → 1.3.5. bootstrap-kit slot 01 version pin bumped to match.

Co-authored-by: e3mrah <catalyst@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
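A pre-deploy check for the failure described in the commit message above, as an added example (not code from this repository): it scans a rendered cilium-config ConfigMap and flags hostNetwork mode enabled with an empty node label selector. The enable key name `gateway-api-hostnetwork-enabled`, the sample manifests and the function names are assumptions constructed for the illustration.

```python
import re

ENABLED_KEY = "gateway-api-hostnetwork-enabled"  # assumed name of the enable key
SELECTOR_KEY = "gateway-api-hostnetwork-nodelabelselector"  # key named in the commit message

# Constructed sample: rendered ConfigMap with the selector left empty.
BROKEN = '''apiVersion: v1
kind: ConfigMap
metadata:
  name: cilium-config
data:
  enable-gateway-api: "true"
  gateway-api-hostnetwork-enabled: "true"
  gateway-api-hostnetwork-nodelabelselector: ""
'''
# Constructed sample: same manifest with a selector rendered from nodes.matchLabels.
FIXED = BROKEN.replace('nodelabelselector: ""',
                       'nodelabelselector: "kubernetes.io/os=linux"')

def parse_configmap_data(rendered):
    """Collect flat `key: "value"` pairs under the top-level `data:` block."""
    data, in_data = {}, False
    for line in rendered.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):          # a new top-level key starts here
            in_data = line.rstrip() == "data:"
            continue
        if in_data:
            m = re.match(r"\s+([\w.-]+):\s*(.*)$", line)
            if m:
                data[m.group(1)] = m.group(2).strip().strip("\"'")
    return data

def check_hostnetwork(rendered):
    """Return findings when hostNetwork is enabled but no node selector is set."""
    data = parse_configmap_data(rendered)
    enabled = data.get(ENABLED_KEY, "false").lower() == "true"
    selector = data.get(SELECTOR_KEY, "")     # a missing key counts as empty
    if enabled and not selector:
        return [f"{ENABLED_KEY} is true but {SELECTOR_KEY} is empty: "
                "gateway listener will not be exposed on any node"]
    return []

if __name__ == "__main__":
    for name, manifest in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_hostnetwork(manifest) or "ok")
```

Run against `helm template` output in CI, a non-empty result should fail the pipeline before the chart reaches a cluster.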