From c1a364b63173b8a4c215eabb619271c70bb20bda Mon Sep 17 00:00:00 2001
From: e3mrah <81884938+emrahbaysal@users.noreply.github.com>
Date: Mon, 18 May 2026 16:38:17 +0400
Subject: [PATCH] fix(httproutes): retarget guacamole-server + openova-flow-server to cilium-gateway in kube-system (Refs TBD-G6, C12-004) (#1692)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

On t22 (omantel.biz fresh Sovereign) 2 of 15 HTTPRoutes went Accepted=False because their parentRef pointed at a gateway that does not exist on any Sovereign:
catalyst-system/guacamole-server -> gateway-system/cilium-gateway
catalyst-system/openova-flow-server -> kube-system/catalyst-gateway
The canonical Sovereign Gateway is kube-system/cilium-gateway, installed by bootstrap-kit/01-cilium.yaml and used by every other HTTPRoute (catalyst-api, catalyst-ui, marketplace, gitea, harbor, keycloak, grafana, hubble-ui, openbao, powerdns, tenant-wildcard). gateway-system does not exist; catalyst-gateway does not exist.
Fixes:
- platform/guacamole/chart/values.yaml — default guacamole.httproute.parentRef.namespace: gateway-system -> kube-system
- clusters/_template/bootstrap-kit/56-bp-openova-flow-server.yaml — flowServer.httproute.gatewayRef.name: catalyst-gateway -> cilium-gateway (namespace already kube-system, untouched)
Verified on t22: all 15 HTTPRoutes now Accepted=True after chart bump + Flux reconcile.
Co-authored-by: hatiyildiz
Co-authored-by: Claude Opus 4.7 (1M context)
---
 .../bootstrap-kit/56-bp-openova-flow-server.yaml | 9 ++++++++-
 platform/guacamole/chart/values.yaml | 13 +++++++++----
 2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/clusters/_template/bootstrap-kit/56-bp-openova-flow-server.yaml b/clusters/_template/bootstrap-kit/56-bp-openova-flow-server.yaml
index 9e2d1fbd..816e2daf 100644
--- a/clusters/_template/bootstrap-kit/56-bp-openova-flow-server.yaml
+++ b/clusters/_template/bootstrap-kit/56-bp-openova-flow-server.yaml
@@ -101,6 +101,13 @@ spec:
 # overlay disables when only the in-cluster Service is needed.
 enabled: true
 hostname: openova-flow.${SOVEREIGN_FQDN}
+ # Canonical Sovereign Gateway — every other HTTPRoute
+ # (catalyst-api, catalyst-ui, marketplace, gitea, harbor,
+ # keycloak, …) parents to kube-system/cilium-gateway installed
+ # by bootstrap-kit/01-cilium.yaml. Fix (TBD-G6 / C12-004):
+ # the previous value `catalyst-gateway` does not exist on any
+ # Sovereign — the HTTPRoute went Accepted=False with "no
+ # matching parent" on t22.
 gatewayRef:
- name: catalyst-gateway
+ name: cilium-gateway
 namespace: kube-system
diff --git a/platform/guacamole/chart/values.yaml b/platform/guacamole/chart/values.yaml
index cf53b3c2..46c209aa 100644
--- a/platform/guacamole/chart/values.yaml
+++ b/platform/guacamole/chart/values.yaml
@@ -137,12 +137,17 @@ guacamole:
 # ── HTTPRoute (Cilium Gateway) ─────────────────────────────────
 httproute:
 enabled: true
- # Gateway reference. Defaults to the Sovereign's well-known
- # `cilium-gateway` in namespace `gateway-system`; per-Sovereign
- # overlay can rebind.
+ # Gateway reference. Defaults to the Sovereign's canonical
+ # `cilium-gateway` in namespace `kube-system` (installed by
+ # bootstrap-kit/01-cilium.yaml — every other Sovereign HTTPRoute
+ # in catalyst-system/gitea/keycloak/harbor/grafana/openbao/etc.
+ # parents to this gateway). Per-Sovereign overlay can rebind.
+ # Fix (TBD-G6 / C12-004): previously defaulted to namespace
+ # `gateway-system`, which has no Gateway on any Sovereign — the
+ # HTTPRoute went Accepted=False with "no matching parent" on t22.
 parentRef:
 name: cilium-gateway
- namespace: gateway-system
+ namespace: kube-system
 # Hostname this Guacamole answers on. Empty value fails the
 # helm template render (see _helpers.tpl `bp-guacamole.host`).
 hostname: ""
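Review bot: The comment added above `gatewayRef` in 56-bp-openova-flow-server.yaml records the incident (ticket ids, the old value, the t22 observation) rather than the constraint a later editor has to keep, and that history is already in the commit message. I would keep only the invariant and the dependency it implies, e.g. `# Must name the Gateway installed by bootstrap-kit/01-cilium.yaml; its listeners' allowedRoutes must admit this route's namespace.` The same applies to the comment above `parentRef` in platform/guacamole/chart/values.yaml. The enclosing `spec:` mapping starts outside the hunk, so the route's own namespace (catalyst-system) is taken from the commit message, not from these lines.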
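Review bot: The default `parentRef` in platform/guacamole/chart/values.yaml sets only `name` and `namespace`, so the HTTPRoute attaches to every listener on the shared kube-system/cilium-gateway that admits it. For a remote-access front end that is worth pinning: if that Gateway also has a plain-HTTP listener (not visible in this diff), Guacamole logins would be routable over it. If the chart's HTTPRoute template forwards the field, add `sectionName: <https-listener-name>` under `parentRef` (a placeholder; the listener names presumably live in bootstrap-kit/01-cilium.yaml), and note that the `gatewayRef` in 56-bp-openova-flow-server.yaml has the same shape. The `guacamole:` mapping continues beyond the hunk.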