fix(httproutes): retarget guacamole-server + openova-flow-server to cilium-gateway in kube-system (Refs TBD-G6, C12-004) (#1692)

On t22 (omantel.biz fresh Sovereign) 2 of 15 HTTPRoutes went Accepted=False because their parentRef pointed at a gateway that does not exist on any Sovereign: catalyst-system/guacamole-server -> gateway-system/cilium-gateway catalyst-system/openova-flow-server -> kube-system/catalyst-gateway The canonical Sovereign Gateway is kube-system/cilium-gateway, installed by bootstrap-kit/01-cilium.yaml and used by every other HTTPRoute (catalyst-api, catalyst-ui, marketplace, gitea, harbor, keycloak, grafana, hubble-ui, openbao, powerdns, tenant-wildcard). gateway-system does not exist; catalyst-gateway does not exist. Fixes: - platform/guacamole/chart/values.yaml — default guacamole.httproute.parentRef.namespace: gateway-system -> kube-system - clusters/_template/bootstrap-kit/56-bp-openova-flow-server.yaml — flowServer.httproute.gatewayRef.name: catalyst-gateway -> cilium-gateway (namespace already kube-system, untouched) Verified on t22: all 15 HTTPRoutes now Accepted=True after chart bump + Flux reconcile. Co-authored-by: hatiyildiz <hatice.yildiz@openova.io> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-18 16:38:17 +04:00 · 2026-05-18 16:38:17 +04:00 · c1a364b631
commit c1a364b631
parent 93fa6c53ed
2 changed files with 17 additions and 5 deletions
--- a/clusters/_template/bootstrap-kit/56-bp-openova-flow-server.yaml
+++ b/clusters/_template/bootstrap-kit/56-bp-openova-flow-server.yaml
@ -101,6 +101,13 @@ spec:
        # overlay disables when only the in-cluster Service is needed.
        enabled: true
        hostname: openova-flow.${SOVEREIGN_FQDN}
+        # Canonical Sovereign Gateway — every other HTTPRoute
+        # (catalyst-api, catalyst-ui, marketplace, gitea, harbor,
+        # keycloak, …) parents to kube-system/cilium-gateway installed
+        # by bootstrap-kit/01-cilium.yaml. Fix (TBD-G6 / C12-004):
+        # the previous value `catalyst-gateway` does not exist on any
+        # Sovereign — the HTTPRoute went Accepted=False with "no
+        # matching parent" on t22.
        gatewayRef:
-          name: catalyst-gateway
+          name: cilium-gateway
          namespace: kube-system
--- a/platform/guacamole/chart/values.yaml
+++ b/platform/guacamole/chart/values.yaml
@ -137,12 +137,17 @@ guacamole:
  # ── HTTPRoute (Cilium Gateway) ─────────────────────────────────
  httproute:
    enabled: true
-    # Gateway reference. Defaults to the Sovereign's well-known
-    # `cilium-gateway` in namespace `gateway-system`; per-Sovereign
-    # overlay can rebind.
+    # Gateway reference. Defaults to the Sovereign's canonical
+    # `cilium-gateway` in namespace `kube-system` (installed by
+    # bootstrap-kit/01-cilium.yaml — every other Sovereign HTTPRoute
+    # in catalyst-system/gitea/keycloak/harbor/grafana/openbao/etc.
+    # parents to this gateway). Per-Sovereign overlay can rebind.
+    # Fix (TBD-G6 / C12-004): previously defaulted to namespace
+    # `gateway-system`, which has no Gateway on any Sovereign — the
+    # HTTPRoute went Accepted=False with "no matching parent" on t22.
    parentRef:
      name: cilium-gateway
-      namespace: gateway-system
+      namespace: kube-system
    # Hostname this Guacamole answers on. Empty value fails the
    # helm template render (see _helpers.tpl `bp-guacamole.host`).
    hostname: ""