openova/infra
e3mrah cc13aec980
fix(sovereign-tls): bare https/http listener names when single parent zone (collision with chart HTTPRoutes sectionName) (#1682)
PR #1640 renamed Cilium Gateway listeners to `https-<sanitised-zone>` /
`http-<sanitised-zone>` to support multi-zone Sovereigns (primary +
SME pool). That broke single-zone Sovereigns because every platform
chart's HTTPRoute (harbor, keycloak, grafana, gitea, openbao, powerdns,
stalwart-tenant) hardcodes `parentRefs[0].sectionName: https`. Result:
every HTTPRoute reports `Accepted=False NoMatchingListener`, Sovereign
Console / Harbor / Keycloak etc. unreachable through the Gateway.

Fix: when `len(parent_domains_decoded) == 1` (the common case), render
listener names as the bare strings `https` / `http`. When > 1 (SME pool
present), keep the unique `https-<zone>` / `http-<zone>` naming so the
Gateway controller doesn't hit a duplicate-name Conflicting condition.

Multi-zone tenants whose HTTPRoutes must attach under a non-primary
zone override `sectionName` via values.yaml — out of scope here.

The per-zone certificateRefs.name (`sovereign-wildcard-tls-<sanitised-zone>`)
is unchanged — independent of the listener name.

Verified: kubectl kustomize clusters/_template/sovereign-tls/ clean.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-18 14:51:42 +04:00
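A pre-deploy check for the listener-name / `sectionName` agreement the commit describes, as an added example that is not code from openova/infra. It assumes the naming rule stated in the message (one parent zone gives bare `https`/`http`, several give `https-<zone>`/`http-<zone>`); the zone sanitiser (dots to hyphens, lower-case) and the `always_suffix` switch that reproduces the pre-fix PR #1640 behaviour are assumptions for illustration.

```python
"""Check that chart HTTPRoutes will attach to the rendered Gateway listeners.

Assumed rule (from the commit message): with one parent zone the listeners
are named `https` / `http`; with more than one they are `https-<zone>` /
`http-<zone>` so the Gateway controller does not see duplicate names.
"""
from __future__ import annotations


def sanitise_zone(zone: str) -> str:
    # Assumed sanitiser: listener names must be DNS-label-like, so dots
    # become hyphens. The real template may sanitise differently.
    return zone.lower().strip(".").replace(".", "-")


def render_listener_names(parent_domains_decoded: list[str],
                          always_suffix: bool = False) -> list[str]:
    """Listener names the Gateway would carry for the given parent zones.

    always_suffix=True mimics the PR #1640 behaviour that broke single-zone
    Sovereigns (suffix applied even when there is only one zone).
    """
    if len(parent_domains_decoded) == 1 and not always_suffix:
        return ["https", "http"]                  # common single-zone case
    names: list[str] = []
    for zone in parent_domains_decoded:           # multi-zone: unique names
        z = sanitise_zone(zone)
        names += [f"https-{z}", f"http-{z}"]
    return names


def check_routes(parent_domains_decoded: list[str], routes: dict[str, str],
                 always_suffix: bool = False) -> dict[str, str]:
    """Map each HTTPRoute name to 'Accepted' or 'NoMatchingListener'.

    `routes` maps a chart's HTTPRoute name to its parentRefs[0].sectionName.
    Duplicate listener names are rejected up front, since the Gateway would
    report a Conflicting condition for them.
    """
    listeners = render_listener_names(parent_domains_decoded, always_suffix)
    if len(listeners) != len(set(listeners)):
        raise ValueError("duplicate listener names: Gateway reports Conflicting")
    return {name: ("Accepted" if section in listeners else "NoMatchingListener")
            for name, section in routes.items()}


# Constructed sample: the charts named in the commit all hardcode `https`.
CHART_ROUTES = {c: "https" for c in ("harbor", "keycloak", "grafana", "gitea",
                                     "openbao", "powerdns", "stalwart-tenant")}

if __name__ == "__main__":
    print(check_routes(["sovereign.example"], CHART_ROUTES))
    print(check_routes(["sovereign.example"], CHART_ROUTES, always_suffix=True))
```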