Migrates every minimal-Sovereign-set blueprint chart from
networking.k8s.io/v1.Ingress to gateway.networking.k8s.io/v1.HTTPRoute,
replacing the legacy Traefik-on-Sovereigns assumption with the canonical
Cilium + Envoy + Gateway API path per ADR-0001 §9.4 and the WBS §2
correction note (#388).
The single per-Sovereign Gateway is added as additional documents in
the existing bootstrap-kit slot clusters/_template/bootstrap-kit/01-cilium.yaml
(NOT a new top-level slot), since Cilium owns the GatewayClass. It
includes:
- Certificate `sovereign-wildcard-tls` requesting `*.${SOVEREIGN_FQDN}`
from `letsencrypt-dns01-prod` (cert-manager + #373 webhook)
- Gateway `cilium-gateway` in `kube-system` with HTTPS (443, TLS
terminate) + HTTP (80) listeners, allowedRoutes.namespaces.from=All
Per-blueprint HTTPRoute templates (canonical seam: each wrapper chart's
existing `templates/` directory):
| Blueprint            | Host pattern                | Backend port |
|----------------------|-----------------------------|--------------|
| bp-keycloak          | auth.<sov>                  | 80           |
| bp-gitea             | git.<sov>                   | 3000         |
| bp-openbao           | bao.<sov>                   | 8200         |
| bp-grafana           | grafana.<sov>               | 80           |
| bp-harbor            | registry.<sov>              | 80           |
| bp-powerdns          | pdns.<sov>/api (dual-mode)  | 8081         |
| bp-catalyst-platform | console.<sov>, api.<sov>    | 80, 8080     |
bp-powerdns supports both Ingress (contabo legacy) and HTTPRoute
(Sovereign) simultaneously — the per-Sovereign overlay sets
`api.gateway.enabled=true` while leaving `api.enabled=true`. The
Ingress object is harmless on Cilium clusters with no Traefik. This
preserves contabo's existing pdns.openova.io flow per ADR-0001 §9.4.
bp-harbor flips `expose.type` from `ingress` to `clusterIP` in
platform/harbor/chart/values.yaml so the upstream chart no longer
emits its own Ingress; the HTTPRoute is the sole HTTP exposure.
TLS terminates at the Gateway (wildcard cert) rather than per-host
Certificates inside the chart.
bp-catalyst-platform's `templates/httproute.yaml` is NOT excluded by
.helmignore (unlike templates/ingress.yaml + templates/ingress-console-tls.yaml,
which remain contabo-only legacy demo infra). The contabo path keeps
serving console.openova.io/sovereign via Traefik unchanged.
Bootstrap-kit slot updates (per-Sovereign hostname interpolation):
- 08-openbao.yaml → gateway.host: bao.${SOVEREIGN_FQDN}
- 09-keycloak.yaml → gateway.host: auth.${SOVEREIGN_FQDN}
- 10-gitea.yaml → gateway.host: gitea.${SOVEREIGN_FQDN}
- 11-powerdns.yaml → api.host: pdns.${SOVEREIGN_FQDN}, api.gateway.enabled: true
- 19-harbor.yaml → gateway.host: registry.${SOVEREIGN_FQDN}
- 25-grafana.yaml → gateway.host: grafana.${SOVEREIGN_FQDN}
Server-side dry-run validation against the live Cilium Gateway API
CRDs on contabo: every HTTPRoute and the per-Sovereign Gateway
+ Certificate apply cleanly via `kubectl apply --dry-run=server`.
Contabo unaffected: clusters/contabo-mkt/* not modified. The legacy
SME ingresses (console-nova, marketplace, admin, axon, talentmesh,
stalwart, ...) continue to serve via Traefik as before. powerdns
on contabo remains on the Ingress path (api.gateway.enabled defaults
to false at the chart level).
Closes #387.
Co-authored-by: hatiyildiz <269457768+hatiyildiz@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
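Added example, not code from the commit or the repository: a small lint that checks rendered HTTPRoute manifests against the conventions the commit describes (parentRef on kube-system/cilium-gateway, hostnames strictly under the Sovereign FQDN, backend port matching the blueprint table). The `SOVEREIGN_FQDN` value, the `httproute()` builder and the sample manifests are constructed for illustration.

```python
import re

GATEWAY_NAME, GATEWAY_NS = "cilium-gateway", "kube-system"
# Host prefix -> allowed backend ports, taken from the blueprint table in the commit.
EXPECTED_PORTS = {
    "auth": {80}, "git": {3000}, "bao": {8200}, "grafana": {80},
    "registry": {80}, "pdns": {8081}, "console": {80}, "api": {8080},
}

def lint_httproute(route: dict, sovereign_fqdn: str) -> list[str]:
    """Return findings for one HTTPRoute; an empty list means it is consistent."""
    findings = []
    spec = route.get("spec", {})
    if not any(p.get("name") == GATEWAY_NAME and p.get("namespace") == GATEWAY_NS
               for p in spec.get("parentRefs", [])):
        findings.append("parentRefs must target kube-system/cilium-gateway")
    host_re = re.compile(r"([a-z0-9-]+)\." + re.escape(sovereign_fqdn))
    ports = {ref.get("port") for rule in spec.get("rules", [])
             for ref in rule.get("backendRefs", [])}
    for host in spec.get("hostnames", []):
        m = host_re.fullmatch(host)
        if not m:  # rejects wildcards and hosts outside the Sovereign zone
            findings.append(f"hostname {host!r} is not <prefix>.{sovereign_fqdn}")
            continue
        allowed = EXPECTED_PORTS.get(m.group(1))
        if allowed is None:
            findings.append(f"hostname {host!r}: prefix not in the blueprint table")
        elif not ports <= allowed:
            findings.append(f"hostname {host!r}: backend ports {sorted(ports)} "
                            f"not in {sorted(allowed)}")
    return findings

def httproute(name, hosts, port, path="/", gw_ns=GATEWAY_NS):
    """Constructed helper: build a minimal HTTPRoute dict shaped like template output."""
    return {"apiVersion": "gateway.networking.k8s.io/v1", "kind": "HTTPRoute",
            "metadata": {"name": name},
            "spec": {"parentRefs": [{"name": GATEWAY_NAME, "namespace": gw_ns}],
                     "hostnames": hosts,
                     "rules": [{"matches": [{"path": {"type": "PathPrefix", "value": path}}],
                                "backendRefs": [{"name": name, "port": port}]}]}}

# Constructed samples (SOVEREIGN_FQDN=sov1.example): the pdns route keeps the /api
# prefix of the dual-mode setup; the gitea route misuses the port and a wildcard host.
SOVEREIGN_FQDN = "sov1.example"
GOOD = httproute("powerdns-api", ["pdns.sov1.example"], 8081, path="/api")
BAD = httproute("gitea", ["*.sov1.example", "git.sov1.example"], 80)

if __name__ == "__main__":
    for r in (GOOD, BAD):
        print(r["metadata"]["name"], lint_httproute(r, SOVEREIGN_FQDN) or "ok")
```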