fix(gateway): remove separate tls-passthrough gateway

It appears to work without a separate Gateway now. Should investigate if https://github.com/cilium/cilium/issues/32371 can be closed Signed-off-by: Vegard Hagen <vegard@stonegarden.dev>
2026-01-27 10:19:14 +00:00 · 2025-07-19 22:32:17 +02:00
parent a788e2e12c
commit a2d0e263f0
8 changed files with 10 additions and 126 deletions
--- a/k8s/apps/external/proxmox/tls-route.yaml
+++ b/k8s/apps/external/proxmox/tls-route.yaml
@@ -1,15 +1,11 @@
 apiVersion: gateway.networking.k8s.io/v1alpha2
 kind: TLSRoute
 metadata:
-  name: proxmox-tls
+  name: proxmox
  namespace: proxmox
 spec:
  parentRefs:
-    - name: tls-passthrough
-      namespace: gateway
-  hostnames:
-    - "proxmox.stonegarden.dev"
+    - { name: internal, namespace: gateway }
+  hostnames: [ proxmox.stonegarden.dev ]
  rules:
-    - backendRefs:
-        - name: proxmox
-          port: 443
+    - backendRefs: [ { name: proxmox, port: 443 } ]
--- a/k8s/apps/external/truenas/tls-route.yaml
+++ b/k8s/apps/external/truenas/tls-route.yaml
@@ -5,11 +5,7 @@ metadata:
  namespace: truenas
 spec:
  parentRefs:
-    - name: tls-passthrough
-      namespace: gateway
-  hostnames:
-    - "truenas.stonegarden.dev"
+    - { name: internal, namespace: gateway }
+  hostnames: [ truenas.stonegarden.dev ]
  rules:
-    - backendRefs:
-        - name: truenas
-          port: 443
+    - backendRefs: [ { name: truenas, port: 443 } ]
--- a/k8s/infra/controllers/argocd/http-route.yaml
+++ b/k8s/infra/controllers/argocd/http-route.yaml
@@ -1,26 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: argocd
-  namespace: argocd
-spec:
-  parentRefs:
-    - name: internal
-      namespace: gateway
-  hostnames:
-    - "argocd.stonegarden.dev"
-  rules:
-    - matches:
-        - path:
-            type: PathPrefix
-            value: /
-      backendRefs:
-        - name: argocd-server
-          port: 80
-#    - matches:
-#        - headers:
-#            - name: Content-Type
-#              value: application/grpc
-#      backendRefs:
-#        - name: argocd-server
-#          port: 80
--- a/k8s/infra/controllers/argocd/tls-route.yaml
+++ b/k8s/infra/controllers/argocd/tls-route.yaml
@@ -5,11 +5,7 @@ metadata:
  namespace: argocd
 spec:
  parentRefs:
-    - name: internal
-      namespace: gateway
-  hostnames:
-    - "argocd.stonegarden.dev"
+    - { name: internal, namespace: gateway }
+  hostnames: [ argocd.stonegarden.dev ]
  rules:
-    - backendRefs:
-        - name: argocd-server
-          port: 443
+    - backendRefs: [ { name: argocd-server, port: 443 } ]
--- a/k8s/infra/network/gateway/gw-tls-passthrough.yaml
+++ b/k8s/infra/network/gateway/gw-tls-passthrough.yaml
@@ -1,29 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: Gateway
-metadata:
-  name: tls-passthrough
-  namespace: gateway
-spec:
-  gatewayClassName: cilium
-  infrastructure:
-    annotations:
-      io.cilium/lb-ipam-ips: 192.168.1.221
-  listeners:
-    - protocol: TLS
-      port: 443
-      name: proxmox
-      hostname: "proxmox.stonegarden.dev"
-      tls:
-        mode: Passthrough
-      allowedRoutes:
-        namespaces:
-          from: All
-    - protocol: TLS
-      port: 443
-      name: truenas
-      hostname: "truenas.stonegarden.dev"
-      tls:
-        mode: Passthrough
-      allowedRoutes:
-        namespaces:
-          from: All
--- a/k8s/infra/network/gateway/kustomization.yaml
+++ b/k8s/infra/network/gateway/kustomization.yaml
@@ -7,4 +7,3 @@ resources:
  - ns.yaml
  - gw-external.yaml
  - gw-internal.yaml
-  - gw-tls-passthrough.yaml
--- a/tofu/kubernetes/REMOTE_BACKEND.md
+++ b/tofu/kubernetes/REMOTE_BACKEND.md
@@ -1,42 +0,0 @@
-## GCS Remote
-
-1. Create a [Service Account](https://cloud.google.com/iam/docs/service-accounts-create) named tofu (after enabling the
-   IAM API if needed). Leave the permissions blank.
-2. Create and download the [service account key](https://cloud.google.com/iam/docs/keys-create-delete#creating).
-3. Create a GCS bucket for tofu state with public access prevention and versioning as necessary.
-4. In the permissions tab of the bucket, give **Storage Object Admin** access to the service account.
-5. Copy backend.tf.sample to backend.tf and make necessary changes.
-
-```shell
-cp remote_backend.tf.sample remote_backend.tf
-```
-
-### Encryption key
-
-Generate the encryption key
-
-```shell
-python3 -c 'import os;import base64;print(base64.b64encode(os.urandom(32)).decode("utf-8"))'
-```
-
-`Without the encryption key, your state would not be recoverable. Store in a password manager, if not using any kms like bws.`
-
-### Environment variables
-
-```shell
-export GOOGLE_APPLICATION_CREDENTIALS="<YOUR_DOWNLOADED_KEY_PATH>"
-export GOOGLE_ENCRYPTION_KEY="<YOUR_GENERATED_ENCRYPTION_KEY>"
-```
-
-Run tofu init / plan / apply as usual.
-
-### Bitwarden Secrets Manager
-
-Store the downloaded key contents and generated encryption key into GOOGLE_CREDENTIALS and GOOGLE_ENCRYPTION_KEY
-respectively in bws.
-
-Run bws run -- tofu init / plan / apply as usual.
-
-### Beta Notice
-
-`Please treat this as beta and only use for air-gapped installations as of now. Will remove the beta tag after testing it in due course.`
--- a/tofu/kubernetes/remote_backend.tf.sample
+++ b/tofu/kubernetes/remote_backend.tf.sample
@@ -1,6 +0,0 @@
-terraform {
-  backend "gcs" {
-    bucket  = "<YOUR_GCS_BUCKET>"
-    prefix  = "prod/kubernetes"
-  }
-}