Skip to content

fix: add HTTP redirect route to ListenerSet for apex domain#517

Merged
TineoC merged 1 commit into
developfrom
fix/balancerproject-org-envoy-http-redirect
Jul 14, 2026
Merged

fix: add HTTP redirect route to ListenerSet for apex domain#517
TineoC merged 1 commit into
developfrom
fix/balancerproject-org-envoy-http-redirect

Conversation

@TineoC

@TineoC TineoC commented Jul 14, 2026

Copy link
Copy Markdown
Collaborator

Description

Fixes the HTTP 404 issue for balancerproject.org apex when DNS points at the Envoy LB. The per-app ListenerSet claimed the apex hostname for HTTPS only, which prevented the shared main-gateway's HTTP→HTTPS redirect from applying.

Changes

  • base/httproute.yaml — Added balancer-http-redirect HTTPRoute attached to the sectionName: http listener, returning 301→HTTPS
  • base/gateway-listeners.yaml — Updated ClusterIssuer annotation to letsencrypt-prod-gateway (matches the cluster's Gateway-specific issuer)
  • base/kustomization.yaml — Added generatorOptions.disableNameSuffixHash: true to prevent ConfigMap hash suffix causing ArgoCD drift
  • overlays/production/kustomization.yaml — Added patch for new balancer-http-redirect hostname
  • overlays/sandbox/kustomization.yaml — Added patch for new balancer-http-redirect hostname

Related

Verification

kustomize build deploy/manifests/balancer/overlays/production/  # PASS
kustomize build deploy/manifests/balancer/overlays/sandbox/    # PASS

Both builds include the redirect HTTPRoute with correct hostname.

- Add balancer-http-redirect HTTPRoute attached to http sectionName
  in the ListenerSet, returning 301→HTTPS for balancerproject.org
- Set disableNameSuffixHash to prevent ConfigMap hash suffix drift
- Update ClusterIssuer annotation to letsencrypt-prod-gateway
- Add overlay patches for both production and sandbox hostnames

Refs: CodeForPhilly/cfp-live-cluster#160
@TineoC TineoC merged commit 1b93133 into develop Jul 14, 2026
1 check passed
@TineoC TineoC deleted the fix/balancerproject-org-envoy-http-redirect branch July 14, 2026 16:59
themightychris added a commit that referenced this pull request Jul 14, 2026
This repo cannot know the cluster it lands in, and gateway-listeners.yaml was
trying to. Between them, the ListenerSet and its routes hardcoded four facts
about cfp-live-cluster — the shared Gateway's name and namespace, the
ClusterIssuer, the TLS Secret name, and the ListenerSet API itself — and three
were wrong there:

  - cert-manager.io/cluster-issuer: letsencrypt-prod is dead. It solves ACME
    over ingress-nginx, which requires PROXY protocol on every connection and
    is therefore unreachable from inside the cluster. No certificate has issued
    through it since May.
  - certificateRefs: balancer-tls is the legacy Ingress Secret. Gateway certs
    are <app>-gw-tls.
  - ListenerSet is not reconciled by Envoy Gateway v1.7.3. It watches
    XListenerSet and logs "XListenerSet CRD not found, skipping XListenerSet
    watch". The object applies cleanly and is then ignored — the app just has
    no listener, with nothing in any log to say why.

None of that is a mistake anyone could have avoided from this repo. It isn't
knowable here. So stop trying to know it.

Split on what each side actually knows:

  this repo -> HTTPRoute: paths, backend Services, ports. App facts. They
               change when the app changes, in the same commit.
  cluster   -> Gateway: listeners, hostnames, TLS, issuers. Cluster facts. They
               differ per environment and are shared with every other app.

The route now attaches to a Gateway the cluster provides, named after the app,
and declares no hostnames — a route that omits hostnames inherits them from the
listeners it attaches to. So one file serves balancerproject.org in live and
balancer.sandbox.k8s.phl.io in sandbox, with no patches and no placeholders.
The HOSTNAME_PLACEHOLDER substitutions and the overlay routing patches are gone.

Drops balancer-http-redirect too: the cluster already redirects every hostname
reaching it on port 80. Worse than redundant — a route claiming an exact
hostname on the shared HTTP listener outranks the catch-all redirect and can
shadow cert-manager's ACME solver route, which is what produced the apex 404
that #517 set out to fix. That 404 was a stuck certificate, and it cleared the
moment the cert issued.

Adds a README stating the contract, so the next person doesn't have to infer it.

Refs CodeForPhilly/cfp-live-cluster#166, #168
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant