feat(base): add gateway_public_load_balancer_type and fix public gateway name #392

Merged
gdrojas merged 4 commits into nullplatform:main from serialito74:feat/gateway-public-internal-lb-support
Jun 16, 2026

@serialito74

Contributor

Context

Three issues were found when deploying nullplatform on AKS with a Cloudflare Zero Trust tunnel:

  1. Wrong public gateway name: The nullplatform-base chart was creating the Gateway resource as gateway-public, but the NP agent resolves the gateway name from container-orchestration.gateway.public_name registered via the container_orchestration/aks module, which defaults to internet-facing. The mismatch caused HTTPRoutes to have an unresolvable parentRef; status.parents was always empty and traffic never reached the gateway.

  2. No way to deploy gateway-public as internal LB: Some setups (e.g. Cloudflare Tunnel, VPN) require the public gateway LB to be internal. There was no variable to control this.

  3. helm upgrade aborts with "cannot import" on nullplatform-tools namespace: When Terraform pre-creates the namespace without Helm ownership labels, Helm refuses to take ownership during upgrade and aborts — silently deleting all managed resources including the gateways namespace.

Test plan

  • tofu validate passes
  • Fresh apply → no changes on subsequent plan
  • Apply with gateway_public_load_balancer_type = "internal" → LB provisioned as internal
  • Apply with gateway_public_load_balancer_type = "external" (default) → behavior unchanged from before
  • helm upgrade on existing install → does not abort, gateways namespace preserved

serialito74 and others added 4 commits June 12, 2026 11:26
The hardcoded rename of the public Gateway from "gateway-public" to
"internet-facing" is a breaking change for every existing install: on
the next helm upgrade, Helm deletes the old Gateway and creates the new
one, orphaning every HTTPRoute whose parentRef points to
"gateway-public" and cutting traffic until routes are regenerated. This
module is used in production by 100+ customers, so the name must stay
backward compatible by default.

This keeps the AKS / Cloudflare Tunnel fix available: setups where the
agent resolves the gateway name from
container-orchestration.gateway.public_name can now pass
gateway_public_name = "internet-facing" explicitly, while everyone else
keeps the current Gateway untouched.

Also adds tofu tests covering the default and override of both
gateway_public_name and gateway_public_load_balancer_type.
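
An added example, not part of the PR or the nullplatform code base: a check for the failure described above, where an HTTPRoute's parentRef names a Gateway that does not exist, plus a dry run of which routes a Gateway rename would orphan. The `apps` namespace, the route names and both function names are assumptions made for illustration.

```python
import copy

# Constructed objects, trimmed to the fields the check reads (shape of the items
# in `kubectl get gateways,httproutes -A -o json`); namespaces and route names are made up.
ITEMS = [
    {"kind": "Gateway", "metadata": {"name": "gateway-public", "namespace": "gateways"}},
    {"kind": "HTTPRoute", "metadata": {"name": "app-a", "namespace": "apps"},
     "spec": {"parentRefs": [{"name": "gateway-public", "namespace": "gateways"}]},
     "status": {"parents": [{"parentRef": {"name": "gateway-public", "namespace": "gateways"}}]}},
    {"kind": "HTTPRoute", "metadata": {"name": "app-b", "namespace": "apps"},
     "spec": {"parentRefs": [{"name": "internet-facing", "namespace": "gateways"}]},
     "status": {"parents": []}},
]


def unresolved_routes(items):
    """Return (route, parent, reason) for every HTTPRoute parentRef that is not attached."""
    gateways = {(i["metadata"]["namespace"], i["metadata"]["name"])
                for i in items if i["kind"] == "Gateway"}
    findings = []
    for route in (i for i in items if i["kind"] == "HTTPRoute"):
        ns, name = route["metadata"]["namespace"], route["metadata"]["name"]
        # Parents a controller has reported on; the Accepted condition is not inspected here.
        listed = {(p["parentRef"].get("namespace", ns), p["parentRef"]["name"])
                  for p in route.get("status", {}).get("parents", [])}
        for ref in route["spec"].get("parentRefs", []):
            if ref.get("kind", "Gateway") != "Gateway":
                continue  # non-Gateway parents are out of scope
            target = (ref.get("namespace", ns), ref["name"])  # namespace defaults to the route's
            if target not in gateways:
                findings.append((f"{ns}/{name}", "/".join(target), "no such Gateway"))
            elif target not in listed:
                findings.append((f"{ns}/{name}", "/".join(target), "not in status.parents"))
    return findings


def orphaned_by_rename(items, namespace, old, new):
    """Routes that lose their parent if Gateway `old` is deleted and recreated as `new`."""
    renamed = copy.deepcopy(items)
    for i in renamed:
        meta = i["metadata"]
        if i["kind"] == "Gateway" and (meta["namespace"], meta["name"]) == (namespace, old):
            meta["name"] = new
    already = {f[0] for f in unresolved_routes(items)}
    return [f for f in unresolved_routes(renamed) if f[0] not in already]


if __name__ == "__main__":
    print("unresolved now:", unresolved_routes(ITEMS))
    print("orphaned by rename:", orphaned_by_rename(ITEMS, "gateways", "gateway-public", "internet-facing"))
```

Run against a live cluster's export before a `helm upgrade`, a non-empty `orphaned_by_rename` result lists the routes that would stop receiving traffic if the Gateway name changed.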

@sebastiancorrea81 sebastiancorrea81 left a comment

Collaborator

lgtm

@gdrojas gdrojas merged commit 116fc70 into nullplatform:main Jun 16, 2026
43 checks passed