From 95ffa96f604709360e5c30152659d30b0c15f9f6 Mon Sep 17 00:00:00 2001
From: Matias
Date: Fri, 12 Jun 2026 11:26:51 -0300
Subject: [PATCH 1/2] feat(base): add gateway_public_load_balancer_type and fix public gateway name
---
 nullplatform/base/locals.tf | 1 +
 nullplatform/base/main.tf | 5 ++++-
 .../base/templates/nullplatform_base_values.tmpl.yaml | 4 ++--
 nullplatform/base/variables.tf | 10 ++++++++++
 4 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/nullplatform/base/locals.tf b/nullplatform/base/locals.tf
index a1e4a496..1710dcce 100644
--- a/nullplatform/base/locals.tf
+++ b/nullplatform/base/locals.tf
@@ -27,6 +27,7 @@ locals {
 gateway_internal_enabled = var.gateway_internal_enabled ? "true" : "false"
 gateway_public_enabled = var.gateway_public_enabled ? "true" : "false"
 gateway_internal_azure_load_balancer_subnet = var.internal_azure_load_balancer_subnet
+ gateway_public_load_balancer_type = var.gateway_public_load_balancer_type
 gateway_public_aws_name = var.gateway_public_aws_name
 gateway_internal_aws_name = var.gateway_internal_aws_name
 gateway_public_aws_dns_name = var.gateway_public_aws_dns_name
diff --git a/nullplatform/base/main.tf b/nullplatform/base/main.tf
index 1e83558e..4b7e06fe 100644
--- a/nullplatform/base/main.tf
+++ b/nullplatform/base/main.tf
@@ -8,10 +8,13 @@ resource "kubernetes_namespace_v1" "nullplatform_tools" {
 metadata {
 name = var.namespace
 labels = {
- name = var.namespace
+ name = var.namespace
+ "app.kubernetes.io/managed-by" = "Helm"
 }
 annotations = {
 "openshift.io/cluster-monitoring" = "true"
+ "meta.helm.sh/release-name" = "nullplatform-base"
+ "meta.helm.sh/release-namespace" = var.namespace
 }
 }
 }
diff --git a/nullplatform/base/templates/nullplatform_base_values.tmpl.yaml b/nullplatform/base/templates/nullplatform_base_values.tmpl.yaml
index 09d54804..2400539f 100644
--- a/nullplatform/base/templates/nullplatform_base_values.tmpl.yaml
+++ b/nullplatform/base/templates/nullplatform_base_values.tmpl.yaml
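Review bot: The Helm ownership annotations added to the namespace hardcode the release name as `"nullplatform-base"` while the namespace itself comes from `var.namespace`; if the `helm_release` that installs the chart (not visible in this hunk) uses any other release name, Helm refuses to adopt the namespace with an invalid-ownership error, and if the chart also renders this Namespace a later `helm uninstall` would remove it together with every workload inside it. Sourcing the release name from the same variable or local the `helm_release` resource uses, rather than a literal, keeps the two from drifting. The intent is not obvious from the metadata alone, so a comment on the block would help: `# Adopt the Terraform-created namespace into the Helm release; values must match the helm_release name and namespace exactly`. The `resource "kubernetes_namespace_v1"` header is visible only as hunk context.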
@@ -54,7 +54,7 @@ gateway:
 maxReplicas: 10
 loadBalancerType: "internal" # internal, external
 public:
- name: "gateway-public"
+ name: "internet-facing"
 enabled: ${gateway_public_enabled}
 aws:
 name: ${gateway_public_aws_name}
@@ -72,7 +72,7 @@ gateway:
 autoscaling:
 minReplicas: 2
 maxReplicas: 10
- loadBalancerType: "external" # internal, external
+ loadBalancerType: "${gateway_public_load_balancer_type}"
 # Nullplatform configurations
 nullplatform:
 apiKey: "${np_api_key}"
diff --git a/nullplatform/base/variables.tf b/nullplatform/base/variables.tf
index 46bba233..6286eccf 100644
--- a/nullplatform/base/variables.tf
+++ b/nullplatform/base/variables.tf
@@ -75,6 +75,16 @@ variable "internal_azure_load_balancer_subnet" {
 default = "load_balancer"
 }
+variable "gateway_public_load_balancer_type" {
+ type = string
+ description = "Load balancer type for the public gateway. Use 'internal' for Cloudflare Tunnel / VPN setups where public access is proxied through the private network. Use 'external' for direct internet exposure."
+ default = "external"
+ validation {
+ condition = contains(["internal", "external"], var.gateway_public_load_balancer_type)
+ error_message = "Must be 'internal' or 'external'."
+ }
+}
+
 variable "gateway_use_cluster_ip" {
 description = ""
 type = bool
From fd129448f7054e66748e601f521dc252fddfdb17 Mon Sep 17 00:00:00 2001
From: Gonzalo Rojas
Date: Fri, 12 Jun 2026 13:29:04 -0300
Subject: [PATCH 2/2] fix(base): parameterize public gateway name instead of hardcoded rename

The hardcoded rename of the public Gateway from "gateway-public" to "internet-facing" is a breaking change for every existing install: on the next helm upgrade, Helm deletes the old Gateway and creates the new one, orphaning every HTTPRoute whose parentRef points to "gateway-public" and cutting traffic until routes are regenerated. This module is used in production by 100+ customers, so the name must stay backward compatible by default. This keeps the AKS / Cloudflare Tunnel fix available: setups where the agent resolves the gateway name from container-orchestration.gateway.public_name can now pass gateway_public_name = "internet-facing" explicitly, while everyone else keeps the current Gateway untouched. Also adds tofu tests covering the default and override of both gateway_public_name and gateway_public_load_balancer_type.
---
 nullplatform/base/locals.tf | 1 +
 .../nullplatform_base_values.tmpl.yaml | 2 +-
 .../base/tests/base_values.tftest.hcl | 48 +++++++++++++++++++
 nullplatform/base/variables.tf | 6 +++
 4 files changed, 56 insertions(+), 1 deletion(-)
diff --git a/nullplatform/base/locals.tf b/nullplatform/base/locals.tf
index 1710dcce..e0034ba9 100644
--- a/nullplatform/base/locals.tf
+++ b/nullplatform/base/locals.tf
@@ -26,6 +26,7 @@ locals {
 gateway_enabled = var.gateway_enabled ? "true" : "false"
 gateway_internal_enabled = var.gateway_internal_enabled ? "true" : "false"
 gateway_public_enabled = var.gateway_public_enabled ? "true" : "false"
+ gateway_public_name = var.gateway_public_name
 gateway_internal_azure_load_balancer_subnet = var.internal_azure_load_balancer_subnet
 gateway_public_load_balancer_type = var.gateway_public_load_balancer_type
 gateway_public_aws_name = var.gateway_public_aws_name
diff --git a/nullplatform/base/templates/nullplatform_base_values.tmpl.yaml b/nullplatform/base/templates/nullplatform_base_values.tmpl.yaml
index 2400539f..5711269d 100644
--- a/nullplatform/base/templates/nullplatform_base_values.tmpl.yaml
+++ b/nullplatform/base/templates/nullplatform_base_values.tmpl.yaml
@@ -54,7 +54,7 @@ gateway:
 maxReplicas: 10
 loadBalancerType: "internal" # internal, external
 public:
- name: "internet-facing"
+ name: "${gateway_public_name}"
 enabled: ${gateway_public_enabled}
 aws:
 name: ${gateway_public_aws_name}
diff --git a/nullplatform/base/tests/base_values.tftest.hcl b/nullplatform/base/tests/base_values.tftest.hcl
index 3f3bc0a7..12dbf1b3 100644
--- a/nullplatform/base/tests/base_values.tftest.hcl
+++ b/nullplatform/base/tests/base_values.tftest.hcl
@@ -222,3 +222,51 @@ run "newrelic_metrics_disabled" {
 error_message = "newrelic metricsEnabled should be false"
 }
 }
+
+############################################
+ # public gateway name + load balancer type
+ ############################################
+
+run "gateway_public_name_defaults_to_gateway_public" {
+ command = plan
+
+ assert {
+ condition = strcontains(output.rendered_values, "name: \"gateway-public\"")
+ error_message = "public gateway name should default to gateway-public so existing installs keep their Gateway and HTTPRoute parentRefs"
+ }
+}
+
+run "gateway_public_name_override" {
+ command = plan
+
+ variables {
+ gateway_public_name = "internet-facing"
+ }
+
+ assert {
+ condition = strcontains(output.rendered_values, "name: \"internet-facing\"")
+ error_message = "public gateway name should be overridable to match container-orchestration.gateway.public_name"
+ }
+}
+
+run "gateway_public_load_balancer_type_defaults_to_external" {
+ command = plan
+
+ assert {
+ condition = strcontains(output.rendered_values, "loadBalancerType: \"external\"")
+ error_message = "public gateway loadBalancerType should default to external"
+ }
+}
+
+run "gateway_public_load_balancer_type_internal" {
+ command = plan
+
+ variables {
+ gateway_public_load_balancer_type = "internal"
+ }
+
+ assert {
+ condition = strcontains(output.rendered_values, "loadBalancerType: \"internal\"\n")
+ error_message = "public gateway loadBalancerType should be settable to internal for Cloudflare Tunnel / VPN setups"
+ }
+}
diff --git a/nullplatform/base/variables.tf b/nullplatform/base/variables.tf
index 6286eccf..29d68f8b 100644
--- a/nullplatform/base/variables.tf
+++ b/nullplatform/base/variables.tf
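Review bot: The two override runs assert only that the new value appears, not that the default disappeared, so a template that rendered both `gateway-public` and the override (for example from a stray hardcoded name elsewhere in the values file) would still pass. `gateway_public_name_override` should carry a second assert with `condition = !strcontains(output.rendered_values, "name: \"gateway-public\"")`, and `gateway_public_load_balancer_type_internal` likewise `condition = !strcontains(output.rendered_values, "loadBalancerType: \"external\"")`. The trailing `\n` in the internal assertion is what stops it from matching the internal gateway's own `loadBalancerType: "internal" # internal, external` line, which is easy to simplify away; a comment on that condition, `# trailing newline excludes the internal gateway's line, which ends in a comment`, makes the intent explicit.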
@@ -69,6 +69,12 @@ variable "gateway_public_enabled" {
 default = true
 }
+variable "gateway_public_name" {
+ type = string
+ description = "Name of the public Gateway resource created by the chart. Must match the gateway name the nullplatform agent resolves from container-orchestration.gateway.public_name (e.g. 'internet-facing' on AKS), otherwise HTTPRoutes are created with an unresolvable parentRef. Defaults to 'gateway-public' for backward compatibility: changing it on an existing install recreates the Gateway and orphans every HTTPRoute referencing the old name, causing a traffic outage until routes are regenerated."
+ default = "gateway-public"
+}
+
 variable "internal_azure_load_balancer_subnet" {
 description = "The name of the subnet to use in azure private load balancer"
 type = string
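Review bot: `gateway_public_name` has no `validation` block, unlike `gateway_public_load_balancer_type` added in the first patch, yet its value is interpolated inside double quotes in the values template of this patch (`name: "${gateway_public_name}"`) and becomes a Kubernetes object name; a value containing a quote or a character outside the DNS name charset fails only at render or apply time with an unrelated error instead of at plan time. A validation block such as `condition = can(regex("^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$", var.gateway_public_name)) && length(var.gateway_public_name) <= 253` with `error_message = "Must be a lowercase DNS-1123 name."` rejects bad input where the operator can see it. The description is also a single ~500-character string; a `<<-EOT` heredoc would keep the outage warning readable in the file and in generated docs.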