feat(chart): single-hostname TLSRoutes for app.boilstream.com

dforsber · claude · dforsber · commit 0c22de50f3d6 · 2026-04-19T14:19:05.000+03:00
Adds TLSRoutes matching the bare {{ .Values.domain }} SNI for all four
protocols (pgwire/kafka/flight/auth), round-robin across all pod
backends. Keeps per-pod SNI routes for debugging and explicit pinning.
Wildcard cert already covers the bare hostname.

Chart: 0.3.0 -&gt; 0.3.1

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/charts/boilstream/Chart.yaml b/charts/boilstream/Chart.yaml
@@ -6,7 +6,7 @@ description: |
   support. Each pod participates in S3-based leader election and serves
   per-user catalogs; failed pods are recovered from S3 backups.
 type: application
-version: 0.3.0
+version: 0.3.1
 appVersion: "0.10.0"
 kubeVersion: ">=1.27.0"
 keywords:
diff --git a/charts/boilstream/templates/gateway.yaml b/charts/boilstream/templates/gateway.yaml
@@ -46,6 +46,11 @@ spec:
         kinds: [ { kind: TLSRoute } ]
 ---
 {{- $vals := . -}}
+{{- /*
+  Per-pod SNI TLSRoutes — kept for debugging and for clients that want to
+  pin a specific pod (e.g. long-lived Kafka consumers that care about
+  session stickiness across reconnects).
+*/}}
 {{- range $i, $_ := until (int .Values.replicas) }}
 {{- range $listener := list "pgwire" "kafka" "flight" "auth" }}
 {{- $port := index (dict "pgwire" 5432 "kafka" 9092 "flight" 50050 "auth" 8443) $listener }}
@@ -66,5 +71,39 @@ spec:
 ---
 {{- end }}
 {{- end }}
+
+{{- /*
+  Bare-hostname TLSRoutes — the default entry point users hit.
+  SNI matches {{ .Values.domain }} and Envoy round-robins new TCP
+  connections across all per-pod ClusterIP backends.
+
+  Safe because every pod serves the same *.{{ .Values.domain }} wildcard
+  cert, and boilstream's cluster mode lets any pod handle data-plane ops
+  directly while brokers transparently forward catalog mutations to the
+  leader over the :8444 internal API. PGWire sessions are TCP-sticky so
+  prepared statements / transactions stay on the pod you landed on; a
+  reconnect simply picks a new pod.
+*/}}
+{{- range $listener := list "pgwire" "kafka" "flight" "auth" }}
+{{- $port := index (dict "pgwire" 5432 "kafka" 9092 "flight" 50050 "auth" 8443) $listener }}
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: TLSRoute
+metadata:
+  name: boilstream-any-{{ $listener }}
+  namespace: {{ $vals.Values.namespace }}
+spec:
+  parentRefs:
+    - { name: boilstream, sectionName: {{ $listener }} }
+  hostnames:
+    - {{ $vals.Values.domain }}
+  rules:
+    - backendRefs:
+        {{- range $i, $_ := until (int $vals.Values.replicas) }}
+        - name: boilstream-{{ $i }}
+          port: {{ $port }}
+          weight: 1
+        {{- end }}
+---
+{{- end }}
 {{- end }}
 
