Status: Resolved on 2026-04-06 by migrating *.mycure.md routing to NGINX Gateway.
The https-mycure listener on the Envoy gateway-system/shared-gateway had
InvalidCertificateRef because Envoy Gateway v1.2.0 has an HTTP listener merging
bug that prevents cert-manager's HTTP-01 solver from serving the ACME challenge
on port 80 for api.mycure.md. The proposed solutions were either Cloudflare DNS-01
or upgrading Envoy Gateway.
*.mycure.md traffic was moved off Envoy Gateway and onto NGINX Gateway Fabric
(nginx-gateway-system/nginx-shared-gateway). NGINX Gateway doesn't have the
listener-merging bug, so HTTP-01 works directly.
Verified live state:
- Cert
nginx-gateway-tls-prod-mycureis valid (Let's Encrypt R12, SAN includesapi.mycure.mdandfind.mycure.md) - NGINX
https-mycurelistener:Accepted=True,Programmed=True,ResolvedRefs=True curl https://api.mycure.md/returns HTTP from the hapihub backend (TLS handshake succeeds, route is programmed end-to-end)- All
*.mycure.mdHTTPRoutes now reference the NGINX gateway (mycurelocal, hapihub, etc.)
The dead Envoy listeners on gateway-system/shared-gateway are still misconfigured
and harmless but noisy:
https-mycure—Programmed=False,InvalidCertificateRefhttps-stg-mycure— samehttp-mycureandhttp-stg-mycure— programmed but unused
Cleanup task: remove these listeners from the Envoy shared-gateway config since
nothing routes through Envoy for *.mycure.md anymore. Files involved:
values/infrastructure/main.yaml—envoyGatewayResources.gateway.listenerscharts/gateway/templates/gateway.yamlif any per-listener config remains
Status: Partial — 4 of 6 FIXME-listed apps have per-app NetworkPolicy templates,
but the centralized policies in allow-gateway-to-apps.yaml were never removed,
so the apps now have duplicate NetworkPolicies (additive — works, but defeats the
migration).
Gateway ingress NetworkPolicies were centralized in
charts/security-baseline/templates/allow-gateway-to-apps.yaml with hardcoded
app names, ports, and a hardcoded envoy-gateway-system namespace selector. This
broke when dentalemon-website was added (missing entirely) and when apps moved
to NGINX Gateway (wrong namespace selector).
Per-app templates/networkpolicy.yaml files now exist in 11 charts:
| Chart | Was in original FIXME? |
|---|---|
charts/api/templates/networkpolicy.yaml |
✅ FIXME target |
charts/account/templates/networkpolicy.yaml |
✅ FIXME target |
charts/hapihub/templates/networkpolicy.yaml |
✅ FIXME target |
charts/mycure/templates/networkpolicy.yaml |
✅ FIXME target |
charts/dentalemon-website/templates/networkpolicy.yaml |
(already done at FIXME time) |
charts/dentalemon/templates/networkpolicy.yaml |
bonus |
charts/hapihub-docs/templates/networkpolicy.yaml |
bonus |
charts/mycurelocal/templates/networkpolicy.yaml |
bonus |
charts/mycurev8/templates/networkpolicy.yaml |
bonus |
charts/syncd/templates/networkpolicy.yaml |
bonus |
charts/external-dns/templates/networkpolicy.yaml |
bonus |
allow-gateway-to-apps.yaml still contains all 6 original entries, now
duplicating the per-app policies for api, account, hapihub, mycure:
allow-gateway-to-apiallow-gateway-to-api-workerallow-gateway-to-accountallow-gateway-to-hapihuballow-gateway-to-mycureallow-gateway-to-minio
Edge cases — neither minio nor api-worker has a local chart:
charts/minio/does not exist — MinIO is a Bitnami subchart ofhapihub(and others). It cannot host its own NetworkPolicy template the same way.charts/api-worker/does not exist — verify whetherapi-workeris still deployed anywhere; if not, the entry should be dropped entirely.
- Remove the duplicated entries from
charts/security-baseline/templates/allow-gateway-to-apps.yaml:allow-gateway-to-apiallow-gateway-to-accountallow-gateway-to-hapihuballow-gateway-to-mycure
- Verify
networkPolicy.enabled: truein deployment values for those four apps so the per-chart policies actually render. - Decide on
api-worker:- If still deployed: create a chart (or its own NetworkPolicy template) and migrate
- If retired: drop the entry from
allow-gateway-to-apps.yamlentirely
- Decide on
minio:- Option A: keep
allow-gateway-to-minioin the centralized file as a special case for the Bitnami subchart - Option B: add the NetworkPolicy as part of the parent chart (e.g.,
charts/hapihub/templates/networkpolicy-minio.yaml) where minio is exposed
- Option A: keep
- Once 1-4 are done and the centralized file only contains residual edge cases
(or is empty), either delete
allow-gateway-to-apps.yamlor keep it solely for documented exceptions