Skip to content

fix(networking): point host ouroboros proxy at the root-tenant ingress #2800

Open
Aleksei Sviridkin (lexfrei) wants to merge 1 commit into main from fix/ouroboros-host-target

@lexfrei Aleksei Sviridkin (lexfrei) commented Jun 3, 2026

What this PR does

With publishing.proxyProtocol: true, the host emits a cozystack.ouroboros Package using the no-override Package macro, so the proxy inherits the wrapper chart default backend ingress-nginx-controller.cozy-ingress-nginx. That layout describes a managed Kubernetes tenant cluster, not the host: on the host, extra/ingress deploys ingress-nginx into the root tenant namespace as root-ingress-controller in tenant-root. The composed backend FQDN never resolves, so ouroboros-proxy never reaches Ready.

This emits the host ouroboros Package with a proxy.target override derived from publishing.ingressName — namespace plus <short>-ingress-controller service name — mirroring the trimPrefix "tenant-" transform extra/ingress applies to its release namespace. The derivation reuses the existing platform invariant that publishing.ingressName is the namespace where the host ingress controller runs.

Adds bundle helm-unittest coverage for the default ingress name and a non-default one, and corrects the misleading wrapper values.yaml comment that claimed the host uses cozy-ingress-nginx.

Scope: this fixes the ouroboros readiness defect only. The separate defect where the injected nginx PROXY-protocol config keys are not consumed by the host ingress is tracked independently and not touched here.

Closes #2797

Release note

fix(networking): point the host ouroboros PROXY-protocol proxy at the root-tenant ingress so it becomes Ready when publishing.proxyProtocol is enabled

Summary by CodeRabbit

  • New Features
    • Enhanced proxy protocol configuration to automatically route through the appropriate ingress-nginx service based on your ingress name settings.
  • Tests
    • Added test coverage for proxy protocol bundle wiring and ingress service routing.
  • Documentation
    • Clarified proxy target configuration behavior and fallback mechanisms.

With publishing.proxyProtocol enabled the host emits a cozystack.ouroboros
Package via the no-override Package macro, so the proxy inherits the wrapper
chart default backend ingress-nginx-controller.cozy-ingress-nginx. That
layout describes a managed Kubernetes tenant cluster; on the host,
extra/ingress deploys ingress-nginx into the root tenant namespace as
root-ingress-controller in tenant-root. The composed backend FQDN never
resolves, so ouroboros-proxy never reaches Ready.

Emit the host ouroboros Package with a proxy.target override derived from
publishing.ingressName (namespace plus <short>-ingress-controller service
name), mirroring the trimPrefix transform extra/ingress applies. Add bundle
helm-unittest coverage for the default and a non-default ingress name, and
correct the misleading wrapper values.yaml comment.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>
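
Added example, not code from this PR or the cozystack repository: the derivation described in the PR description and commit message above, written as shell functions so the expected backend can be computed for any publishing.ingressName and checked against a cluster. The function names and the kubectl existence check are assumptions made for illustration.

```shell
# Added illustration, not code from the cozystack repository.
# Wrapper chart default backend quoted in the PR description.
CHART_DEFAULT_BACKEND="ingress-nginx-controller.cozy-ingress-nginx"

# Print "<namespace> <serviceName>" for a publishing.ingressName value.
derive_proxy_target() {
  ingress_name=$1
  if [ -z "$ingress_name" ]; then
    echo "publishing.ingressName must not be empty" >&2
    return 1
  fi
  # Like Helm's trimPrefix: strip one leading "tenant-" only if it is present.
  short=${ingress_name#tenant-}
  printf '%s %s-ingress-controller\n' "$ingress_name" "$short"
}

# Print the "<serviceName>.<namespace>" backend name the proxy should resolve.
backend_name() {
  target=$(derive_proxy_target "$1") || return 1
  printf '%s.%s\n' "${target#* }" "${target% *}"
}

# Succeed only if the derived Service exists in the cluster kubectl points at.
service_exists() {
  target=$(derive_proxy_target "$1") || return 1
  kubectl get service "${target#* }" --namespace "${target% *}" >/dev/null 2>&1
}
```

On a host with the default ingress name, `backend_name tenant-root` differs from `$CHART_DEFAULT_BACKEND`, which is the mismatch that kept ouroboros-proxy from becoming Ready; `service_exists tenant-root` confirms the derived Service is actually deployed.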
@github-actions github-actions Bot added size/M This PR changes 30-99 lines, ignoring generated files area/uncategorized PR auto-labeler could not map title scope to a known area/*; please review kind/bug Categorizes issue or PR as related to a bug labels Jun 3, 2026
@lexfrei Aleksei Sviridkin (lexfrei) added area/networking Issues or PRs related to networking (ingress, gateway, vpn, metallb, cilium, kube-ovn) area/platform Issues or PRs related to platform infrastructure (bundle, flux, talos, installer) backport Should change be backported on previous release labels Jun 3, 2026

coderabbitai Bot commented Jun 3, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 367ca3a and f90411d.

📒 Files selected for processing (3)
  • packages/core/platform/templates/bundles/system.yaml
  • packages/core/platform/tests/bundles_proxy_protocol_test.yaml
  • packages/system/ouroboros/values.yaml

📝 Walkthrough

When publishing.proxyProtocol is enabled, the host ouroboros proxy now derives its ingress-nginx target from publishing.ingressName, configuring the correct namespace and service name instead of using the tenant cluster default. Tests verify the derivation logic, and documentation clarifies the proxy target behavior.

Changes

Host ouroboros proxy target wiring

| Layer / File(s) | Summary |
|---|---|
| Proxy target configuration derivation: packages/core/platform/templates/bundles/system.yaml | system.yaml now derives ingress namespace and controller service name from publishing.ingressName when proxyProtocol is enabled, constructs the ouroboros.proxy.target map, and passes it to the cozystack.ouroboros package instead of omitting proxy configuration. |
| Proxy target wiring test assertions: packages/core/platform/tests/bundles_proxy_protocol_test.yaml | New test assertions verify that cozystack.ouroboros proxy target is correctly wired: default publishing.ingressName derives tenant-root namespace and root-ingress-controller service; custom ingress names (e.g. tenant-foo) derive accordingly. |
| Proxy target behavior documentation: packages/system/ouroboros/values.yaml | Updated comments clarify the proxy.target default fallback behavior, distinguish tenant clusters from host overrides derived from publishing.ingressName, and document runtime FQDN composition when host is empty. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A proxy that wandered too far from home,
Now finds its ingress in the tenant zone to roam!
With ingressName as guide and tests to prove,
The host controller's found its truest move. ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately and concisely summarizes the main change—configuring the host ouroboros proxy to target the root-tenant ingress instead of the default tenant cluster layout. |
| Linked Issues check | ✅ Passed | The changes directly address all coding requirements from #2797: override proxy.target in the host ouroboros Package with namespace and serviceName derived from publishing.ingressName, add helm-unittest coverage for default and non-default ingress names, and update documentation in values.yaml. |
| Out of Scope Changes check | ✅ Passed | All changes remain scoped to the stated objectives: ouroboros proxy configuration, test coverage for proxy wiring, and documentation updates. The PR explicitly excludes the separate defect about injected nginx PROXY-protocol config consumption. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@lexfrei Aleksei Sviridkin (lexfrei) removed the area/uncategorized PR auto-labeler could not map title scope to a known area/*; please review label Jun 3, 2026
@gemini-code-assist
Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request resolves a readiness issue where the Ouroboros proxy failed to reach a 'Ready' state on the host due to an incorrect backend FQDN resolution. By explicitly overriding the proxy target to point to the root-tenant ingress controller, the system now correctly routes traffic on the host. The changes include logic to dynamically derive the ingress service location based on the platform's publishing configuration, alongside updated unit tests and documentation to prevent future configuration confusion.

Highlights

  • Ouroboros Proxy Configuration: Updated the host Ouroboros package configuration to correctly point the proxy at the root-tenant ingress service instead of the default tenant cluster backend.
  • Dynamic Target Derivation: Implemented dynamic derivation of the proxy target namespace and service name based on the 'publishing.ingressName' value, ensuring compatibility with non-default ingress configurations.
  • Testing and Documentation: Added helm-unittest coverage for both default and custom ingress names and updated the Ouroboros values.yaml documentation to clarify the distinction between host and tenant ingress layouts.

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request updates the platform bundle configuration to dynamically point the host ouroboros proxy at the root-tenant ingress Service (derived from publishing.ingressName) instead of using the tenant-cluster fallback default. It also adds corresponding unit tests to verify this behavior with both default and non-default ingress names, and updates the documentation comments in packages/system/ouroboros/values.yaml to explain this distinction. There are no review comments, and I have no additional feedback to provide.

@github-actions github-actions Bot added the area/uncategorized PR auto-labeler could not map title scope to a known area/*; please review label Jun 3, 2026

Development

Successfully merging this pull request may close these issues.

publishing.proxyProtocol: host ouroboros-proxy never becomes Ready — targets non-existent ingress-nginx-controller.cozy-ingress-nginx
