From f48d4bcad6ed8ac6fc658d7b32f2de12fe61698b Mon Sep 17 00:00:00 2001 From: Benjamin Ritter Date: Tue, 28 Apr 2026 15:02:08 +0200 Subject: [PATCH 01/12] WIP feat: add gatewayapi support Signed-off-by: Benjamin Ritter --- Makefile | 3 +- compose.yaml | 17 +++++++++++ deploy_control_plane.yaml | 2 ++ inventories/group_vars/all/control_plane.yaml | 2 +- inventories/group_vars/control_plane/dex.yaml | 2 +- .../group_vars/control_plane/ingress.yaml | 3 ++ .../group_vars/control_plane/metal.yml | 18 +++++++++++- roles/gateway/defaults/main.yml | 8 +++++ roles/gateway/files/gatewayclass.yaml | 6 ++++ roles/gateway/tasks/main.yml | 22 ++++++++++++++ roles/gateway/templates/envoyproxy.yaml | 14 +++++++++ roles/gateway/templates/gateway.yaml | 29 +++++++++++++++++++ 12 files changed, 122 insertions(+), 4 deletions(-) create mode 100644 roles/gateway/defaults/main.yml create mode 100644 roles/gateway/files/gatewayclass.yaml create mode 100644 roles/gateway/tasks/main.yml create mode 100644 roles/gateway/templates/envoyproxy.yaml create mode 100644 roles/gateway/templates/gateway.yaml diff --git a/Makefile b/Makefile index 190c64a4..8a23f19b 100644 --- a/Makefile +++ b/Makefile @@ -10,7 +10,7 @@ KINDCONFIG := $(or $(KINDCONFIG),control-plane/kind.yaml) KUBECONFIG := $(shell pwd)/.kubeconfig METALCTL_HMAC := $(or $(METALCTL_HMAC),metal-admin) -METALCTL_API_URL := $(or $(METALCTL_API_URL),http://api.172.17.0.1.nip.io:8080/metal) +METALCTL_API_URL := $(or $(METALCTL_API_URL),http://api.172.18.0.42.nip.io:8080/metal) MKE2FS_CONFIG := $(shell pwd)/mke2fs.conf # Default values @@ -124,6 +124,7 @@ control-plane-bake: --config $(KINDCONFIG) \ --kubeconfig $(KUBECONFIG); fi $(MAKE) create-proxy-registries + docker compose up -d --force-recreate cloud-provider-kind .PHONY: partition partition: partition-bake diff --git a/compose.yaml b/compose.yaml index a2f0d224..4946f418 100644 --- a/compose.yaml +++ b/compose.yaml 
@@ -6,6 +6,12 @@ services: volumes: - /var/run/docker.sock:/var/run/docker.sock:z - .:/mini-lab + # for developing role dependencies + # TODO: make this a switch + # - ${HOME}/.ansible/roles/ansible-common:/root/.ansible/roles/ansible-common:ro + - /home/benjamin/metal-stack/metal-stack/metal-roles:/root/.ansible/roles/metal-roles:ro + # - ${HOME}/.ansible/roles/metal-ansible-modules:/root/.ansible/roles/metal-ansible-modules:ro + - /home/benjamin/metal-stack/metal-stack/helm-charts:/helm-charts:ro environment: - ANSIBLE_DISPLAY_SKIPPED_HOSTS=${ANSIBLE_DISPLAY_SKIPPED_HOSTS:-false} - ANSIBLE_INVENTORY=inventories/control-plane.yaml @@ -128,6 +134,17 @@ services: - REGISTRY_PROXY_TTL=168h - REGISTRY_STORAGE_DELETE_ENABLED=true - OTEL_TRACES_EXPORTER=none + cloud-provider-kind: + image: registry.k8s.io/cloud-provider-kind/cloud-controller-manager:v0.10.0 + restart: always + network_mode: kind + command: + # v0.10.0 of cloud controller does not support tcproutes, since it does not support the experimental gateway api channel + # using envoy-gateway deployed via roles/gateway instead + - --gateway-channel + - disabled + volumes: + - /var/run/docker.sock:/var/run/docker.sock volumes: proxy-docker: proxy-gcr: diff --git a/deploy_control_plane.yaml b/deploy_control_plane.yaml index bd0f0241..1db87690 100644 --- a/deploy_control_plane.yaml +++ b/deploy_control_plane.yaml @@ -6,6 +6,8 @@ roles: - name: ansible-common tags: always + - name: gateway + tags: gateway - name: ingress-controller tags: ingress-controller - name: metal-roles/control-plane/roles/prepare diff --git a/inventories/group_vars/all/control_plane.yaml b/inventories/group_vars/all/control_plane.yaml index 1a93b331..b6ee893a 100644 --- a/inventories/group_vars/all/control_plane.yaml +++ b/inventories/group_vars/all/control_plane.yaml 
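Review bot: The two new volume entries in the first compose.yaml hunk bind `/home/benjamin/metal-stack/...` into the container, so the lab only starts on one developer's machine; the commit's own TODO acknowledges this. Until it is a real switch, keep them commented out like the neighbouring `${HOME}/.ansible/roles/...` lines, or move them to a git-ignored `compose.override.yaml` so the committed file stays portable. In the second hunk the `cloud-provider-kind` service mounts `/var/run/docker.sock` without the `:z` the existing mount above uses; that socket gives the container full control of the host Docker daemon, so it is worth a one-line comment stating why the controller needs it and keeping the mount options consistent with the other service.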
@@ -1,6 +1,6 @@ --- metal_control_plane_provider_tenant: metal-stack -metal_control_plane_ingress_dns: 172.17.0.1.nip.io +metal_control_plane_ingress_dns: 172.18.0.42.nip.io metal_control_plane_stage_name: test metal_control_plane_namespace: metal-control-plane metal_control_plane_image_pull_policy: Always diff --git a/inventories/group_vars/control_plane/dex.yaml b/inventories/group_vars/control_plane/dex.yaml index 6866f208..d1d8ce2d 100644 --- a/inventories/group_vars/control_plane/dex.yaml +++ b/inventories/group_vars/control_plane/dex.yaml @@ -8,7 +8,7 @@ auth_dex_static_clients: name: "metal-stack" secret: secret redirectURIs: - - 'http://v2.api.172.17.0.1.nip.io:8080/auth/oidc/callback' + - 'http://v2.api.172.18.0.42.nip.io:8080/auth/oidc/callback' auth_dex_static_passwords: - email: admin@metal-stack.io diff --git a/inventories/group_vars/control_plane/ingress.yaml b/inventories/group_vars/control_plane/ingress.yaml index 0ef8644b..4fe93dcf 100644 --- a/inventories/group_vars/control_plane/ingress.yaml +++ b/inventories/group_vars/control_plane/ingress.yaml @@ -2,3 +2,6 @@ ingress_tcp_service_exposals: "4150": "{{ metal_control_plane_namespace }}/nsqd:4150" "50051": "{{ metal_control_plane_namespace }}/metal-api:50051" +gateway_tcp_listeners: + nsq: 4150 + metal-api: 50051 \ No newline at end of file diff --git a/inventories/group_vars/control_plane/metal.yml b/inventories/group_vars/control_plane/metal.yml index 6e914d6e..6ffb0dd1 100644 --- a/inventories/group_vars/control_plane/metal.yml +++ b/inventories/group_vars/control_plane/metal.yml 
@@ -3,7 +3,23 @@ metal_set_resource_limits: no metal_check_api_health_endpoint: http://api.{{ metal_control_plane_ingress_dns }}:8080/metal/v1/health metal_api_headscale_control_plane_address: "http://headscale.{{ metal_control_plane_ingress_dns }}:8080" -# metal_helm_chart_local_path: /helm-charts/charts/metal-control-plane +metal_helm_chart_local_path: /helm-charts/charts/metal-control-plane + +metal_deploy_ingress: false + +metal_httproute: + enabled: true + parentRefs: + - name: metal-control-plane + namespace: "{{ metal_control_plane_namespace }}" + sectionName: http + httpsRedirect: + enabled: false + # redirectParentRefs: + # - name: metal-control-plane + # namespace: "{{ metal_control_plane_namespace }}" + # sectionName: http + metal_api_pdb_min_available: 1 metal_api_replicas: 1 diff --git a/roles/gateway/defaults/main.yml b/roles/gateway/defaults/main.yml new file mode 100644 index 00000000..5bb8dff6 --- /dev/null +++ b/roles/gateway/defaults/main.yml @@ -0,0 +1,8 @@ +--- +gateway_namespace: "{{ metal_control_plane_namespace }}" +gateway_http_port: 8080 +gateway_https_port: 4443 + +gateway_tcp_listeners: {} + # nsq: 4150 + # metal-api: 50051 diff --git a/roles/gateway/files/gatewayclass.yaml b/roles/gateway/files/gatewayclass.yaml new file mode 100644 index 00000000..a750b9fd --- /dev/null +++ b/roles/gateway/files/gatewayclass.yaml @@ -0,0 +1,6 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: GatewayClass +metadata: + name: eg +spec: + controllerName: gateway.envoyproxy.io/gatewayclass-controller \ No newline at end of file diff --git a/roles/gateway/tasks/main.yml b/roles/gateway/tasks/main.yml new file mode 100644 index 00000000..34e4a059 --- /dev/null +++ b/roles/gateway/tasks/main.yml 
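Review bot: Uncommenting `metal_helm_chart_local_path: /helm-charts/charts/metal-control-plane` ties the control-plane deployment to the `/helm-charts` mount that compose.yaml only provides from a developer-specific host path, so on any other machine the chart path does not exist. Keep the line commented as it was and let developers set it through an inventory override or an extra-vars file, rather than committing the local path. The `metal_httproute` block and `metal_deploy_ingress: false` also read as the intended end state while `ingress_tcp_service_exposals` in ingress.yaml still lists the same 4150/50051 ports; a short comment saying whether ingress-nginx exposure is to be removed once the gateway is in place would help the next reader.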
@@ -0,0 +1,22 @@
+- name: Deploy envoy-gateway
+ kubernetes.core.helm:
+ release_name: envoy-gateway
+ release_namespace: envoy-gateway-system
+ create_namespace: true
+ chart_ref: "oci://docker.io/envoyproxy/gateway-helm"
+ chart_version: "{{ envoy_gateway_chart_version | default(omit) }}"
+ # values: "{{ lookup('template', 'values.yaml') | from_yaml }}"
+ wait: true
+- name: Deploy Envoy GatewayClass
+ kubernetes.core.k8s:
+ definition: "{{ lookup('file', 'gatewayclass.yaml') | from_yaml }}"
+- name: Deploy metal-control-plane nsq_namespace
+ kubernetes.core.k8s:
+ kind: Namespace
+ name: "{{ metal_control_plane_namespace }}"
+- name: Deploy metal-control-plane EnvoyProxy
+ kubernetes.core.k8s:
+ definition: "{{ lookup('template', 'envoyproxy.yaml') | from_yaml }}"
+- name: Deploy metal-control-plane Gateway
+ kubernetes.core.k8s:
+ definition: "{{ lookup('template', 'gateway.yaml') | from_yaml }}"
\ No newline at end of file
diff --git a/roles/gateway/templates/envoyproxy.yaml b/roles/gateway/templates/envoyproxy.yaml
new file mode 100644
index 00000000..e0e2e4f6
--- /dev/null
+++ b/roles/gateway/templates/envoyproxy.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: EnvoyProxy
+metadata:
+ name: metal-control-plane
+ namespace: {{ gateway_namespace }}
+spec:
+ provider:
+ type: Kubernetes
+ kubernetes:
+ envoyService:
+ externalTrafficPolicy: Local
+ type: LoadBalancer
+ loadBalancerIP: 172.18.0.42
\ No newline at end of file
diff --git a/roles/gateway/templates/gateway.yaml b/roles/gateway/templates/gateway.yaml
new file mode 100644
index 00000000..ae971a43
--- /dev/null
+++ b/roles/gateway/templates/gateway.yaml
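Review bot: `chart_version: "{{ envoy_gateway_chart_version | default(omit) }}"` in the `Deploy envoy-gateway` task omits the version whenever the variable is unset, so every run pulls whatever the newest `gateway-helm` tag on docker.io happens to be; the lab is then neither reproducible nor protected from an unreviewed upstream release. Pin it by adding `envoy_gateway_chart_version: "<pinned chart version>"` to `roles/gateway/defaults/main.yml` (placeholder, pick the tested release) and keep the lookup as the override. The task named `Deploy metal-control-plane nsq_namespace` creates `metal_control_plane_namespace`, not anything nsq-specific, so rename it to `Deploy metal-control-plane namespace`. The file also lacks the `---` document start used elsewhere in the repo and a trailing newline.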
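Review bot: `loadBalancerIP: 172.18.0.42` is a literal that must agree with `addresses[0].value` in gateway.yaml (next hunk) and with the address embedded in `metal_control_plane_ingress_dns`, and patch 05 of this series already has to edit all of them by hand. Add one role default such as `gateway_load_balancer_ip: "<lab address>"` (name constructed, value a placeholder) and render both templates from it, so the EnvoyProxy service and the Gateway cannot drift apart. `namespace: {{ gateway_namespace }}` is unquoted here; a later fixup in the series quotes it, so nothing more to do on that line.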
@@ -0,0 +1,29 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ name: metal-control-plane
+ namespace: {{ gateway_namespace }}
+spec:
+ gatewayClassName: eg
+ addresses:
+ - value: 172.18.0.42
+ infrastructure:
+ parametersRef:
+ group: gateway.envoyproxy.io
+ kind: EnvoyProxy
+ name: metal-control-plane
+ listeners:
+ - protocol: HTTP
+ port: {{ gateway_http_port }}
+ name: http
+ hostname: "*.{{ metal_control_plane_ingress_dns }}"
+ - protocol: HTTPS
+ port: {{ gateway_https_port }}
+ name: https
+ hostname: "*.{{ metal_control_plane_ingress_dns }}"
+{% for name, port in gateway_tcp_listeners.items() %}
+ - protocol: TCP
+ name: {{ name }}
+ port: {{ port }}
+{% endfor %}
From 30d01d6dde2d86889bab07298fdc3a07b2157d92 Mon Sep 17 00:00:00 2001 From: Benjamin Ritter Date: Wed, 29 Apr 2026 11:11:53 +0200 Subject: [PATCH 02/12] feat: add https gateway listener with self-signed cert Signed-off-by: Benjamin Ritter
---
files/certs/default-gateway/server.json | 19 +++++++++++++++++++ roles/gateway/tasks/main.yml | 12 ++++++++++++ roles/gateway/templates/gateway.yaml | 8 +++++++- scripts/roll_certs.sh | 3 ++- 4 files changed, 40 insertions(+), 2 deletions(-) create mode 100644 files/certs/default-gateway/server.json
diff --git a/files/certs/default-gateway/server.json b/files/certs/default-gateway/server.json
new file mode 100644
index 00000000..4a2b87e8
--- /dev/null
+++ b/files/certs/default-gateway/server.json
@@ -0,0 +1,19 @@
+{
+ "CN": "default-gateway",
+ "hosts": [
+ "*.nip.io"
+ ],
+ "key": {
+ "algo": "rsa",
+ "size": 4096
+ },
+ "names": [
+ {
+ "C": "DE",
+ "L": "Munich",
+ "O": "metal-stack",
+ "OU": "DevOps",
+ "ST": "Bavaria"
+ }
+ ]
+}
diff --git a/roles/gateway/tasks/main.yml b/roles/gateway/tasks/main.yml
index 34e4a059..3bc063cf 100644
--- a/roles/gateway/tasks/main.yml
+++ b/roles/gateway/tasks/main.yml
@@ -17,6 +17,18 @@ - name: Deploy metal-control-plane EnvoyProxy kubernetes.core.k8s: definition: "{{ lookup('template', 'envoyproxy.yaml') | from_yaml }}" +- name: Deploy default-tls certificate secret + kubernetes.core.k8s: + definition: + apiVersion: v1 + kind: Secret + type: kubernetes.io/tls + metadata: + name: default-tls + namespace: "{{ gateway_namespace }}" + data: + tls.crt: "{{ lookup('file', 'certs/default-gateway/server.pem') | b64encode }}" + tls.key: "{{ lookup('file', 'certs/default-gateway/server-key.pem') | b64encode }}" - name: Deploy metal-control-plane Gateway kubernetes.core.k8s: definition: "{{ lookup('template', 'gateway.yaml') | from_yaml }}" \ No newline at end of file diff --git a/roles/gateway/templates/gateway.yaml b/roles/gateway/templates/gateway.yaml index ae971a43..f1fdd297 100644 --- a/roles/gateway/templates/gateway.yaml +++ b/roles/gateway/templates/gateway.yaml @@ -3,7 +3,7 @@ apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: name: metal-control-plane - namespace: {{ gateway_namespace }} + namespace: "{{ gateway_namespace }}" spec: gatewayClassName: eg addresses: @@ -22,6 +22,12 @@ spec: port: {{ gateway_https_port }} name: https hostname: "*.{{ metal_control_plane_ingress_dns }}" + tls: + mode: Terminate + certificateRefs: + - group: "" + kind: Secret + name: default-tls {% for name, port in gateway_tcp_listeners.items() %} - protocol: TCP name: {{ name }} diff --git a/scripts/roll_certs.sh b/scripts/roll_certs.sh index 7fc34acd..13487d85 100755 --- a/scripts/roll_certs.sh +++ b/scripts/roll_certs.sh @@ -13,7 +13,8 @@ rm *.csr for component in \ grpc \ - masterdata-api; do + masterdata-api \ + default-gateway; do pushd $component echo "generating $component certs" From 71ab40712c5f497d18e0cc408174659445926d44 Mon Sep 17 00:00:00 2001 
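Review bot: The new `Deploy default-tls certificate secret` task puts the private key from `certs/default-gateway/server-key.pem` straight into the module's `definition`, so the key is printed in `-v`/`--diff` output and kept in the task result; add `no_log: true` to that task. The key file is produced by `scripts/roll_certs.sh` (hunk further down adds `default-gateway` to the loop) and lives under `files/certs/`; make sure that path is covered by the repository's ignore rules, which are not visible here. The Secret and the Gateway are both rendered into `gateway_namespace`, so the `certificateRefs` entry in gateway.yaml resolves without a ReferenceGrant, which is worth stating in a comment next to `name: default-tls` for whoever later moves one of them.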
From: Benjamin Ritter Date: Wed, 29 Apr 2026 11:12:43 +0200 Subject: [PATCH 03/12] fixup! WIP feat: add gatewayapi support --- roles/gateway/templates/envoyproxy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/gateway/templates/envoyproxy.yaml b/roles/gateway/templates/envoyproxy.yaml index e0e2e4f6..ce3b4700 100644 --- a/roles/gateway/templates/envoyproxy.yaml +++ b/roles/gateway/templates/envoyproxy.yaml @@ -3,7 +3,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: name: metal-control-plane - namespace: {{ gateway_namespace }} + namespace: "{{ gateway_namespace }}" spec: provider: type: Kubernetes From c54169e3622ee9e9a81710f3e08de6605dd310f5 Mon Sep 17 00:00:00 2001 From: Benjamin Ritter Date: Wed, 29 Apr 2026 11:12:52 +0200 Subject: [PATCH 04/12] feat: enable zitadel httproute Signed-off-by: Benjamin Ritter --- inventories/group_vars/control_plane/zitadel.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/inventories/group_vars/control_plane/zitadel.yaml b/inventories/group_vars/control_plane/zitadel.yaml index f45059d2..cbb76e36 100644 --- a/inventories/group_vars/control_plane/zitadel.yaml +++ b/inventories/group_vars/control_plane/zitadel.yaml @@ -6,6 +6,10 @@ zitadel_port: 8080 zitadel_skip_verify_tls: true zitadel_insecure: true +zitadel_httproute_enabled: true +zitadel_httproute_parent_refs: +- name: metal-control-plane + zitadel_init_config: static_users: - first_name: Olli From c2bb95bc6b7987416e2ec70ad8bda7a634dca369 Mon Sep 17 00:00:00 2001 From: Benjamin Ritter Date: Thu, 30 Apr 2026 15:40:37 +0200 Subject: [PATCH 05/12] feat: move kind and sonic containerlab to dedicated network 
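Review bot: In the zitadel.yaml hunk `zitadel_httproute_parent_refs` names the Gateway but carries no `namespace`, while the equivalent refs added to metal.yml earlier in the series include `namespace: "{{ metal_control_plane_namespace }}"`. If the zitadel HTTPRoute is created in a namespace other than the Gateway's (where it is deployed is not visible here), the parent ref will not resolve and would additionally need a ReferenceGrant; either add `namespace: "{{ metal_control_plane_namespace }}"` for consistency or note in a comment that zitadel is deployed into the same namespace as the Gateway.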
Signed-off-by: Benjamin Ritter --- Makefile | 9 ++- compose.yaml | 5 +- control-plane/kind.yaml | 2 +- deploy_gardener.yaml | 2 +- docs/overview-kamaji.drawio.svg | 4 +- docs/overview.drawio.svg | 4 +- env.sh | 1 + files/certs/grpc/server.json | 2 +- files/dev_images.yaml | 4 +- files/startup-config/leaf01_4.4.3.json | 2 +- files/startup-config/leaf01_4.5.1.json | 2 +- files/startup-config/leaf02_4.4.3.json | 2 +- files/startup-config/leaf02_4.5.1.json | 2 +- inventories/group_vars/all/control_plane.yaml | 2 +- inventories/group_vars/control_plane/dex.yaml | 2 +- .../control_plane/gardener/gardenlet.yaml | 2 +- .../control_plane/gardener/operator.yaml | 4 +- .../group_vars/control_plane/metal.yml | 2 +- .../group_vars/control_plane/minio.yaml | 2 +- .../group_vars/control_plane/powerdns.yaml | 4 +- .../group_vars/control_plane/zitadel.yaml | 2 +- inventories/group_vars/leaves/main.yaml | 2 +- inventories/group_vars/partition/common.yaml | 2 +- inventories/group_vars/partition/router.yaml | 2 +- mini-lab.sonic.yaml | 2 +- mini-lab.sonic.yaml.annotations.json | 61 +++++++++++++++++++ roles/gateway/templates/envoyproxy.yaml | 2 +- roles/gateway/templates/gateway.yaml | 2 +- 28 files changed, 102 insertions(+), 32 deletions(-) create mode 100644 mini-lab.sonic.yaml.annotations.json diff --git a/Makefile b/Makefile index 8a23f19b..8a673c4e 100644 --- a/Makefile +++ b/Makefile @@ -10,7 +10,7 @@ KINDCONFIG := $(or $(KINDCONFIG),control-plane/kind.yaml) KUBECONFIG := $(shell pwd)/.kubeconfig METALCTL_HMAC := $(or $(METALCTL_HMAC),metal-admin) -METALCTL_API_URL := $(or $(METALCTL_API_URL),http://api.172.18.0.42.nip.io:8080/metal) +METALCTL_API_URL := $(or $(METALCTL_API_URL),http://api.172.42.0.42.nip.io:8080/metal) MKE2FS_CONFIG := $(shell pwd)/mke2fs.conf # Default values 
@@ -26,6 +26,8 @@ MINI_LAB_VM_IMAGE := $(or $(MINI_LAB_VM_IMAGE),ghcr.io/metal-stack/mini-lab-vms: MINI_LAB_SONIC_IMAGE := $(or $(MINI_LAB_SONIC_IMAGE),ghcr.io/metal-stack/mini-lab-sonic:latest) MINI_LAB_DELL_SONIC_VERSION := $(or $(MINI_LAB_DELL_SONIC_VERSION),4.5.1) +MINI_LAB_INTERNAL_NETWORK=mini_lab_internal + MACHINE_OS=debian-12.0 MAX_RETRIES := 30 @@ -117,6 +119,8 @@ create-proxy-registries: .PHONY: control-plane-bake control-plane-bake: + + @if ! docker network ls | grep -q mini_lab_internal; then docker network create mini_lab_internal --gateway 172.42.0.1 --ip-range=172.42.0.0/24 --subnet=172.42.0.0/24 --ipv6=false ; fi @if ! which kind > /dev/null; then echo "kind needs to be installed"; exit 1; fi @if ! kind get clusters | grep metal-control-plane > /dev/null; then \ kind create cluster $(KIND_ARGS) \ @@ -167,6 +171,7 @@ env: .PHONY: cleanup cleanup: cleanup-control-plane cleanup-partition + docker network rm --force mini_lab_internal .PHONY: cleanup-control-plane cleanup-control-plane: 
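Review bot: In the `control-plane-bake` hunk, `docker network create mini_lab_internal --gateway 172.42.0.1 --ip-range=172.42.0.0/24 --subnet=172.42.0.0/24` picks 172.42.0.0/24, which is outside the RFC 1918 block 172.16.0.0/12 and is routable public address space, so while the lab runs the host will capture traffic destined for real hosts in that range. Use a private block instead; since this commit writes `172.42.0.x` into roughly thirty files, the subnet and the two fixed addresses should become Makefile variables (e.g. `MINI_LAB_INTERNAL_SUBNET`, name constructed) next to the `MINI_LAB_INTERNAL_NETWORK` you already define a few lines up, which the command itself should use instead of the repeated literal. `docker network ls | grep -q mini_lab_internal` is a substring match; `docker network inspect $(MINI_LAB_INTERNAL_NETWORK) >/dev/null 2>&1 ||` is exact. With `--ip-range` equal to the whole subnet Docker may also hand 172.42.0.42 to an ordinary container before the load balancer claims it — narrowing the range or reserving that address seems advisable, though how cloud-provider-kind allocates is not visible here.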
@@ -439,7 +444,7 @@ build-dell-sonic: fetch-virtual-kubeconfig: # TODO: it's hard to get the latest issued generic kubeconfig secret... just take the first result for now kubectl --kubeconfig=$(KUBECONFIG) get secret -n garden $(shell kubectl --kubeconfig=$(KUBECONFIG) get secret -n garden -l managed-by=secrets-manager,manager-identity=gardener-operator,name=generic-token-kubeconfig --no-headers | awk '{ print $$1 }') -o jsonpath='{.data.kubeconfig}' | base64 -d > .virtual-kubeconfig - @kubectl --kubeconfig=.virtual-kubeconfig config set-cluster garden --server=https://api.gardener-kube-apiserver.172.17.0.1.nip.io:4443 + @kubectl --kubeconfig=.virtual-kubeconfig config set-cluster garden --server=https://api.gardener-kube-apiserver.172.42.0.1.nip.io:4443 @kubectl --kubeconfig=.virtual-kubeconfig config set-credentials garden --token=$(shell kubectl --kubeconfig=$(KUBECONFIG) get secret -n garden shoot-access-virtual-garden -o jsonpath='{.data.token}' | base64 -d) @kubectl --kubeconfig=$(KUBECONFIG) config unset users.garden @kubectl --kubeconfig=$(KUBECONFIG) config unset contexts.garden diff --git a/compose.yaml b/compose.yaml index 4946f418..ac8610d0 100644 --- a/compose.yaml +++ b/compose.yaml @@ -137,7 +137,10 @@ services: cloud-provider-kind: image: registry.k8s.io/cloud-provider-kind/cloud-controller-manager:v0.10.0 restart: always - network_mode: kind + networks: + - kind + environment: + - KIND_EXPERIMENTAL_DOCKER_NETWORK=${KIND_EXPERIMENTAL_DOCKER_NETWORK:-kind} command: # v0.10.0 of cloud controller does not support tcproutes, since it does not support the experimental gateway api channel # using envoy-gateway deployed via roles/gateway instead diff --git a/control-plane/kind.yaml b/control-plane/kind.yaml index a55b4aaf..c0af5d47 100644 --- a/control-plane/kind.yaml +++ b/control-plane/kind.yaml 
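Review bot: This hunk moves the virtual-garden server to `api.gardener-kube-apiserver.172.42.0.1.nip.io`, and gardenlet.yaml and operator.yaml in this commit use `gardener.172.42.0.1.nip.io`, but powerdns.yaml's zones become `gardener.172.42.0.42.nip.io.` and `gardener-kube-apiserver.172.42.0.42.nip.io.`. Before the network move every one of these was `172.17.0.1`, so the records the gardenlet creates under its default domain would now fall outside the zones PowerDNS serves. Pick one address (the load balancer at .42 or the docker gateway at .1) and derive all of these names from a single variable so they cannot diverge again.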
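Review bot: The `cloud-provider-kind` service is now attached statically to `networks: - kind` while its `KIND_EXPERIMENTAL_DOCKER_NETWORK` environment variable is configurable and env.sh (hunk further down) derives it from `MINI_LAB_INTERNAL_NETWORK`; once kind itself creates the cluster on `mini_lab_internal`, the controller ends up on a different network from the nodes it manages. Drive both from the same value, e.g. a top-level `networks: internal: name: ${KIND_EXPERIMENTAL_DOCKER_NETWORK:-kind} external: true` referenced as `networks: - internal` (no top-level `networks:` stanza is visible in this hunk, so it may need adding). env.sh's `${MINI_LAB_INTERNAL_NETWORK:=}` also stays empty unless the Makefile exports that variable, which is not shown here.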
@@ -2,7 +2,7 @@ kind: Cluster apiVersion: kind.x-k8s.io/v1alpha4 networking: apiServerPort: 6443 - apiServerAddress: 0.0.0.0 + apiServerAddress: 172.42.0.1 nodes: - role: control-plane extraMounts: diff --git a/deploy_gardener.yaml b/deploy_gardener.yaml index 43eb72d4..888c6f8c 100644 --- a/deploy_gardener.yaml +++ b/deploy_gardener.yaml @@ -81,7 +81,7 @@ status: loadBalancer: ingress: - - ip: "172.17.0.1" + - ip: "172.42.0.1" tags: gardener - name: Expose istio gateway through ingress-nginx (for local environments) diff --git a/docs/overview-kamaji.drawio.svg b/docs/overview-kamaji.drawio.svg index f6e083c1..e9b2b33e 100644 --- a/docs/overview-kamaji.drawio.svg +++ b/docs/overview-kamaji.drawio.svg @@ -470,13 +470,13 @@
- docker network 172.17.0.1/16 + docker network 172.42.0.1/16
- docker network 172.17.0.1/16 + docker network 172.42.0.1/16 diff --git a/docs/overview.drawio.svg b/docs/overview.drawio.svg index 1267de68..fdb8f9b9 100644 --- a/docs/overview.drawio.svg +++ b/docs/overview.drawio.svg @@ -470,13 +470,13 @@
- docker network 172.17.0.1/16 + docker network 172.42.0.1/16
- docker network 172.17.0.1/16 + docker network 172.42.0.1/16 diff --git a/env.sh b/env.sh index a01de375..daac37ec 100755 --- a/env.sh +++ b/env.sh @@ -24,4 +24,5 @@ DEPLOYMENT_BASE_IMAGE_TAG=${DEPLOYMENT_BASE_IMAGE_TAG} CI=${CI:=false} DOCKER_HUB_USER=${DOCKER_HUB_USER:=} DOCKER_HUB_TOKEN=${DOCKER_HUB_TOKEN:=} +KIND_EXPERIMENTAL_DOCKER_NETWORK=${MINI_LAB_INTERNAL_NETWORK:=} EOF diff --git a/files/certs/grpc/server.json b/files/certs/grpc/server.json index 17ba2a53..e1b8bc35 100644 --- a/files/certs/grpc/server.json +++ b/files/certs/grpc/server.json @@ -1,7 +1,7 @@ { "CN": "metal-api", "hosts": [ - "172.17.0.1", + "172.42.0.42", "203.0.113.1" ], "key": { diff --git a/files/dev_images.yaml b/files/dev_images.yaml index e0699518..91b8285c 100644 --- a/files/dev_images.yaml +++ b/files/dev_images.yaml @@ -1,6 +1,6 @@ --- # Do not change these values metal_api_image_tag: dev -metal_core_image_name: 172.17.0.1:5000/metalstack/metal-core +metal_core_image_name: 172.42.0.42:5000/metalstack/metal-core metal_core_image_tag: dev -metal_hammer_image_url: http://172.17.0.1:20015/metal-hammer-initrd.img.lz4 +metal_hammer_image_url: http://172.42.0.42:20015/metal-hammer-initrd.img.lz4 diff --git a/files/startup-config/leaf01_4.4.3.json b/files/startup-config/leaf01_4.4.3.json index 622b5df9..60393ec3 100644 --- a/files/startup-config/leaf01_4.4.3.json +++ b/files/startup-config/leaf01_4.4.3.json @@ -11,7 +11,7 @@ } }, "DNS_SERVER": { - "172.17.0.1": {}, + "172.42.0.1": {}, "1.1.1.1": {}, "1.0.0.1": {} }, diff --git a/files/startup-config/leaf01_4.5.1.json b/files/startup-config/leaf01_4.5.1.json index cd4224ac..78106fe8 100644 --- a/files/startup-config/leaf01_4.5.1.json +++ b/files/startup-config/leaf01_4.5.1.json @@ -11,7 +11,7 @@ } }, "DNS_SERVER": { - "172.17.0.1": {}, + "172.42.0.1": {}, "1.1.1.1": {}, "1.0.0.1": {} }, diff --git a/files/startup-config/leaf02_4.4.3.json b/files/startup-config/leaf02_4.4.3.json index 5a8d4a78..7359f574 100644 
--- a/files/startup-config/leaf02_4.4.3.json +++ b/files/startup-config/leaf02_4.4.3.json @@ -11,7 +11,7 @@ } }, "DNS_SERVER": { - "172.17.0.1": {}, + "172.42.0.1": {}, "1.1.1.1": {}, "1.0.0.1": {} }, diff --git a/files/startup-config/leaf02_4.5.1.json b/files/startup-config/leaf02_4.5.1.json index 41c8f118..335ef382 100644 --- a/files/startup-config/leaf02_4.5.1.json +++ b/files/startup-config/leaf02_4.5.1.json @@ -11,7 +11,7 @@ } }, "DNS_SERVER": { - "172.17.0.1": {}, + "172.42.0.1": {}, "1.1.1.1": {}, "1.0.0.1": {} }, diff --git a/inventories/group_vars/all/control_plane.yaml b/inventories/group_vars/all/control_plane.yaml index b6ee893a..d1eec945 100644 --- a/inventories/group_vars/all/control_plane.yaml +++ b/inventories/group_vars/all/control_plane.yaml @@ -1,6 +1,6 @@ --- metal_control_plane_provider_tenant: metal-stack -metal_control_plane_ingress_dns: 172.18.0.42.nip.io +metal_control_plane_ingress_dns: 172.42.0.42.nip.io metal_control_plane_stage_name: test metal_control_plane_namespace: metal-control-plane metal_control_plane_image_pull_policy: Always diff --git a/inventories/group_vars/control_plane/dex.yaml b/inventories/group_vars/control_plane/dex.yaml index d1d8ce2d..f09642d9 100644 --- a/inventories/group_vars/control_plane/dex.yaml +++ b/inventories/group_vars/control_plane/dex.yaml @@ -8,7 +8,7 @@ auth_dex_static_clients: name: "metal-stack" secret: secret redirectURIs: - - 'http://v2.api.172.18.0.42.nip.io:8080/auth/oidc/callback' + - 'http://v2.api.172.42.0.42.nip.io:8080/auth/oidc/callback' auth_dex_static_passwords: - email: admin@metal-stack.io diff --git a/inventories/group_vars/control_plane/gardener/gardenlet.yaml b/inventories/group_vars/control_plane/gardener/gardenlet.yaml index 8fed1d0f..fe02bb70 100644 --- a/inventories/group_vars/control_plane/gardener/gardenlet.yaml +++ b/inventories/group_vars/control_plane/gardener/gardenlet.yaml 
@@ -1,5 +1,5 @@ --- -gardener_gardenlet_default_dns_domain: "gardener.172.17.0.1.nip.io" +gardener_gardenlet_default_dns_domain: "gardener.172.42.0.1.nip.io" gardener_gardenlet_default_dns_provider: powerdns gardener_gardenlet_default_dns_credentials: apiKey: "{{ powerdns_api_key | b64encode }}" diff --git a/inventories/group_vars/control_plane/gardener/operator.yaml b/inventories/group_vars/control_plane/gardener/operator.yaml index 5cddad2e..842293b6 100644 --- a/inventories/group_vars/control_plane/gardener/operator.yaml +++ b/inventories/group_vars/control_plane/gardener/operator.yaml @@ -1,5 +1,5 @@ --- -gardener_operator_ingress_dns_domain: "gardener.172.17.0.1.nip.io" +gardener_operator_ingress_dns_domain: "gardener.172.42.0.1.nip.io" gardener_operator_backup_infrastructure: provider: S3 @@ -17,7 +17,7 @@ gardener_operator_backup_infrastructure_secret: s3ForcePathStyle: "{{ 'true' | b64encode }}" # enable mini-lab patches -gardener_operator_patch_istio_ingress_gateway_service_ip: 172.17.0.1 +gardener_operator_patch_istio_ingress_gateway_service_ip: 172.42.0.1 gardener_operator_expose_virtual_garden_through_ingress_nginx: true # for local setups this should be sufficient diff --git a/inventories/group_vars/control_plane/metal.yml b/inventories/group_vars/control_plane/metal.yml index 6ffb0dd1..6b7acd93 100644 --- a/inventories/group_vars/control_plane/metal.yml +++ b/inventories/group_vars/control_plane/metal.yml @@ -39,7 +39,7 @@ metal_apiserver_oidc_discovery_url: https://zitadel.{{ metal_control_plane_ingre metal_apiserver_oidc_end_session_url: "https://zitadel.{{ metal_control_plane_ingress_dns }}:4443/oidc/v1/end_session" metal_apiserver_redis_password: change-me-soon -metal_apiserver_admin_subjects: "admin@metal-stack.zitadel.172.17.0.1.nip.io@openid-connect" +metal_apiserver_admin_subjects: "admin@metal-stack.zitadel.172.42.0.1.nip.io@openid-connect" metal_api_images: - id: firewall-ubuntu-3.0 
diff --git a/inventories/group_vars/control_plane/minio.yaml b/inventories/group_vars/control_plane/minio.yaml index 73801c7c..219fe31c 100644 --- a/inventories/group_vars/control_plane/minio.yaml +++ b/inventories/group_vars/control_plane/minio.yaml @@ -2,4 +2,4 @@ minio_root_user: mini-lab minio_root_password: change-me -minio_dns_name: minio.172.17.0.1.nip.io +minio_dns_name: minio.172.42.0.42.nip.io diff --git a/inventories/group_vars/control_plane/powerdns.yaml b/inventories/group_vars/control_plane/powerdns.yaml index bde65e72..595f6d51 100644 --- a/inventories/group_vars/control_plane/powerdns.yaml +++ b/inventories/group_vars/control_plane/powerdns.yaml @@ -10,11 +10,11 @@ powerdns_load_balancer_dns_name: "ns.{{ metal_control_plane_ingress_dns }}" powerdns_api_dns_name: "powerdns-api.{{ metal_control_plane_ingress_dns }}" powerdns_zones: - - name: "gardener.172.17.0.1.nip.io." + - name: "gardener.172.42.0.42.nip.io." kind: Master nameservers: - "{{ powerdns_load_balancer_dns_name }}." - - name: "gardener-kube-apiserver.172.17.0.1.nip.io." + - name: "gardener-kube-apiserver.172.42.0.42.nip.io." kind: Master nameservers: - "{{ powerdns_load_balancer_dns_name }}." diff --git a/inventories/group_vars/control_plane/zitadel.yaml b/inventories/group_vars/control_plane/zitadel.yaml index cbb76e36..7f0cf208 100644 --- a/inventories/group_vars/control_plane/zitadel.yaml +++ b/inventories/group_vars/control_plane/zitadel.yaml @@ -27,4 +27,4 @@ zitadel_init_config: # later id will be added but currently not possible with zitadel id: metal-stack name: metal-stack - redirect_uri: http://v2.api.172.17.0.1.nip.io:8080/auth/openid-connect/callback + redirect_uri: http://v2.api.172.42.0.42.nip.io:8080/auth/openid-connect/callback diff --git a/inventories/group_vars/leaves/main.yaml b/inventories/group_vars/leaves/main.yaml index fbc83ac4..e1d1e596 100644 --- a/inventories/group_vars/leaves/main.yaml +++ b/inventories/group_vars/leaves/main.yaml 
@@ -12,7 +12,7 @@ sonic_config_frr_render: false sonic_config_loopback_address: "{{ lo }}" sonic_config_mgmt_interface: ip: "{{ ansible_host }}/16`" - gateway_address: "172.17.0.1" + gateway_address: "172.42.0.1" sonic_config_mgmt_vrf: false sonic_config_nameservers: "{{ router_nameservers }}" diff --git a/inventories/group_vars/partition/common.yaml b/inventories/group_vars/partition/common.yaml index 61da08a0..d91f43df 100644 --- a/inventories/group_vars/partition/common.yaml +++ b/inventories/group_vars/partition/common.yaml @@ -14,4 +14,4 @@ metal_partition_metal_api_grpc_ca_cert: "{{ lookup('file', 'certs/ca.pem') }}" metal_partition_metal_api_grpc_client_cert: "{{ lookup('file', 'certs/grpc/client.pem') }}" metal_partition_metal_api_grpc_client_key: "{{ lookup('file', 'certs/grpc/client-key.pem') }}" -metal_partition_mgmt_gateway: 172.17.0.1 +metal_partition_mgmt_gateway: 172.42.0.42 diff --git a/inventories/group_vars/partition/router.yaml b/inventories/group_vars/partition/router.yaml index bdcbc460..a85d2998 100644 --- a/inventories/group_vars/partition/router.yaml +++ b/inventories/group_vars/partition/router.yaml @@ -1,5 +1,5 @@ --- router_nameservers: - - 172.17.0.1 + - 172.42.0.1 - 1.1.1.1 - 1.0.0.1 diff --git a/mini-lab.sonic.yaml b/mini-lab.sonic.yaml index 5d46a128..a14ad7e0 100644 --- a/mini-lab.sonic.yaml +++ b/mini-lab.sonic.yaml @@ -2,7 +2,7 @@ name: mini-lab prefix: "" mgmt: - network: bridge + network: mini_lab_internal topology: defaults: diff --git a/mini-lab.sonic.yaml.annotations.json b/mini-lab.sonic.yaml.annotations.json new file mode 100644 index 00000000..6e468112 --- /dev/null +++ b/mini-lab.sonic.yaml.annotations.json 
@@ -0,0 +1,61 @@ +{ + "freeTextAnnotations": [], + "freeShapeAnnotations": [], + "trafficRateAnnotations": [], + "groupStyleAnnotations": [], + "networkNodeAnnotations": [], + "nodeAnnotations": [ + { + "id": "exit", + "position": { + "x": 360, + "y": 420 + } + }, + { + "id": "external_service", + "position": { + "x": 160, + "y": 180 + } + }, + { + "id": "mini_lab_ext", + "position": { + "x": 280, + "y": 300 + } + }, + { + "id": "leaf01", + "position": { + "x": 500, + "y": 360 + } + }, + { + "id": "leaf02", + "position": { + "x": 520, + "y": 460 + } + }, + { + "id": "machine01", + "position": { + "x": 640, + "y": 320 + } + }, + { + "id": "machine02", + "position": { + "x": 680, + "y": 420 + } + } + ], + "edgeAnnotations": [], + "aliasEndpointAnnotations": [], + "viewerSettings": {} +} \ No newline at end of file diff --git a/roles/gateway/templates/envoyproxy.yaml b/roles/gateway/templates/envoyproxy.yaml index ce3b4700..edb7c0fe 100644 --- a/roles/gateway/templates/envoyproxy.yaml +++ b/roles/gateway/templates/envoyproxy.yaml @@ -11,4 +11,4 @@ spec: envoyService: externalTrafficPolicy: Local type: LoadBalancer - loadBalancerIP: 172.18.0.42 \ No newline at end of file + loadBalancerIP: 172.42.0.42 \ No newline at end of file diff --git a/roles/gateway/templates/gateway.yaml b/roles/gateway/templates/gateway.yaml index f1fdd297..8bcf5ccf 100644 --- a/roles/gateway/templates/gateway.yaml +++ b/roles/gateway/templates/gateway.yaml @@ -7,7 +7,7 @@ metadata: spec: gatewayClassName: eg addresses: - - value: 172.18.0.42 + - value: 172.42.0.42 infrastructure: parametersRef: group: gateway.envoyproxy.io From 216478034124329bef4a72f8b52e4eaebaace734 Mon Sep 17 00:00:00 2001 From: Benjamin Ritter Date: Mon, 4 May 2026 14:55:58 +0200 Subject: [PATCH 06/12] fix: bind zitadel only to https listener Signed-off-by: Benjamin Ritter --- inventories/group_vars/control_plane/zitadel.yaml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/inventories/group_vars/control_plane/zitadel.yaml b/inventories/group_vars/control_plane/zitadel.yaml index 7f0cf208..10fc1776 100644 --- a/inventories/group_vars/control_plane/zitadel.yaml +++ b/inventories/group_vars/control_plane/zitadel.yaml @@ -9,6 +9,7 @@ zitadel_insecure: true zitadel_httproute_enabled: true zitadel_httproute_parent_refs: - name: metal-control-plane + sectionName: https zitadel_init_config: static_users: From a035c060b0e8270bbfd91635764739c5ba98915f Mon Sep 17 00:00:00 2001 From: Benjamin Ritter Date: Mon, 4 May 2026 14:56:48 +0200 Subject: [PATCH 07/12] feat: expose metal-api gRPC endpoint Signed-off-by: Benjamin Ritter --- inventories/group_vars/control_plane/ingress.yaml | 2 +- inventories/group_vars/control_plane/metal.yml | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/inventories/group_vars/control_plane/ingress.yaml b/inventories/group_vars/control_plane/ingress.yaml index 4fe93dcf..fe68a6b6 100644 --- a/inventories/group_vars/control_plane/ingress.yaml +++ b/inventories/group_vars/control_plane/ingress.yaml @@ -4,4 +4,4 @@ ingress_tcp_service_exposals: "50051": "{{ metal_control_plane_namespace }}/metal-api:50051" gateway_tcp_listeners: nsq: 4150 - metal-api: 50051 \ No newline at end of file + metal-api-grpc: 50051 \ No newline at end of file diff --git a/inventories/group_vars/control_plane/metal.yml b/inventories/group_vars/control_plane/metal.yml index 6b7acd93..ae01c253 100644 --- a/inventories/group_vars/control_plane/metal.yml +++ b/inventories/group_vars/control_plane/metal.yml @@ -20,6 +20,12 @@ metal_httproute: # namespace: "{{ metal_control_plane_namespace }}" # sectionName: http +metal_tcproute: + enabled: true + parentRefs: + - name: metal-control-plane + namespace: "{{ metal_control_plane_namespace }}" + sectionName: metal-api-grpc metal_api_pdb_min_available: 1 metal_api_replicas: 1 
@@ -39,7 +45,7 @@ metal_apiserver_oidc_discovery_url: https://zitadel.{{ metal_control_plane_ingre
metal_apiserver_oidc_end_session_url: "https://zitadel.{{ metal_control_plane_ingress_dns }}:4443/oidc/v1/end_session"
metal_apiserver_redis_password: change-me-soon
-metal_apiserver_admin_subjects: "admin@metal-stack.zitadel.172.42.0.1.nip.io@openid-connect"
+metal_apiserver_admin_subjects: "admin@metal-stack.zitadel.172.42.0.42.nip.io@openid-connect"
metal_api_images:
- id: firewall-ubuntu-3.0
From 121ddc3940d09578ccbaee001ab673ca954384cf Mon Sep 17 00:00:00 2001
From: Benjamin Ritter
Date: Mon, 4 May 2026 14:57:13 +0200
Subject: [PATCH 08/12] feat: expose nsq endpoint
Signed-off-by: Benjamin Ritter
---
inventories/group_vars/control_plane/nsq.yaml | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/inventories/group_vars/control_plane/nsq.yaml b/inventories/group_vars/control_plane/nsq.yaml
index b8983676..c7a1f802 100644
--- a/inventories/group_vars/control_plane/nsq.yaml
+++ b/inventories/group_vars/control_plane/nsq.yaml
@@ -9,3 +9,8 @@ nsq_certs_client_cert: "{{ lookup('file', 'certs/nsq/client.crt') }}"
nsq_certs_ca_cert: "{{ lookup('file', 'certs/ca.pem') }}"
nsq_broadcast_address: nsqd
+
+nsq_tcproute_enabled: true
+nsq_tcproute_parent_refs:
+- name: metal-control-plane
+ sectionName: nsq
From c55b5693c0e44b2293e0e30173df2ad37067fdb6 Mon Sep 17 00:00:00 2001
From: Benjamin Ritter
Date: Mon, 4 May 2026 15:18:33 +0200
Subject: [PATCH 09/12] fix: improve naming consistency
Signed-off-by: Benjamin Ritter
---
.../group_vars/control_plane/metal.yml | 24 +++++++------------
1 file changed, 8 insertions(+), 16 deletions(-)
diff --git a/inventories/group_vars/control_plane/metal.yml b/inventories/group_vars/control_plane/metal.yml
index ae01c253..f446df4b 100644
--- a/inventories/group_vars/control_plane/metal.yml
+++ b/inventories/group_vars/control_plane/metal.yml
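Review bot: `nsq_tcproute_enabled: true` places nsqd's TCP port on the gateway's external address as raw passthrough, so the client-certificate and CA material in the context lines above (`nsq_certs_client_cert`, `nsq_certs_ca_cert`) is the only thing standing between that address and the message bus. That holds only if nsqd itself is started with TLS required and client-certificate verification (nsqd's `--tls-required` and `--tls-client-auth-policy` flags); nothing in this hunk establishes it, so please confirm it in the nsq role and record the assumption here, e.g. `# exposed as TCP passthrough via the gateway; nsqd must require client certs on this port`. `sectionName: nsq` does match the `nsq: 4150` listener from the ingress.yaml hunk of patch 07, so the wiring itself looks consistent.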
@@ -7,25 +7,17 @@ metal_helm_chart_local_path: /helm-charts/charts/metal-control-plane
metal_deploy_ingress: false
-metal_httproute:
- enabled: true
- parentRefs:
+metal_httproute_enabled: true
+metal_httproute_parent_refs:
- name: metal-control-plane
namespace: "{{ metal_control_plane_namespace }}"
sectionName: http
- httpsRedirect:
- enabled: false
- # redirectParentRefs:
- # - name: metal-control-plane
- # namespace: "{{ metal_control_plane_namespace }}"
- # sectionName: http
-
-metal_tcproute:
- enabled: true
- parentRefs:
- - name: metal-control-plane
- namespace: "{{ metal_control_plane_namespace }}"
- sectionName: metal-api-grpc
+
+metal_tcproute_enabled: true
+metal_tcproute_parent_refs:
+- name: metal-control-plane
+ namespace: "{{ metal_control_plane_namespace }}"
+ sectionName: metal-api-grpc
metal_api_pdb_min_available: 1
metal_api_replicas: 1
From 31f8c87ef233bf77878940172e8c842bec56bb8b Mon Sep 17 00:00:00 2001
From: Benjamin Ritter
Date: Mon, 4 May 2026 16:28:39 +0200
Subject: [PATCH 10/12] fix: use valid hosts for gateway certificates
Signed-off-by: Benjamin Ritter
---
files/certs/default-gateway/server.json | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/files/certs/default-gateway/server.json b/files/certs/default-gateway/server.json
index 4a2b87e8..fb3a27a2 100644
--- a/files/certs/default-gateway/server.json
+++ b/files/certs/default-gateway/server.json
@@ -1,7 +1,8 @@
{
"CN": "default-gateway",
"hosts": [
- "*.nip.io"
+ "api.172.42.0.42.nip.io",
+ "v2.api.172.42.0.42.nip.io"
],
"key": {
"algo": "rsa",
From ea71720481382879b38ddc344c5abe5d2ecde8b6 Mon Sep 17 00:00:00 2001
From: Benjamin Ritter
Date: Thu, 7 May 2026 11:28:00 +0200
Subject: [PATCH 11/12] fix: move gateway configuration into their respective sections
Signed-off-by: Benjamin Ritter
---
.../group_vars/control_plane/metal.yml | 26 +++++++++++++------
1 file changed, 18 insertions(+), 8 deletions(-)
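Review bot: Dropping the `*.nip.io` wildcard is a real improvement — that SAN would have made the certificate valid for every nip.io name, not just this lab's — but the two replacement hosts hard-code 172.42.0.42 while several other hostnames in the inventory are built from `metal_control_plane_ingress_dns` (see the metal.yml and powerdns hunks), so the next address change silently reintroduces a TLS name mismatch here. If this is a cfssl-style request it cannot reference Ansible variables directly, so either render it from a template or leave a note in the role that consumes it stating that these hosts must track the gateway address. The list also covers only `api.` and `v2.api.`, yet patch 06 binds zitadel's HTTPRoute to the `https` listener; if that listener presents this certificate, `zitadel.<dns>` will fail hostname verification, and the set of hostnames the https listener actually routes should be what drives this list.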
diff --git a/inventories/group_vars/control_plane/metal.yml b/inventories/group_vars/control_plane/metal.yml
index f446df4b..c7980a60 100644
--- a/inventories/group_vars/control_plane/metal.yml
+++ b/inventories/group_vars/control_plane/metal.yml
@@ -7,14 +7,16 @@ metal_helm_chart_local_path: /helm-charts/charts/metal-control-plane
metal_deploy_ingress: false
-metal_httproute_enabled: true
-metal_httproute_parent_refs:
- - name: metal-control-plane
- namespace: "{{ metal_control_plane_namespace }}"
- sectionName: http
-
-metal_tcproute_enabled: true
-metal_tcproute_parent_refs:
+metal_api_httproute_enabled: true
+metal_api_httproute_hostnames:
+- "{{ metal_ingress_dns }}"
+metal_api_httproute_parent_refs:
+- name: metal-control-plane
+ namespace: "{{ metal_control_plane_namespace }}"
+ sectionName: http
+
+metal_api_tcproute_enabled: true
+metal_api_tcproute_parent_refs:
- name: metal-control-plane
namespace: "{{ metal_control_plane_namespace }}"
sectionName: metal-api-grpc
@@ -39,6 +41,14 @@ metal_apiserver_oidc_end_session_url: "https://zitadel.{{ metal_control_plane_in
metal_apiserver_redis_password: change-me-soon
metal_apiserver_admin_subjects: "admin@metal-stack.zitadel.172.42.0.42.nip.io@openid-connect"
+metal_apiserver_httproute_enabled: true
+metal_apiserver_httproute_hostnames:
+- "{{ metal_ingress_v2_dns }}"
+metal_apiserver_httproute_parent_refs:
+- name: metal-control-plane
+ namespace: "{{ metal_control_plane_namespace }}"
+ sectionName: http
+
metal_api_images:
- id: firewall-ubuntu-3.0
name: Firewall 3 Ubuntu
From a8e2474b405da9b2aafd4e8ec4e014bf818e990a Mon Sep 17 00:00:00 2001
From: Benjamin Ritter
Date: Fri, 8 May 2026 11:29:07 +0200
Subject: [PATCH 12/12] fix: undo changes to gardener ingress ips
Signed-off-by: Benjamin Ritter
---
inventories/group_vars/control_plane/minio.yaml | 2 +-
inventories/group_vars/control_plane/powerdns.yaml | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
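Review bot: Both new HTTPRoutes — `metal_api_httproute_parent_refs` in the first hunk and `metal_apiserver_httproute_parent_refs` in the second — attach only to `sectionName: http`, so metal-apiserver, whose OIDC settings and `metal_apiserver_admin_subjects` sit in the surrounding context, presumably receives its bearer tokens over a plaintext listener on the gateway's external address, while patch 06 deliberately moved zitadel to the `https` listener alone. If the gateway's https listener exists, a second parentRef per route with `sectionName: https` would also put the `api.`/`v2.api.` SANs from patch 10 to use; if plaintext is intentional for the lab, a comment beside the `sectionName: http` lines should say so. `metal_ingress_dns` and `metal_ingress_v2_dns` are referenced but not defined in this file, so the two hostname lists depend on those being set elsewhere in the inventory.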
diff --git a/inventories/group_vars/control_plane/minio.yaml b/inventories/group_vars/control_plane/minio.yaml
index 219fe31c..0e7566ee 100644
--- a/inventories/group_vars/control_plane/minio.yaml
+++ b/inventories/group_vars/control_plane/minio.yaml
@@ -2,4 +2,4 @@
minio_root_user: mini-lab
minio_root_password: change-me
-minio_dns_name: minio.172.42.0.42.nip.io
+minio_dns_name: minio.172.42.0.1.nip.io
diff --git a/inventories/group_vars/control_plane/powerdns.yaml b/inventories/group_vars/control_plane/powerdns.yaml
index 595f6d51..d001532f 100644
--- a/inventories/group_vars/control_plane/powerdns.yaml
+++ b/inventories/group_vars/control_plane/powerdns.yaml
@@ -10,11 +10,11 @@ powerdns_load_balancer_dns_name: "ns.{{ metal_control_plane_ingress_dns }}"
powerdns_api_dns_name: "powerdns-api.{{ metal_control_plane_ingress_dns }}"
powerdns_zones:
- - name: "gardener.172.42.0.42.nip.io."
+ - name: "gardener.172.42.0.1.nip.io."
kind: Master
nameservers:
- "{{ powerdns_load_balancer_dns_name }}."
- - name: "gardener-kube-apiserver.172.42.0.42.nip.io."
+ - name: "gardener-kube-apiserver.172.42.0.1.nip.io."
kind: Master
nameservers:
- "{{ powerdns_load_balancer_dns_name }}."