xray: drop dead vless ingress + pin Service target_port

The xray-vless ingress, Service port 6443, and container port 6443 had no backing listener — xray.config.json only binds 7443 (REALITY), 8443 (WS) and 9443 (XHTTP). The "xray-vless" hostname was returning 502 since the module was created. Side effect: removing the first Service port slot ("vless"/6443) caused the kubernetes provider to shift targetPort values on the remaining two ports (defaulting only worked at create time, not on port removal). Pinning target_port explicitly makes Service routing deterministic. End-to-end verified: REALITY via public IP:8080 (pfSense forward 8080 -> 10.0.20.200:7443), WS via Cloudflare, XHTTP via Cloudflare — all three transports proxied successfully through a test pod, egress IP correctly resolves to the home WAN.
2026-05-24 01:13:54 +00:00 · 2026-05-24 01:13:54 +00:00 · 6218868ea5
commit 6218868ea5
parent ae874e028d
1 changed files with 8 additions and 28 deletions
--- a/stacks/xray/modules/xray/main.tf
+++ b/stacks/xray/modules/xray/main.tf
@ -91,10 +91,6 @@ resource "kubernetes_deployment" "xray" {
          image             = "teddysun/xray"
          name              = "xray"
          image_pull_policy = "IfNotPresent"
-          port {
-            container_port = 6443 // vless
-            protocol       = "TCP"
-          }
          port {
            container_port = 7443 // reality
            protocol       = "TCP"
@ -174,19 +170,16 @@ resource "kubernetes_service" "xray" {
      app = "xray"
    }
    port {
-      name     = "vless"
-      port     = 6443
-      protocol = "TCP"
+      name        = "websocket"
+      port        = 8443
+      target_port = 8443
+      protocol    = "TCP"
    }
    port {
-      name     = "websocket"
-      port     = 8443
-      protocol = "TCP"
-    }
-    port {
-      name     = "grpc"
-      port     = 9443
-      protocol = "TCP"
+      name        = "grpc"
+      port        = 9443
+      target_port = 9443
+      protocol    = "TCP"
    }
  }
 }
@ -249,16 +242,3 @@ module "ingress_grpc" {
  }
 }

-module "ingress_vless" {
-  source = "../../../../modules/kubernetes/ingress_factory"
-  # VPN protocol (VLESS) — native xray clients, not browsers.
-  # auth = "none": VPN protocol (VLESS) — native xray clients, not browsers; forward-auth incompatible.
-  auth            = "none"
-  dns_type        = "proxied"
-  namespace       = kubernetes_namespace.xray.metadata[0].name
-  name            = "xray-vless"
-  service_name    = "xray"
-  host            = "xray-vless"
-  port            = 6443
-  tls_secret_name = var.tls_secret_name
-}