From 6218868ea5e581f9eee4ecca1c42eaf2b40eebb3 Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Sun, 24 May 2026 01:13:54 +0000 Subject: [PATCH] xray: drop dead vless ingress + pin Service target_port MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The xray-vless ingress, Service port 6443, and container port 6443 had no backing listener — xray.config.json only binds 7443 (REALITY), 8443 (WS) and 9443 (XHTTP). The "xray-vless" hostname was returning 502 since the module was created. Side effect: removing the first Service port slot ("vless"/6443) caused the kubernetes provider to shift targetPort values on the remaining two ports (defaulting only worked at create time, not on port removal). Pinning target_port explicitly makes Service routing deterministic. End-to-end verified: REALITY via public IP:8080 (pfSense forward 8080 -> 10.0.20.200:7443), WS via Cloudflare, XHTTP via Cloudflare — all three transports proxied successfully through a test pod, egress IP correctly resolves to the home WAN.
---
 stacks/xray/modules/xray/main.tf | 36 +++++++-------------------------
 1 file changed, 8 insertions(+), 28 deletions(-)
diff --git a/stacks/xray/modules/xray/main.tf b/stacks/xray/modules/xray/main.tf
index 903eaabd..37e9ecb3 100644
--- a/stacks/xray/modules/xray/main.tf
+++ b/stacks/xray/modules/xray/main.tf
@@ -91,10 +91,6 @@ resource "kubernetes_deployment" "xray" {
 image = "teddysun/xray"
 name = "xray"
 image_pull_policy = "IfNotPresent"
- port {
- container_port = 6443 // vless
- protocol = "TCP"
- }
 port {
 container_port = 7443 // reality
 protocol = "TCP"
@@ -174,19 +170,16 @@ resource "kubernetes_service" "xray" {
 app = "xray"
 }
 port {
- name = "vless"
- port = 6443
- protocol = "TCP"
+ name = "websocket"
+ port = 8443
+ target_port = 8443
+ protocol = "TCP"
 }
 port {
- name = "websocket"
- port = 8443
- protocol = "TCP"
- }
- port {
- name = "grpc"
- port = 9443
- protocol = "TCP"
+ name = "grpc"
+ port = 9443
+ target_port = 9443
+ protocol = "TCP"
 }
 }
 }
@@ -249,16 +242,3 @@ module "ingress_grpc" {
 }
 }
-module "ingress_vless" {
- source = "../../../../modules/kubernetes/ingress_factory"
- # VPN protocol (VLESS) — native xray clients, not browsers.
- # auth = "none": VPN protocol (VLESS) — native xray clients, not browsers; forward-auth incompatible.
- auth = "none"
- dns_type = "proxied"
- namespace = kubernetes_namespace.xray.metadata[0].name
- name = "xray-vless"
- service_name = "xray"
- host = "xray-vless"
- port = 6443
- tls_secret_name = var.tls_secret_name
-}
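Review bot: The two added `target_port` lines in the `kubernetes_service` port blocks equal `port`, so they will look redundant to the next editor; the reason for pinning them is recorded only in the commit message. A comment above the first port block, such as `# target_port is pinned on purpose: the provider shifted targetPort values when a port block was removed`, would stop them being cleaned up and traffic for one hostname landing on a different inbound again. The second port is still named `grpc` although the description says 9443 carries XHTTP, so a trailing `// xhttp` comment in the style of the container-port comments would make the mapping clear. Renaming the port itself is only safe if nothing selects it by name, which this hunk does not show. The `kubernetes_service` resource begins above the hunk.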