From 9349d5d566d4f6986f04564f1a7a072d8f138346 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Mon, 6 Apr 2026 13:38:30 +0300
Subject: [PATCH] =?UTF-8?q?fix(meshcentral):=20use=20service=20port=2080?= =?UTF-8?q?=E2=86=92443=20to=20prevent=20Traefik=20HTTPS?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Root cause: Traefik v3 auto-detects HTTPS for backend port 443, ignoring the port name "http" and serversscheme annotations. MeshCentral serves HTTP on 443 (TLSOffload mode), but Traefik connected via HTTPS causing TLS handshake failure → 500. Fix: Change K8s service port from 443 to 80 with target_port 443. Traefik sees port 80 → uses HTTP → reaches MeshCentral correctly. Also disables anti-AI scraping (internal tool behind Authentik).
---
stacks/meshcentral/main.tf | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/stacks/meshcentral/main.tf b/stacks/meshcentral/main.tf
index ec53d12c..b474e7b3 100644
--- a/stacks/meshcentral/main.tf
+++ b/stacks/meshcentral/main.tf
@@ -224,9 +224,10 @@ resource "kubernetes_service" "meshcentral" {
 app = "meshcentral"
 }
 port {
- name = "http"
- port = 443
- protocol = "TCP"
+ name = "http"
+ port = 80
+ target_port = 443
+ protocol = "TCP"
 }
 }
 }
@@ -236,7 +237,7 @@ module "ingress" {
 namespace = kubernetes_namespace.meshcentral.metadata[0].name
 name = "meshcentral"
 tls_secret_name = var.tls_secret_name
- port = 443
+ port = 80
 protected = true
 anti_ai_scraping = false
 extra_annotations = {
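Review bot: The `port` block in `kubernetes_service.meshcentral` now maps service port 80 to container port 443 while keeping the name `http`, and nothing in the file records why or that this hop is unencrypted. I would add a comment above `port = 80`, e.g. `# Service port is 80 so Traefik speaks plain HTTP; MeshCentral (TLSOffload) serves HTTP on container port 443`. Because the Traefik-to-pod leg carries a remote-management console's sessions in cleartext, it is worth confirming that a NetworkPolicy (not visible in this hunk) limits ingress to the pod to Traefik. The resource starts above the hunk.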
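Review bot: The ingress module's `port = 80` repeats the literal from the Service, so the two can drift apart on the next port change and break routing; `port = kubernetes_service.meshcentral.spec[0].port[0].port` would tie them together. The description also says this commit disables anti-AI scraping, but `anti_ai_scraping = false` is an unchanged context line here, so that setting presumably predates this patch. That leaves `protected = true` as the only access gate shown in the hunk. The module block starts above the hunk and continues past it.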