From b78e60dbf669275b60b1c03a1eae6dffab4e0aff Mon Sep 17 00:00:00 2001
From: Viktor Barzin <viktorbarzin@meta.com>
Date: Sun, 8 Feb 2026 01:01:17 +0000
Subject: [PATCH] [ci skip] Add Ollama TCP entrypoint for HA voice pipeline

Expose Ollama at 10.0.20.202:11434 via Traefik TCP passthrough,
bypassing TLS/auth issues with the HTTPS ingress.
---
 modules/kubernetes/traefik/main.tf |  6 ++++++
 modules/kubernetes/whisper/main.tf | 23 +++++++++++++++++++++++
 2 files changed, 29 insertions(+)

diff --git a/modules/kubernetes/traefik/main.tf b/modules/kubernetes/traefik/main.tf
index b09e9e4b..7bea0f36 100644
--- a/modules/kubernetes/traefik/main.tf
+++ b/modules/kubernetes/traefik/main.tf
@@ -109,6 +109,12 @@ resource "helm_release" "traefik" {
         protocol    = "TCP"
         expose      = { default = true }
       }
+      ollama-tcp = {
+        port        = 11434
+        exposedPort = 11434
+        protocol    = "TCP"
+        expose      = { default = true }
+      }
     }
 
     service = {
diff --git a/modules/kubernetes/whisper/main.tf b/modules/kubernetes/whisper/main.tf
index b1f56ee2..1c148acd 100644
--- a/modules/kubernetes/whisper/main.tf
+++ b/modules/kubernetes/whisper/main.tf
@@ -231,3 +231,26 @@ resource "kubernetes_manifest" "piper_tcp_ingressroute" {
     }
   }
 }
+
+# TCP passthrough from Traefik to ollama service (for HA voice pipeline)
+resource "kubernetes_manifest" "ollama_tcp_ingressroute" {
+  manifest = {
+    apiVersion = "traefik.io/v1alpha1"
+    kind       = "IngressRouteTCP"
+    metadata = {
+      name      = "ollama-tcp"
+      namespace = "traefik"
+    }
+    spec = {
+      entryPoints = ["ollama-tcp"]
+      routes = [{
+        match = "HostSNI(`*`)"
+        services = [{
+          name      = "ollama"
+          namespace = "ollama"
+          port      = 11434
+        }]
+      }]
+    }
+  }
+}