From 3879d2fe3548d4ea7ccc2ed572429c27cbf30202 Mon Sep 17 00:00:00 2001
From: Eric Garcia <eric.garcia@gmail.com>
Date: Tue, 3 Feb 2026 13:00:28 -0500
Subject: [PATCH] fix: install Traefik CRDs for IngressRouteTCP SSH routing

The IngressRouteTCP resource was being silently ignored because
Traefik CRDs were never installed. This caused SSH traffic on
port 22 to be handled as HTTP, returning 400 Bad Request.

Add CRD installation step before Traefik deployment.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 terraform/minimal/user-data.sh | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/terraform/minimal/user-data.sh b/terraform/minimal/user-data.sh
index d64ee9c..43703f8 100644
--- a/terraform/minimal/user-data.sh
+++ b/terraform/minimal/user-data.sh
@@ -63,6 +63,18 @@ until kubectl get nodes 2>/dev/null | grep -q "Ready"; do
 done
 echo "k3s is ready"
 
+# -----------------------------------------------------------------------------
+# Install Traefik CRDs (required for IngressRouteTCP)
+# -----------------------------------------------------------------------------
+
+echo "Installing Traefik CRDs..."
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+
+# Wait for CRDs to be established
+echo "Waiting for Traefik CRDs to be ready..."
+kubectl wait --for=condition=Established crd/ingressroutetcps.traefik.io --timeout=60s || true
+kubectl wait --for=condition=Established crd/ingressroutes.traefik.io --timeout=60s || true
+
 # -----------------------------------------------------------------------------
 # Install Traefik with Let's Encrypt
 # -----------------------------------------------------------------------------