fix(vm): fix gateway readiness timeout with correct port mapping and aligned pre-bake

Two issues caused the gateway service readiness check to time out:

1. Port mapping mismatch: gvproxy mapped host:30051 → VM:8080, but with
   bridge CNI the pod listens on 8080 inside its network namespace, not
   on the VM's root namespace. Changed to 30051:30051 so traffic flows
   through the NodePort service (kube-proxy nftables → pod:8080).

2. Pod cycling from helm upgrade: build-rootfs.sh pre-baked with
   hostNetwork=true and automountServiceAccountToken=false, but
   gateway-init.sh changed these at boot, triggering a HelmChart
   reconcile that killed the pre-baked pod ~90s in. Aligned pre-bake
   values (hostNetwork=false, automountServiceAccountToken=true) to
   match runtime, eliminating the manifest delta.

Author: drew

crates/openshell-vm/scripts/build-rootfs.sh

@@ -243,17 +243,17 @@ if [ -f "$HELMCHART" ]; then
     sed -i '' "s|server:[[:space:]]*sandboxImage: ghcr.io/nvidia/openshell-community/sandboxes/base:latest|server:\n      sandboxImage: ${SANDBOX_IMAGE}|g" "$HELMCHART" 2>/dev/null || true
     sed -i '' "s|sandboxImage: ghcr.io/nvidia/openshell-community/sandboxes/base:latest|sandboxImage: ${SANDBOX_IMAGE}|g" "$HELMCHART" 2>/dev/null \
         || sed -i "s|sandboxImage: ghcr.io/nvidia/openshell-community/sandboxes/base:latest|sandboxImage: ${SANDBOX_IMAGE}|g" "$HELMCHART"
-    # Enable hostNetwork for VM (no kube-proxy / iptables).
-    sed -i '' 's|__HOST_NETWORK__|true|g' "$HELMCHART" 2>/dev/null \
-        || sed -i 's|__HOST_NETWORK__|true|g' "$HELMCHART"
-    # Disable SA token automount. The projected volume at
-    # /var/run/secrets/kubernetes.io/serviceaccount fails on sandbox
-    # re-creation because /var/run is a symlink to /run in the container
-    # image and the native snapshotter + virtiofs combination can't
-    # resolve it correctly on the second mount.
-    sed -i '' 's|__AUTOMOUNT_SA_TOKEN__|false|g' "$HELMCHART" 2>/dev/null \
-        || sed -i 's|__AUTOMOUNT_SA_TOKEN__|false|g' "$HELMCHART"
-    # Mount the k3s kubeconfig into the pod since SA token isn't mounted.
+    # Bridge CNI: pods use normal pod networking, not hostNetwork.
+    # This must match what gateway-init.sh applies at runtime so the
+    # HelmChart manifest is unchanged at boot — preventing a helm
+    # upgrade job that would cycle the pre-baked pod.
+    sed -i '' 's|__HOST_NETWORK__|false|g' "$HELMCHART" 2>/dev/null \
+        || sed -i 's|__HOST_NETWORK__|false|g' "$HELMCHART"
+    # Enable SA token automount for bridge CNI mode. Must match
+    # gateway-init.sh runtime value to avoid manifest delta.
+    sed -i '' 's|__AUTOMOUNT_SA_TOKEN__|true|g' "$HELMCHART" 2>/dev/null \
+        || sed -i 's|__AUTOMOUNT_SA_TOKEN__|true|g' "$HELMCHART"
+    # Mount the k3s kubeconfig into the pod for VM mode.
     sed -i '' 's|__KUBECONFIG_HOST_PATH__|"/etc/rancher/k3s"|g' "$HELMCHART" 2>/dev/null \
         || sed -i 's|__KUBECONFIG_HOST_PATH__|"/etc/rancher/k3s"|g' "$HELMCHART"
     # Disable persistence — use /tmp for the SQLite database. PVC mounts

crates/openshell-vm/src/lib.rs

@@ -161,12 +161,12 @@ impl VmConfig {
             ],
             workdir: "/".to_string(),
             port_map: vec![
-                // Navigator server — with hostNetwork the server binds
-                // directly to port 8080 on the VM's interface, bypassing
-                // NodePort (which requires kube-proxy / iptables).
-                // Map host 30051 -> guest 8080 so the external-facing
-                // port stays the same for CLI clients.
-                "30051:8080".to_string(),
+                // Navigator server — with bridge CNI the pod listens on
+                // 8080 inside its own network namespace (10.42.0.x), not
+                // on the VM's root namespace. The NodePort service
+                // (kube-proxy nftables) forwards VM:30051 → pod:8080.
+                // gvproxy maps host:30051 → VM:30051 to complete the path.
+                "30051:30051".to_string(),
             ],
             vsock_ports: vec![],
             log_level: 3, // Info — for debugging