Skip to content

feat(helm): add extensible Gateway API routing with TLS passthrough#2108

Open
krishicks wants to merge 2 commits into
mainfrom
hicks/push-umwsnmztxknl
Open

feat(helm): add extensible Gateway API routing with TLS passthrough#2108
krishicks wants to merge 2 commits into
mainfrom
hicks/push-umwsnmztxknl

Conversation

@krishicks

Copy link
Copy Markdown
Collaborator

Summary

Refactor the Helm chart’s Gateway API configuration under a route-neutral gatewayApi hierarchy, allowing Gateway resources and individual route types to be managed independently. Replace the Envoy TLS termination approach introduced by abcd15d1 with TLS passthrough, preserving end-to-end TLS and mTLS while avoiding certificate management at the Envoy listener.

Related Issue

Follow-up to #2015 (abcd15d1).

Changes

  • Replace the route-specific grpcRoute.gateway values hierarchy with:
    • gatewayApi.gateway for shared Gateway resource configuration.
    • gatewayApi.routes.grpc for independently managed GRPCRoute configuration.
    • gatewayApi.routes.tls for independently managed TLSRoute configuration.
  • Use gatewayApi as the parent key to distinguish the Kubernetes Gateway API integration from the OpenShell gateway server.
  • Allow the chart to create:
    • Only a Gateway.
    • Only a GRPCRoute or TLSRoute attached to a pre-existing Gateway.
    • A Gateway and either or both supported route types.
  • Preserve the fixed port 80 HTTP listener and existing GRPCRoute behavior.
  • Add a fixed port 443 TLS listener in Passthrough mode when TLSRoute and chart-managed Gateway creation are enabled.
  • Add a gateway.networking.k8s.io/v1 TLSRoute that routes by SNI and forwards the encrypted stream to the OpenShell service.
  • Keep TLS termination and client certificate validation at the OpenShell gateway server, preserving existing mTLS behavior through Envoy.
  • Avoid Gateway listener certificate references:
    • The OpenShell server certificate does not need to be reused as an Envoy certificate.
    • Operators do not need to provision a separate edge certificate or Secret.
    • The backend server certificate only needs a SAN covering the external SNI hostname.
  • Reject TLSRoute passthrough when server.disableTls=true.
  • Add migration validation for the removed grpcRoute values.
  • Standardize the local Envoy Gateway setup and documentation on gateway-helm v1.8.1.
  • Add Helm unit tests for Gateway-only, route-only, combined, pre-existing Gateway, TLS passthrough, hostname, and invalid plaintext configurations.
  • Update CI overlays, generated Helm documentation, the Kubernetes ingress guide, Skaffold guidance, and cluster troubleshooting instructions.

Testing

  • mise run pre-commit passes
  • Unit tests added/updated
  • E2E tests added/updated (if applicable)

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated (if applicable)

krishicks added 2 commits July 1, 2026 12:33
Move Kubernetes Gateway creation and route settings out of the
grpcRoute hierarchy and into a dedicated gatewayApi configuration tree.

Nesting the Gateway resource under grpcRoute made the Gateway lifecycle
look like an implementation detail of GRPCRoute. It also coupled shared
Gateway identity and listener configuration to one route kind, making it
awkward to create only a Gateway, attach only a route to an existing
Gateway, or add other Gateway API route types.

Use gatewayApi as the umbrella because it names the Kubernetes Gateway
API integration directly and avoids conflating it with the OpenShell
gateway server. Keep shared Gateway resource settings under
gatewayApi.gateway and place independently selectable route kinds under
gatewayApi.routes. The initial gatewayApi.routes.grpc entry preserves
GRPCRoute support while establishing a natural extension point for
TLSRoute and other route types.

Restore the generated Gateway to its original fixed HTTP listener on
port 80 and remove the TLS termination settings introduced in commit
abcd15d while restructuring the values contract. This removal is
intentional and temporary: a later commit restores encrypted ingress as
TLS passthrough using TLSRoute, without coupling TLS configuration to
GRPCRoute.

Add shared helpers for Gateway name and namespace resolution, reject the
removed grpcRoute values with migration guidance, and cover Gateway-only,
GRPCRoute-only, combined, and pre-existing Gateway configurations with
Helm unit tests. Update the chart values, CI overlay, generated README,
ingress documentation, Skaffold guidance, and troubleshooting references
to use the new hierarchy.

Signed-off-by: Kris Hicks <khicks@nvidia.com>
Add gatewayApi.routes.tls so TLSRoute can be created independently for
an existing Gateway or paired with a chart-managed Gateway. When the
chart owns the Gateway, enabling the route adds a fixed port 443 TLS
listener in Passthrough mode while retaining the existing HTTP listener.

This revises the ingress approach introduced by commit abcd15d. Envoy
reads the ClientHello SNI for routing and forwards the encrypted stream
to the OpenShell gateway, which remains the TLS endpoint. That preserves
end-to-end TLS and client certificate authentication, so existing mTLS
continues to work through Envoy.

Passthrough also avoids certificate management at the Envoy listener. It
does not require reusing the OpenShell server certificate as a Gateway
certificate or provisioning a separate edge certificate and Secret.
The server certificate only needs to cover the external SNI hostname.

Signed-off-by: Kris Hicks <khicks@nvidia.com>
@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown

@krishicks

krishicks commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator Author

cc @zhaohuabing I think this solves the problem you created #2015 to fix while retaining mTLS support, and overall being a simpler implementation as it does TLS passthrough instead of termination.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants