Skip to content

feat: add gateway-api support#299

Open
l0wl3vel wants to merge 17 commits into
masterfrom
feat/gatewayapi
Open

feat: add gateway-api support#299
l0wl3vel wants to merge 17 commits into
masterfrom
feat/gatewayapi

Conversation

@l0wl3vel
Copy link
Copy Markdown

@l0wl3vel l0wl3vel commented May 6, 2026
edited
Loading

Description

  • Add kind-cloud-controller-manager to provide Type: Loadbalancer services
  • Introduce envoy-gateway as the Gateway API implementation
  • Move metal-stack control plane kind cluster into the mini_lab_external docker network
    • can't select container IP in the default docker bridge, which we need for the pre-defined *.nip.io DNS records
  • Kept ingress-nginx for now. Still required for Dex, Thanos, Gardener, PowerDNS

WIPs

  • Certificates are a bit messed up still (using default-gateway cert for grcp termination)
  • Link metal-roles pr branch to run ci in pull request metal-roles PR is merged
  • CI is failing - looks like an unrelated timeout

Used AI-Tools ✨

  • none used for generation

Closes: #297

Requires: metal-stack/helm-charts#156 and metal-stack/metal-roles#594

Tested configurations

  • Sonic
  • Dell Sonic
  • Gardener (looks good, deploys correctly with metal-stack on GWAPI and Gardener components still on ingress-nginx, further testing required)
  • Kamaji
    • non-functional. So likely a wontfix, unless it gets integreated into mini-lab. Only usable in capi-lab, which uses an old pinned version of mini-lab.

@metal-robot metal-robot Bot added this to Development May 6, 2026
@l0wl3vel l0wl3vel force-pushed the feat/gatewayapi branch 2 times, most recently from 28079c5 to f84c000 Compare May 8, 2026 14:58
@ma-hartma
Copy link
Copy Markdown
Contributor

ma-hartma commented May 11, 2026

Dell Sonic does actually work, but you need credentials to pull from r.metal-stack.io.

@l0wl3vel l0wl3vel mentioned this pull request May 26, 2026
Draft
9 tasks
@vknabel
Copy link
Copy Markdown
Contributor

vknabel commented May 28, 2026

Sadly I got the following error:

deploy-control-plane  | TASK [ansible-common/roles/helm-chart : Copy over custom helm charts] **********
deploy-control-plane  | fatal: [localhost]: FAILED! => 
deploy-control-plane  |     changed: false
deploy-control-plane  |     cmd: /usr/bin/rsync --delay-updates -F --compress --delete-after --archive --out-format='<<CHANGED>>%i
deploy-control-plane  |         %n%L' /helm-charts/charts/metal-control-plane /tmp/helm-chart
deploy-control-plane  |     msg: |-
deploy-control-plane  |         rsync: [sender] change_dir "/helm-charts/charts" failed: No such file or directory (2)
deploy-control-plane  |         rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1338) [sender=3.4.1]
deploy-control-plane  |     rc: 23

I had the following overrides metal_roles_version: gatewayapi

@l0wl3vel
Copy link
Copy Markdown
Author

l0wl3vel commented May 29, 2026

Sadly I got the following error:

deploy-control-plane  | TASK [ansible-common/roles/helm-chart : Copy over custom helm charts] **********
deploy-control-plane  | fatal: [localhost]: FAILED! => 
deploy-control-plane  |     changed: false
deploy-control-plane  |     cmd: /usr/bin/rsync --delay-updates -F --compress --delete-after --archive --out-format='<<CHANGED>>%i
deploy-control-plane  |         %n%L' /helm-charts/charts/metal-control-plane /tmp/helm-chart
deploy-control-plane  |     msg: |-
deploy-control-plane  |         rsync: [sender] change_dir "/helm-charts/charts" failed: No such file or directory (2)
deploy-control-plane  |         rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1338) [sender=3.4.1]
deploy-control-plane  |     rc: 23

I had the following overrides metal_roles_version: gatewayapi

@vknabel fixed in 629cb02

@l0wl3vel
Copy link
Copy Markdown
Author

l0wl3vel commented May 29, 2026

@Sven-Ric Would you mind taking a look at the network changes?

@l0wl3vel l0wl3vel requested review from Sven-Ric and vknabel May 29, 2026 13:10
@l0wl3vel l0wl3vel marked this pull request as ready for review June 1, 2026 06:53
@l0wl3vel l0wl3vel requested review from a team as code owners June 1, 2026 06:53
l0wl3vel added 16 commits June 2, 2026 14:13
@l0wl3vel
WIP feat: add gatewayapi support
eddc375 
Signed-off-by: Benjamin Ritter <benjamin.ritter@x-cellent.com>
@l0wl3vel
feat: add https gateway listener with self-signed cert
6a5f0d1 
Signed-off-by: Benjamin Ritter <benjamin.ritter@x-cellent.com>
@l0wl3vel
feat: enable zitadel httproute
5229834 
Signed-off-by: Benjamin Ritter <benjamin.ritter@x-cellent.com>
@l0wl3vel
feat: move kind and sonic containerlab to dedicated network
06b7bef 
Signed-off-by: Benjamin Ritter <benjamin.ritter@x-cellent.com>
@l0wl3vel
fix: bind zitadel only to https listener
dd23103 
Signed-off-by: Benjamin Ritter <benjamin.ritter@x-cellent.com>
@l0wl3vel
feat: expose metal-api gRPC endpoint
bc70fb4 
Signed-off-by: Benjamin Ritter <benjamin.ritter@x-cellent.com>
@l0wl3vel
feat: expose nsq endpoint
9c66c35 
Signed-off-by: Benjamin Ritter <benjamin.ritter@x-cellent.com>
@l0wl3vel
fix: improve naming consistency
2acc00e 
Signed-off-by: Benjamin Ritter <benjamin.ritter@x-cellent.com>
@l0wl3vel
fix: use valid hosts for gateway certificates
bebd1b4 
Signed-off-by: Benjamin Ritter <benjamin.ritter@x-cellent.com>
@l0wl3vel
fix: move gateway configuration into their respective sections
2934921 
Signed-off-by: Benjamin Ritter <benjamin.ritter@x-cellent.com>
@l0wl3vel
fix: undo changes to gardener ingress ips
08ed8c4 
Signed-off-by: Benjamin Ritter <benjamin.ritter@x-cellent.com>
@l0wl3vel
fix: fix incorrect use of gateway instead of ingress controller
ad279c2 
Signed-off-by: Benjamin Ritter <benjamin.ritter@x-cellent.com>
@l0wl3vel
feat: remove ingress-nginx exposed ports
04188b8 
Signed-off-by: Benjamin Ritter <benjamin.ritter@x-cellent.com>
@l0wl3vel
fix: change mgmt network to mini_lab_internal
776975e 
Signed-off-by: Benjamin Ritter <benjamin.ritter@x-cellent.com>
@l0wl3vel
fix: remove helm chart override
205080f 
Signed-off-by: Benjamin Ritter <benjamin.ritter@x-cellent.com>
@l0wl3vel
fix: make minilab internal network a /16 prefix again
a67cb9d 
Signed-off-by: Benjamin Ritter <benjamin.ritter@x-cellent.com>
@Sven-Ric
Copy link
Copy Markdown

Sven-Ric commented Jun 5, 2026

It seems like the kind node always ends up in the default kind network on a clean first run. The kind network is read from .env, which is written by env.sh. However the Makefile reads .env before env.sh is invoked and the kind node network falls back to default. Because .env is persistent the bug is masked on all subsequent runs.

On initial run:

# docker inspect metal-control-plane-control-plane
[
    {
        <SNIP>
        "NetworkSettings": {
            <SNIP>
            "Networks": {
                "kind": {
                    "IPAMConfig": null,
                    "Links": null,
                    "Aliases": null,
                    "DriverOpts": null,
                    "GwPriority": 0,
                    "NetworkID": "6530b19e41b397d41d37f6a38d6b1bbd74c9ba2b7478df95f6a6270cc84c4d0e",
                    "EndpointID": "6d56f5f0fa83330b85e0b0ebbd04175a93d8586c48492c9b545beb7eeecce015",
                    "Gateway": "172.18.0.1",
                    "IPAddress": "172.18.0.2",
                    "MacAddress": "12:98:42:c8:e4:ec",
                    "IPPrefixLen": 16,
                    "IPv6Gateway": "fc00:f853:ccd:e793::1",
                    "GlobalIPv6Address": "fc00:f853:ccd:e793::2",
                    "GlobalIPv6PrefixLen": 64,
                    "DNSNames": [
                        "metal-control-plane-control-plane",
                        "bd976835cec0"
                    ]
                }
            }
        },
        "ImageManifestDescriptor": {
            "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
            "digest": "sha256:21c46cf61fd45873f89e6a1bfcba4b7904dffa84c2bec88aeeca9a0409af4725",
            "size": 743,
            "platform": {
                "architecture": "amd64",
                "os": "linux"
            }
        }
    }
]

On all subsequent runs:

# docker inspect metal-control-plane-control-plane
[
    {
        <SNIP>
        "NetworkSettings": {
            <SNIP>
            "Networks": {
                "mini_lab_internal": {
                    "IPAMConfig": null,
                    "Links": null,
                    "Aliases": null,
                    "DriverOpts": null,
                    "GwPriority": 0,
                    "NetworkID": "2734b8f942cae84d8693ecd43ab3bb9d5cd71905faf992fbfe5c3df17ddc376b",
                    "EndpointID": "62f8b2a6eb379bb65f13f6441a9249417fc9ce754218a29b699cd7511b393d29",
                    "Gateway": "172.42.0.1",
                    "IPAddress": "172.42.0.2",
                    "MacAddress": "66:e7:b9:9c:2e:39",
                    "IPPrefixLen": 16,
                    "IPv6Gateway": "",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,
                    "DNSNames": [
                        "metal-control-plane-control-plane",
                        "5b12fbbedfdc"
                    ]
                }
            }
        },
        "ImageManifestDescriptor": {
            "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
            "digest": "sha256:21c46cf61fd45873f89e6a1bfcba4b7904dffa84c2bec88aeeca9a0409af4725",
            "size": 743,
            "platform": {
                "architecture": "amd64",
                "os": "linux"
            }
        }
    }
]

@l0wl3vel
fix: set KIND_EXPERIMENTAL_DOCKER_NETWORK on first run
baddf29 
Signed-off-by: Benjamin Ritter <benjamin.ritter@x-cellent.com>
@l0wl3vel
Copy link
Copy Markdown
Author

l0wl3vel commented Jun 5, 2026
edited
Loading

Thank you so much for checking it out @Sven-Ric. Fixed in baddf29. A few people checked this PR and it worked fine but CI was failing and I had no clue why. You saved me a lot of time 😅

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vknabel vknabel Awaiting requested review from vknabel

@Sven-Ric Sven-Ric Awaiting requested review from Sven-Ric

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

Development
Status: No status

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add GatewayAPI support to mini-lab

4 participants

@l0wl3vel @ma-hartma @vknabel @Sven-Ric