You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This revises the ingress approach introduced by commit abcd15d to use TLS
passthrough instead of termination at the Envoy proxy. Envoy reads the
ClientHello SNI for routing and forwards the encrypted stream to the OpenShell
gateway, which remains the TLS termnation endpoint. That preserves end-to-end
TLS and client certificate authentication, so existing mTLS continues to work
through Envoy.
Passthrough also avoids certificate management at the Envoy listener. It
does not require reusing the OpenShell server certificate as a Gateway
certificate or provisioning a separate edge certificate and Secret.
The server certificate only needs to cover the external SNI hostname.
This also restores the HTTP listener on the Gateway, adding TLS as an
additional listener when enabled.
The values were restructured to be under a gatewayApi umbrella rather than
grpcRoute as there are now both GRPCRoute and TLSRoute resources.
Signed-off-by: Kris Hicks <khicks@nvidia.com>
| Kubernetes gateway pod crash loops | Missing secret, bad DB URL, bad TLS config |`kubectl -n openshell logs deployment/openshell -c openshell-gateway` or `kubectl -n openshell logs statefulset/openshell -c openshell-gateway`|
297
297
| CLI TLS error | Local mTLS bundle does not match server cert/CA | Check `~/.config/openshell/gateways/<name>/mtls/`|
298
298
| Image pull failure | Gateway or sandbox image cannot be pulled | Runtime events and image pull credentials |
299
-
|`K8s namespace not ready` with `envoy-gateway-openshell.yaml: the server could not find the requested resource`| Optional Gateway API manifest was applied without Envoy Gateway CRDs, or k3s Helm controller startup exceeded the namespace wait | Apply `deploy/kube/manifests/envoy-gateway-openshell.yaml` manually only after Envoy Gateway is installed and `grpcRoute` is enabled |
300
-
| HTTPS ingress (`grpcRoute.gateway.listener.protocol=HTTPS`) connection resets or TLS handshake hangs | Envoy terminates TLS but the gateway pod still expects TLS, so the plaintext backend hop fails | Set `server.disableTls=true` so Envoy forwards plaintext to the pod; verify the listener `certificateRefs` Secret exists in the release namespace and `openshell status` over `https://<host>`|
301
-
| HTTPS ingress returns `Unauthenticated` after connecting | TLS terminates at Envoy, so the gateway never sees a client cert; no OIDC issuer is configured for identity | Configure `server.oidc.issuer` and register with `openshell gateway add https://<host> --oidc-issuer <url>`, or set `server.auth.allowUnauthenticatedUsers=true` for a trusted-proxy/dev cluster |
302
-
303
-
## Reporting
299
+
|`K8s namespace not ready` with `envoy-gateway-openshell.yaml: the server could not find the requested resource`| Optional Gateway API manifest was applied without Envoy Gateway CRDs, or k3s Helm controller startup exceeded the namespace wait | Apply `deploy/kube/manifests/envoy-gateway-openshell.yaml` manually only after Envoy Gateway is installed and a `gatewayApi` resource is enabled |
300
+
| TLSRoute remains unaccepted or port 443 is not exposed | The referenced Gateway has no compatible TLS passthrough listener, or the Gateway API controller does not support TLSRoute | Check `kubectl describe tlsroute -n <namespace>` and `kubectl describe gateway -n <namespace>`; with a chart-created Gateway, verify both `gatewayApi.gateway.create=true` and `gatewayApi.routes.tls.enabled=true`|
301
+
| TLS passthrough connection fails during the handshake | The gateway server is running plaintext or its certificate does not cover the external SNI hostname | Keep `server.disableTls=false`, verify the server certificate SAN, and configure `pkiInitJob.serverDnsNames` or `certManager.serverDnsNames` before issuing the certificate |
-[`ci/values-high-availability.yaml`](ci/values-high-availability.yaml) - CI overlay for multi-replica external PostgreSQL testing
@@ -147,16 +148,14 @@ add `ci/values-spire.yaml` to the OpenShell release values files.
147
148
| certManager.serverDnsNames | list |`["openshell","openshell.openshell.svc","openshell.openshell.svc.cluster.local","localhost","openshell.localhost","*.openshell.localhost","host.docker.internal"]`| DNS SANs on the cert-manager-issued server certificate. |
148
149
| certManager.serverIpAddresses | list |`["127.0.0.1"]`| IP SANs on the cert-manager-issued server certificate. |
149
150
| fullnameOverride | string |`""`| Override the full generated resource name. |
150
-
| grpcRoute.enabled | bool |`false`| Create a Gateway API GRPCRoute for the gateway service. |
151
-
| grpcRoute.gateway.className | string |`"eg"`| GatewayClass to reference. Envoy Gateway installs one named "eg". |
152
-
| grpcRoute.gateway.create | bool |`false`| When true, a Gateway resource is created in the release namespace. Set to false and provide name/namespace to attach to a pre-existing Gateway. |
153
-
| grpcRoute.gateway.listener.allowedRoutes | string |`"Same"`| "Same" restricts attached routes to the release namespace; "All" allows any namespace. |
154
-
| grpcRoute.gateway.listener.port | int |`80`| Listener port for the generated Gateway resource. Use 443 with protocol HTTPS. |
155
-
| grpcRoute.gateway.listener.protocol | string |`"HTTP"`| Listener protocol for the generated Gateway resource: HTTP or HTTPS. HTTPS terminates TLS at the Envoy Gateway listener; pair it with server.disableTls=true so Envoy forwards plaintext to the gateway pod, and use OIDC for client identity (the gateway never sees the client cert). |
156
-
| grpcRoute.gateway.listener.tls.certificateRefs | list |`[]`| certificateRefs for the HTTPS listener. Required when protocol is HTTPS. Each entry needs a `name` pointing at a kubernetes.io/tls Secret in the Gateway's namespace. May reference a cert-manager-issued Secret or the existing openshell-server-tls Secret (its SANs must include the external hostname). |
157
-
| grpcRoute.gateway.name | string |`""`| Name of the Gateway resource. Defaults to the chart fullname. |
158
-
| grpcRoute.gateway.namespace | string |`""`| Namespace of the Gateway referenced by the GRPCRoute parentRef. Defaults to the release namespace. |
159
-
| grpcRoute.hostnames | list |`[]`| Hostnames the GRPCRoute matches on. Leave empty to match all hosts. |
151
+
| gatewayApi.gateway.className | string |`"eg"`| GatewayClass to reference. Envoy Gateway installs one named "eg". |
152
+
| gatewayApi.gateway.create | bool |`false`| When true, a Gateway resource is created. Set to false and provide name/namespace to attach to a pre-existing Gateway. |
153
+
| gatewayApi.gateway.name | string |`""`| Name of the Gateway resource. Defaults to the chart fullname. |
154
+
| gatewayApi.gateway.namespace | string |`""`| Namespace of a pre-existing Gateway referenced by routes. Defaults to the release namespace. Chart-created Gateways always use the release namespace. |
155
+
| gatewayApi.routes.grpc.enabled | bool |`false`| Create a Gateway API GRPCRoute for the gateway service. |
156
+
| gatewayApi.routes.grpc.hostnames | list |`[]`| Hostnames the GRPCRoute matches on. Leave empty to match all hosts. |
157
+
| gatewayApi.routes.tls.enabled | bool |`false`| Create a Gateway API TLSRoute that passes encrypted traffic through to the gateway service. When gatewayApi.gateway.create is true, the generated Gateway also gets a TLS listener on port 443 in Passthrough mode. |
158
+
| gatewayApi.routes.tls.hostnames | list |`[]`| SNI hostnames the TLSRoute matches on. Leave empty to match all hosts. |
Validate chart values that Helm would otherwise accept silently.
179
199
*/}}
180
200
{{- define"openshell.validateValues" -}}
201
+
{{- if hasKey .Values"grpcRoute" -}}
202
+
{{- fail "grpcRoute values were replaced by gatewayApi; configure Gateway creation under gatewayApi.gateway and GRPCRoute creation under gatewayApi.routes.grpc." -}}
{{- fail "gatewayApi.routes.tls.enabled requires server.disableTls=false because TLS passthrough forwards the encrypted connection to the gateway server." -}}
206
+
{{- end -}}
181
207
{{- $workloadKind:= include "openshell.workloadKind". -}}
182
208
{{- $workload:=.Values.workload| default dict -}}
183
209
{{- $replicaCount:= int (default 1 .Values.replicaCount) -}}
{{- if eq .Values.grpcRoute.gateway.listener.protocol "HTTPS" }}
19
-
{{- if not .Values.grpcRoute.gateway.listener.tls.certificateRefs }}
20
-
{{- fail "grpcRoute.gateway.listener.tls.certificateRefs is required when grpcRoute.gateway.listener.protocol is HTTPS" }}
21
-
{{- end }}
22
-
{{- if not .Values.server.disableTls }}
23
-
{{- fail "grpcRoute.gateway.listener.protocol=HTTPS terminates TLS at Envoy Gateway, which forwards plaintext gRPC to the gateway pod; set server.disableTls=true so the pod listens plaintext (this chart does not render a BackendTLSPolicy for re-encryption to a TLS backend)" }}
0 commit comments