-
Notifications
You must be signed in to change notification settings - Fork 905
feat(helm): add TLS termination for Envoy Gateway ingress #2015
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| # SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved. | ||
| # SPDX-License-Identifier: Apache-2.0 | ||
|
|
||
| # Gateway API overlay with TLS termination at the Envoy Gateway listener. | ||
| # | ||
| # Exercises the HTTPS listener branch of templates/gateway.yaml for | ||
| # `helm template`/lint coverage. Envoy Gateway terminates TLS using the | ||
| # referenced kubernetes.io/tls Secret and forwards plaintext to the gateway pod, | ||
| # so the gateway runs with TLS disabled and uses OIDC for client identity. | ||
| # | ||
| # The certificate Secret (openshell-ingress-tls) and the OIDC issuer below are | ||
| # placeholders for render coverage; a real deployment must provide a valid TLS | ||
| # Secret in the release namespace and a reachable OIDC issuer. | ||
|
|
||
| grpcRoute: | ||
| enabled: true | ||
| gateway: | ||
| create: true | ||
| className: "eg" | ||
| listener: | ||
| port: 443 | ||
| protocol: HTTPS | ||
| tls: | ||
| certificateRefs: | ||
| - name: openshell-ingress-tls | ||
| hostnames: [] | ||
|
|
||
| server: | ||
| # Envoy terminates TLS at the edge; the gateway listens plaintext behind it. | ||
| disableTls: true | ||
| oidc: | ||
| issuer: "https://keycloak.example.com/realms/openshell" | ||
| audience: "openshell-cli" |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -372,9 +372,21 @@ grpcRoute: | |
| namespace: "" | ||
| # Listener settings (only used when gateway.create is true). | ||
| listener: | ||
| # -- Listener port for the generated Gateway resource. | ||
| # -- Listener port for the generated Gateway resource. Use 443 with protocol HTTPS. | ||
| port: 80 | ||
| # -- Listener protocol for the generated Gateway resource. | ||
| # -- Listener protocol for the generated Gateway resource: HTTP or HTTPS. | ||
| # HTTPS terminates TLS at the Envoy Gateway listener; pair it with | ||
| # server.disableTls=true so Envoy forwards plaintext to the gateway pod, | ||
| # and use OIDC for client identity (the gateway never sees the client cert). | ||
| protocol: HTTP | ||
| # -- "Same" restricts attached routes to the release namespace; "All" allows any namespace. | ||
| allowedRoutes: Same | ||
| # TLS settings for the listener. Used only when protocol is HTTPS | ||
| # (mode is always Terminate). | ||
| tls: | ||
| # -- certificateRefs for the HTTPS listener. Required when protocol is | ||
| # HTTPS. Each entry needs a `name` pointing at a kubernetes.io/tls Secret | ||
| # in the Gateway's namespace. May reference a cert-manager-issued Secret | ||
| # or the existing openshell-server-tls Secret (its SANs must include the | ||
| # external hostname). | ||
| certificateRefs: [] | ||
|
Collaborator
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. If a certificate is provided by e.g. cert-manager, would that be supported automatically?
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yes. A Gateway API certificateRefs entry just points at a kubernetes.io/tls Secret by name, and cert-manager can write that Secret when it issues a Certificate. Nothing here is coupled to how the Secret gets populated (manual, cert-manager, external-secrets, etc.). |
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we document a way to enable this? Possibly as a follow-up; it would be great to support end-to-end TLS, but I think this PR is a good first step.