feat(helm): add TLS termination for Envoy Gateway ingress#2015
zhaohuabing wants to merge 1 commit into
Conversation
The chart's optional Gateway API ingress only rendered a plaintext HTTP listener, so the gateway could not be exposed over TLS. Add an HTTPS listener option that terminates TLS at the Envoy Gateway and forwards plaintext gRPC to the gateway pod.

- gateway.yaml renders an HTTPS listener with `tls.mode: Terminate` and `certificateRefs` when `grpcRoute.gateway.listener.protocol=HTTPS`, keeping the default HTTP listener unchanged. Guards fail the render when `certificateRefs` is empty or `server.disableTls` is not true (the chart does not render a BackendTLSPolicy for re-encryption).
- values.yaml adds `grpcRoute.gateway.listener.tls.certificateRefs`.
- ci/values-gateway-tls.yaml exercises the HTTPS branch in lint/render.
- docs/kubernetes/ingress.mdx documents HTTPS setup and clarifies that Envoy Gateway only terminates TLS (no OIDC SecurityPolicy); client identity uses OIDC bearer tokens, with the client-credentials grant for headless agents.
- debug-openshell-cluster skill gains HTTPS-ingress troubleshooting rows.
- Regenerated the chart README values table.

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
TaylorMutch
left a comment
Couple small comments, but I think this is looking good so far.
| {{- fail "grpcRoute.gateway.listener.tls.certificateRefs is required when grpcRoute.gateway.listener.protocol is HTTPS" }} | ||
| {{- end }} | ||
| {{- if not .Values.server.disableTls }} | ||
| {{- fail "grpcRoute.gateway.listener.protocol=HTTPS terminates TLS at Envoy Gateway, which forwards plaintext gRPC to the gateway pod; set server.disableTls=true so the pod listens plaintext (this chart does not render a BackendTLSPolicy for re-encryption to a TLS backend)" }} |
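Review bot: please confirm that the `{{- if not .Values.server.disableTls }}` check, which sits right after an `{{- end }}`, is still inside the HTTPS branch; if that `end` closes the `protocol=HTTPS` condition, the guard would also fire for the default HTTP listener whenever `server.disableTls` is false, breaking existing plaintext deployments. If it is inside the branch, a one-line template comment above the guard saying so would make the nesting obvious to the next reader. The message text itself is clear about why the backend hop must be plaintext.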
Could we document a way to enable this? Possibly as a follow-up; it would be great to support end-to-end TLS, but I think this PR is a good first step.
| # in the Gateway's namespace. May reference a cert-manager-issued Secret | ||
| # or the existing openshell-server-tls Secret (its SANs must include the | ||
| # external hostname). | ||
| certificateRefs: [] |
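Review bot: the comment says the Secret must live in the Gateway's namespace, but a `certificateRefs` entry may also carry a `namespace` field, and in that case Gateway API requires a `ReferenceGrant` in the Secret's namespace or the listener is marked not ready. Either state that cross-namespace refs need a ReferenceGrant the chart does not render, or say explicitly that only same-namespace refs are supported, so users do not hit a silently rejected listener.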
If a certificate is provided by e.g. cert-manager, would that be supported automatically?
Yes. A Gateway API certificateRefs entry just points at a kubernetes.io/tls Secret by name, and cert-manager can write that Secret when it issues a Certificate. Nothing here is coupled to how the Secret gets populated (manual, cert-manager, external-secrets, etc.).
Ah, just realized this is in draft still. Sorry!
Summary
The chart's optional Gateway API ingress only rendered a plaintext HTTP listener, so the OpenShell gateway could not be exposed over TLS. This adds an HTTPS listener option that terminates TLS at the Envoy Gateway and forwards plaintext gRPC to the gateway pod, with guardrails and docs for the supported configuration.
Related Issue
Close #2017
Changes
- `templates/gateway.yaml` — renders an HTTPS listener with `tls.mode: Terminate` and `certificateRefs` when `grpcRoute.gateway.listener.protocol=HTTPS`; the default HTTP listener is unchanged. Two `fail` guards: empty `certificateRefs`, and HTTPS without `server.disableTls=true` (the chart does not render a `BackendTLSPolicy` for re-encryption, so the backend hop must be plaintext).
- `values.yaml` — adds `grpcRoute.gateway.listener.tls.certificateRefs` and clarifies protocol/port usage.
- `ci/values-gateway-tls.yaml` — new CI overlay exercising the HTTPS branch in lint/render.
- `docs/kubernetes/ingress.mdx` — documents HTTPS termination setup, and clarifies that Envoy Gateway only terminates TLS (no OIDC `SecurityPolicy`, which is browser-only); client identity uses OIDC bearer tokens, with the client-credentials grant for headless agents.
- `.agents/skills/debug-openshell-cluster/SKILL.md` — adds HTTPS-ingress troubleshooting rows (plaintext-backend mismatch, unauthenticated-after-connect).
- `README.md` — regenerated chart values table.
Testing
- `helm lint` (defaults + all CI variants) and `helm template` verified: default renders the unchanged HTTP listener; HTTPS renders `Terminate` + `certificateRefs`; both `fail` guards fire as expected.
- `mise run markdown:lint:md`, `mise run license:check`, and `mise run helm:docs:check` pass.
- `codex exec review --uncommitted` run to convergence — no remaining findings.
- `mise run pre-commit` passes — relevant checks (helm lint, markdown, license, helm-docs) pass; `rust:lint` fails on a pre-existing local env issue (missing `z3.h` system header), unrelated to these Helm/docs-only changes.
- Unit tests added/updated — N/A (Helm template + docs only) - considering adding unit tests in a follow-up PR, as there are no existing unit tests for EG ingress yet.
- E2E tests added/updated (if applicable) — not run locally (requires a live k3d + Envoy Gateway cluster); recommend running the Gateway API e2e path in CI - considering adding e2e tests in a follow-up PR, as there are no existing e2e tests for EG ingress yet.
Checklist
architecture/change needed; user-facing docs (docs/kubernetes/ingress.mdx) and the chart README/skill updated per AGENTS.md
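For readers who want to see what the HTTPS branch described in the PR produces, and how the cert-manager case raised in the review fits in, here is an added example of the resulting Gateway API objects. It is not the chart's own template output or anything from the OpenShell project; the GatewayClass name `eg`, the namespace `openshell`, the hostname `openshell.example.com`, the Secret name `openshell-gateway-tls`, the ClusterIssuer `letsencrypt`, and the backend Service `openshell-gateway` on port 8080 are all assumptions for illustration.

```yaml
# Added example, not the chart's rendered output. Names below are assumed.
# Gateway with the default HTTP listener plus the HTTPS listener that
# terminates TLS at Envoy Gateway (tls.mode: Terminate + certificateRefs).
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: openshell
  namespace: openshell              # assumed namespace
spec:
  gatewayClassName: eg              # assumed Envoy Gateway GatewayClass name
  listeners:
    - name: http                    # unchanged default listener
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          from: Same
    - name: https                   # rendered only when listener.protocol=HTTPS
      protocol: HTTPS
      port: 443
      hostname: openshell.example.com   # assumed external hostname
      tls:
        mode: Terminate             # TLS ends here; backend hop is plaintext gRPC
        certificateRefs:
          - group: ""
            kind: Secret
            name: openshell-gateway-tls   # kubernetes.io/tls Secret in the Gateway's namespace
      allowedRoutes:
        namespaces:
          from: Same
---
# Optional: cert-manager populates the Secret the listener references.
# The Gateway does not care who writes the Secret, only that it exists and
# its SANs cover the listener hostname.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: openshell-gateway-tls
  namespace: openshell
spec:
  secretName: openshell-gateway-tls   # must match certificateRefs[].name above
  dnsNames:
    - openshell.example.com
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt               # assumed issuer name
---
# GRPCRoute attaching to the listener. Because no BackendTLSPolicy is
# rendered, the backend Service must serve plaintext gRPC, which is why the
# chart requires server.disableTls=true for the HTTPS branch.
apiVersion: gateway.networking.k8s.io/v1
kind: GRPCRoute
metadata:
  name: openshell
  namespace: openshell
spec:
  parentRefs:
    - name: openshell
      sectionName: https
  hostnames:
    - openshell.example.com
  rules:
    - backendRefs:
        - name: openshell-gateway   # assumed backend Service name
          port: 8080                # assumed plaintext gRPC port
```

A useful check after applying this is `kubectl get gateway openshell -n openshell -o yaml` and reading the `https` listener's `Programmed` and `ResolvedRefs` conditions: a missing Secret, a Secret of the wrong type, or a cross-namespace reference without a `ReferenceGrant` shows up there before any client sees a TLS error.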