feat(netbird): add Gateway API support and reject ingressGrpc without TLS (#74)#80
Open
mikkeldamsgaard wants to merge 4 commits intomainfrom
Open
feat(netbird): add Gateway API support and reject ingressGrpc without TLS (#74)#80mikkeldamsgaard wants to merge 4 commits intomainfrom
mikkeldamsgaard wants to merge 4 commits intomainfrom
Conversation
… TLS
Adds HTTPRoute/GRPCRoute/TCPRoute as mutually-exclusive alternatives to
each existing Ingress block (server.httpRoute, server.grpcRoute,
server.relayHttpRoute, server.relayTcpRoute, dashboard.httpRoute). The
chart renders routes only and attaches them via parentRefs to a
user-managed Gateway. Omitted backendRefs auto-fill to the netbird
Service on port 80.
Fail-fast helm-template validation covers:
* Ingress + Gateway route both enabled for the same traffic class
* relayHttpRoute and relayTcpRoute both enabled
* Route enabled with empty parentRefs
* ingressGrpc enabled with empty tls — gRPC over nginx-ingress cannot
negotiate h2c, and the default ssl-redirect annotation redirects
plaintext gRPC to HTTPS, so this silently failed before
Fixes #74 by giving users a plaintext-h2c path (grpcRoute) for gRPC and
rejecting the silent-failure Ingress configuration.
Includes 36 new helm-unittest cases and an Envoy-Gateway-based e2e test
harness (ci/scripts/netbird/e2e-gateway.sh + CI job) that verifies routes
reach Accepted=True on the gateway and that backendRefs auto-fill.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Installing standard-install.yaml with kubectl then running the envoy-gateway Helm chart caused server-side-apply conflicts: EG owns the same CRDs via its packaged manifests but our prior kubectl-apply set "kubectl-client-side-apply" as the field manager. The EG chart bundles both standard and experimental channel CRDs (including TCPRoute), so a single install is enough. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Gateway Programmed condition requires Envoy's data-plane pod to be Ready, which is too slow on kind within the 3m timeout. Route attachment only needs the Gateway to be Accepted (admission by the controller), so wait on that instead — routes progress independently of proxy readiness. Also skip the cleanup trap on non-zero exit so CI's "Show debug info on failure" step can actually see pod status / events / logs — previously the namespace was deleted before debug ran. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
HTTPRoute/GRPCRoute/TCPRoute— as a mutually-exclusive, per-route alternative to the chart's existing Ingress blocks. Users pick Ingress or Gateway API independently for each of: server HTTP, server gRPC, server relay (HTTP or TCP), and dashboard.Gateway). OmittedbackendRefsauto-fill to the server/dashboard Service on port 80.relayHttpRoute+relayTcpRouteboth enabled, any route enabled with emptyparentRefs, andingressGrpcenabled withouttls(the silent-failure case from the issue — nginx-ingress can't negotiate h2c, and the defaultssl-redirectredirects plaintext gRPC to HTTPS).ingressGrpcsnippet, and an updated architecture diagram.Fixes #74.
Test plan
make lint— passesmake unittest— 232 tests pass (36 new across 5 new route suites + mutual-exclusion + ingressGrpc-TLS cases)helm templatesanity checks: defaults, each new route variant, and every mutex combinationmake e2e-gateway— new Envoy-Gateway-based harness that installs Gateway API CRDs, provisions aGateway, installs the chart with all four routes enabled, and asserts each route reachesAccepted=Truewith correct auto-filledbackendRefs. Could not run locally (Docker daemon wasn't up); will run in the newe2e-gatewayCI job on this PR.make e2e-sqlite— regression check that existing Ingress path still works; will also run in CI.Notes
Chart.yamlversion bump — reserved for/release.server.relayTcpRouteusesgateway.networking.k8s.io/v1alpha2; README notes that the experimental-channel CRDs are required.🤖 Generated with Claude Code