Add GatewayAPI Support

Author: cavus700

README.md

@@ -217,7 +217,22 @@ In addition, Sentry will always behave as follows:
 | global.secret.imagePullSecret             | Image pull secret                                                                                     | "e30K"                         |
 | cloud.hashLookup.enabled                  | Enable/Disable the cloud hash lookup                                                                  | true                           |
 | cloud.allowlistLookup.enabled             | Enable/Disable the cloud allowlist lookup                                                             | true                           |
-| gateway.ingress.enabled                   | Enable/Disable the Ingress resource                                                                   | false                          |
+| gatewayApi.enabled                        | Enable/Disable Gateway API resources                                                                  | false                          |
+| gatewayApi.nameOverride                   | Overrides the Gateway API application name                                                            | ""                             |
+| gatewayApi.fullnameOverride               | Overrides the Gateway API full name                                                                   | "gateway-api"                  |
+| gatewayApi.gatewayClassName               | Gateway class name for Gateway API                                                                    | "eg"                           |
+| gatewayApi.annotations                    | Additional annotations for Gateway API                                                                | {}                             |
+| gatewayApi.infrastructure.annotations     | Infrastructure-specific annotations for Gateway API                                                   | {}                             |
+| gatewayApi.listeners.https.hostname       | Hostname for HTTPS listener                                                                           | ""                             |
+| gatewayApi.listeners.https.protocol       | Protocol for HTTPS listener                                                                           | HTTPS                          |
+| gatewayApi.listeners.https.port           | Port for HTTPS listener                                                                               | 443                            |
+| gatewayApi.listeners.https.tlsSecretName  | TLS secret name for HTTPS listener                                                                    | "gateway-api-tls"              |
+| gatewayApi.listeners.http.hostname        | Hostname for HTTP listener                                                                            | ""                             |
+| gatewayApi.listeners.http.protocol        | Protocol for HTTP listener                                                                            | HTTP                           |
+| gatewayApi.listeners.http.port            | Port for HTTP listener                                                                                | 80                             |
+| gateway.httpRoute.enabled                 | Enable/Disable HTTPRoute resource for Gateway API                                                     | false                          |
+| gateway.httpRoute.hostname                | Hostname for HTTPRoute                                                                                | ""                             |
+| gateway.ingress.enabled                   | Enable/Disable the Ingress resource (deprecated: use gatewayApi and httpRoute instead)                | true                           |
 | gateway.ingress.annotations               | Additional annotations for Ingress                                                                    | {}                             |
 | gateway.ingress.hosts                     | Hostnames and paths for Ingress                                                                       | []                             |
 | gateway.ingress.tls`                      | TLS configuration for Ingress                                                                         | []                             |

charts/vaas/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: vaas
-version: 3.2.6
+version: 3.3.0-alpha.1
 description: Deployment of a Verdict-as-a-Service on-premise instance
 maintainers:
   - name: G DATA CyberDefense AG

charts/vaas/templates/gateway-api/_helpers.tpl

@@ -0,0 +1,53 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "gateway-api.name" -}}
+{{- default "gateway-api" .Values.gatewayApi.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "gateway-api.fullname" -}}
+{{- if .Values.gatewayApi.fullnameOverride }}
+{{- .Values.gatewayApi.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.gatewayApi.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "gateway-api.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "gateway-api.labels" -}}
+helm.sh/chart: {{ include "gateway-api.chart" . }}
+{{ include "gateway-api.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "gateway-api.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "gateway-api.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/namespace: {{ .Release.Namespace }}
+{{- end }}

charts/vaas/templates/gateway-api/gateway.yaml

@@ -0,0 +1,41 @@
+{{- if .Values.gatewayApi.enabled }}
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: {{ default (include "gateway-api.fullname" .) .Values.gatewayApi.nameOverride }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{ include "gateway-api.labels" . | nindent 4 }}
+  annotations:
+  {{- with .Values.gatewayApi.annotations }}
+    {{ toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if .Values.gatewayApi.infrastructure.annotations }}
+  infrastructure:
+    annotations:
+      {{ toYaml .Values.gatewayApi.infrastructure.annotations | nindent 6 }}
+  {{- end }}
+  gatewayClassName: {{ .Values.gatewayApi.gatewayClassName | quote }}
+  listeners:
+  {{- range $name, $values := .Values.gatewayApi.listeners }}
+    - name: {{ $name }}
+      port: {{ $values.port }}
+      protocol: {{ $values.protocol }}
+      {{- if $values.hostname }}
+      hostname: {{ $values.hostname }}
+      {{- end }}
+      {{- if $values.tlsSecretName }}
+      tls:
+        mode: Terminate
+        certificateRefs:
+        - kind: Secret
+          name: {{ $values.tlsSecretName }}
+      {{- end }}
+      {{- if $values.allowedRoutes }}
+      allowedRoutes:
+        {{ toYaml $values.allowedRoutes | nindent 8 }}
+      {{- end }}
+  {{- end}}
+{{- end }}

charts/vaas/templates/gateway-api/http-redirect-route.yaml

@@ -0,0 +1,18 @@
+{{- if .Values.gatewayApi.enabled }}
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: {{ default (include "gateway-api.fullname" .) .Values.gatewayApi.nameOverride }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  parentRefs:
+    - name: {{ default (include "gateway-api.fullname" .) .Values.gatewayApi.nameOverride }}
+      sectionName: http
+  rules:
+    - filters:
+        - type: RequestRedirect
+          requestRedirect:
+            scheme: https
+            statusCode: 301
+{{- end }}

charts/vaas/templates/gateway/http-route.yaml

@@ -0,0 +1,47 @@
+{{- if .Values.gateway.httpRoute.enabled }}
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: {{ include "gateway.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  parentRefs:
+    - name: {{ default (include "gateway-api.fullname" .) .Values.gatewayApi.nameOverride }}
+      sectionName: https
+  {{- if .Values.gateway.httpRoute.hostname }}
+  hostnames:
+    - {{ .Values.gateway.httpRoute.hostname | quote }}
+  {{- end }}
+  rules:
+    # DEPRECATED: WebSocket connection will be removed in the future
+    - backendRefs:
+        - name: {{ include "gateway.fullname" . }}
+          port: {{ .Values.gateway.service.ws.port }}
+          weight: 1
+      header:
+        - name: Upgrade
+          value: websocket
+      matches:
+        - path:
+            type: PathPrefix
+            value: /
+    - backendRefs:
+        - name: {{ include "gateway.fullname" . }}
+          port: {{ .Values.gateway.service.http.port }}
+          weight: 1
+      matches:
+        - path:
+            type: PathPrefix
+            value: /files
+        - path:
+            type: PathPrefix
+            value: /urls
+        - path:
+            type: PathPrefix
+            value: /swagger
+        # DEPRECATED: Functionality is moved to other routes and will be removed in the future
+        - path:
+            type: PathPrefix
+            value: /upload
+{{- end }}

charts/vaas/templates/gateway/ingress.yaml

@@ -1,3 +1,8 @@
+#######################################################################
+###           DEPRECATED: Will be replaced by Gateway API           ###
+### https://kubernetes.io/blog/2025/11/11/ingress-nginx-retirement/ ###
+#######################################################################
+
 {{- if .Values.gateway.ingress.enabled -}}
 {{- $fullName := include "gateway.fullname" . -}}
 {{- $defaultAnnotations := dict "nginx.ingress.kubernetes.io/proxy-body-size" "2G" "nginx.ingress.kubernetes.io/proxy-request-buffering" "off" }}

charts/vaas/templates/gateway/statefulset.yaml

@@ -20,6 +20,9 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:
+        {{- if .Values.gateway.podLabels }}
+        {{ toYaml .Values.gateway.podLabels | nindent 8 }}
+        {{- end }}
         {{- include "gateway.selectorLabels" . | nindent 8 }}
     spec:
       {{- include "gateway.imagePullSecrets" . | nindent 6 }}

charts/vaas/templates/gdscan/ingress.yaml

@@ -1,3 +1,8 @@
+#######################################################################
+###           DEPRECATED: Will be replaced by Gateway API           ###
+### https://kubernetes.io/blog/2025/11/11/ingress-nginx-retirement/ ###
+#######################################################################
+
 {{- if .Values.gdscan.ingress.enabled -}}
 {{- $fullName := include "gdscan.fullname" . -}}
 {{- $svcPort := .Values.gdscan.service.port -}}

charts/vaas/values.yaml

@@ -80,10 +80,43 @@ cloud:
 #   enableTracing: ""
 #   tracesSampleRate: ""
 
+gatewayApi:
+  enabled: false
+  nameOverride: ""
+  fullnameOverride: "gateway-api"
+  gatewayClassName: "eg"
+  annotations: {}
+  infrastructure:
+    annotations: {}
+  listeners:
+    https:
+      hostname: ""
+      protocol: HTTPS
+      port: 443
+      tlsSecretName: "gateway-api-tls"
+      allowedRoutes:
+        kinds:
+          - kind: HTTPRoute
+        namespaces:
+          from: Same
+    http:
+      hostname: ""
+      protocol: HTTP
+      port: 80
+      allowedRoutes:
+        kinds:
+          - kind: HTTPRoute
+        namespaces:
+          from: Same
+
 gateway:
   uploadToken:
     existingSecret: ""
     key: ""
+  httpRoute:
+    enabled: false
+    hostname: ""
+  # Deprecated: Use gatewayApi and httpRoute instead
   ingress:
     enabled: true
     className: ""
@@ -174,6 +207,7 @@ gateway:
   terminationGracePeriodSeconds: 30
 
   podAnnotations: {}
+  podLabels: {}
   nodeSelector: {}
   tolerations: []
   affinity: {}