feat: add envoy gateway to service clusters (for isolated clusters) (#522)

mwennrich · web-flow · commit d744e99600f0 · 2026-02-03T12:30:59.000+01:00
* feat: add envoy gateway to service clusters (for isolated clusters)
diff --git a/control-plane/roles/isolated-clusters/README.md b/control-plane/roles/isolated-clusters/README.md
@@ -8,13 +8,26 @@ It contains the services:
 - Registry
 - DNS
 - NTP
+- Ingress Controller (nginx-ingress)
+- Envoy Gateway (optional, alternative to nginx-ingress)
 
 A cert-manager is expected to be deployed by the user beforehand.
 
+## Ingress vs Envoy Gateway
+
+This role supports two options for exposing services:
+
+1. **nginx-ingress** (default, enabled by default): Traditional Ingress controller for HTTP/HTTPS traffic and TCP/UDP proxying
+2. **Envoy Gateway** (optional): Modern Gateway API implementation supporting HTTP/HTTPS, TCP, and UDP protocols
+
+You can enable/disable each option independently using the `isolated_clusters_ingress_controller_enabled` and `isolated_clusters_envoy_gateway_enabled` variables. Both can be enabled simultaneously if needed.
+
 ## Variables
 
 The `control-plane-defaults` folder contains defaults that are used by multiple roles in the control-plane directory. You can look up all the default values [here](control-plane-defaults/main.yaml).
 
+**Note:** Variables marked with `yes*` are conditionally mandatory - they are only required when the corresponding feature is enabled.
+
 | Name                                                             | Mandatory | Description                                                                                      |
 | ---------------------------------------------------------------- | --------- | ------------------------------------------------------------------------------------------------ |
 | isolated_clusters_virtual_garden_kubeconfig                      |           | The kubeconfig to access the virtual garden as a string value.                                              |
@@ -24,11 +37,20 @@ The `control-plane-defaults` folder contains defaults that are used by multiple
 | isolated_clusters_dns_image_name                                 |           | The image name of the dns service for the partition.                                             |
 | isolated_clusters_dns_image_tag                                  | yes       | The tag or version of the dns service container image.                                           |
 | isolated_clusters_dns_namespace                                  |           | The namespace to deploy the dns server to.                                                       |
+| isolated_clusters_ingress_controller_enabled                     |           | Enable/disable nginx-ingress controller deployment (default: true).                              |
 | isolated_clusters_ingress_controller_namespace                   |           | The namespace where the ingress controller should be deployed to.                                |
-| isolated_clusters_ingress_controller_chart_version               | yes       | The version of the ingress controller chart.                                                     |
+| isolated_clusters_ingress_controller_chart_version               | yes*      | The version of the ingress controller chart (required if ingress enabled).                       |
 | isolated_clusters_ingress_controller_chroot                      |           | Indicates if the image should have a changed root.                                               |
-| isolated_clusters_ingress_controller_load_balancer_ip            | yes       | The load balancer source ip of the ingress controller.                                           |
-| isolated_clusters_ingress_controller_load_balancer_source_ranges | yes       | The load balancer source ranges of the ingress controller.                                       |
+| isolated_clusters_ingress_controller_load_balancer_ip            | yes*      | The load balancer source ip of the ingress controller (required if ingress enabled).             |
+| isolated_clusters_ingress_controller_load_balancer_source_ranges | yes*      | The load balancer source ranges of the ingress controller (required if ingress enabled).         |
+| isolated_clusters_envoy_gateway_enabled                          |           | Enable/disable Envoy Gateway deployment (default: false).                                        |
+| isolated_clusters_envoy_gateway_namespace                        |           | The namespace where Envoy Gateway should be deployed to.                                         |
+| isolated_clusters_envoy_gateway_chart_version                    | yes*      | The version of the Envoy Gateway helm chart (required if envoy gateway enabled).                 |
+| isolated_clusters_envoy_gateway_replicas                         |           | Number of Envoy Gateway replicas (default: 1).                                                   |
+| isolated_clusters_envoy_gateway_load_balancer_ip                 |           | The load balancer IP for the Envoy Gateway service (optional).                                   |
+| isolated_clusters_envoy_gateway_load_balancer_source_ranges      |           | The load balancer source ranges for Envoy Gateway (optional).                                    |
+| isolated_clusters_envoy_gateway_registry_tls_secret_name         |           | The name of the TLS secret for registry HTTPS listener in Envoy Gateway.                         |
+| isolated_clusters_registry_fqdn                                  | yes*      | The FQDN for the registry service (required if envoy gateway enabled).                           |
 | isolated_clusters_registry_image_name                            |           | The image name of the registry service for the partition.                                        |
 | isolated_clusters_registry_image_tag                             | yes       | The tag or version of the registry service container image.                                      |
 | isolated_clusters_registry_namespace                             |           | The namespace for the registry used for isolated clusters.                                       |
@@ -37,6 +59,6 @@ The `control-plane-defaults` folder contains defaults that are used by multiple
 | isolated_clusters_registry_oci_mirror_config                     |           | Contains a mapping of source and destination images for specific versions.                       |
 | isolated_clusters_registry_storage_size                          |           | The storage size of the registry used for isolated clusters.                                     |
 | isolated_clusters_registry_storage_class_name                    |           | The storageClassName of the registry used for isolated clusters.                                 |
-| isolated_clusters_registry_ingress_fqdn                          | yes       | The full name of the registry used for isolated clusters.                                        |
+| isolated_clusters_registry_ingress_fqdn                          | yes*      | The full name of the registry ingress (required if ingress enabled).                             |
 | isolated_clusters_registry_ingress_annotations                   |           | Optional ingress annotations for the registry used for isolated clusters.                        |
 | isolated_clusters_partition_services_cluster                     |           | The cluster to deploy the services like ntp, dns, ingress, cert manager and the OCI registry to. |
diff --git a/control-plane/roles/isolated-clusters/defaults/main/main.yaml b/control-plane/roles/isolated-clusters/defaults/main/main.yaml
@@ -9,12 +9,21 @@ isolated_clusters_dns_image_name: coredns/coredns
 isolated_clusters_dns_image_tag:
 isolated_clusters_dns_namespace: dns-service
 
+isolated_clusters_ingress_controller_enabled: true
 isolated_clusters_ingress_controller_namespace: ingress
 isolated_clusters_ingress_controller_chart_version:
 isolated_clusters_ingress_controller_chroot: true
 isolated_clusters_ingress_controller_load_balancer_ip:
 isolated_clusters_ingress_controller_load_balancer_source_ranges:
 
+isolated_clusters_envoy_gateway_enabled: false
+isolated_clusters_envoy_gateway_namespace: envoy-gateway-system
+isolated_clusters_envoy_gateway_chart_version:
+isolated_clusters_envoy_gateway_replicas: 1
+isolated_clusters_envoy_gateway_load_balancer_ip:
+isolated_clusters_envoy_gateway_load_balancer_source_ranges:
+isolated_clusters_envoy_gateway_registry_tls_secret_name: registry-tls-cert
+
 isolated_clusters_group_label: "{{ metal_control_plane_stage_name }}"
 isolated_clusters_partition_services_cluster: []
   # - name: somename
diff --git a/control-plane/roles/isolated-clusters/tasks/envoy-gateway.yaml b/control-plane/roles/isolated-clusters/tasks/envoy-gateway.yaml
@@ -0,0 +1,45 @@
+---
+- name: Create namespace for envoy-gateway
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Namespace
+      metadata:
+        name: "{{ isolated_clusters_envoy_gateway_namespace }}"
+        labels:
+          app.kubernetes.io/part-of: "{{ isolated_clusters_group_label }}"
+    apply: yes
+    kubeconfig: "{{ cluster.kubeconfig }}"
+
+- name: Deploy envoy gateway
+  kubernetes.core.helm:
+    name: envoy-gateway
+    chart_ref: oci://docker.io/envoyproxy/gateway-helm
+    chart_version: "{{ isolated_clusters_envoy_gateway_chart_version }}"
+    namespace: "{{ isolated_clusters_envoy_gateway_namespace }}"
+    values: "{{ lookup('template', 'envoy-gateway/values.yaml') | from_yaml }}"
+    kubeconfig: "{{ cluster.kubeconfig }}"
+
+- name: Wait for envoy-gateway deployment to be available
+  kubernetes.core.k8s_info:
+    kind: Deployment
+    name: envoy-gateway
+    namespace: "{{ isolated_clusters_envoy_gateway_namespace }}"
+    kubeconfig: "{{ cluster.kubeconfig }}"
+    wait: yes
+    wait_condition:
+      type: Available
+      status: "True"
+    wait_timeout: 300
+
+- name: Deploy gateway resources
+  k8s:
+    definition: "{{ lookup('template', 'envoy-gateway/gateway.yaml') }}"
+    apply: yes
+    kubeconfig: "{{ cluster.kubeconfig }}"
+
+- name: Deploy gateway routes
+  k8s:
+    definition: "{{ lookup('template', 'envoy-gateway/routes.yaml') }}"
+    apply: yes
+    kubeconfig: "{{ cluster.kubeconfig }}"
diff --git a/control-plane/roles/isolated-clusters/tasks/main.yaml b/control-plane/roles/isolated-clusters/tasks/main.yaml
@@ -12,10 +12,26 @@
       - isolated_clusters_registry_image_tag is not none
       - isolated_clusters_registry_oci_mirror_image_name is not none
       - isolated_clusters_registry_oci_mirror_image_tag is not none
+
+- name: Check mandatory variables for ingress controller
+  assert:
+    fail_msg: "not all mandatory ingress controller variables given, check role documentation"
+    quiet: yes
+    that:
       - isolated_clusters_ingress_controller_chart_version is not none
       - isolated_clusters_ingress_controller_load_balancer_ip is not none
       - isolated_clusters_ingress_controller_load_balancer_source_ranges is not none
       - isolated_clusters_registry_ingress_fqdn is not none
+  when: isolated_clusters_ingress_controller_enabled | bool
+
+- name: Check mandatory variables for envoy gateway
+  assert:
+    fail_msg: "not all mandatory envoy gateway variables given, check role documentation"
+    quiet: yes
+    that:
+      - isolated_clusters_envoy_gateway_chart_version is not none
+      - isolated_clusters_registry_fqdn is not none
+  when: isolated_clusters_envoy_gateway_enabled | bool
 
 - name: Loop over clusters to install services
   include_tasks: services.yaml
diff --git a/control-plane/roles/isolated-clusters/tasks/ntp.yaml b/control-plane/roles/isolated-clusters/tasks/ntp.yaml
@@ -2,7 +2,6 @@
 - name: Create namespace {{ isolated_clusters_ntp_namespace }}
   k8s:
     definition:
-      api_version: v1
       kind: Namespace
       metadata:
         name: "{{ isolated_clusters_ntp_namespace }}"
diff --git a/control-plane/roles/isolated-clusters/tasks/registry.yaml b/control-plane/roles/isolated-clusters/tasks/registry.yaml
@@ -2,7 +2,6 @@
 - name: Create namespace {{ isolated_clusters_registry_namespace }}
   k8s:
     definition:
-      api_version: v1
       kind: Namespace
       metadata:
         name: "{{ isolated_clusters_registry_namespace }}"
@@ -20,5 +19,12 @@
   loop:
     - registry-sts.yaml
     - registry-service.yaml
-    - registry-ingress.yaml
     - registry-oci-mirror.yaml
+
+- name: Deploy registry ingress
+  k8s:
+    definition: "{{ lookup('template', 'registry/registry-ingress.yaml') }}"
+    namespace: "{{ isolated_clusters_registry_namespace }}"
+    kubeconfig: "{{ cluster.kubeconfig }}"
+    apply: yes
+  when: isolated_clusters_ingress_controller_enabled | bool
diff --git a/control-plane/roles/isolated-clusters/tasks/services.yaml b/control-plane/roles/isolated-clusters/tasks/services.yaml
@@ -3,6 +3,7 @@
 
 - name: Install nginx-ingress
   import_tasks: ingress.yaml
+  when: isolated_clusters_ingress_controller_enabled | bool
 
 - name: Install ntp
   import_tasks: ntp.yaml
@@ -12,3 +13,7 @@
 
 - name: Install deployment
   import_tasks: registry.yaml
+
+- name: Install envoy-gateway
+  import_tasks: envoy-gateway.yaml
+  when: isolated_clusters_envoy_gateway_enabled | bool
diff --git a/control-plane/roles/isolated-clusters/templates/envoy-gateway/gateway.yaml b/control-plane/roles/isolated-clusters/templates/envoy-gateway/gateway.yaml
@@ -0,0 +1,100 @@
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: EnvoyProxy
+metadata:
+  name: custom-proxy-config
+  namespace: {{ isolated_clusters_envoy_gateway_namespace }}
+spec:
+  provider:
+    type: Kubernetes
+    kubernetes:
+      envoyService:
+        type: LoadBalancer
+        externalTrafficPolicy: "Local"
+        loadBalancerIP: "{{ isolated_clusters_envoy_gateway_load_balancer_ip }}"
+        loadBalancerSourceRanges:
+{{ isolated_clusters_envoy_gateway_load_balancer_source_ranges | to_nice_yaml | indent(10, true) }}
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+  name: envoy-gateway-class
+spec:
+  controllerName: gateway.envoyproxy.io/gatewayclass-controller
+  parametersRef:
+    group: gateway.envoyproxy.io
+    kind: EnvoyProxy
+    name: custom-proxy-config
+    namespace: {{ isolated_clusters_envoy_gateway_namespace }}
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: main-gateway
+  namespace: {{ isolated_clusters_envoy_gateway_namespace }}
+  labels:
+    app.kubernetes.io/part-of: "{{ isolated_clusters_group_label }}"
+spec:
+  gatewayClassName: envoy-gateway-class
+  listeners:
+    - name: https-registry
+      protocol: HTTPS
+      port: 443
+      hostname: "{{ isolated_clusters_registry_fqdn }}"
+      tls:
+        mode: Terminate
+        certificateRefs:
+          - name: {{ isolated_clusters_envoy_gateway_registry_tls_secret_name }}
+            namespace: {{ isolated_clusters_registry_namespace }}
+      allowedRoutes:
+        namespaces:
+          from: Selector
+          selector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ isolated_clusters_registry_namespace }}
+
+    - name: dns-tcp
+      protocol: TCP
+      port: 53
+      allowedRoutes:
+        namespaces:
+          from: Selector
+          selector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ isolated_clusters_dns_namespace }}
+    - name: dns-udp
+      protocol: UDP
+      port: 53
+      allowedRoutes:
+        namespaces:
+          from: Selector
+          selector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ isolated_clusters_dns_namespace }}
+
+    - name: ntp-udp
+      protocol: UDP
+      port: 123
+      allowedRoutes:
+        namespaces:
+          from: Selector
+          selector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ isolated_clusters_ntp_namespace }}
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: ReferenceGrant
+metadata:
+  name: allow-gateway-to-read-tls-secret
+  namespace: {{ isolated_clusters_registry_namespace }}
+  labels:
+    app.kubernetes.io/part-of: "{{ isolated_clusters_group_label }}"
+spec:
+  from:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      namespace: {{ isolated_clusters_envoy_gateway_namespace }}
+  to:
+    - group: ""
+      kind: Secret
+      name: {{ isolated_clusters_envoy_gateway_registry_tls_secret_name }}
diff --git a/control-plane/roles/isolated-clusters/templates/envoy-gateway/routes.yaml b/control-plane/roles/isolated-clusters/templates/envoy-gateway/routes.yaml
@@ -0,0 +1,76 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: registry-mirror-route
+  namespace: {{ isolated_clusters_registry_namespace }}
+  labels:
+    app.kubernetes.io/part-of: "{{ isolated_clusters_group_label }}"
+spec:
+  parentRefs:
+    - name: main-gateway
+      namespace: {{ isolated_clusters_envoy_gateway_namespace }}
+      sectionName: https-registry
+  hostnames:
+    - "{{ isolated_clusters_registry_fqdn }}"
+  rules:
+    - matches:
+        - method: GET
+        - method: HEAD
+      backendRefs:
+        - name: registry
+          port: 5000
+
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: TCPRoute
+metadata:
+  name: dns-tcp-route
+  namespace: {{ isolated_clusters_dns_namespace }}
+  labels:
+    app.kubernetes.io/part-of: "{{ isolated_clusters_group_label }}"
+spec:
+  parentRefs:
+    - name: main-gateway
+      namespace: {{ isolated_clusters_envoy_gateway_namespace }}
+      sectionName: dns-tcp
+  rules:
+    - backendRefs:
+        - name: coredns-tcp
+          port: 53
+
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: UDPRoute
+metadata:
+  name: dns-udp-route
+  namespace: {{ isolated_clusters_dns_namespace }}
+  labels:
+    app.kubernetes.io/part-of: "{{ isolated_clusters_group_label }}"
+spec:
+  parentRefs:
+    - name: main-gateway
+      namespace: {{ isolated_clusters_envoy_gateway_namespace }}
+      sectionName: dns-udp
+  rules:
+    - backendRefs:
+        - name: coredns-udp
+          port: 53
+
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: UDPRoute
+metadata:
+  name: ntp-udp-route
+  namespace: {{ isolated_clusters_ntp_namespace }}
+  labels:
+    app.kubernetes.io/part-of: "{{ isolated_clusters_group_label }}"
+spec:
+  parentRefs:
+    - name: main-gateway
+      namespace: {{ isolated_clusters_envoy_gateway_namespace }}
+      sectionName: ntp-udp
+  rules:
+    - backendRefs:
+        - name: chrony
+          port: 123
diff --git a/control-plane/roles/isolated-clusters/templates/envoy-gateway/values.yaml b/control-plane/roles/isolated-clusters/templates/envoy-gateway/values.yaml
@@ -0,0 +1,2 @@
+deployment:
+  replicas: {{ isolated_clusters_envoy_gateway_replicas | default(1) }}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+deployment:`
	`2`	`+ replicas: {{ isolated_clusters_envoy_gateway_replicas \| default(1) }}`