Merge pull request opencloud-eu#16 from opencloud-eu/generic-gateway

make gateway generic

Author: butonic

README.md

@@ -22,8 +22,8 @@ Welcome to the **OpenCloud Helm Charts** repository! This repository is intended
   - [OnlyOffice Settings](#onlyoffice-settings)
   - [Collabora Settings](#collabora-settings)
   - [Collaboration Service Settings](#collaboration-service-settings)
-- [Cilium Gateway API Configuration](#cilium-gateway-api-configuration)
-  - [Cilium HTTPRoute Settings](#cilium-httproute-settings)
+- [Gateway API Configuration](#gateway-api-configuration)
+  - [HTTPRoute Settings](#httproute-settings)
 - [Setting Up Gateway API with Talos, Cilium, and cert-manager](#setting-up-gateway-api-with-talos-cilium-and-cert-manager)
 - [Installing the DEV Helm Charts](#-installing-the-dev-helm-charts)
 - [License](#-license)
@@ -69,8 +69,8 @@ To install the chart with the release name `opencloud`:
 helm install opencloud . \
   --namespace opencloud \
   --create-namespace \
-  --set cilium.httproute.gateway.name=cilium-gateway \
-  --set cilium.httproute.gateway.namespace=kube-system
+  --set httpRoute.gateway.name=opencloud-gateway \
+  --set httpRoute.gateway.namespace=kube-system
 ```
 
 ## Architecture
@@ -307,19 +307,19 @@ The following table lists the configurable parameters of the OpenCloud chart and
 | `collaboration.wopiDomain` | WOPI server domain | `collaboration.opencloud.test` |
 | `collaboration.resources` | CPU/Memory resource requests/limits | `{}` |
 
-## Cilium Gateway API Configuration
+## Gateway API Configuration
 
-This chart includes Cilium HTTPRoute resources that can be used to expose the OpenCloud, Keycloak, and MinIO services externally. The HTTPRoutes are configured to route traffic to the respective services.
+This chart includes HTTPRoute resources that can be used to expose the OpenCloud, Keycloak, and MinIO services externally. The HTTPRoutes are configured to route traffic to the respective services.
 
-### Cilium HTTPRoute Settings
+### HTTPRoute Settings
 
 | Parameter | Description | Default |
 | --------- | ----------- | ------- |
-| `cilium.httproute.enabled` | Enable Cilium HTTPRoutes | `true` |
-| `cilium.httproute.gateway.name` | Gateway name | `cilium-gateway` |
-| `cilium.httproute.gateway.namespace` | Gateway namespace | `""` (defaults to Release.Namespace) |
+| `httpRoute.enabled` | Enable HTTPRoutes | `true` |
+| `httpRoute.gateway.name` | Gateway name | `opencloud-gateway` |
+| `httpRoute.gateway.namespace` | Gateway namespace | `""` (defaults to Release.Namespace) |
 
-The following HTTPRoutes are created when `cilium.httproute.enabled` is set to `true`:
+The following HTTPRoutes are created when `httpRoute.enabled` is set to `true`:
 
 1. **OpenCloud HTTPRoute**:
    - Hostname: `global.domain.opencloud`
@@ -368,7 +368,7 @@ The following HTTPRoutes are created when `cilium.httproute.enabled` is set to `
    - Port: 9300
    - Headers: Adds Permissions-Policy header to prevent browser features like interest-based advertising
 
-All HTTPRoutes are configured to use the same Gateway specified by `cilium.httproute.gateway.name` and `cilium.httproute.gateway.namespace`.
+All HTTPRoutes are configured to use the same Gateway specified by `httpRoute.gateway.name` and `httpRoute.gateway.namespace`.
 
 ## Setting Up Gateway API with Talos, Cilium, and cert-manager
 
@@ -392,7 +392,7 @@ helm repo add cilium https://helm.cilium.io/
 helm install cilium cilium/cilium \
   --namespace kube-system \
   --set gatewayAPI.enabled=true \
-  --set kubeProxyReplacement=strict \
+  --set kubeProxyReplacement=true \
   --set k8sServiceHost=<your-kubernetes-api-server-ip> \
   --set k8sServicePort=6443
 ```
@@ -402,14 +402,8 @@ helm install cilium cilium/cilium \
 Install cert-manager to manage TLS certificates:
 
 ```bash
-# Add the Jetstack Helm repository
-helm repo add jetstack https://charts.jetstack.io
-
-# Install cert-manager
-helm install cert-manager jetstack/cert-manager \
-  --namespace cert-manager \
-  --create-namespace \
-  --set installCRDs=true
+# install the default cert manager
+kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.0/cert-manager.yaml
 ```
 
 ### Step 3: Create a ClusterIssuer for cert-manager
@@ -470,6 +464,7 @@ kubectl apply -f cluster-issuer.yaml
 
 Create a Gateway resource to expose your services:
 
+
 ```yaml
 # gateway.yaml
 apiVersion: gateway.networking.k8s.io/v1beta1
@@ -616,8 +611,8 @@ cd opencloud-helm
 helm install opencloud . \
   --namespace opencloud \
   --create-namespace \
-  --set cilium.httproute.gateway.name=cilium-gateway \
-  --set cilium.httproute.gateway.namespace=kube-system
+  --set httpRoute.gateway.name=opencloud-gateway \
+  --set httpRoute.gateway.namespace=kube-system
 ```
 
 ### Troubleshooting

templates/NOTES.txt

@@ -54,10 +54,10 @@ The following services have been deployed:
 {{- end }}
 
 
-{{- if .Values.cilium.httproute.enabled }}
-IMPORTANT: This chart includes Cilium HTTPRoute resources that route traffic to the OpenCloud, Keycloak, and MinIO services.
-All HTTPRoutes are configured to use the Gateway named "{{ .Values.cilium.httproute.gateway.name }}" in the
-{{ if .Values.cilium.httproute.gateway.namespace }}{{ .Values.cilium.httproute.gateway.namespace }}{{ else }}{{ .Values.namespace }}{{ end }} namespace.
+{{- if .Values.httpRoute.enabled }}
+IMPORTANT: This chart includes HTTPRoute resources that route traffic to the OpenCloud, Keycloak, and MinIO services.
+All HTTPRoutes are configured to use the Gateway named "{{ .Values.httpRoute.gateway.name }}" in the
+{{ if .Values.httpRoute.gateway.namespace }}{{ .Values.httpRoute.gateway.namespace }}{{ else }}{{ .Values.namespace }}{{ end }} namespace.
 
 Make sure the Gateway exists and is properly configured to accept traffic for the following domains:
 - OpenCloud: {{ include "opencloud.domain" . }} (Service: {{ include "opencloud.opencloud.fullname" . }}, Port: 9200)
@@ -72,7 +72,7 @@ Make sure the Gateway exists and is properly configured to accept traffic for th
 {{- end }}
 
 {{- else }}
-IMPORTANT: The Cilium HTTPRoutes are disabled. You need to configure your own ingress controller
+IMPORTANT: The HTTPRoutes are disabled. You need to configure your own ingress controller
 to expose these services externally.
 
 Example domains for your ingress configuration:

templates/gateway/collaboration-httproute.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.cilium.httproute.enabled .Values.onlyoffice.collaboration.enabled .Values.onlyoffice.enabled }}
+{{- if and .Values.httpRoute.enabled .Values.onlyoffice.collaboration.enabled .Values.onlyoffice.enabled }}
 apiVersion: gateway.networking.k8s.io/v1beta1
 kind: HTTPRoute
 metadata:
@@ -9,8 +9,8 @@ metadata:
     app.kubernetes.io/component: collaboration
 spec:
   parentRefs:
-    - name: {{ .Values.cilium.httproute.gateway.name }}
-      namespace: {{ .Values.cilium.httproute.gateway.namespace | default .Values.namespace }}
+    - name: {{ .Values.httpRoute.gateway.name }}
+      namespace: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
       sectionName: collaboration-https
   hostnames:
     - {{ .Values.global.domain.wopi | quote }}

templates/gateway/gateway.yaml

@@ -0,0 +1,100 @@
+{{- if .Values.httpRoute.gateway.create }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: {{ .Values.httpRoute.gateway.name }}
+  namespace: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "opencloud.labels" . | nindent 4 }}
+spec:
+  gatewayClassName: {{ .Values.httpRoute.gateway.className }}
+  infrastructure:
+    annotations:
+      {{- with .Values.httpRoute.gateway.annotations }}
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
+  listeners:
+    - name: opencloud-https
+      protocol: HTTPS
+      port: {{ .Valuees.httpRoute.gateway.port | default 443 }}
+      hostname: {{ .Values.global.domain.opencloud | quote }}
+      tls:
+        mode: Terminate
+        certificateRefs:
+          - name: opencloud-wildcard-tls
+            namespace: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
+      allowedRoutes:
+        namespaces:
+          from: Selector
+          selector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
+    {{- if .Values.keycloak.enabled }}
+    - name: keycloak-https
+      protocol: HTTPS
+      port: {{ .Valuees.httpRoute.gateway.port | default 443 }}
+      hostname: {{ .Values.global.domain.keycloak | quote }}
+      tls:
+        mode: Terminate
+        certificateRefs:
+          - name: opencloud-wildcard-tls
+            namespace: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
+      allowedRoutes:
+        namespaces:
+          from: Selector
+          selector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
+    {{- end }}
+    {{- if and .Values.opencloud.storage.s3.internal.enabled .Values.opencloud.storage.s3.internal.httpRoute.enabled }}
+    - name: minio-https
+      protocol: HTTPS
+      port: {{ .Valuees.httpRoute.gateway.port | default 443 }}
+      hostname: {{ .Values.global.domain.minio | quote }}
+      tls:
+        mode: Terminate
+        certificateRefs:
+          - name: opencloud-wildcard-tls
+            namespace: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
+      allowedRoutes:
+        namespaces:
+          from: Selector
+          selector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
+    {{- end }}
+    {{- if .Values.onlyoffice.enabled }}
+    - name: onlyoffice-https
+      protocol: HTTPS
+      port: {{ .Valuees.httpRoute.gateway.port | default 443 }}
+      hostname: {{ .Values.global.domain.onlyoffice | quote }}
+      tls:
+        mode: Terminate
+        certificateRefs:
+          - name: opencloud-wildcard-tls
+            namespace: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
+      allowedRoutes:
+        namespaces:
+          from: Selector
+          selector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
+    {{- end }}
+    {{- if and .Values.onlyoffice.collaboration.enabled .Values.onlyoffice.enabled }}
+    - name: collaboration-https
+      protocol: HTTPS
+      port: {{ .Valuees.httpRoute.gateway.port | default 443 }}
+      hostname: {{ .Values.global.domain.wopi | quote }}
+      tls:
+        mode: Terminate
+        certificateRefs:
+          - name: opencloud-wildcard-tls
+            namespace: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
+      allowedRoutes:
+        namespaces:
+          from: Selector
+          selector:
+            matchLabels:
+              kubernetes.io/metadata.name: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
+    {{- end }}
+{{- end }}

templates/gateway/https-httproute.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.cilium.httproute.enabled }}
+{{- if .Values.httpRoute.enabled }}
 apiVersion: gateway.networking.k8s.io/v1beta1
 kind: HTTPRoute
 metadata:
@@ -8,8 +8,8 @@ metadata:
     {{- include "opencloud.labels" . | nindent 4 }}
 spec:
   parentRefs:
-    - name: {{ .Values.cilium.httproute.gateway.name }}
-      namespace: {{ .Values.cilium.httproute.gateway.namespace | default .Values.namespace }}
+    - name: {{ .Values.httpRoute.gateway.name }}
+      namespace: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
       sectionName: opencloud-https
   hostnames:
     - {{ include "opencloud.domain" . | quote }}

templates/gateway/keycloak-https-httproute.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.cilium.httproute.enabled .Values.keycloak.enabled (not .Values.keycloak.external.enabled) }}
+{{- if and .Values.httpRoute.enabled .Values.keycloak.enabled (not .Values.keycloak.external.enabled) }}
 apiVersion: gateway.networking.k8s.io/v1beta1
 kind: HTTPRoute
 metadata:
@@ -9,8 +9,8 @@ metadata:
     app.kubernetes.io/component: keycloak
 spec:
   parentRefs:
-    - name: {{ .Values.cilium.httproute.gateway.name }}
-      namespace: {{ .Values.cilium.httproute.gateway.namespace | default .Values.namespace }}
+    - name: {{ .Values.httpRoute.gateway.name }}
+      namespace: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
       sectionName: keycloak-https
   hostnames:
     - {{ include "opencloud.keycloak.domain" . | quote }}

templates/gateway/minio-httproute.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.cilium.httproute.enabled .Values.opencloud.storage.s3.internal.enabled }}
+{{- if and .Values.httpRoute.enabled .Values.opencloud.storage.s3.internal.enabled .Values.opencloud.storage.s3.internal.httpRoute.enabled }}
 apiVersion: gateway.networking.k8s.io/v1beta1
 kind: HTTPRoute
 metadata:
@@ -9,8 +9,8 @@ metadata:
     app.kubernetes.io/component: minio
 spec:
   parentRefs:
-    - name: {{ .Values.cilium.httproute.gateway.name }}
-      namespace: {{ .Values.cilium.httproute.gateway.namespace | default .Values.namespace }}
+    - name: {{ .Values.httpRoute.gateway.name }}
+      namespace: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
       sectionName: minio-https
   hostnames:
     - {{ include "opencloud.minio.domain" . | quote }}

templates/gateway/onlyoffice-httproute-echo.yaml

@@ -9,8 +9,8 @@ metadata:
     app.kubernetes.io/component: onlyoffice
 spec:
   parentRefs:
-    - name: {{ .Values.cilium.httproute.gateway.name }}
-      namespace: {{ .Values.cilium.httproute.gateway.namespace | default .Values.namespace }}
+    - name: {{ .Values.httpRoute.gateway.name }}
+      namespace: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
       sectionName: onlyoffice-https
   hostnames:
     - {{ .Values.global.domain.onlyoffice | quote }}

templates/gateway/onlyoffice-httproute.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.cilium.httproute.enabled .Values.onlyoffice.enabled }}
+{{- if and .Values.httpRoute.enabled .Values.onlyoffice.enabled }}
 apiVersion: gateway.networking.k8s.io/v1beta1
 kind: HTTPRoute
 metadata:
@@ -9,8 +9,8 @@ metadata:
     app.kubernetes.io/component: onlyoffice
 spec:
   parentRefs:
-    - name: {{ .Values.cilium.httproute.gateway.name }}
-      namespace: {{ .Values.cilium.httproute.gateway.namespace | default .Values.namespace }}
+    - name: {{ .Values.httpRoute.gateway.name }}
+      namespace: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
       sectionName: onlyoffice-https
   hostnames:
     - {{ .Values.global.domain.onlyoffice | quote }}
@@ -19,6 +19,20 @@ spec:
         - path:
             type: PathPrefix
             value: /
+      filters:
+        {{- if eq .Values.httpRoute.gateway.className "traefik" }}
+        - type: ExtensionRef
+          extensionRef:
+            group: traefik.io
+            kind: Middleware
+            name: add-x-forwarded-proto-https
+        {{- else }}
+        - type: RequestHeaderModifier
+          requestHeaderModifier:
+            add:
+              - name: X-Forwarded-Proto
+                value: https
+        {{- end }}
       backendRefs:
         - name: {{ include "opencloud.fullname" . }}-onlyoffice
           port: 80

templates/gateway/onlyoffice-tlsroute.yaml

@@ -9,8 +9,8 @@ metadata:
     app.kubernetes.io/component: onlyoffice
 spec:
   parentRefs:
-    - name: {{ .Values.cilium.httproute.gateway.name }}
-      namespace: {{ .Values.cilium.httproute.gateway.namespace | default .Values.namespace }}
+    - name: {{ .Values.httpRoute.gateway.name }}
+      namespace: {{ .Values.httpRoute.gateway.namespace | default .Release.Namespace }}
       sectionName: onlyoffice-tls
   hostnames:
     - {{ .Values.global.domain.onlyoffice | quote }}