
Rework networking #20

Merged
clofour merged 7 commits into main from dev
Apr 25, 2026

Conversation

@clofour
Owner

@clofour clofour commented Apr 25, 2026

Summary by CodeRabbit

Release Notes

  • New Features

    • Gateway API infrastructure with Envoy Gateway for application routing
    • Automatic HTTP-to-HTTPS traffic redirect
  • Infrastructure

    • Certificate management updated to DNS01 validation approach
    • Application routing migrated from nginx ingress to Gateway API
    • New envoy-gateway namespace provisioned for gateway resources
    • Grafana now routes through Gateway API instead of direct ingress

@coderabbitai

coderabbitai Bot commented Apr 25, 2026

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: ad4ec5d5-c565-4329-87b9-18687de9ecca


Walkthrough

This change introduces a Gateway API-based ingress architecture using Envoy Gateway, replacing traditional nginx ingress controllers. It renames and refactors the certificate Helm chart, creates a new gateway-config chart with Gateway and HTTPRoute resources, updates infrastructure configuration files to disable nginx ingress in favor of Gateway API routing, and adjusts Terraform deployments to manage the new Envoy Gateway infrastructure and DNS01 certificate handling.

Changes

Cohort / File(s) / Summary

DNS01 Certificate Chart Rename & Update
  Files: helm/dns01-certificate/chart/Chart.yaml, helm/dns01-certificate/chart/templates/dns01-certificate.yaml
  Summary: Renames chart from wildcard-certificate to dns01-certificate and modifies the template to build spec.dnsNames dynamically from the .Values.dnsNameTemplates list using template rendering and quoting.

Gateway Config Chart Creation
  Files: helm/gateway-config/chart/.helmignore, helm/gateway-config/chart/Chart.yaml, helm/gateway-config/chart/templates/_helpers.tpl, helm/gateway-config/chart/templates/gateway-class.yaml, helm/gateway-config/chart/templates/gateway.yaml, helm/gateway-config/chart/templates/http-to-https.yaml, helm/gateway-config/chart/values.yaml
  Summary: New Helm chart for Envoy Gateway configuration, including chart metadata, helper templates for naming/labeling, Kubernetes GatewayClass, Gateway, and HTTPRoute resources with HTTP-to-HTTPS redirect, and configurable values for gateway name and certificate reference.

Helm Values Migration to Gateway API
  Files: helm/gitlab/values.yaml, helm/kube-prometheus-stack/values.yaml
  Summary: Switches Grafana and GitLab exposure from nginx ingress + TLS to Gateway API configuration using external Envoy Gateway parentRefs and route-based routing; disables ingress controller integration.

Removed Certificate Values
  Files: helm/wildcard-certificate/values.yaml
  Summary: Deletes the configuration values file, removing the domain and reflectNamespaces keys from chart configuration.

Terraform Infrastructure Updates
  Files: terraform/helm.tf
  Summary: Replaces the wildcard_certificate Helm release with dns01_certificate (dns01-certificate chart with additional dnsNameTemplates for apex, wildcard, and pages subdomain), adds a new envoy_gateway Helm release (OCI gateway-helm v1.7.2), and updates the gitlab release dependency.

Terraform Namespace Restructuring
  Files: terraform/kubernetes.tf
  Summary: Reorganizes Kubernetes namespace resources: creates the cert-manager namespace (previously labeled ingress_nginx), adds a new envoy_gateway_system namespace, and re-adds the ingress-nginx namespace with proper dependency ordering.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

  • Add ingress for Grafana #11 — Modifies Grafana exposure in kube-prometheus-stack values.yaml from ingress to Gateway API routing (overlapping configuration change with opposite direction in git history).
  • Implement wildcard certificate #7 — Directly precedes this PR by introducing the wildcard-certificate chart that is now being refactored and renamed to dns01-certificate with updated Terraform dependencies.
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

  • Title check: ❓ Inconclusive. Explanation: The title "Rework networking" is very vague and generic, using non-descriptive language that doesn't convey specific information about the substantial changes in the PR. Resolution: Provide a more specific title that highlights the main change, such as "Migrate networking to Envoy Gateway" or "Replace nginx ingress with Gateway API and DNS01 certificate."

✅ Passed checks (4 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

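The walkthrough above says the DNS01 certificate now carries three dnsNames (apex, wildcard, and the Pages wildcard). The check below, which is an added example and not code from this PR or its charts, renders those three templates and confirms that every hostname the cluster is expected to serve is actually covered, using the single-label wildcard rule that TLS clients apply. The domain, the host list and the stand-in for Helm's `tpl` rendering are constructed for the example; it also shows why the separate `*.pages.<domain>` entry is needed.

```python
# Added example (not code from the PR): check that the dnsNames a DNS01 Certificate
# will carry cover every hostname the Gateway is expected to serve, using the
# single-label wildcard matching rule TLS clients and cert-manager apply.
# The domain, the host list and the stand-in for Helm's `tpl` rendering are
# constructed for this example; the three templates mirror the apex, wildcard and
# *.pages.<domain> entries the PR passes as dnsNameTemplates.

DOMAIN = "example.com"  # constructed; the PR takes this from var.domain_name

DNS_NAME_TEMPLATES = [
    "{{ .Values.domain }}",
    "*.{{ .Values.domain }}",
    "*.pages.{{ .Values.domain }}",
]

# Hostnames this cluster exposes (constructed from the services named in the review).
EXPECTED_HOSTS = [
    "example.com",
    "gitlab.example.com",
    "registry.example.com",
    "grafana.example.com",
    "myproject.pages.example.com",
]


def render(templates, domain):
    """Stand-in for Helm `tpl`: substitute .Values.domain into each template."""
    return [t.replace("{{ .Values.domain }}", domain) for t in templates]


def wildcard_matches(pattern, host):
    """Certificate-style matching: a leading '*' covers exactly one DNS label.

    '*.example.com' matches 'gitlab.example.com' but neither 'example.com'
    nor 'myproject.pages.example.com'; a wildcard anywhere else is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def uncovered_hosts(dns_names, hosts):
    """Return the hosts that no entry in dns_names covers."""
    return [h for h in hosts if not any(wildcard_matches(n, h) for n in dns_names)]


if __name__ == "__main__":
    names = render(DNS_NAME_TEMPLATES, DOMAIN)
    print("dnsNames:", names)
    print("uncovered:", uncovered_hosts(names, EXPECTED_HOSTS))
    # Dropping the Pages wildcard shows why it is a separate entry:
    print("without *.pages:", uncovered_hosts(names[:2], EXPECTED_HOSTS))
```

Run it after editing the dnsNameTemplates list in terraform/helm.tf; any host it reports as uncovered will fail TLS validation at the Gateway even though cert-manager issues the certificate without complaint.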

@clofour
Owner Author

clofour commented Apr 25, 2026

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Apr 25, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 7

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (4)
terraform/kubernetes.tf (2)

49-51: 🧹 Nitpick | 🔵 Trivial

Consider constraining random_password charset to GitLab-acceptable characters.

random_password "gitlab_root" defaults to including punctuation. If GitLab’s root account or any consumer of this secret has restricted allowed characters (or if the value is later embedded in a URL/env without escaping), authentication can break in non-obvious ways. Consider setting special = false (or override_special = "...") and adding explicit min_lower/min_upper/min_numeric to make the generated password deterministic in shape.

♻️ Proposed adjustment
 resource "random_password" "gitlab_root" {
-    length = 64
+    length           = 64
+    special          = true
+    override_special = "!@#%^*-_=+"
+    min_lower        = 2
+    min_upper        = 2
+    min_numeric      = 2
 }
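Review bot: the hunk sets `special = true` with an `override_special` list but no `min_special`, so a generated password can still contain no punctuation at all, while the text above recommends `special = false`; decide which shape the GitLab root password should have and express it fully (either `special = false`, or `special = true` plus `min_special`). The `override_special` set also still contains `#`, `%` and `@`, which are exactly the characters that break when the value is embedded unescaped in a URL.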

25-31: ⚠️ Potential issue | 🟠 Major

Migration to Envoy Gateway is incomplete — DNS still points to ingress-nginx.

The PR deploys Envoy Gateway resources (Gateway, GatewayClass, HTTPRoute in the gateway-config chart), but the public ingress is still wired to ingress-nginx:

  • terraform/dns.tf:2 reads lb_ip from data.kubernetes_service_v1.ingress_nginx
  • terraform/dns.tf:18 uses this lb_ip for all DNS A records (gitlab_host, registry_host, etc.)
  • helm_release.ingress_nginx is still deployed with a LoadBalancer service (lines 81–89 in helm.tf)
  • time_sleep.wait_for_lb depends on helm_release.ingress_nginx (line 178)

Public traffic and DNS resolution will continue routing through nginx, not Envoy Gateway. To complete the migration, either:

  1. Update dns.tf to read the LoadBalancer IP from the Envoy Gateway service instead, or
  2. If this is an intentional parallel rollout, document the transition plan and flag nginx for deprecation.
terraform/helm.tf (2)

120-138: ⚠️ Potential issue | 🟠 Major

Add Envoy Gateway / gateway-config to helm_release.gitlab.depends_on.

GitLab is now configured with global.gatewayApi.enabled: true and references a Gateway named gateway in envoy-gateway-system. Its rendered HTTPRoutes require both the Gateway API CRDs (from helm_release.envoy_gateway) and the actual Gateway resource (from the missing gateway-config release) to exist before apply, otherwise the install will fail or create dangling routes.

🔧 Proposed fix
     depends_on = [
         digitalocean_database_cluster.postgres,
         ...
         helm_release.cert_manager,
         helm_release.dns01_certificate,
         helm_release.reflector,
         helm_release.cluster_issuer,
-        helm_release.ingress_nginx,
+        helm_release.envoy_gateway,
+        helm_release.gateway_config,
         digitalocean_record.main,
         ...
     ]
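Review bot: the added `helm_release.gateway_config` reference has no matching resource in terraform/helm.tf; the review itself notes further down that the gateway-config release is not deployed via Terraform, so this depends_on would fail plan with a reference to an undeclared resource until that release is added. Dropping `helm_release.ingress_nginx` from the list is also premature while dns.tf still reads the LoadBalancer IP from the ingress-nginx service (the outside-diff comment above), because `digitalocean_record.main` would then be created from an IP whose producer is no longer ordered before GitLab.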

The same depends_on addition applies to helm_release.kube_prometheus_stack (Lines 141‑155), which currently has no depends_on at all but renders a Grafana HTTPRoute.


81-91: 🧹 Nitpick | 🔵 Trivial

The ingress_nginx Helm release is orphaned and should be removed.

helm/gitlab/values.yaml confirms global.ingress.enabled: false, nginx-ingress.enabled: false, and installCertmanager: false. No Ingress resources in the codebase reference the nginx ingress controller, and routing has been migrated to Gateway API (evidenced by Gateway, GatewayClass, and HTTPRoute resources in helm/gateway-config/). The release, its namespace, and values file are dead infrastructure unnecessarily maintaining a LoadBalancer and DNS/TLS surface.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 120eea1b-8335-48aa-b5e0-f3e03dea0bdd

📥 Commits

Reviewing files that changed from the base of the PR and between cc404ad and 5465734.

📒 Files selected for processing (17)
  • helm/dns01-certificate/chart/.helmignore
  • helm/dns01-certificate/chart/Chart.yaml
  • helm/dns01-certificate/chart/templates/_helpers.tpl
  • helm/dns01-certificate/chart/templates/dns01-certificate.yaml
  • helm/dns01-certificate/chart/values.yaml
  • helm/gateway-config/chart/.helmignore
  • helm/gateway-config/chart/Chart.yaml
  • helm/gateway-config/chart/templates/_helpers.tpl
  • helm/gateway-config/chart/templates/gateway-class.yaml
  • helm/gateway-config/chart/templates/gateway.yaml
  • helm/gateway-config/chart/templates/http-to-https.yaml
  • helm/gateway-config/chart/values.yaml
  • helm/gitlab/values.yaml
  • helm/kube-prometheus-stack/values.yaml
  • helm/wildcard-certificate/values.yaml
  • terraform/helm.tf
  • terraform/kubernetes.tf
💤 Files with no reviewable changes (1)
  • helm/wildcard-certificate/values.yaml
📜 Review details
🧰 Additional context used
🪛 YAMLlint (1.38.0)

helm/dns01-certificate/chart/templates/dns01-certificate.yaml
  [error] 13-13: syntax error: expected the node content, but found '-' (syntax)
  [error] 14-14: too many spaces inside braces (braces)
  [error] 14-14: too many spaces inside braces (braces)
  [error] 15-15: too many spaces inside braces (braces)

helm/gateway-config/chart/templates/http-to-https.yaml
  [error] 5-5: too many spaces inside braces (braces)
  [error] 5-5: too many spaces inside braces (braces)
  [error] 8-8: too many spaces inside braces (braces)
  [error] 8-8: too many spaces inside braces (braces)

helm/gateway-config/chart/templates/gateway.yaml
  [error] 4-4: too many spaces inside braces (braces)
  [error] 4-4: too many spaces inside braces (braces)
  [error] 5-5: too many spaces inside braces (braces)
  [error] 5-5: too many spaces inside braces (braces)
  [error] 24-24: too many spaces inside braces (braces)
  [error] 24-24: too many spaces inside braces (braces)
🔇 Additional comments (7)
helm/dns01-certificate/chart/Chart.yaml (1)

2-3: LGTM — chart rename is consistent with downstream Terraform wiring.

name: dns01-certificate aligns with the new chart path ${path.module}/../helm/dns01-certificate/chart referenced in terraform/helm.tf.

helm/gateway-config/chart/.helmignore (1)

1-23: LGTM — standard .helmignore.

helm/gateway-config/chart/Chart.yaml (1)

1-24: LGTM — new chart manifest is well-formed.

helm/dns01-certificate/chart/templates/dns01-certificate.yaml (1)

13-15: The tpl . $ invocation is correct and will properly evaluate nested template expressions like {{ .Values.domain }} against the root context. The terraform helm_release only passes domain, dnsNameTemplates, and reflectNamespaces, but this is not a problem: the chart's values.yaml provides defaults for name (wildcard-certificate), secretName (wildcard-certificate), and issuer (letsencrypt). These will be used when the Kubernetes Certificate is rendered, so all required fields will be populated correctly.

helm/gateway-config/chart/values.yaml (1)

1-2: Confirm that the gateway-config helm release will be deployed to envoy-gateway-system namespace, or add a ReferenceGrant if deployed elsewhere.

The certificateName: wildcard-certificate correctly matches the Secret name produced by the dns01-certificate chart (which explicitly sets secretName: wildcard-certificate). However, the original concern remains unresolved:

  1. ✓ The Secret is correctly named and created in envoy-gateway-system.
  2. ✗ The gateway-config helm_release is not deployed via Terraform, so the target namespace is unclear. The Gateway resource requires the TLS Secret to be in its namespace; cross-namespace references need a ReferenceGrant, which does not exist in the codebase.

Verify where gateway-config will be deployed. If not in envoy-gateway-system, add a ReferenceGrant allowing the Gateway to reference the Secret from that namespace.

terraform/helm.tf (1)

58-68: LGTM on the dnsNameTemplates indirection.

Passing {{ .Values.domain }} strings through yamlencode (rather than interpolating ${var.domain_name} here) is correct — the chart re-templates them via tpl against its own values, which keeps the rendered Certificate.spec.dnsNames driven by a single source of truth (domain). The set covers apex, wildcard, and *.pages.<domain>, which lines up with GitLab Pages user content.

helm/gateway-config/chart/templates/gateway.yaml (1)

19-24: TLS Secret will be properly created and reflected to all required namespaces.

The dns01-certificate Helm chart creates a cert-manager Certificate that generates a Secret named wildcard-certificate in the envoy-gateway-system namespace. The Secret is configured with reflector annotations:

reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "{{ .Values.reflectNamespaces }}"

This ensures automatic mirroring to target namespaces. The gateway-config references this Secret via .Values.certificateName (default: wildcard-certificate), which matches the secret name produced by dns01-certificate. The listener will become Ready once cert-manager provisions the certificate and it is reflected to the required namespace.

Comment thread helm/gateway-config/chart/templates/_helpers.tpl Outdated
Comment on lines +1 to +6
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
name: envoy
spec:
controllerName: gateway.envoyproxy.io/gatewayclass-controller No newline at end of file
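Review bot: metadata.name is hard-coded to `envoy` and the resource carries no chart labels even though the chart ships _helpers.tpl for naming and labelling; the name must match the gatewayClassName used by the chart's Gateway and the `gatewayClass: envoy` value in helm/gitlab/values.yaml, so either template it from a single value or state in values.yaml that it is fixed. The missing trailing newline should be added as well.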


🧹 Nitpick | 🔵 Trivial

GatewayClass is cluster-scoped — beware of multi-release / uninstall coupling.

Packaging a cluster-scoped GatewayClass named envoy inside this chart means a helm uninstall (or a parallel install in another namespace) will delete/conflict on a cluster-global resource that may be in use by Gateways from other releases. Consider either:

  • moving the GatewayClass to a separate, single-instance chart (or directly into Terraform), or
  • gating it behind a value (e.g., {{- if .Values.createGatewayClass }}) so only one release owns it.

Comment thread helm/gateway-config/chart/templates/http-to-https.yaml Outdated
Comment thread helm/gitlab/values.yaml
Comment on lines +18 to +28
gatewayApi:
enabled: true
installEnvoy: false
configureCertmanager: false
class: nginx
tls:
enabled: true
secretName: "wildcard-certificate"
gatewayClass: envoy
gateway:
name: gateway
namespace: envoy-gateway-system

ingress:
enabled: false
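Review bot: `class: nginx` is left under `gatewayApi` next to `gatewayClass: envoy`; one of the two is a leftover from the ingress configuration, and if the chart's Gateway API templates read `class` the rendered routes would target a class Envoy Gateway does not own. Confirm which key the chart honours and delete the other. With `configureCertmanager: false` and `tls.enabled: true` the chart will not request a certificate itself, so `wildcard-certificate` has to already exist (via reflector) in every namespace whose objects reference it, which is the ReferenceGrant point raised above.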


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

GitLab Helm chart 9.10.3 Gateway API support for Pages HTTPRoute and TLS

💡 Result:

Yes, the GitLab Helm chart version 9.10.3 supports Gateway API for GitLab Pages using HTTPRoute with TLS termination. Gateway API support was introduced starting from chart version 9.7 (corresponding to GitLab 18.7). In 9.10.3, enable it by setting global.gatewayApi.enabled=true in your values.yaml. The chart creates HTTPRoutes for services including Pages, referencing a pages-web listener in the Gateway with TLS mode: Terminate and certificateRefs to a pages-tls secret (wildcard certificate required for Pages domains *.pages.example.com). An optional HTTPRoute redirects HTTP to HTTPS. The chart can bundle Envoy Gateway (global.gatewayApi.installEnvoy=true) or reference an external Gateway API implementation like Envoy Gateway. GitLab Pages requires a user-provided wildcard TLS secret named <release>-pages-tls or customized via gitlab.gitlab-pages.ingress.tls.secretName. Providers must support HTTPRoutes, TCPRoutes (for SSH), RegularExpression matches, and ideally GRPCRoutes.

Citations:


🏁 Script executed:

#!/bin/bash
# Look for any Pages-specific Gateway/HTTPRoute templates produced by the gitlab chart locally
# and any pages-related routing configured in this repo.
rg -nP --hidden -C2 'pages|HTTPRoute|gatewayApi' helm/ terraform/ 2>/dev/null | head -200

Repository: clofour/gitlab-kubernetes

Length of output: 2896


🏁 Script executed:

#!/bin/bash
# Check pages configuration in values.yaml, especially TLS secret settings
rg -A 20 'pages:' helm/gitlab/values.yaml | head -100

Repository: clofour/gitlab-kubernetes

Length of output: 1281


🏁 Script executed:

#!/bin/bash
# Search for pages.ingress or pages TLS configuration more comprehensively
rg -n 'pages.*tls|gitlab-pages|pages.*ingress' helm/gitlab/values.yaml -i

Repository: clofour/gitlab-kubernetes

Length of output: 51


🏁 Script executed:

#!/bin/bash
# Search for pages-tls or pages certificate secret creation anywhere
rg -n 'pages-tls|pages.*certificate|pages.*secret' --iglob '*.yaml' --iglob '*.tf' --iglob '*.md' helm/ terraform/

Repository: clofour/gitlab-kubernetes

Length of output: 1047


🏁 Script executed:

#!/bin/bash
# Look for pages-tls in all files
rg 'pages-tls' helm/ terraform/ --type yaml --type tf

Repository: clofour/gitlab-kubernetes

Length of output: 51


🏁 Script executed:

#!/bin/bash
# Get the entire gitlab section to see gitlab-pages configuration
sed -n '/^gitlab:/,/^[a-z]/p' helm/gitlab/values.yaml | head -150

Repository: clofour/gitlab-kubernetes

Length of output: 583


Provide wildcard TLS secret for GitLab Pages.

The GitLab Helm chart 9.10.3 does support Gateway API for Pages with HTTPRoute and TLS termination. However, the configuration is missing the required wildcard TLS certificate secret. The chart expects either a secret named <release>-pages-tls or explicit configuration via gitlab.gitlab-pages.ingress.tls.secretName, but neither is present in this values.yaml. The Terraform setup includes the wildcard domain *.pages.${domain} in the dns01 certificate, which is correct, but the secret must be created and referenced in the Helm values. Without it, Pages HTTPS will fail. Add the secret or configure gitlab.gitlab-pages.ingress.tls.secretName pointing to the certificate secret.

Comment thread helm/kube-prometheus-stack/values.yaml
Comment thread terraform/helm.tf
Comment thread terraform/helm.tf
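Two of the review's points above share a root cause: an HTTPRoute that points at a Gateway which does not exist yet (the depends_on comment on terraform/helm.tf), and a Gateway listener whose TLS Secret lives in another namespace without a ReferenceGrant (the comment on helm/gateway-config/chart/values.yaml). A third failure mode in the same family is a Gateway whose listeners keep the default `allowedRoutes.namespaces.from: Same`, which silently refuses the cross-namespace Grafana and GitLab routes. The script below is an added example, not code from this PR or the charts it touches; it walks a set of rendered manifests and reports all three. The objects are constructed dicts standing in for the rendered Gateway, HTTPRoute and ReferenceGrant resources: the Gateway name and namespace and the Secret name are taken from the review (`gateway`, `envoy-gateway-system`, `wildcard-certificate`), the route namespaces `monitoring` and `gitlab` are assumed.

```python
# Added example (not code from the PR or the charts it touches): static checks for
# the cross-namespace wiring a Gateway API rollout depends on. The objects below are
# constructed dicts standing in for rendered Gateway, HTTPRoute and ReferenceGrant
# manifests; Gateway name/namespace and Secret name come from the review
# (envoy-gateway-system, gateway, wildcard-certificate), route namespaces are assumed.

GATEWAY_GROUP = "gateway.networking.k8s.io"


def sample_objects(secret_namespace="envoy-gateway-system", allow_all=True, grant=False):
    """Build a constructed manifest set; the knobs reproduce the failure modes discussed."""
    cert_ref = {"kind": "Secret", "name": "wildcard-certificate"}
    if secret_namespace != "envoy-gateway-system":
        cert_ref["namespace"] = secret_namespace
    allowed = {"namespaces": {"from": "All" if allow_all else "Same"}}
    objs = [
        {"kind": "Gateway",
         "metadata": {"name": "gateway", "namespace": "envoy-gateway-system"},
         "spec": {"gatewayClassName": "envoy", "listeners": [
             {"name": "http", "port": 80, "protocol": "HTTP", "allowedRoutes": allowed},
             {"name": "https", "port": 443, "protocol": "HTTPS", "allowedRoutes": allowed,
              "tls": {"mode": "Terminate", "certificateRefs": [cert_ref]}}]}},
        {"kind": "HTTPRoute",
         "metadata": {"name": "http-to-https", "namespace": "envoy-gateway-system"},
         "spec": {"parentRefs": [{"name": "gateway", "sectionName": "http"}]}},
        {"kind": "HTTPRoute",
         "metadata": {"name": "grafana", "namespace": "monitoring"},
         "spec": {"parentRefs": [{"name": "gateway", "namespace": "envoy-gateway-system"}]}},
    ]
    if grant:
        objs.append({"kind": "ReferenceGrant",
                     "metadata": {"name": "gateway-to-wildcard-cert", "namespace": secret_namespace},
                     "spec": {"from": [{"group": GATEWAY_GROUP, "kind": "Gateway",
                                        "namespace": "envoy-gateway-system"}],
                              "to": [{"group": "", "kind": "Secret", "name": "wildcard-certificate"}]}})
    return objs


def _ns(obj):
    return obj["metadata"].get("namespace", "default")


def grant_allows(grants, from_ns, to_ns, secret_name):
    """True if a ReferenceGrant in to_ns lets Gateways in from_ns read secret_name."""
    for g in grants:
        if _ns(g) != to_ns:
            continue
        ok_from = any(f.get("group") == GATEWAY_GROUP and f.get("kind") == "Gateway"
                      and f.get("namespace") == from_ns for f in g["spec"]["from"])
        # A 'to' entry without a name grants every Secret in the namespace.
        ok_to = any(t.get("kind") == "Secret" and t.get("name", secret_name) == secret_name
                    for t in g["spec"]["to"])
        if ok_from and ok_to:
            return True
    return False


def check(objs):
    """Return human-readable findings; an empty list means the wiring is consistent."""
    findings = []
    gateways = {(_ns(o), o["metadata"]["name"]): o for o in objs if o["kind"] == "Gateway"}
    grants = [o for o in objs if o["kind"] == "ReferenceGrant"]

    # 1. Every cross-namespace certificateRef needs a ReferenceGrant in the Secret's namespace.
    for (gw_ns, gw_name), gw in gateways.items():
        for lst in gw["spec"]["listeners"]:
            for ref in lst.get("tls", {}).get("certificateRefs", []):
                ref_ns = ref.get("namespace", gw_ns)
                if ref_ns != gw_ns and not grant_allows(grants, gw_ns, ref_ns, ref["name"]):
                    findings.append(f"Gateway {gw_ns}/{gw_name} listener {lst['name']}: "
                                    f"certificateRef {ref_ns}/{ref['name']} has no ReferenceGrant")

    # 2. Every parentRef must resolve, and 3. the Gateway must admit routes from that namespace.
    for o in objs:
        if o["kind"] != "HTTPRoute":
            continue
        rt_ns, rt_name = _ns(o), o["metadata"]["name"]
        for p in o["spec"]["parentRefs"]:
            p_ns = p.get("namespace", rt_ns)  # parentRef namespace defaults to the route's own
            gw = gateways.get((p_ns, p["name"]))
            if gw is None:
                findings.append(f"HTTPRoute {rt_ns}/{rt_name}: parentRef {p_ns}/{p['name']} does not exist")
                continue
            if p_ns != rt_ns:
                # allowedRoutes.namespaces.from defaults to Same, which rejects foreign routes;
                # Selector is treated as allowed here and would need a label check on top.
                policies = [lst.get("allowedRoutes", {}).get("namespaces", {}).get("from", "Same")
                            for lst in gw["spec"]["listeners"]]
                if not any(pol in ("All", "Selector") for pol in policies):
                    findings.append(f"HTTPRoute {rt_ns}/{rt_name}: no listener on Gateway "
                                    f"{p_ns}/{p['name']} accepts routes from {rt_ns}")
    return findings


if __name__ == "__main__":
    for label, objs in [("same namespace", sample_objects()),
                        ("secret in cert-manager", sample_objects(secret_namespace="cert-manager")),
                        ("with ReferenceGrant", sample_objects(secret_namespace="cert-manager", grant=True)),
                        ("allowedRoutes Same", sample_objects(allow_all=False))]:
        print(f"{label}: {check(objs) or 'OK'}")
```

The same `check` can be fed the output of `helm template` for the gateway-config, gitlab and kube-prometheus-stack charts once it is parsed into dicts; the point of running it before `terraform apply` is that all three conditions are reported by Kubernetes only as `Accepted=False` or `ResolvedRefs=False` status conditions after the fact, never as an apply error.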
@clofour clofour merged commit d47c3f0 into main Apr 25, 2026
3 checks passed