Rework networking #20
Changes from all commits
bb8b732
f844eed
5465734
78437c8
7d8a80f
0bc2ff1
e70859e
This file was deleted.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| # Patterns to ignore when building packages. | ||
| # This supports shell glob matching, relative path matching, and | ||
| # negation (prefixed with !). Only one pattern per line. | ||
| .DS_Store | ||
| # Common VCS dirs | ||
| .git/ | ||
| .gitignore | ||
| .bzr/ | ||
| .bzrignore | ||
| .hg/ | ||
| .hgignore | ||
| .svn/ | ||
| # Common backup files | ||
| *.swp | ||
| *.bak | ||
| *.tmp | ||
| *.orig | ||
| *~ | ||
| # Various IDEs | ||
| .project | ||
| .idea/ | ||
| *.tmproj | ||
| .vscode/ |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| apiVersion: v2 | ||
| name: gateway-config | ||
| description: Gateway Configuration | ||
|
|
||
| # A chart can be either an 'application' or a 'library' chart. | ||
| # | ||
| # Application charts are a collection of templates that can be packaged into versioned archives | ||
| # to be deployed. | ||
| # | ||
| # Library charts provide useful utilities or functions for the chart developer. They're included as | ||
| # a dependency of application charts to inject those utilities and functions into the rendering | ||
| # pipeline. Library charts do not define any templates and therefore cannot be deployed. | ||
| type: application | ||
|
|
||
| # This is the chart version. This version number should be incremented each time you make changes | ||
| # to the chart and its templates, including the app version. | ||
| # Versions are expected to follow Semantic Versioning (https://semver.org/) | ||
| version: 0.1.0 | ||
|
|
||
| # This is the version number of the application being deployed. This version number should be | ||
| # incremented each time you make changes to the application. Versions are not expected to | ||
| # follow Semantic Versioning. They should reflect the version the application is using. | ||
| # It is recommended to use it with quotes. | ||
| appVersion: "0.1.0" |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| apiVersion: gateway.networking.k8s.io/v1 | ||
| kind: GatewayClass | ||
| metadata: | ||
| name: envoy | ||
| spec: | ||
| controllerName: gateway.envoyproxy.io/gatewayclass-controller | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| apiVersion: gateway.networking.k8s.io/v1 | ||
| kind: Gateway | ||
| metadata: | ||
| name: {{ .Values.name }} | ||
| namespace: {{ .Release.Namespace }} | ||
| spec: | ||
| gatewayClassName: envoy | ||
| listeners: | ||
| - name: http | ||
| protocol: HTTP | ||
| port: 80 | ||
| allowedRoutes: | ||
| namespaces: | ||
| from: All | ||
|
|
||
| - name: https | ||
| protocol: HTTPS | ||
| port: 443 | ||
| tls: | ||
| mode: Terminate | ||
| certificateRefs: | ||
| - kind: Secret | ||
| group: "" | ||
| name: {{ .Values.certificateName }} | ||
| allowedRoutes: | ||
| namespaces: | ||
| from: All |
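Review bot: both listeners set `allowedRoutes.namespaces.from: All`, so any namespace in the cluster can attach an HTTPRoute to this Gateway and claim hostnames on it. Cross-namespace attachment is needed because the GitLab routes live in a different namespace than the Gateway, but `from: Selector` with a `namespaceSelector` that matches only the GitLab namespace(s) would limit who can bind without losing that. Consider also setting `hostname` on each listener to the domains this Gateway actually serves, so routes for unrelated hosts are rejected at the listener.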
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| apiVersion: gateway.networking.k8s.io/v1 | ||
| kind: HTTPRoute | ||
| metadata: | ||
| name: http-to-https | ||
| namespace: {{ .Release.Namespace }} | ||
| spec: | ||
| parentRefs: | ||
| - name: {{ .Values.name }} | ||
| sectionName: http | ||
| rules: | ||
| - filters: | ||
| - type: RequestRedirect | ||
| requestRedirect: | ||
| scheme: https | ||
| statusCode: 308 |
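Review bot: this redirect has no `hostnames` and no match, which makes it a catch-all on the `http` listener, but it is not an enforcement boundary: because that listener accepts routes from all namespaces, any other HTTPRoute attaching to `sectionName: http` with a more specific match is served over plain HTTP ahead of this rule. If the intent is that port 80 only ever redirects, the listener's `allowedRoutes` should be restricted to this release's namespace. `statusCode: 308` is the right choice here since it preserves the request method.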
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| name: gateway | ||
| certificateName: wildcard-certificate |
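Review bot: `certificateName: wildcard-certificate` is consumed by the Gateway's `certificateRefs` without a `namespace`, so the Secret must already exist in the namespace this chart is released into or the `https` listener will not become Programmed; a comment on this key stating that requirement (and that a Secret in another namespace would additionally need a `ReferenceGrant`) would save the next operator a silent TLS failure. Neither value carries a description; one comment line per key would be enough.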
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -14,14 +14,18 @@ global: | |
| name: ${registry_host}.${domain} | ||
| pages: | ||
| name: ${pages_host}.${domain} | ||
| https: false | ||
|
|
||
| ingress: | ||
| gatewayApi: | ||
| enabled: true | ||
| installEnvoy: false | ||
| configureCertmanager: false | ||
| class: nginx | ||
| tls: | ||
| enabled: true | ||
| secretName: "wildcard-certificate" | ||
| gatewayClass: envoy | ||
| gateway: | ||
| name: gateway | ||
| namespace: envoy-gateway-system | ||
|
|
||
| ingress: | ||
| enabled: false | ||
|
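Review bot: `gateway.namespace: envoy-gateway-system` pins the GitLab HTTPRoutes' parentRefs to a Gateway named `gateway` in that namespace, while the new gateway-config chart creates its Gateway in `{{ .Release.Namespace }}`; nothing in this change ties the two together, so document (or enforce in the deployment tooling) that gateway-config must be released into `envoy-gateway-system`, otherwise the routes never become Accepted. Also, `ingress.class: nginx` and `ingress.tls` remain alongside `ingress.enabled: false`; if the nginx ingress is retired by this PR, dropping them avoids a misleading configuration, and TLS now terminates at the Gateway using its own `certificateRefs` rather than this `secretName`.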
Comment on lines +18 to +28

🧩 Analysis chain

🌐 Web query:

💡 Result: Yes, the GitLab Helm chart version 9.10.3 supports Gateway API for GitLab Pages using HTTPRoute with TLS termination. Gateway API support was introduced starting from chart version 9.7 (corresponding to GitLab 18.7). In 9.10.3, enable it by setting global.gatewayApi.enabled=true in your values.yaml. The chart creates HTTPRoutes for services including Pages, referencing a pages-web listener in the Gateway with TLS mode: Terminate and certificateRefs to a pages-tls secret (wildcard certificate required for Pages domains *.pages.example.com). An optional HTTPRoute redirects HTTP to HTTPS. The chart can bundle Envoy Gateway (global.gatewayApi.installEnvoy=true) or reference an external Gateway API implementation like Envoy Gateway. GitLab Pages requires a user-provided wildcard TLS secret named <release>-pages-tls or customized via gitlab.gitlab-pages.ingress.tls.secretName. Providers must support HTTPRoutes, TCPRoutes (for SSH), RegularExpression matches, and ideally GRPCRoutes.

Citations:

🏁 Script executed:
#!/bin/bash
# Look for any Pages-specific Gateway/HTTPRoute templates produced by the gitlab chart locally
# and any pages-related routing configured in this repo.
rg -nP --hidden -C2 'pages|HTTPRoute|gatewayApi' helm/ terraform/ 2>/dev/null | head -200

Repository: clofour/gitlab-kubernetes
Length of output: 2896

🏁 Script executed:
#!/bin/bash
# Check pages configuration in values.yaml, especially TLS secret settings
rg -A 20 'pages:' helm/gitlab/values.yaml | head -100

Repository: clofour/gitlab-kubernetes
Length of output: 1281

🏁 Script executed:
#!/bin/bash
# Search for pages.ingress or pages TLS configuration more comprehensively
rg -n 'pages.*tls|gitlab-pages|pages.*ingress' helm/gitlab/values.yaml -i

Repository: clofour/gitlab-kubernetes
Length of output: 51

🏁 Script executed:
#!/bin/bash
# Search for pages-tls or pages certificate secret creation anywhere
# (-r was removed: it is ripgrep's replacement flag and would have made 'helm/' the search pattern)
rg 'pages-tls|pages.*certificate|pages.*secret' --iglob '*.yaml' --iglob '*.tf' --iglob '*.md' helm/ terraform/

Repository: clofour/gitlab-kubernetes
Length of output: 1047

🏁 Script executed:
#!/bin/bash
# Look for pages-tls in all files
rg 'pages-tls' helm/ terraform/ --type yaml --type tf

Repository: clofour/gitlab-kubernetes
Length of output: 51

🏁 Script executed:
#!/bin/bash
# Get the entire gitlab section to see gitlab-pages configuration
sed -n '/^gitlab:/,/^[a-z]/p' helm/gitlab/values.yaml | head -150

Repository: clofour/gitlab-kubernetes
Length of output: 583

Provide wildcard TLS secret for GitLab Pages.

The GitLab Helm chart 9.10.3 does support Gateway API for Pages with HTTPRoute and TLS termination. However, the configuration is missing the required wildcard TLS certificate secret. The chart expects either a secret named
||
|
|
||
| psql: | ||
| host: ${postgres_host} | ||
|
|
||
This file was deleted.
This file was deleted.
🧹 Nitpick | 🔵 Trivial

`GatewayClass` is cluster-scoped — beware of multi-release / uninstall coupling.

Packaging a cluster-scoped `GatewayClass` named `envoy` inside this chart means a `helm uninstall` (or a parallel install in another namespace) will delete/conflict on a cluster-global resource that may be in use by Gateways from other releases. Consider either:
- moving the `GatewayClass` to a separate, single-instance chart (or directly into Terraform), or
- gating it behind a values flag (`{{- if .Values.createGatewayClass }}`) so only one release owns it.