Merged
Conversation
Add Gateway API HTTPRoute templates for happa and happaapi: - route.yaml: HTTPRoute for happa frontend service - happaapi-route.yaml: HTTPRoute for kubernetes API proxy Features: - Support for all Gateway API route kinds (HTTPRoute, GRPCRoute, etc.) - Optional Envoy Gateway SecurityPolicy (CORS, JWT, OIDC, basicAuth, extAuth) - Configurable hostnames, parentRefs, matches, and filters - Template support for dynamic values The existing Ingress resources are preserved for backwards compatibility.
mcharriere
reviewed
Dec 12, 2025
| # defaultAction: Deny | ||
| # rules: [] | ||
|
|
||
| # Gateway API HTTPRoute for happaapi (kubernetes API proxy) |
Contributor
There was a problem hiding this comment.
since this is meant to proxy the kube api server (which has already certs), I think you'll need to add a BackendTLSPolicy
More info here https://gateway.envoyproxy.io/docs/tasks/security/backend-tls/
weatherhog
changed the title
weatherhog
changed the title
mcharriere
previously approved these changes
Dec 19, 2025
mcharriere
reviewed
Dec 19, 2025
__tests__/AppDetailPane.tsx
Outdated
| }) as HTMLButtonElement; | ||
| fireEvent.click(deleteButton); | ||
|
|
||
| // Wait for the success message first (confirms operation completed) |
Contributor
There was a problem hiding this comment.
I have no idea if this change might have some impact.
mcharriere
reviewed
Dec 19, 2025
| }) | ||
| ); | ||
|
|
||
| render( |
Contributor
There was a problem hiding this comment.
same here. this change is not related to the purpose of the PR
Add BackendTLSPolicy template and configuration for TLS between Gateway and backend, required when proxying to Kubernetes API server or other TLS backends. Features: - Support for ConfigMap and ClusterTrustBundle CA certificate references - Hostname validation for backend certificates - Option to use well-known CA certificates (system trust store) - Automatic sectionName detection for HTTPS ports This is essential for the happaapi route which proxies to the Kubernetes API server that uses TLS.
Set default hostname to 'kubernetes.default.svc.cluster.local' for BackendTLSPolicy when proxying to the kubernetes service. This ensures proper TLS certificate validation. The template also includes a fallback to automatically set this hostname if not explicitly configured and the backend is the kubernetes service.
According to Gateway API specification, the 'validation' section is required in BackendTLSPolicy, and 'hostname' is required within validation. Changes: - validation section is now always present (not conditional) - hostname is always set with appropriate defaults - Structure now matches Gateway API v1alpha3 specification
weatherhog
force-pushed
the
feat/gateway-api-support
branch
from
b9cc2a3 to
d7daf8b
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add Gateway API HTTPRoute templates for happa and happaapi:
Features:
The existing Ingress resources are preserved for backwards compatibility.
Issue: https://github.com/giantswarm/giantswarm/issues/34943