From db255ecaba9b9d810da378f36349db02a8aadc5d Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Mon, 9 Mar 2026 15:17:28 -0700 Subject: [PATCH 01/46] Adding charts for envoy-gateway --- charts/controlplane/Chart.yaml | 4 +++ .../values.aws.selfhosted-intracluster.yaml | 31 ++++++++++++++++++- 2 files changed, 34 insertions(+), 1 deletion(-) diff --git a/charts/controlplane/Chart.yaml b/charts/controlplane/Chart.yaml index 60fcc57c..74a83f3e 100644 --- a/charts/controlplane/Chart.yaml +++ b/charts/controlplane/Chart.yaml @@ -28,3 +28,7 @@ dependencies: version: 80.8.0 alias: monitoring condition: monitoring.enabled +- name: envoy-gateway + repository: oci://docker.io/envoyproxy/gateway-helm + version: 1.1.0 + condition: envoy-gateway.enabled diff --git a/charts/controlplane/values.aws.selfhosted-intracluster.yaml b/charts/controlplane/values.aws.selfhosted-intracluster.yaml index 2f9f3058..685174e1 100644 --- a/charts/controlplane/values.aws.selfhosted-intracluster.yaml +++ b/charts/controlplane/values.aws.selfhosted-intracluster.yaml @@ -34,6 +34,14 @@ global: + # Controls which ingress controller is active for this deployment. + # nginx - ingress-nginx Ingress objects only (default) + # envoy - Envoy Gateway API resources only + # both - both sets rendered simultaneously (parallel-run migration phase) + # Automatically set to "both" by Terraform when envoy-gateway/revisions.yaml + # exists in the environment directory. + ingressProvider: nginx + # AWS region for all resources # Example: "us-west-2", "us-east-1", "eu-west-1" AWS_REGION: "" 
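Review bot: The new `envoy-gateway` dependency in `Chart.yaml` is fetched from a public OCI registry pinned only by a mutable tag (`version: 1.1.0`), and no `Chart.lock` is part of this change, so what `helm dependency update` actually resolves is not reviewable from the diff. Commit the generated `Chart.lock` together with `Chart.yaml`, and have CI verify the pulled chart's provenance or signature (for example a cosign check on the OCI artifact) before it is vendored into the controlplane release. The chart content itself cannot be assessed from here.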
@@ -431,7 +439,28 @@ ingress-nginx: name: controlplane # ---------------------------------------------------------------------------- -# SECTION 9: Service-Specific Configuration +# SECTION 9: Envoy Gateway Configuration +# ---------------------------------------------------------------------------- +# Envoy Gateway is installed as a separate Helm release (via the envoy-gateway +# ArgoCD ApplicationSet) and is NOT a sub-chart of the controlplane chart. +# This section configures how the controlplane chart interacts with Envoy Gateway +# when it is present in the cluster. +# +# Automatically enabled by Terraform when envoy-gateway/revisions.yaml exists +# in the environment directory. Manual override possible by setting enabled: true. + +envoy-gateway: + # Set to true when Envoy Gateway is installed alongside this controlplane. + enabled: false + + # GatewayClass name created by the Envoy Gateway installation. + # Must match the gatewayClassName in the Gateway resource rendered by the + # controlplane chart when global.ingressProvider is "envoy" or "both". + # Uses a distinct name from the dataplane's gateway class to avoid conflicts. + gatewayClassName: controlplane-envoy + +# ---------------------------------------------------------------------------- +# SECTION 10: Service-Specific Configuration # ---------------------------------------------------------------------------- services: From 3f2fa532c0ba7107c0a3f5915ab4cce37a5a6df5 Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Tue, 10 Mar 2026 09:09:33 -0700 Subject: [PATCH 02/46] Fixing envoy-proxy repo url --- charts/controlplane/Chart.yaml | 2 +- .../values.gcp.selfhosted-intracluster.yaml | 31 ++++++++++++++++++- 2 files changed, 31 insertions(+), 2 deletions(-) diff --git a/charts/controlplane/Chart.yaml b/charts/controlplane/Chart.yaml index 74a83f3e..aa34b8e9 100644 --- a/charts/controlplane/Chart.yaml +++ b/charts/controlplane/Chart.yaml 
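Review bot: The SECTION 9 comment states Envoy Gateway "is NOT a sub-chart of the controlplane chart", but the `Chart.yaml` hunk in this same patch adds it as a dependency gated on `condition: envoy-gateway.enabled`, so setting `enabled: true` as instructed here would also install the sub-chart and put a second Envoy Gateway control plane (with its CRDs) next to the ArgoCD-managed release. Pick one model: drop the dependency from `Chart.yaml`, or rename this block so the "EG is present" flag is not the sub-chart's condition key, e.g. `envoyGateway: { installed: false, gatewayClassName: controlplane-envoy }`. Whichever you keep, the comment on `gatewayClassName` promises it matches what the chart's Gateway resource renders, so make sure the template that renders the Gateway reads this exact key rather than a `global.` one.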
@@ -29,6 +29,6 @@ dependencies: alias: monitoring condition: monitoring.enabled - name: envoy-gateway - repository: oci://docker.io/envoyproxy/gateway-helm + repository: oci://docker.io/envoyproxy version: 1.1.0 condition: envoy-gateway.enabled diff --git a/charts/controlplane/values.gcp.selfhosted-intracluster.yaml b/charts/controlplane/values.gcp.selfhosted-intracluster.yaml index 417a2e82..f8050978 100644 --- a/charts/controlplane/values.gcp.selfhosted-intracluster.yaml +++ b/charts/controlplane/values.gcp.selfhosted-intracluster.yaml @@ -34,6 +34,14 @@ global: + # Controls which ingress controller is active for this deployment. + # nginx - ingress-nginx Ingress objects only (default) + # envoy - Envoy Gateway API resources only + # both - both sets rendered simultaneously (parallel-run migration phase) + # Automatically set to "both" by Terraform when envoy-gateway/revisions.yaml + # exists in the environment directory. + ingressProvider: nginx + # Region for all resources # Example for GCP: "us-central1", "us-east1", "europe-west1" GCP_REGION: "us-central1" 
@@ -390,7 +398,28 @@ ingress: # Override here only if you need to customize auth behavior for this deployment mode. # ---------------------------------------------------------------------------- -# SECTION 7: NGINX Ingress Controller +# SECTION 7: Envoy Gateway Configuration +# ---------------------------------------------------------------------------- +# Envoy Gateway is installed as a separate Helm release (via the envoy-gateway +# ArgoCD ApplicationSet) and is NOT a sub-chart of the controlplane chart. +# This section configures how the controlplane chart interacts with Envoy Gateway +# when it is present in the cluster. +# +# Automatically enabled by Terraform when envoy-gateway/revisions.yaml exists +# in the environment directory. Manual override possible by setting enabled: true. + +envoy-gateway: + # Set to true when Envoy Gateway is installed alongside this controlplane. + enabled: false + + # GatewayClass name created by the Envoy Gateway installation. + # Must match the gatewayClassName in the Gateway resource rendered by the + # controlplane chart when global.ingressProvider is "envoy" or "both". + # Uses a distinct name from the dataplane's gateway class to avoid conflicts. + gatewayClassName: controlplane-envoy + +# ---------------------------------------------------------------------------- +# SECTION 8: NGINX Ingress Controller # ---------------------------------------------------------------------------- ingress-nginx: From 23b43bddac4f79d33b525197fdc1a65e51f24294 Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Tue, 10 Mar 2026 09:14:05 -0700 Subject: [PATCH 03/46] Fixing name of envoy-gateway chart and aliasing --- charts/controlplane/Chart.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/charts/controlplane/Chart.yaml b/charts/controlplane/Chart.yaml index aa34b8e9..be824f80 100644 --- a/charts/controlplane/Chart.yaml +++ b/charts/controlplane/Chart.yaml 
@@ -28,7 +28,8 @@ dependencies: version: 80.8.0 alias: monitoring condition: monitoring.enabled -- name: envoy-gateway +- name: gateway-helm + alias: envoy-gateway repository: oci://docker.io/envoyproxy - version: 1.1.0 + version: v1.7.0 condition: envoy-gateway.enabled From fdb6a5de0dde8d706f606927d9d2937d3de4bda1 Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Thu, 12 Mar 2026 17:19:45 -0700 Subject: [PATCH 04/46] Updating chart version --- charts/controlplane/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/controlplane/Chart.yaml b/charts/controlplane/Chart.yaml index be824f80..ca4cafa6 100644 --- a/charts/controlplane/Chart.yaml +++ b/charts/controlplane/Chart.yaml @@ -31,5 +31,5 @@ dependencies: - name: gateway-helm alias: envoy-gateway repository: oci://docker.io/envoyproxy - version: v1.7.0 + version: v1.6.4 condition: envoy-gateway.enabled From 247ea21666fb3f12f0825e3ff8b68daadb7413c2 Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Tue, 17 Mar 2026 16:37:56 -0700 Subject: [PATCH 05/46] Adding envoy gateway and routes --- .../templates/common/_gateway.yaml | 32 +++ .../common/_grpcroute-protected.yaml | 192 ++++++++++++++++++ .../common/_grpcroute-unprotected.yaml | 32 +++ .../common/_httproute-auth-proxy.yaml | 26 +++ .../common/_httproute-protected.yaml | 147 ++++++++++++++ .../common/_httproute-unprotected.yaml | 93 +++++++++ .../templates/flyte-core-app.yaml | 18 ++ 7 files changed, 540 insertions(+) create mode 100644 charts/controlplane/templates/common/_gateway.yaml create mode 100644 charts/controlplane/templates/common/_grpcroute-protected.yaml create mode 100644 charts/controlplane/templates/common/_grpcroute-unprotected.yaml create mode 100644 charts/controlplane/templates/common/_httproute-auth-proxy.yaml create mode 100644 charts/controlplane/templates/common/_httproute-protected.yaml create mode 100644 charts/controlplane/templates/common/_httproute-unprotected.yaml 
diff --git a/charts/controlplane/templates/common/_gateway.yaml b/charts/controlplane/templates/common/_gateway.yaml new file mode 100644 index 00000000..d15c4246 --- /dev/null +++ b/charts/controlplane/templates/common/_gateway.yaml @@ -0,0 +1,32 @@ +{{- define "control-plane-library.gateway" }} +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: {{ template "flyte.name" . }} + namespace: {{ template "flyte.namespace" . }} +spec: + gatewayClassName: {{ .Values.global.gatewayClassName }} + listeners: + - name: https + protocol: HTTPS + port: 443 + hostname: {{ .Values.global.UNION_HOST | quote }} + tls: + mode: Terminate + certificateRefs: + - kind: Secret + namespace: {{ .Values.global.TLS_SECRET_NAMESPACE }} + name: {{ .Values.global.TLS_SECRET_NAME }} + {{- if .Values.flyte.common.ingress.isServerless }} + - name: https-serverless + protocol: HTTPS + port: 443 + hostname: {{ .Values.flyte.common.ingress.serverlessVanityHost | quote }} + tls: + mode: Terminate + certificateRefs: + - kind: Secret + namespace: {{ .Values.global.TLS_SECRET_NAMESPACE }} + name: {{ .Values.global.TLS_SECRET_NAME }} + {{- end }} +{{- end }} diff --git a/charts/controlplane/templates/common/_grpcroute-protected.yaml b/charts/controlplane/templates/common/_grpcroute-protected.yaml new file mode 100644 index 00000000..a9b6fa89 --- /dev/null +++ b/charts/controlplane/templates/common/_grpcroute-protected.yaml 
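Review bot: `certificateRefs` names a Secret in `.Values.global.TLS_SECRET_NAMESPACE`, which may differ from the Gateway's namespace, and Gateway API only honours a cross-namespace Secret reference when a `ReferenceGrant` exists in the Secret's namespace; without it the listener is reported `ResolvedRefs=False` (`RefNotPermitted`) and never serves TLS. Nothing in this patch creates that grant, so unless one is managed outside the chart, render it next to the Gateway; a conditional version is below. Separately, the template reads `.Values.global.gatewayClassName` while the selfhosted values files added earlier in this series define `envoy-gateway.gatewayClassName` — confirm which key is intended, since the wrong one binds the Gateway to a different GatewayClass than the values comments describe.
```yaml
# … unchanged: Gateway resource above …
{{- if ne .Values.global.TLS_SECRET_NAMESPACE (include "flyte.namespace" .) }}
---
# Allow the Gateway to read the TLS Secret when it lives in another namespace.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
  name: {{ template "flyte.name" . }}-tls-secret
  namespace: {{ .Values.global.TLS_SECRET_NAMESPACE }}
spec:
  from:
    - group: gateway.networking.k8s.io
      kind: Gateway
      namespace: {{ template "flyte.namespace" . }}
  to:
    - group: ""
      kind: Secret
      name: {{ .Values.global.TLS_SECRET_NAME }}
{{- end }}
```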
@@ -0,0 +1,192 @@ +{{- define "control-plane-library.grpcroute-protected" }} +# NOTE: Auth enforcement (SecurityPolicy/ExtAuthz) is added in M2. +# Consolidates nginx protected-grpc, protected-grpc-streaming, apps-protected, +# and protected-grpc-high-tput ingresses. GRPCRoute service-level matches +# cover all methods; specific-method matches are used where routes vary by method. +apiVersion: gateway.networking.k8s.io/v1 +kind: GRPCRoute +metadata: + name: {{ template "flyte.name" . }}-grpc-protected + namespace: {{ template "flyte.namespace" . }} +spec: + parentRefs: + - name: {{ template "flyte.name" . }} + namespace: {{ template "flyte.namespace" . }} + hostnames: + - {{ .Values.global.UNION_HOST | quote }} + {{- if .Values.flyte.common.ingress.isServerless }} + - {{ .Values.flyte.common.ingress.serverlessVanityHost | quote }} + {{- end }} + rules: + # flyteadmin — protected gRPC (AdminService, ProjectService, IdentityService, etc.) + - matches: + - method: {service: "flyteidl.service.AdminService"} + - method: {service: "flyteidl2.project.ProjectService"} + - method: {service: "flyteidl2.auth.IdentityService"} + - method: {service: "flyteidl.service.WatchService"} + - method: {service: "cloudidl.cloudadmin.CloudAdminService"} + - method: {service: "flyteidl.service.IdentityService"} + - method: {service: "flyteidl.service.SignalService"} + backendRefs: + - name: flyteadmin + port: 81 + # execution-service + - matches: + - method: {service: "cloudidl.execution.ExecutionService"} + - method: {service: "cloudidl.echo.EchoService"} + - method: {service: "cloudidl.app.AppService"} + backendRefs: + - name: execution-service + port: 80 + # cluster-service + - matches: + - method: {service: "cloudidl.cluster.ClusterService"} + - method: {service: "cloudidl.cluster.ClusterNodepoolService"} + - method: {service: "cloudidl.cloudaccounts.CloudAccountsService"} + - method: {service: "cloudidl.cluster.ManagedClusterService"} + - method: {service: 
"cloudidl.clusterpool.ClusterPoolService"} + - method: {service: "cloudidl.clusterconfig.ClusterConfigService"} + backendRefs: + - name: cluster-service + port: 80 + # identity-service + - matches: + - method: {service: "cloudidl.apikey.APIKeyService"} + - method: {service: "cloudidl.identity.AppsService"} + - method: {service: "cloudidl.identity.UserService"} + - method: {service: "cloudidl.identity.MemberService"} + - method: {service: "cloudidl.identity.RoleService"} + - method: {service: "cloudidl.identity.PolicyService"} + - method: {service: "cloudidl.identity.IdentityService"} + backendRefs: + - name: identity-service + port: 83 + - matches: + - method: {service: "cloudidl.identity.SelfServe"} + backendRefs: + - name: identity-service + port: 80 + # organizations-service + - matches: + - method: {service: "cloudidl.org.OrgService"} + backendRefs: + - name: organizations-service + port: 83 + # usage-service + - matches: + - method: {service: "cloudidl.usage.UsageService"} + backendRefs: + - name: usage-service + port: 80 + # authorizer-service + - matches: + - method: {service: "cloudidl.authorizer.AuthorizerService"} + backendRefs: + - name: authorizer-service + port: 83 + # datacatalog + - matches: + - method: {service: "datacatalog.DataCatalog"} + backendRefs: + - name: datacatalog + port: 89 + # cacheservice + - matches: + - method: {service: "flyteidl.cacheservice.CacheService"} + - method: {service: "flyteidl.cacheservice.v2.CacheService"} + backendRefs: + - name: cacheservice + port: 89 + # dataproxy-service (gRPC) + - matches: + - method: {service: "cloudidl.actor.ActorEnvironmentService"} + - method: {service: "cloudidl.agent.AgentService"} + - method: {service: "cloudidl.clouddataproxy.CloudDataProxyService"} + - method: {service: "flyteidl.service.DataProxyService"} + - method: {service: "flyteidl2.dataproxy.DataProxyService"} + - method: {service: "cloudidl.logs.LogsService"} + - method: {service: "cloudidl.app.AppLogsService"} + - method: 
{service: "cloudidl.app.ReplicaService"} + - method: {service: "flyteidl2.app.AppService"} + - method: {service: "flyteidl2.app.AppLogsService"} + - method: {service: "flyteidl2.app.ReplicaService"} + backendRefs: + - name: dataproxy-service + port: 80 + # queue-service + - matches: + - method: {service: "cloudidl.workflow.QueueService"} + - method: {service: "cloudidl.workflow.StateService"} + - method: {service: "cloudidl.workflow.LeaseService"} + - method: {service: "flyteidl2.workflow.QueueService"} + - method: {service: "flyteidl2.workflow.StateService"} + backendRefs: + - name: queue-service + port: 80 + # image builder (dataproxy-service) + - matches: + - method: {service: "cloudidl.imagebuilder.ImageService"} + - method: {service: "flyteidl2.imagebuilder.ImageService"} + backendRefs: + - name: dataproxy-service + port: 80 + {{- if .Values.flyte.common.ingress.secretService }} + - matches: + - method: {service: "cloudidl.secret.SecretService"} + - method: {service: "flyteidl2.secret.SecretService"} + backendRefs: + - name: dataproxy-service + port: 80 + {{- end }} + {{- if .Values.artifacts.enabled }} + - matches: + - method: {service: "flyteidl.artifact.ArtifactRegistry"} + backendRefs: + - name: artifacts-service + port: 80 + {{- end }} + {{- if .Values.hooksService.enabled }} + - matches: + - method: {service: "cloudidl.hooks.HooksService"} + backendRefs: + - name: hooks-service + port: 80 + {{- end }} + {{- if .Values.workspaceService.enabled }} + - matches: + - method: {service: "cloudidl.workspace.WorkspaceRegistryService"} + - method: {service: "cloudidl.workspace.WorkspaceInstanceService"} + backendRefs: + - name: execution-service + port: 80 + {{- end }} + {{- if .Values.objectstore.controlPlane.enabled }} + - matches: + - method: {service: "cloudidl.objectstore.v1.ObjectStoreService"} + backendRefs: + - name: dataproxy-service + port: 80 + {{- end }} + {{- if .Values.unionv2.enabled }} + # Union v2 workflow services (execution-service) + - matches: 
+ - method: {service: "cloudidl.workflow.RunService"} + - method: {service: "cloudidl.workflow.InternalRunService"} + - method: {service: "cloudidl.workflow.TaskService"} + - method: {service: "cloudidl.workflow.TriggerService"} + - method: {service: "flyteidl2.workflow.RunService"} + - method: {service: "flyteidl2.workflow.TranslatorService"} + - method: {service: "flyteidl2.task.TaskService"} + - method: {service: "flyteidl2.trigger.TriggerService"} + backendRefs: + - name: execution-service + port: 80 + {{- if .Values.assistant.enabled }} + - matches: + - method: {service: "cloudidl.workflow.AssistantService"} + backendRefs: + - name: execution-service + port: 80 + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/controlplane/templates/common/_grpcroute-unprotected.yaml b/charts/controlplane/templates/common/_grpcroute-unprotected.yaml new file mode 100644 index 00000000..9c566cfc --- /dev/null +++ b/charts/controlplane/templates/common/_grpcroute-unprotected.yaml 
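Review bot: This GRPCRoute is rendered with no SecurityPolicy, so every listed service — including `cloudidl.apikey.APIKeyService`, `cloudidl.secret.SecretService`, `cloudidl.cloudadmin.CloudAdminService` and the `cloudidl.identity.*` services — becomes reachable on the Gateway's 443 listener without authentication as soon as `ingressProvider` is `envoy` or `both`; the header only says auth "is added in M2", which understates that. Make the header explicit, e.g. `# WARNING: no auth is enforced on these rules until M2; do not set ingressProvider=envoy/both on a reachable environment before then`, and put the resource behind an opt-in flag that defaults off until the SecurityPolicy lands. If the installed Envoy Gateway version supports `SecurityPolicy` with `authorization.defaultAction: Deny`, attaching a deny-by-default policy to this route now would make a forgotten M2 fail closed instead of open. Whether any backend enforces auth itself cannot be told from this template.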
@@ -0,0 +1,32 @@ +{{- define "control-plane-library.grpcroute-unprotected" }} +# Unauthenticated gRPC routes — health checks and auth metadata used by clients +# before they have a token. Mirrors the gRPC rules in the nginx unprotected ingress. +apiVersion: gateway.networking.k8s.io/v1 +kind: GRPCRoute +metadata: + name: {{ template "flyte.name" . }}-grpc-unprotected + namespace: {{ template "flyte.namespace" . }} +spec: + parentRefs: + - name: {{ template "flyte.name" . }} + namespace: {{ template "flyte.namespace" . }} + hostnames: + - {{ .Values.global.UNION_HOST | quote }} + {{- if .Values.flyte.common.ingress.isServerless }} + - {{ .Values.flyte.common.ingress.serverlessVanityHost | quote }} + {{- end }} + rules: + - matches: + - method: + service: "flyteidl.service.HealthService" + - method: + service: "flyteidl.service.AuthMetadataService" + - method: + service: "flyteidl2.auth.AuthMetadataService" + - method: + service: "flyteidl.service.WatchService" + method: "WatchExecutionStatusUpdates" + backendRefs: + - name: flyteadmin + port: 81 +{{- end }} diff --git a/charts/controlplane/templates/common/_httproute-auth-proxy.yaml b/charts/controlplane/templates/common/_httproute-auth-proxy.yaml new file mode 100644 index 00000000..11d8b7ee --- /dev/null +++ b/charts/controlplane/templates/common/_httproute-auth-proxy.yaml 
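Review bot: `flyteidl.service.WatchService/WatchExecutionStatusUpdates` is exposed without authentication here while the whole of `WatchService` is in the protected GRPCRoute; Gateway API gives a service+method match precedence over a service-only match, so this one RPC will bypass whatever auth is attached to the protected route in M2. If that is intentional (the comment says it mirrors the nginx unprotected ingress), record why above the rule, e.g. `# WatchExecutionStatusUpdates is deliberately public: <reason>; authorization for it happens in flyteadmin`, and confirm flyteadmin really does enforce it, since a public streaming RPC is also a cheap resource-exhaustion target. Otherwise drop the method-level match.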
@@ -0,0 +1,26 @@ +{{- define "control-plane-library.httproute-auth-proxy" }} +# Routes OAuth2 token requests to the auth-proxy service. +# NOTE: The nginx version uses Lua-based token caching (client body buffer, proxy_cache). +# That caching logic is replaced in M2 with a SecurityPolicy/custom filter. +# M3 provides a basic passthrough route. +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: auth-proxy + namespace: {{ template "flyte.namespace" . }} +spec: + parentRefs: + - name: {{ template "flyte.name" . }} + namespace: {{ template "flyte.namespace" . }} + hostnames: + - {{ .Values.global.UNION_HOST | quote }} + {{- if .Values.flyte.common.ingress.isServerless }} + - {{ .Values.flyte.common.ingress.serverlessVanityHost | quote }} + {{- end }} + rules: + - matches: + - path: {type: PathPrefix, value: "/auth-proxy/oauth2"} + backendRefs: + - name: auth-proxy-service + port: 443 +{{- end }} diff --git a/charts/controlplane/templates/common/_httproute-protected.yaml b/charts/controlplane/templates/common/_httproute-protected.yaml new file mode 100644 index 00000000..29d977e0 --- /dev/null +++ b/charts/controlplane/templates/common/_httproute-protected.yaml 
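Review bot: The backendRef targets `auth-proxy-service` on port 443, which suggests the backend expects TLS, but a plain HTTPRoute backendRef makes Envoy send cleartext HTTP to that port; with Gateway API, TLS origination to a backend needs a `BackendTLSPolicy` targeting the Service (or the route must point at a plaintext port). Check what the nginx ingress used for this backend (a `backend-protocol: HTTPS` annotation or not) and add the policy or change the port accordingly. The header should also state that, until M2, nothing replaces the nginx-side token caching, so every `/auth-proxy/oauth2` request reaches the backend, e.g. `# M3: no token caching or request buffering at the gateway; all requests hit auth-proxy directly`.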
@@ -0,0 +1,147 @@ +{{- define "control-plane-library.httproute-protected" }} +# NOTE: Auth enforcement (SecurityPolicy/ExtAuthz) is added in M2. +# These routes currently allow unauthenticated access — they match the +# nginx protected-ingress paths but without the auth-url annotation. +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: {{ template "flyte.name" . }}-protected + namespace: {{ template "flyte.namespace" . }} +spec: + parentRefs: + - name: {{ template "flyte.name" . }} + namespace: {{ template "flyte.namespace" . }} + hostnames: + - {{ .Values.global.UNION_HOST | quote }} + {{- if .Values.flyte.common.ingress.isServerless }} + - {{ .Values.flyte.common.ingress.serverlessVanityHost | quote }} + {{- end }} + rules: + # Flyte REST API + - matches: + - path: {type: PathPrefix, value: "/api"} + - path: {type: PathPrefix, value: "/v1"} + - path: {type: PathPrefix, value: "/cloudadmin"} + backendRefs: + - name: flyteadmin + port: 80 + # Dataproxy HTTP + - matches: + - path: {type: PathPrefix, value: "/actor"} + - path: {type: PathPrefix, value: "/agent"} + - path: {type: PathPrefix, value: "/dataplane"} + - path: {type: PathPrefix, value: "/spark-history-server"} + - path: {type: PathPrefix, value: "/api/v1/dataproxy"} + - path: {type: PathPrefix, value: "/cloudidl.support.SupportService"} + backendRefs: + - name: dataproxy-service + port: 81 + # Execution service HTTP + - matches: + - path: {type: PathPrefix, value: "/app"} + - path: {type: PathPrefix, value: "/apps"} + - path: {type: PathPrefix, value: "/echo"} + - path: {type: PathPrefix, value: "/execution"} + backendRefs: + - name: execution-service + port: 81 + # Cluster service HTTP + - matches: + - path: {type: PathPrefix, value: "/cluster"} + - path: {type: PathPrefix, value: "/clusterpool"} + - path: {type: PathPrefix, value: "/clusterconfig"} + - path: {type: PathPrefix, value: "/managed_cluster"} + backendRefs: + - name: cluster-service + port: 81 + # Identity service 
HTTP + - matches: + - path: {type: PathPrefix, value: "/oauth_app"} + - path: {type: PathPrefix, value: "/users"} + - path: {type: PathPrefix, value: "/members"} + - path: {type: PathPrefix, value: "/roles"} + - path: {type: PathPrefix, value: "/policies"} + - path: {type: PathPrefix, value: "/identities"} + backendRefs: + - name: identity-service + port: 81 + # Organizations service HTTP + - matches: + - path: {type: PathPrefix, value: "/org"} + backendRefs: + - name: organizations-service + port: 81 + # Authorizer service HTTP + - matches: + - path: {type: PathPrefix, value: "/authorizer"} + backendRefs: + - name: authorizer-service + port: 81 + # Usage service HTTP + - matches: + - path: {type: PathPrefix, value: "/usage"} + backendRefs: + - name: usage-service + port: 81 + {{- if .Values.dataproxy.prometheus.enabled }} + # Prometheus (via dataproxy) + - matches: + - path: {type: PathPrefix, value: "/prometheus"} + backendRefs: + - name: dataproxy-service + port: 81 + {{- end }} + {{- if .Values.grafana.enabled }} + # Grafana + - matches: + - path: {type: PathPrefix, value: "/grafana/d-solo"} + - path: {type: PathPrefix, value: "/grafana/api"} + - path: {type: PathPrefix, value: "/grafana/public"} + backendRefs: + - name: {{ include "grafana.fullname" .Subcharts.grafana }} + port: 80 + {{- end }} + {{- if .Values.workspaceService.enabled }} + # Workspace service HTTP + - matches: + - path: {type: PathPrefix, value: "/workspace_registry"} + - path: {type: PathPrefix, value: "/workspace_instance"} + backendRefs: + - name: execution-service + port: 81 + {{- end }} + {{- if .Values.artifacts.enabled }} + # Artifacts service HTTP + - matches: + - path: {type: PathPrefix, value: "/artifacts"} + backendRefs: + - name: artifacts-service + port: 81 + {{- end }} + # Console (React SPA) — /console, /dashboard, /resources, /cost, /loading + - matches: + - path: {type: PathPrefix, value: "/console"} + - path: {type: PathPrefix, value: "/dashboard"} + - path: {type: 
PathPrefix, value: "/resources"} + - path: {type: PathPrefix, value: "/cost"} + - path: {type: PathPrefix, value: "/loading"} + backendRefs: + - name: flyteconsole + port: 80 + {{- if .Values.unionv2.enabled }} + # Union v2 console + - matches: + - path: {type: PathPrefix, value: "/v2"} + backendRefs: + - name: unionconsole + port: 80 + {{- end }} + {{- if .Values.flyte.common.ingress.isServerless }} + # Serverless root catch-all → console + - matches: + - path: {type: PathPrefix, value: "/"} + backendRefs: + - name: flyteconsole + port: 80 + {{- end }} +{{- end }} diff --git a/charts/controlplane/templates/common/_httproute-unprotected.yaml b/charts/controlplane/templates/common/_httproute-unprotected.yaml new file mode 100644 index 00000000..26d501f6 --- /dev/null +++ b/charts/controlplane/templates/common/_httproute-unprotected.yaml 
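Review bot: Rendering this HTTPRoute makes `/api`, `/v1`, `/cloudadmin`, `/oauth_app`, `/users`, `/roles`, `/policies` and the other admin and identity paths reachable through the Envoy listener with no authentication, as the header comment itself acknowledges; and because `global.ingressProvider` is documented as being flipped to `both` automatically by Terraform, that exposure is triggered by a file appearing in an environment directory rather than by a deliberate opt-in. Until the M2 SecurityPolicy exists, gate the resource on an explicit flag that defaults off — wrap it in `{{- if .Values.global.envoyProtectedRoutesWithoutAuth }}` … `{{- end }}` — and document in values.yaml that enabling it publishes these backends unauthenticated. The nginx ingress this mirrors relied on `auth-url` per the header, so assume the backends do not enforce auth themselves unless verified.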
@@ -0,0 +1,93 @@ +{{- define "control-plane-library.httproute-unprotected" }} +# WARNING: any route here is accessible without authentication. +# Flyteadmin acts as an auth server and is therefore publicly accessible. +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: {{ template "flyte.name" . }}-unprotected + namespace: {{ template "flyte.namespace" . }} +spec: + parentRefs: + - name: {{ template "flyte.name" . }} + namespace: {{ template "flyte.namespace" . }} + hostnames: + - {{ .Values.global.UNION_HOST | quote }} + {{- if .Values.flyte.common.ingress.isServerless }} + - {{ .Values.flyte.common.ingress.serverlessVanityHost | quote }} + {{- end }} + rules: + # Auth / identity endpoints — publicly required for OIDC flows + - matches: + - path: {type: PathPrefix, value: "/.well-known"} + backendRefs: + - name: flyteadmin + port: 80 + - matches: + - path: {type: PathPrefix, value: "/login"} + backendRefs: + - name: flyteadmin + port: 80 + - matches: + - path: {type: PathPrefix, value: "/logout"} + backendRefs: + - name: flyteadmin + port: 80 + - matches: + - path: {type: PathPrefix, value: "/callback"} + backendRefs: + - name: flyteadmin + port: 80 + - matches: + - path: {type: PathPrefix, value: "/config"} + backendRefs: + - name: flyteadmin + port: 80 + - matches: + - path: {type: PathPrefix, value: "/oauth2"} + backendRefs: + - name: flyteadmin + port: 80 + - matches: + - path: {type: PathPrefix, value: "/auth"} + backendRefs: + - name: flyteadmin + port: 80 + - matches: + - path: {type: Exact, value: "/me"} + backendRefs: + - name: flyteadmin + port: 80 + - matches: + - path: {type: Exact, value: "/healthcheck"} + backendRefs: + - name: flyteadmin + port: 80 + # OpenAPI / redoc — port 87 in flyteadmin + - matches: + - path: {type: PathPrefix, value: "/openapi"} + backendRefs: + - name: flyteadmin + port: 87 + # Console healthcheck + - matches: + - path: {type: Exact, value: "/healthz"} + backendRefs: + - name: flyteconsole + port: 
8080 + # Webhook endpoints + - matches: + - path: {type: PathPrefix, value: "/enqueue_metronome_request/v1"} + backendRefs: + - name: usage-service + port: 81 + - matches: + - path: {type: PathPrefix, value: "/enqueue_stripe_request/v1"} + backendRefs: + - name: usage-service + port: 81 + - matches: + - path: {type: PathPrefix, value: "/okta_event_webhook/v1"} + backendRefs: + - name: hooks-service + port: 81 +{{- end }} diff --git a/charts/controlplane/templates/flyte-core-app.yaml b/charts/controlplane/templates/flyte-core-app.yaml index 8914bb5a..a0738658 100644 --- a/charts/controlplane/templates/flyte-core-app.yaml +++ b/charts/controlplane/templates/flyte-core-app.yaml @@ -1,5 +1,7 @@ {{- include "control-plane-library.flyteadmin" . }} --- +{{- /* ingress-nginx Ingress objects — active when ingressProvider is "nginx" (default) or "both" (parallel-run migration phase) */}} +{{- if or (eq (default "nginx" .Values.global.ingressProvider) "nginx") (eq .Values.global.ingressProvider "both") }} {{- include "control-plane-library.dataproxy-ingress" . }} --- {{- include "control-plane-library.usage-ingress" . }} @@ -10,3 +12,19 @@ --- {{- include "control-plane-library.console-protected-ingress" . }} --- +{{- end }} +{{- /* Envoy Gateway API resources — active when ingressProvider is "envoy" or "both" */}} +{{- if or (eq .Values.global.ingressProvider "envoy") (eq .Values.global.ingressProvider "both") }} +{{- include "control-plane-library.gateway" . }} +--- +{{- include "control-plane-library.httproute-unprotected" . }} +--- +{{- include "control-plane-library.httproute-protected" . }} +--- +{{- include "control-plane-library.grpcroute-unprotected" . }} +--- +{{- include "control-plane-library.grpcroute-protected" . }} +--- +{{- include "control-plane-library.httproute-auth-proxy" . }} +--- +{{- end }} From 907f8ec6b3776bc55e5a0f7106a23e0a00009fdc Mon Sep 17 00:00:00 2001 
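Review bot: The three webhook rules (`/enqueue_metronome_request/v1`, `/enqueue_stripe_request/v1`, `/okta_event_webhook/v1`) are internet-facing POST endpoints with no rate limit or body-size cap at the gateway, and nothing in this template shows how callers are authenticated; presumably `usage-service` and `hooks-service` verify provider signatures, but that should be stated, e.g. `# Webhook endpoints: unauthenticated by design; callers are verified by backend signature checks (Metronome/Stripe/Okta)`. Once a BackendTrafficPolicy is in place, a rate limit on these rules would be a cheap guard. The `/okta_event_webhook/v1` rule is also unconditional; if `hooks-service` is optional in this chart, gate the rule so a public path does not resolve to a missing backend.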
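Review bot: An `ingressProvider` value other than `nginx`, `envoy` or `both` (a typo, a stray capital) satisfies neither condition in this file, so no ingress of either kind is rendered and the deployment silently loses its public endpoint; and the nginx branch applies `default "nginx"` while the envoy branch compares the raw value, so an unset key is handled differently by the two checks. Compute the provider once and fail fast on unknown values: `{{- $provider := default "nginx" .Values.global.ingressProvider }}`, `{{- if not (has $provider (list "nginx" "envoy" "both")) }}{{ fail (printf "global.ingressProvider must be nginx, envoy or both (got %q)" $provider) }}{{- end }}`, then test `$provider` in both conditions. Given that the values comments say Terraform sets `both` automatically, also consider requiring an explicit opt-in before the protected Envoy routes (which carry no auth yet per their own headers) are included here.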
From: Laura Barton Date: Tue, 17 Mar 2026 16:53:24 -0700 Subject: [PATCH 06/46] Cleaning up charts to remove unused blocks --- .../common/_grpcroute-protected.yaml | 31 ++------------ .../common/_httproute-protected.yaml | 42 +------------------ 2 files changed, 5 insertions(+), 68 deletions(-) diff --git a/charts/controlplane/templates/common/_grpcroute-protected.yaml b/charts/controlplane/templates/common/_grpcroute-protected.yaml index a9b6fa89..61aed355 100644 --- a/charts/controlplane/templates/common/_grpcroute-protected.yaml +++ b/charts/controlplane/templates/common/_grpcroute-protected.yaml @@ -14,9 +14,6 @@ spec: namespace: {{ template "flyte.namespace" . }} hostnames: - {{ .Values.global.UNION_HOST | quote }} - {{- if .Values.flyte.common.ingress.isServerless }} - - {{ .Values.flyte.common.ingress.serverlessVanityHost | quote }} - {{- end }} rules: # flyteadmin — protected gRPC (AdminService, ProjectService, IdentityService, etc.) - matches: 
@@ -138,36 +135,21 @@ spec: - name: dataproxy-service port: 80 {{- end }} - {{- if .Values.artifacts.enabled }} + {{- if ((.Values.artifacts).enabled) }} - matches: - method: {service: "flyteidl.artifact.ArtifactRegistry"} backendRefs: - name: artifacts-service port: 80 {{- end }} - {{- if .Values.hooksService.enabled }} - - matches: - - method: {service: "cloudidl.hooks.HooksService"} - backendRefs: - - name: hooks-service - port: 80 - {{- end }} - {{- if .Values.workspaceService.enabled }} - - matches: - - method: {service: "cloudidl.workspace.WorkspaceRegistryService"} - - method: {service: "cloudidl.workspace.WorkspaceInstanceService"} - backendRefs: - - name: execution-service - port: 80 - {{- end }} - {{- if .Values.objectstore.controlPlane.enabled }} + {{- if (((.Values.objectstore).controlPlane).enabled) }} - matches: - method: {service: "cloudidl.objectstore.v1.ObjectStoreService"} backendRefs: - name: dataproxy-service port: 80 {{- end }} - {{- if .Values.unionv2.enabled }} + {{- if ((.Values.unionv2).enabled) }} # Union v2 workflow services (execution-service) - matches: - method: {service: "cloudidl.workflow.RunService"} @@ -181,12 +163,5 @@ spec: backendRefs: - name: execution-service port: 80 - {{- if .Values.assistant.enabled }} - - matches: - - method: {service: "cloudidl.workflow.AssistantService"} - backendRefs: - - name: execution-service - port: 80 - {{- end }} {{- end }} {{- end }} diff --git a/charts/controlplane/templates/common/_httproute-protected.yaml b/charts/controlplane/templates/common/_httproute-protected.yaml index 29d977e0..9381b76a 100644 --- a/charts/controlplane/templates/common/_httproute-protected.yaml +++ b/charts/controlplane/templates/common/_httproute-protected.yaml 
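Review bot: Switching to nil-safe lookups such as `((.Values.artifacts).enabled)` and `(((.Values.objectstore).controlPlane).enabled)` means a missing or misspelled key silently renders no route instead of failing the template; that is the right default for optional components, but it is not obvious to the next reader, so say so in the header, e.g. `# artifacts/objectstore/unionv2 rules render only when the corresponding values key exists and is true; absent keys are treated as disabled`. A `helm lint`/template check in CI that renders with each of these enabled would catch a typo that this form now hides.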
@@ -13,9 +13,6 @@ spec: namespace: {{ template "flyte.namespace" . }} hostnames: - {{ .Values.global.UNION_HOST | quote }} - {{- if .Values.flyte.common.ingress.isServerless }} - - {{ .Values.flyte.common.ingress.serverlessVanityHost | quote }} - {{- end }} rules: # Flyte REST API - matches: @@ -83,34 +80,7 @@ spec: backendRefs: - name: usage-service port: 81 - {{- if .Values.dataproxy.prometheus.enabled }} - # Prometheus (via dataproxy) - - matches: - - path: {type: PathPrefix, value: "/prometheus"} - backendRefs: - - name: dataproxy-service - port: 81 - {{- end }} - {{- if .Values.grafana.enabled }} - # Grafana - - matches: - - path: {type: PathPrefix, value: "/grafana/d-solo"} - - path: {type: PathPrefix, value: "/grafana/api"} - - path: {type: PathPrefix, value: "/grafana/public"} - backendRefs: - - name: {{ include "grafana.fullname" .Subcharts.grafana }} - port: 80 - {{- end }} - {{- if .Values.workspaceService.enabled }} - # Workspace service HTTP - - matches: - - path: {type: PathPrefix, value: "/workspace_registry"} - - path: {type: PathPrefix, value: "/workspace_instance"} - backendRefs: - - name: execution-service - port: 81 - {{- end }} - {{- if .Values.artifacts.enabled }} + {{- if ((.Values.artifacts).enabled) }} # Artifacts service HTTP - matches: - path: {type: PathPrefix, value: "/artifacts"} @@ -128,7 +98,7 @@ spec: backendRefs: - name: flyteconsole port: 80 - {{- if .Values.unionv2.enabled }} + {{- if ((.Values.unionv2).enabled) }} # Union v2 console - matches: - path: {type: PathPrefix, value: "/v2"} @@ -136,12 +106,4 @@ spec: - name: unionconsole port: 80 {{- end }} - {{- if .Values.flyte.common.ingress.isServerless }} - # Serverless root catch-all → console - - matches: - - path: {type: PathPrefix, value: "/"} - backendRefs: - - name: flyteconsole - port: 80 - {{- end }} {{- end }} From a190f342dee1cc0f92891c3f5ae7b854442ffbef Mon Sep 17 00:00:00 2001 
From: Laura Barton Date: Tue, 17 Mar 2026 17:04:37 -0700 Subject: [PATCH 07/46] Adding missing EG variables --- charts/controlplane/values.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/charts/controlplane/values.yaml b/charts/controlplane/values.yaml index f814a9c5..129ee717 100644 --- a/charts/controlplane/values.yaml +++ b/charts/controlplane/values.yaml @@ -51,6 +51,17 @@ global: # Contact Union for controlplane access and distribution. IMAGE_REPOSITORY_PREFIX: "643379628101.dkr.ecr.us-east-1.amazonaws.com/union-cp" + # Authorization type for RBAC. Set to "union" to enable UserClouds-based authorization. + # Controls union-authz pod deployment and all four authorizer blocks (union services, + # flyteadmin, cacheservice). Leave empty or set to "noop" to disable (default). + # Visible to subcharts (flyte-core) via global scope. + AUTHZ_TYPE: "" + # Ingress controller provider. Options: "nginx", "envoy", "both" + ingressProvider: nginx + + # GatewayClass name for Envoy Gateway. Used when ingressProvider is "envoy" or "both". + gatewayClassName: envoy + # OAuth2 client ID for service-to-service authentication (client_credentials flow). # Services use this to acquire tokens for internal calls through nginx. # Example: "0oa3xyz4abc5def6g7h8" From 39bd80126c0b524b19e298256f4ee4dbb7e7e227 Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Wed, 18 Mar 2026 08:36:06 -0700 Subject: [PATCH 08/46] Updating global variables to new format --- charts/controlplane/templates/common/_gateway.yaml | 2 +- charts/controlplane/templates/flyte-core-app.yaml | 8 ++++---- .../controlplane/values.aws.selfhosted-intracluster.yaml | 2 +- .../controlplane/values.gcp.selfhosted-intracluster.yaml | 2 +- charts/controlplane/values.yaml | 6 +++--- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/charts/controlplane/templates/common/_gateway.yaml b/charts/controlplane/templates/common/_gateway.yaml index d15c4246..8ddd47ea 100644 
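Review bot: The new `AUTHZ_TYPE` default of `""` turns authorization off unless an operator deliberately sets it, but the comment only says "disable (default)" without spelling out the consequence, and as a `global` value it is inherited by every selfhosted values file. I would extend the comment with `# WARNING: "" or "noop" means no authorization policy is evaluated — leave empty only where that is intended; set "union" for RBAC.` and have the selfhosted values files set the key explicitly rather than inherit the empty default. Whether an empty value lets every authenticated caller through cannot be seen in this hunk — confirm against union-authz before wording the warning.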
--- a/charts/controlplane/templates/common/_gateway.yaml +++ b/charts/controlplane/templates/common/_gateway.yaml @@ -5,7 +5,7 @@ metadata: name: {{ template "flyte.name" . }} namespace: {{ template "flyte.namespace" . }} spec: - gatewayClassName: {{ .Values.global.gatewayClassName }} + gatewayClassName: {{ .Values.global.GATEWAY_CLASS_NAME }} listeners: - name: https protocol: HTTPS diff --git a/charts/controlplane/templates/flyte-core-app.yaml b/charts/controlplane/templates/flyte-core-app.yaml index a0738658..7d63c5b3 100644 --- a/charts/controlplane/templates/flyte-core-app.yaml +++ b/charts/controlplane/templates/flyte-core-app.yaml @@ -1,7 +1,7 @@ {{- include "control-plane-library.flyteadmin" . }} --- -{{- /* ingress-nginx Ingress objects — active when ingressProvider is "nginx" (default) or "both" (parallel-run migration phase) */}} -{{- if or (eq (default "nginx" .Values.global.ingressProvider) "nginx") (eq .Values.global.ingressProvider "both") }} +{{- /* ingress-nginx Ingress objects — active when INGRESS_PROVIDER is "nginx" (default) or "both" (parallel-run migration phase) */}} +{{- if or (eq (default "nginx" .Values.global.INGRESS_PROVIDER) "nginx") (eq .Values.global.INGRESS_PROVIDER "both") }} {{- include "control-plane-library.dataproxy-ingress" . }} --- {{- include "control-plane-library.usage-ingress" . }} @@ -13,8 +13,8 @@ {{- include "control-plane-library.console-protected-ingress" . }} --- {{- end }} -{{- /* Envoy Gateway API resources — active when ingressProvider is "envoy" or "both" */}} -{{- if or (eq .Values.global.ingressProvider "envoy") (eq .Values.global.ingressProvider "both") }} +{{- /* Envoy Gateway API resources — active when INGRESS_PROVIDER is "envoy" or "both" */}} +{{- if or (eq .Values.global.INGRESS_PROVIDER "envoy") (eq .Values.global.INGRESS_PROVIDER "both") }} {{- include "control-plane-library.gateway" . }} --- {{- include "control-plane-library.httproute-unprotected" . }} 
diff --git a/charts/controlplane/values.aws.selfhosted-intracluster.yaml b/charts/controlplane/values.aws.selfhosted-intracluster.yaml index 685174e1..d7c5b03c 100644 --- a/charts/controlplane/values.aws.selfhosted-intracluster.yaml +++ b/charts/controlplane/values.aws.selfhosted-intracluster.yaml @@ -40,7 +40,7 @@ global: # both - both sets rendered simultaneously (parallel-run migration phase) # Automatically set to "both" by Terraform when envoy-gateway/revisions.yaml # exists in the environment directory. - ingressProvider: nginx + INGRESS_PROVIDER: nginx # AWS region for all resources # Example: "us-west-2", "us-east-1", "eu-west-1" diff --git a/charts/controlplane/values.gcp.selfhosted-intracluster.yaml b/charts/controlplane/values.gcp.selfhosted-intracluster.yaml index f8050978..3e07521f 100644 --- a/charts/controlplane/values.gcp.selfhosted-intracluster.yaml +++ b/charts/controlplane/values.gcp.selfhosted-intracluster.yaml @@ -40,7 +40,7 @@ global: # both - both sets rendered simultaneously (parallel-run migration phase) # Automatically set to "both" by Terraform when envoy-gateway/revisions.yaml # exists in the environment directory. - ingressProvider: nginx + INGRESS_PROVIDER: nginx # Region for all resources # Example for GCP: "us-central1", "us-east1", "europe-west1" diff --git a/charts/controlplane/values.yaml b/charts/controlplane/values.yaml index 129ee717..b527048b 100644 --- a/charts/controlplane/values.yaml +++ b/charts/controlplane/values.yaml 
@@ -57,10 +57,10 @@ global: # Visible to subcharts (flyte-core) via global scope. AUTHZ_TYPE: "" # Ingress controller provider. Options: "nginx", "envoy", "both" - ingressProvider: nginx + INGRESS_PROVIDER: nginx - # GatewayClass name for Envoy Gateway. Used when ingressProvider is "envoy" or "both". - gatewayClassName: envoy + # GatewayClass name for Envoy Gateway. Used when INGRESS_PROVIDER is "envoy" or "both". + GATEWAY_CLASS_NAME: envoy # OAuth2 client ID for service-to-service authentication (client_credentials flow). # Services use this to acquire tokens for internal calls through nginx. From cab6c6aa6b304d640f75f245d2aabe0d60762d09 Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Thu, 19 Mar 2026 09:43:08 -0700 Subject: [PATCH 09/46] Fixing port for flyteconsole --- .../controlplane/templates/common/_httproute-unprotected.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/controlplane/templates/common/_httproute-unprotected.yaml b/charts/controlplane/templates/common/_httproute-unprotected.yaml index 26d501f6..f2d6c20d 100644 --- a/charts/controlplane/templates/common/_httproute-unprotected.yaml +++ b/charts/controlplane/templates/common/_httproute-unprotected.yaml @@ -73,7 +73,7 @@ spec: - path: {type: Exact, value: "/healthz"} backendRefs: - name: flyteconsole - port: 8080 + port: 80 # Webhook endpoints - matches: - path: {type: PathPrefix, value: "/enqueue_metronome_request/v1"} From 54430500b4cda6d9ba068a59685db8da68884836 Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Thu, 19 Mar 2026 09:53:59 -0700 Subject: [PATCH 10/46] Removing auth-proxy reference in selfhosted --- .../common/_httproute-auth-proxy.yaml | 26 ------------------- .../templates/flyte-core-app.yaml | 2 -- 2 files changed, 28 deletions(-) delete mode 100644 charts/controlplane/templates/common/_httproute-auth-proxy.yaml 
diff --git a/charts/controlplane/templates/common/_httproute-auth-proxy.yaml b/charts/controlplane/templates/common/_httproute-auth-proxy.yaml deleted file mode 100644 index 11d8b7ee..00000000 --- a/charts/controlplane/templates/common/_httproute-auth-proxy.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{- define "control-plane-library.httproute-auth-proxy" }} -# Routes OAuth2 token requests to the auth-proxy service. -# NOTE: The nginx version uses Lua-based token caching (client body buffer, proxy_cache). -# That caching logic is replaced in M2 with a SecurityPolicy/custom filter. -# M3 provides a basic passthrough route. -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: auth-proxy - namespace: {{ template "flyte.namespace" . }} -spec: - parentRefs: - - name: {{ template "flyte.name" . }} - namespace: {{ template "flyte.namespace" . }} - hostnames: - - {{ .Values.global.UNION_HOST | quote }} - {{- if .Values.flyte.common.ingress.isServerless }} - - {{ .Values.flyte.common.ingress.serverlessVanityHost | quote }} - {{- end }} - rules: - - matches: - - path: {type: PathPrefix, value: "/auth-proxy/oauth2"} - backendRefs: - - name: auth-proxy-service - port: 443 -{{- end }} diff --git a/charts/controlplane/templates/flyte-core-app.yaml b/charts/controlplane/templates/flyte-core-app.yaml index 7d63c5b3..c7372413 100644 --- a/charts/controlplane/templates/flyte-core-app.yaml +++ b/charts/controlplane/templates/flyte-core-app.yaml @@ -25,6 +25,4 @@ --- {{- include "control-plane-library.grpcroute-protected" . }} --- -{{- include "control-plane-library.httproute-auth-proxy" . }} ---- {{- end }} From f330f62d7fddc7aad89276fd2c7239e46d29d849 Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Fri, 20 Mar 2026 11:55:22 -0700 Subject: [PATCH 11/46] Adding gate check for enabled features --- .../common/_grpcroute-protected.yaml | 22 +++++++++++++++++++ .../common/_httproute-protected.yaml | 17 ++++++++++++++ 2 files changed, 39 insertions(+) 
diff --git a/charts/controlplane/templates/common/_grpcroute-protected.yaml b/charts/controlplane/templates/common/_grpcroute-protected.yaml index 61aed355..f66e1233 100644 --- a/charts/controlplane/templates/common/_grpcroute-protected.yaml +++ b/charts/controlplane/templates/common/_grpcroute-protected.yaml @@ -149,6 +149,21 @@ spec: - name: dataproxy-service port: 80 {{- end }} + {{- if ((.Values.hooksService).enabled) }} + - matches: + - method: {service: "cloudidl.hooks.HooksService"} + backendRefs: + - name: hooks-service + port: 80 + {{- end }} + {{- if ((.Values.workspaceService).enabled) }} + - matches: + - method: {service: "cloudidl.workspace.WorkspaceRegistryService"} + - method: {service: "cloudidl.workspace.WorkspaceInstanceService"} + backendRefs: + - name: execution-service + port: 80 + {{- end }} {{- if ((.Values.unionv2).enabled) }} # Union v2 workflow services (execution-service) - matches: @@ -163,5 +178,12 @@ spec: backendRefs: - name: execution-service port: 80 + {{- if ((.Values.assistant).enabled) }} + - matches: + - method: {service: "cloudidl.workflow.AssistantService"} + backendRefs: + - name: execution-service + port: 80 + {{- end }} {{- end }} {{- end }} diff --git a/charts/controlplane/templates/common/_httproute-protected.yaml b/charts/controlplane/templates/common/_httproute-protected.yaml index 9381b76a..dcc8589d 100644 --- a/charts/controlplane/templates/common/_httproute-protected.yaml +++ b/charts/controlplane/templates/common/_httproute-protected.yaml 
@@ -88,6 +88,23 @@ spec: - name: artifacts-service port: 81 {{- end }} + {{- if ((.Values.workspaceService).enabled) }} + # Workspace service HTTP + - matches: + - path: {type: PathPrefix, value: "/workspace_registry"} + - path: {type: PathPrefix, value: "/workspace_instance"} + backendRefs: + - name: execution-service + port: 81 + {{- end }} + {{- if (((.Values.dataproxy).prometheus).enabled) }} + # Prometheus (via dataproxy) + - matches: + - path: {type: PathPrefix, value: "/prometheus"} + backendRefs: + - name: dataproxy-service + port: 81 + {{- end }} # Console (React SPA) — /console, /dashboard, /resources, /cost, /loading - matches: - path: {type: PathPrefix, value: "/console"} From f4959380f5f70ac4cc6178833c513e7f4ae30b82 Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Fri, 20 Mar 2026 12:15:36 -0700 Subject: [PATCH 12/46] Moving to using values.yaml --- charts/envoy-gateway-config/Chart.yaml | 6 +++++ .../templates/backend-traffic-policy.yaml | 11 ++++++++ .../templates/envoy-patch-policy.yaml | 26 +++++++++++++++++++ .../templates/envoyproxy.yaml | 24 +++++++++++++++++ .../templates/gatewayclass.yaml | 11 ++++++++ charts/envoy-gateway-config/values.yaml | 19 ++++++++++++++ 6 files changed, 97 insertions(+) create mode 100644 charts/envoy-gateway-config/Chart.yaml create mode 100644 charts/envoy-gateway-config/templates/backend-traffic-policy.yaml create mode 100644 charts/envoy-gateway-config/templates/envoy-patch-policy.yaml create mode 100644 charts/envoy-gateway-config/templates/envoyproxy.yaml create mode 100644 charts/envoy-gateway-config/templates/gatewayclass.yaml create mode 100644 charts/envoy-gateway-config/values.yaml diff --git a/charts/envoy-gateway-config/Chart.yaml b/charts/envoy-gateway-config/Chart.yaml new file mode 100644 index 00000000..fdf88dda --- /dev/null +++ b/charts/envoy-gateway-config/Chart.yaml 
@@ -0,0 +1,6 @@ +apiVersion: v2 +name: envoy-gateway-config +description: Cluster-operator resources for Envoy Gateway — GatewayClass, EnvoyProxy, BackendTrafficPolicy, and EnvoyPatchPolicy. +type: application +version: 0.1.0 +kubeVersion: '>= 1.28.0-0' diff --git a/charts/envoy-gateway-config/templates/backend-traffic-policy.yaml b/charts/envoy-gateway-config/templates/backend-traffic-policy.yaml new file mode 100644 index 00000000..7b323dc2 --- /dev/null +++ b/charts/envoy-gateway-config/templates/backend-traffic-policy.yaml @@ -0,0 +1,11 @@ +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: BackendTrafficPolicy +metadata: + name: flyteadmin-h2c + namespace: {{ .Values.clusterGatewayConfig.controlplaneNamespace }} +spec: + targetRefs: + - group: "" + kind: Service + name: flyteadmin + http2: {} diff --git a/charts/envoy-gateway-config/templates/envoy-patch-policy.yaml b/charts/envoy-gateway-config/templates/envoy-patch-policy.yaml new file mode 100644 index 00000000..773931a4 --- /dev/null +++ b/charts/envoy-gateway-config/templates/envoy-patch-policy.yaml @@ -0,0 +1,26 @@ +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: EnvoyPatchPolicy +metadata: + name: control-plane-auth + namespace: {{ .Values.clusterGatewayConfig.controlplaneNamespace }} +spec: + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: controlplane + type: JSONPatch + jsonPatches: + {{- range $idx, $pluginName := .Values.clusterGatewayConfig.httpFilters }} + - type: type.googleapis.com/envoy.config.listener.v3.Listener + name: {{ $.Values.clusterGatewayConfig.controlplaneNamespace }}/controlplane/https + operation: + op: add + path: /filter_chains/0/filters/0/typed_config/http_filters/{{ $idx }} + value: + name: envoy.filters.http.golang + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.golang.v3alpha.Config + library_id: control-plane-auth + library_path: /lib/control-plane-auth.so + plugin_name: {{ $pluginName }} + {{- end }} 
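Review bot: The identity-auth filter reaches the listener only through this `EnvoyPatchPolicy`, and two things make it silently not apply: Envoy Gateway ignores `EnvoyPatchPolicy` resources unless `extensionApis.enableEnvoyPatchPolicy: true` is set in the EnvoyGateway config (per upstream docs), and `targetRef.name: controlplane` plus the listener name `.../controlplane/https` are hard-coded while the controlplane chart names its Gateway with `template "flyte.name"`. In either case the Gateway still programs the protected HTTPRoutes/GRPCRoutes, now with no header stripping or credential validation at the edge, so the failure mode is open. I would render the Gateway name from a shared value, e.g. `name: {{ .Values.clusterGatewayConfig.gatewayName }}` and `name: {{ $.Values.clusterGatewayConfig.controlplaneNamespace }}/{{ $.Values.clusterGatewayConfig.gatewayName }}/https`, and add a comment that the policy's `Accepted`/`Programmed` status must be verified after rollout. The JSON patch path `/filter_chains/0/filters/0/...` also assumes a single filter chain on the HTTPS listener, and nothing in this chart supplies `/lib/control-plane-auth.so` to the proxy image — both assumptions deserve a comment saying where they are satisfied.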
diff --git a/charts/envoy-gateway-config/templates/envoyproxy.yaml b/charts/envoy-gateway-config/templates/envoyproxy.yaml new file mode 100644 index 00000000..8bb06335 --- /dev/null +++ b/charts/envoy-gateway-config/templates/envoyproxy.yaml @@ -0,0 +1,24 @@ +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: EnvoyProxy +metadata: + name: envoy-proxy-config + namespace: envoy-gateway-system +spec: + provider: + type: Kubernetes + kubernetes: + envoyService: + type: LoadBalancer + {{- if .Values.clusterGatewayConfig.loadBalancerClass }} + loadBalancerClass: {{ .Values.clusterGatewayConfig.loadBalancerClass }} + {{- end }} + {{- if .Values.clusterGatewayConfig.serviceAnnotations }} + annotations: + {{- toYaml .Values.clusterGatewayConfig.serviceAnnotations | nindent 10 }} + {{- end }} + envoyDeployment: + pod: + annotations: + # Disable Linkerd sidecar injection — Envoy is itself a proxy; + # double-proxying causes routing conflicts. + linkerd.io/inject: disabled diff --git a/charts/envoy-gateway-config/templates/gatewayclass.yaml b/charts/envoy-gateway-config/templates/gatewayclass.yaml new file mode 100644 index 00000000..515838eb --- /dev/null +++ b/charts/envoy-gateway-config/templates/gatewayclass.yaml @@ -0,0 +1,11 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: GatewayClass +metadata: + name: {{ .Values.clusterGatewayConfig.gatewayClassName }} +spec: + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parametersRef: + group: gateway.envoyproxy.io + kind: EnvoyProxy + name: envoy-proxy-config + namespace: envoy-gateway-system diff --git a/charts/envoy-gateway-config/values.yaml b/charts/envoy-gateway-config/values.yaml new file mode 100644 index 00000000..e8895e2f --- /dev/null +++ b/charts/envoy-gateway-config/values.yaml 
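Review bot: Disabling Linkerd injection on the Envoy fleet (`linkerd.io/inject: disabled`) takes the Envoy→backend hop out of the mesh, so that leg loses Linkerd mTLS and identity, and backends that enforce Linkerd `Server`/authorization policy would reject it as unmeshed traffic; the comment only gives the routing motivation. I would extend it: `# NOTE: this also removes mesh mTLS/identity from the Envoy->backend hop; backends behind Gateway routes must accept plaintext h2c/HTTP from envoy-gateway-system.` The `type: LoadBalancer` Service also exposes no `loadBalancerSourceRanges` passthrough (only annotations); if the nginx Service restricted source ranges, an equivalent `clusterGatewayConfig.loadBalancerSourceRanges` value belongs here. Whether any backend currently depends on mesh identity is not visible in this hunk.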
@@ -0,0 +1,19 @@ +clusterGatewayConfig: + # GatewayClass name — must match what controlplane Helm templates reference via global.GATEWAY_CLASS_NAME. + gatewayClassName: envoy + + # Namespace where controlplane resources (BackendTrafficPolicy, EnvoyPatchPolicy) live. + controlplaneNamespace: union-cp + + # Annotations applied to the Envoy fleet LoadBalancer Service (provider-specific NLB config). + serviceAnnotations: {} + + # loadBalancerClass sets spec.loadBalancerClass on the envoy fleet Service (e.g. eks.amazonaws.com/nlb). + # Omitted when null. + loadBalancerClass: null + + # httpFilters lists the plugin_name values to inject into the Envoy HCM filter chain, in order. + # All plugins must be registered in /lib/control-plane-auth.so. + httpFilters: + - identity-auth # strips spoofable X-User-* headers, enforces credential validation + - auth-proxy-cache # caches OAuth2 token responses for the auth-proxy token endpoint From f73c6bdd103b2215400c50574d648607e2ac4851 Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Fri, 20 Mar 2026 12:33:01 -0700 Subject: [PATCH 13/46] Refactoring charts for envoy gateway --- .../templates/backend-traffic-policy.yaml | 11 ----------- charts/envoy-gateway-config/values.yaml | 2 +- 2 files changed, 1 insertion(+), 12 deletions(-) delete mode 100644 charts/envoy-gateway-config/templates/backend-traffic-policy.yaml diff --git a/charts/envoy-gateway-config/templates/backend-traffic-policy.yaml b/charts/envoy-gateway-config/templates/backend-traffic-policy.yaml deleted file mode 100644 index 7b323dc2..00000000 --- a/charts/envoy-gateway-config/templates/backend-traffic-policy.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: gateway.envoyproxy.io/v1alpha1 -kind: BackendTrafficPolicy -metadata: - name: flyteadmin-h2c - namespace: {{ .Values.clusterGatewayConfig.controlplaneNamespace }} -spec: - targetRefs: - - group: "" - kind: Service - name: flyteadmin - http2: {} 
diff --git a/charts/envoy-gateway-config/values.yaml b/charts/envoy-gateway-config/values.yaml index e8895e2f..758f65e3 100644 --- a/charts/envoy-gateway-config/values.yaml +++ b/charts/envoy-gateway-config/values.yaml @@ -2,7 +2,7 @@ clusterGatewayConfig: # GatewayClass name — must match what controlplane Helm templates reference via global.GATEWAY_CLASS_NAME. gatewayClassName: envoy - # Namespace where controlplane resources (BackendTrafficPolicy, EnvoyPatchPolicy) live. + # Namespace where controlplane resources (EnvoyPatchPolicy) live. controlplaneNamespace: union-cp # Annotations applied to the Envoy fleet LoadBalancer Service (provider-specific NLB config). From 923f4dfc0a9ed542508142b0085e15e87958f382 Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Fri, 20 Mar 2026 13:10:10 -0700 Subject: [PATCH 14/46] Adding backend policy for http/2 on grpc for selfmanaged/hosted --- .../common/_backendtrafficpolicy.yaml | 28 +++++++++++++++++++ .../templates/flyte-core-app.yaml | 2 ++ 2 files changed, 30 insertions(+) create mode 100644 charts/controlplane/templates/common/_backendtrafficpolicy.yaml diff --git a/charts/controlplane/templates/common/_backendtrafficpolicy.yaml b/charts/controlplane/templates/common/_backendtrafficpolicy.yaml new file mode 100644 index 00000000..7a9c3680 --- /dev/null +++ b/charts/controlplane/templates/common/_backendtrafficpolicy.yaml 
@@ -0,0 +1,28 @@ +{{- define "control-plane-library.backendtrafficpolicy" }} +# BackendTrafficPolicy — enables HTTP/2 (h2c) for Envoy→gRPC backend connections. +# All GRPCRoute backends speak gRPC over HTTP/2; without this Envoy defaults to HTTP/1.1. +# One policy per GRPCRoute so h2c is scoped to gRPC traffic only. +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: BackendTrafficPolicy +metadata: + name: {{ template "flyte.name" . }}-grpc-protected-h2c + namespace: {{ template "flyte.namespace" . }} +spec: + targetRefs: + - group: gateway.networking.k8s.io + kind: GRPCRoute + name: {{ template "flyte.name" . }}-grpc-protected + http2: {} +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: BackendTrafficPolicy +metadata: + name: {{ template "flyte.name" . }}-grpc-unprotected-h2c + namespace: {{ template "flyte.namespace" . }} +spec: + targetRefs: + - group: gateway.networking.k8s.io + kind: GRPCRoute + name: {{ template "flyte.name" . }}-grpc-unprotected + http2: {} +{{- end }} diff --git a/charts/controlplane/templates/flyte-core-app.yaml b/charts/controlplane/templates/flyte-core-app.yaml index c7372413..12c7bba1 100644 --- a/charts/controlplane/templates/flyte-core-app.yaml +++ b/charts/controlplane/templates/flyte-core-app.yaml @@ -25,4 +25,6 @@ --- {{- include "control-plane-library.grpcroute-protected" . }} --- +{{- include "control-plane-library.backendtrafficpolicy" . }} +--- {{- end }} From e47c9267d31bcda8b4ad37e1368a8cabb3581c01 Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Fri, 20 Mar 2026 13:33:23 -0700 Subject: [PATCH 15/46] Adding timeouts and buffer limits to connections --- .../common/_backendtrafficpolicy.yaml | 22 +++++++++++++++--- .../common/_clienttrafficpolicy.yaml | 23 +++++++++++++++++++ .../templates/flyte-core-app.yaml | 2 ++ 3 files changed, 44 insertions(+), 3 deletions(-) create mode 100644 charts/controlplane/templates/common/_clienttrafficpolicy.yaml 
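Review bot: `http2: {}` on these BackendTrafficPolicies makes Envoy open cleartext h2c connections to the gRPC services, and the header comment describes this only as "enables HTTP/2"; with the Envoy fleet excluded from the Linkerd mesh in the envoy-gateway-config chart, that hop carries credentials and payloads unencrypted inside the cluster unless the backends terminate TLS themselves. I would add to the header: `# NOTE: h2c is plaintext; Envoy->backend traffic is not TLS-protected on this hop unless the backend Service terminates TLS or a mesh sidecar covers the Envoy pods.` Whether the backends accept TLS cannot be determined from this hunk.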
diff --git a/charts/controlplane/templates/common/_backendtrafficpolicy.yaml b/charts/controlplane/templates/common/_backendtrafficpolicy.yaml index 7a9c3680..ae1b948b 100644 --- a/charts/controlplane/templates/common/_backendtrafficpolicy.yaml +++ b/charts/controlplane/templates/common/_backendtrafficpolicy.yaml @@ -1,7 +1,11 @@ {{- define "control-plane-library.backendtrafficpolicy" }} -# BackendTrafficPolicy — enables HTTP/2 (h2c) for Envoy→gRPC backend connections. -# All GRPCRoute backends speak gRPC over HTTP/2; without this Envoy defaults to HTTP/1.1. -# One policy per GRPCRoute so h2c is scoped to gRPC traffic only. +# BackendTrafficPolicy — configures Envoy→gRPC backend connection settings. +# Replaces nginx grpc_connect_timeout, grpc_read_timeout, grpc_send_timeout. +# Two policies (one per GRPCRoute) so h2c and timeouts are scoped to gRPC traffic only. +# +# requestTimeout applies to unary calls; maxStreamDuration applies to streaming calls. +# "0s" for maxStreamDuration means no limit (equivalent to grpc_read_timeout 604800s on streaming routes). +# Both protected and unprotected GRPCRoutes contain streaming methods so both get the same config. apiVersion: gateway.envoyproxy.io/v1alpha1 kind: BackendTrafficPolicy metadata: @@ -12,6 +16,12 @@ spec: - group: gateway.networking.k8s.io kind: GRPCRoute name: {{ template "flyte.name" . }}-grpc-protected + timeout: + tcp: + connectTimeout: "1200s" # grpc_connect_timeout 1200s + http: + requestTimeout: "1200s" # grpc_read_timeout 1200s (unary calls) + maxStreamDuration: "0s" # no limit for streaming (grpc_read_timeout 604800s on streaming routes) http2: {} --- apiVersion: gateway.envoyproxy.io/v1alpha1 
@@ -24,5 +34,11 @@ spec: - group: gateway.networking.k8s.io kind: GRPCRoute name: {{ template "flyte.name" . }}-grpc-unprotected + timeout: + tcp: + connectTimeout: "1200s" # grpc_connect_timeout 1200s + http: + requestTimeout: "1200s" # grpc_read_timeout 1200s (unary calls) + maxStreamDuration: "0s" # no limit for WatchExecutionStatusUpdates streaming http2: {} {{- end }} diff --git a/charts/controlplane/templates/common/_clienttrafficpolicy.yaml b/charts/controlplane/templates/common/_clienttrafficpolicy.yaml new file mode 100644 index 00000000..d5c07c0b --- /dev/null +++ b/charts/controlplane/templates/common/_clienttrafficpolicy.yaml @@ -0,0 +1,23 @@ +{{- define "control-plane-library.clienttrafficpolicy" }} +# ClientTrafficPolicy — configures inbound client connection settings on the Gateway. +# Replaces nginx server-snippet: client_header_timeout, client_body_timeout, +# client_header_buffer_size, and large_client_header_buffers. +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: ClientTrafficPolicy +metadata: + name: {{ template "flyte.name" . }}-client-policy + namespace: {{ template "flyte.namespace" . }} +spec: + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: {{ template "flyte.name" . }} + timeout: + http: + requestReceivedTimeout: "604800s" # client_header_timeout 604800 + streamIdleTimeout: "604800s" # client_body_timeout 604800 + connection: + # large_client_header_buffers 64 32k = 2Mi total; mitigates 400 errors from large cookies + # at the /me auth endpoint (see PE-1101). + bufferLimit: "2Mi" +{{- end }} diff --git a/charts/controlplane/templates/flyte-core-app.yaml b/charts/controlplane/templates/flyte-core-app.yaml index 12c7bba1..ede74cda 100644 --- a/charts/controlplane/templates/flyte-core-app.yaml +++ b/charts/controlplane/templates/flyte-core-app.yaml @@ -27,4 +27,6 @@ --- {{- include "control-plane-library.backendtrafficpolicy" . }} --- +{{- include "control-plane-library.clienttrafficpolicy" . }} +--- {{- end }} 
From 5485f25a271eff44beb31b57708c43c14aaaa563 Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Fri, 20 Mar 2026 16:33:36 -0700 Subject: [PATCH 16/46] Adding bypass for unprotected endpoint and identity filter --- .../templates/envoy-patch-policy.yaml | 9 ++++++ charts/envoy-gateway-config/values.yaml | 30 +++++++++++++++++++ 2 files changed, 39 insertions(+) diff --git a/charts/envoy-gateway-config/templates/envoy-patch-policy.yaml b/charts/envoy-gateway-config/templates/envoy-patch-policy.yaml index 773931a4..8f327106 100644 --- a/charts/envoy-gateway-config/templates/envoy-patch-policy.yaml +++ b/charts/envoy-gateway-config/templates/envoy-patch-policy.yaml @@ -23,4 +23,13 @@ spec: library_id: control-plane-auth library_path: /lib/control-plane-auth.so plugin_name: {{ $pluginName }} + {{- if and (eq $pluginName "identity-auth") $.Values.clusterGatewayConfig.identityAuth.bypassPaths }} + plugin_config: + "@type": type.googleapis.com/xds.type.v3.TypedStruct + value: + bypassPaths: + {{- range $.Values.clusterGatewayConfig.identityAuth.bypassPaths }} + - {{ . | quote }} + {{- end }} + {{- end }} {{- end }} diff --git a/charts/envoy-gateway-config/values.yaml b/charts/envoy-gateway-config/values.yaml index 758f65e3..789903ef 100644 --- a/charts/envoy-gateway-config/values.yaml +++ b/charts/envoy-gateway-config/values.yaml 
@@ -17,3 +17,33 @@ clusterGatewayConfig: httpFilters: - identity-auth # strips spoofable X-User-* headers, enforces credential validation - auth-proxy-cache # caches OAuth2 token responses for the auth-proxy token endpoint + + # identityAuth configures the identity-auth HCM filter. + identityAuth: + # bypassPaths lists path prefixes that skip credential validation. + # Identity headers (X-User-*) are still stripped on these paths to prevent spoofing. + # Mirrors the paths in the unprotected HTTPRoute and GRPCRoute templates. + bypassPaths: + # OIDC / auth flows (flyteadmin:80) + - "/.well-known" + - "/login" + - "/logout" + - "/callback" + - "/config" + - "/oauth2" + - "/auth" + - "/me" + - "/healthcheck" + # OpenAPI docs (flyteadmin:87) + - "/openapi" + # Console healthcheck + - "/healthz" + # Webhooks (usage-service, hooks-service) + - "/enqueue_metronome_request/" + - "/enqueue_stripe_request/" + - "/okta_event_webhook/" + # Unprotected gRPC services (path format: /./) + - "/flyteidl.service.HealthService/" + - "/flyteidl.service.AuthMetadataService/" + - "/flyteidl2.auth.AuthMetadataService/" + - "/flyteidl.service.WatchService/WatchExecutionStatusUpdates" From 5859dae9be961798b83184ce4e9cd2f909adf6b5 Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Mon, 23 Mar 2026 13:39:35 -0700 Subject: [PATCH 17/46] Fixing validation error on timeouts --- .../controlplane/templates/common/_clienttrafficpolicy.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/controlplane/templates/common/_clienttrafficpolicy.yaml b/charts/controlplane/templates/common/_clienttrafficpolicy.yaml index d5c07c0b..6d2d2785 100644 --- a/charts/controlplane/templates/common/_clienttrafficpolicy.yaml +++ b/charts/controlplane/templates/common/_clienttrafficpolicy.yaml 
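Review bot: Several `bypassPaths` entries are very short prefixes — `/me`, `/auth`, `/config`, `/login` — and if the identity-auth plugin does string-prefix matching rather than path-segment matching, they also exempt any future `/metrics`, `/authz...` or `/configuration...` route from credential validation; the comment says "path prefixes" but not which semantics apply. I would either give each HTTP entry segment-safe forms (`"/me"` exact plus `"/me/"`) or state in the comment that the plugin matches whole path segments, and add `# An over-broad prefix here fails open for every route on the listener — keep entries as narrow as the unprotected routes.` The gRPC comment `(path format: /./)` lost its placeholders and should read `(path format: /<package.Service>/<Method>)`. This list is also a hand-maintained copy of the unprotected HTTPRoute/GRPCRoute; a comment pointing at those templates as the source of truth would make drift reviews easier.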
@@ -14,8 +14,8 @@ spec: name: {{ template "flyte.name" . }} timeout: http: - requestReceivedTimeout: "604800s" # client_header_timeout 604800 - streamIdleTimeout: "604800s" # client_body_timeout 604800 + requestReceivedTimeout: "0s" # client_header_timeout 604800 + streamIdleTimeout: "0s" # client_body_timeout 604800 connection: # large_client_header_buffers 64 32k = 2Mi total; mitigates 400 errors from large cookies # at the /me auth endpoint (see PE-1101). From 7808e3551b6bf300fcd69351f7c2a7603cafec19 Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Mon, 23 Mar 2026 16:11:45 -0700 Subject: [PATCH 18/46] Adding redis caching for rate limiting --- .../common/_backendtrafficpolicy.yaml | 27 ++++++++++++ .../envoy-gateway-config/templates/redis.yaml | 43 +++++++++++++++++++ charts/envoy-gateway-config/values.yaml | 25 +++++++++++ 3 files changed, 95 insertions(+) create mode 100644 charts/envoy-gateway-config/templates/redis.yaml diff --git a/charts/controlplane/templates/common/_backendtrafficpolicy.yaml b/charts/controlplane/templates/common/_backendtrafficpolicy.yaml index ae1b948b..970a6f9a 100644 --- a/charts/controlplane/templates/common/_backendtrafficpolicy.yaml +++ b/charts/controlplane/templates/common/_backendtrafficpolicy.yaml 
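Review bot: `requestReceivedTimeout: "0s"` and `streamIdleTimeout: "0s"` disable both timeouts outright, so an unauthenticated client can hold a connection open indefinitely while trickling headers or body (slowloris) against a per-connection `bufferLimit` of 2Mi, and the inline comments still claim parity with nginx's 604800s, which no longer matches the values. The validation error was most likely the Gateway API `Duration` pattern, which allows at most five digits per unit, so the same seven days can be expressed as `requestReceivedTimeout: "168h"`. Better still, choose a bounded header timeout (nginx's seven-day value was already far beyond what a header read needs), keep only `streamIdleTimeout` long for the streaming gRPC routes, and rewrite the comments to describe the chosen values.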
@@ -41,4 +41,31 @@ spec: requestTimeout: "1200s" # grpc_read_timeout 1200s (unary calls) maxStreamDuration: "0s" # no limit for WatchExecutionStatusUpdates streaming http2: {} +{{- if and .Values.global.rateLimitEnabled (or (eq .Values.global.INGRESS_PROVIDER "envoy") (eq .Values.global.INGRESS_PROVIDER "both")) }} +--- +# Global per-source-IP rate limit — replaces nginx.ingress.kubernetes.io/limit-rps annotation. +# Requires EG rateLimit backend (envoyproxy/ratelimit + Redis) to be running. +# Enable via global.rateLimitEnabled: true once the backend is confirmed healthy. +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: BackendTrafficPolicy +metadata: + name: {{ template "flyte.name" . }}-global-rate-limit + namespace: {{ template "flyte.namespace" . }} +spec: + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: {{ template "flyte.name" . }} + rateLimit: + type: Global + global: + rules: + - clientSelectors: + - sourceCIDR: + type: Distinct + value: "0.0.0.0/0" + limit: + requests: {{ .Values.global.rateLimitRequestsPerUnit | default 100 }} + unit: {{ .Values.global.rateLimitUnit | default "Second" }} +{{- end }} {{- end }} diff --git a/charts/envoy-gateway-config/templates/redis.yaml b/charts/envoy-gateway-config/templates/redis.yaml new file mode 100644 index 00000000..12778240 --- /dev/null +++ b/charts/envoy-gateway-config/templates/redis.yaml 
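Review bot: The `sourceCIDR` / `Distinct` rule keys on the client address Envoy observes, and behind the `type: LoadBalancer` fleet Service that is, without proxy protocol or `externalTrafficPolicy: Local`, typically the LB or node SNAT address — so all clients share one `100/Second` bucket and a single abusive client locks everyone out; if Envoy is instead configured to trust `X-Forwarded-For`, the key becomes attacker-controlled. The policy should pin whichever applies: add `clientIPDetection` on the ClientTrafficPolicy (XFF with a `numTrustedHops` matching the LB, or proxy protocol) and a comment above `sourceCIDR` naming the address used. Note also that this chart reads `global.rateLimitRequestsPerUnit`/`rateLimitUnit` while the envoy-gateway-config chart exposes `clusterGatewayConfig.rateLimit.requestsPerUnit`/`unit`; a cross-reference comment would stop one being changed without the other. How the LB preserves client IP is not visible here.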
@@ -0,0 +1,43 @@ +{{- if .Values.redis.enabled }} +# Minimal Redis deployment for envoyproxy/ratelimit. +# When config.envoyGateway.rateLimit.backend.redis.url is set, EG auto-deploys envoyproxy/ratelimit +# in this namespace and expects a Redis instance at the configured URL. +# Service name: redis-ratelimit → URL: redis://redis-ratelimit.envoy-gateway-system.svc.cluster.local:6379 +apiVersion: apps/v1 +kind: Deployment +metadata: + name: redis-ratelimit + namespace: envoy-gateway-system +spec: + replicas: 1 + selector: + matchLabels: + app: redis-ratelimit + template: + metadata: + labels: + app: redis-ratelimit + annotations: + # Redis is only accessed within the cluster by envoyproxy/ratelimit — no Linkerd proxy needed. + linkerd.io/inject: disabled + spec: + containers: + - name: redis + image: {{ .Values.redis.image }} + ports: + - containerPort: 6379 + resources: + {{- toYaml .Values.redis.resources | nindent 12 }} +--- +apiVersion: v1 +kind: Service +metadata: + name: redis-ratelimit + namespace: envoy-gateway-system +spec: + selector: + app: redis-ratelimit + ports: + - port: 6379 + targetPort: 6379 +{{- end }} diff --git a/charts/envoy-gateway-config/values.yaml b/charts/envoy-gateway-config/values.yaml index 789903ef..b2ac9792 100644 --- a/charts/envoy-gateway-config/values.yaml +++ b/charts/envoy-gateway-config/values.yaml 
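Review bot: The Redis Service is reachable from any pod in the cluster with no authentication and the container runs with image defaults, so any in-cluster workload could read or reset the rate-limit counters and defeat the limit; add a NetworkPolicy admitting only the envoyproxy/ratelimit pods on 6379 (selector label below is a placeholder to confirm) and a restrictive securityContext. Both objects hard-code `namespace: envoy-gateway-system` while the header comment says EG deploys ratelimit "in this namespace"; `namespace: {{ .Release.Namespace }}` keeps the two in step. Redis 7 snapshots to /data by default, so pass `--save ""` (counters are ephemeral) if the root filesystem is made read-only.
```yaml
    spec:
      containers:
      - name: redis
        image: {{ .Values.redis.image }}
        # Counters are ephemeral: disable RDB snapshots so the pod needs no writable /data.
        args: ["--save", ""]
        securityContext:
          runAsNonRoot: true
          runAsUser: 999  # redis user in the official image — confirm for the pinned tag
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
        # … unchanged: ports, resources …
---
# Only the envoyproxy/ratelimit pods may reach Redis.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: redis-ratelimit
  namespace: {{ .Release.Namespace }}
spec:
  podSelector:
    matchLabels:
      app: redis-ratelimit
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - podSelector:
        matchLabels:
          # placeholder — use the label EG puts on its envoyproxy/ratelimit pods
          RATELIMIT_LABEL_KEY: RATELIMIT_LABEL_VALUE
    ports:
    - port: 6379
```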
@@ -1,3 +1,21 @@ +# Redis deployment for envoyproxy/ratelimit (deployed in envoy-gateway-system). +# Disabled by default; enabled via Terraform when rate limiting is configured. +redis: + enabled: false + image: redis:7-alpine + resources: + requests: + cpu: "50m" + memory: "64Mi" + limits: + memory: "128Mi" + +# Passed through to the gateway-helm EnvoyGateway CR via the config.envoyGateway values key. +# When rateLimit.backend.redis.url is set, EG auto-deploys envoyproxy/ratelimit in envoy-gateway-system. +# Set by Terraform alongside redis.enabled when rate_limit_redis_url is configured. +config: + envoyGateway: {} + clusterGatewayConfig: # GatewayClass name — must match what controlplane Helm templates reference via global.GATEWAY_CLASS_NAME. gatewayClassName: envoy @@ -18,6 +36,13 @@ clusterGatewayConfig: - identity-auth # strips spoofable X-User-* headers, enforces credential validation - auth-proxy-cache # caches OAuth2 token responses for the auth-proxy token endpoint + # rateLimit controls whether BackendTrafficPolicy rate limit rules are rendered in the tenant chart. + # Set by Terraform alongside config.envoyGateway.rateLimit when rate_limit_redis_url is configured. + rateLimit: + enabled: false + requestsPerUnit: 100 + unit: Second + # identityAuth configures the identity-auth HCM filter. identityAuth: # bypassPaths lists path prefixes that skip credential validation. From 36b774f4b842480119a914405868ff0270af3ab7 Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Tue, 24 Mar 2026 09:33:38 -0700 Subject: [PATCH 19/46] Renaming some configs --- .../templates/common/_backendtrafficpolicy.yaml | 8 ++++---- charts/controlplane/templates/common/_gateway.yaml | 2 +- charts/controlplane/values.yaml | 7 ++++++- charts/envoy-gateway-config/templates/redis.yaml | 2 +- charts/envoy-gateway-config/values.yaml | 4 +--- 5 files changed, 13 insertions(+), 10 deletions(-) 
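Review bot: `image: redis:7-alpine` is a floating tag, so the store backing the rate limit can change version on any node re-pull with nothing in version control recording it; pin to an exact version with a digest, `image: "redis:<PINNED_VERSION>@sha256:<DIGEST>"` (placeholders), and bump it deliberately. The comment above already says Terraform sets `redis.enabled`; state there whether Terraform is also expected to own the image so two places do not fight over it.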
diff --git a/charts/controlplane/templates/common/_backendtrafficpolicy.yaml b/charts/controlplane/templates/common/_backendtrafficpolicy.yaml index 970a6f9a..2bbde7e1 100644 --- a/charts/controlplane/templates/common/_backendtrafficpolicy.yaml +++ b/charts/controlplane/templates/common/_backendtrafficpolicy.yaml @@ -41,11 +41,11 @@ spec: requestTimeout: "1200s" # grpc_read_timeout 1200s (unary calls) maxStreamDuration: "0s" # no limit for WatchExecutionStatusUpdates streaming http2: {} -{{- if and .Values.global.rateLimitEnabled (or (eq .Values.global.INGRESS_PROVIDER "envoy") (eq .Values.global.INGRESS_PROVIDER "both")) }} +{{- if and .Values.envoyGateway.rateLimit.enabled (or (eq .Values.global.INGRESS_PROVIDER "envoy") (eq .Values.global.INGRESS_PROVIDER "both")) }} --- # Global per-source-IP rate limit — replaces nginx.ingress.kubernetes.io/limit-rps annotation. # Requires EG rateLimit backend (envoyproxy/ratelimit + Redis) to be running. -# Enable via global.rateLimitEnabled: true once the backend is confirmed healthy. +# Enable via envoyGateway.rateLimit.enabled: true once the backend is confirmed healthy. apiVersion: gateway.envoyproxy.io/v1alpha1 kind: BackendTrafficPolicy metadata: @@ -65,7 +65,7 @@ spec: type: Distinct value: "0.0.0.0/0" limit: - requests: {{ .Values.global.rateLimitRequestsPerUnit | default 100 }} - unit: {{ .Values.global.rateLimitUnit | default "Second" }} + requests: {{ .Values.envoyGateway.rateLimit.requestsPerUnit | default 100 }} + unit: {{ .Values.envoyGateway.rateLimit.unit | default "Second" }} {{- end }} {{- end }} diff --git a/charts/controlplane/templates/common/_gateway.yaml b/charts/controlplane/templates/common/_gateway.yaml index 8ddd47ea..4d66ccef 100644 --- a/charts/controlplane/templates/common/_gateway.yaml +++ b/charts/controlplane/templates/common/_gateway.yaml 
@@ -5,7 +5,7 @@ metadata: name: {{ template "flyte.name" . }} namespace: {{ template "flyte.namespace" . }} spec: - gatewayClassName: {{ .Values.global.GATEWAY_CLASS_NAME }} + gatewayClassName: {{ .Values.envoyGateway.gatewayClassName }} listeners: - name: https protocol: HTTPS diff --git a/charts/controlplane/values.yaml b/charts/controlplane/values.yaml index b527048b..31f0313f 100644 --- a/charts/controlplane/values.yaml +++ b/charts/controlplane/values.yaml @@ -59,8 +59,13 @@ global: # Ingress controller provider. Options: "nginx", "envoy", "both" INGRESS_PROVIDER: nginx +envoyGateway: # GatewayClass name for Envoy Gateway. Used when INGRESS_PROVIDER is "envoy" or "both". - GATEWAY_CLASS_NAME: envoy + gatewayClassName: envoy + rateLimit: + enabled: false + requestsPerUnit: 100 + unit: Second # OAuth2 client ID for service-to-service authentication (client_credentials flow). # Services use this to acquire tokens for internal calls through nginx. diff --git a/charts/envoy-gateway-config/templates/redis.yaml b/charts/envoy-gateway-config/templates/redis.yaml index 12778240..bbca9fae 100644 --- a/charts/envoy-gateway-config/templates/redis.yaml +++ b/charts/envoy-gateway-config/templates/redis.yaml @@ -1,4 +1,4 @@ -{{- if .Values.redis.enabled }} +{{- if dig "config" "envoyGateway" "rateLimit" "backend" "redis" "url" "" .Values }} # Minimal Redis deployment for envoyproxy/ratelimit. # When config.envoyGateway.rateLimit.backend.redis.url is set, EG auto-deploys envoyproxy/ratelimit # in this namespace and expects a Redis instance at the configured URL. diff --git a/charts/envoy-gateway-config/values.yaml b/charts/envoy-gateway-config/values.yaml index b2ac9792..5c5b535d 100644 --- a/charts/envoy-gateway-config/values.yaml +++ b/charts/envoy-gateway-config/values.yaml 
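Review bot: `envoyGateway:` is inserted at column 0 in the middle of the `global:` mapping in values.yaml, so every indented key that follows it — starting with the OAuth2 client ID the trailing context comments describe — is now parsed as `envoyGateway.<key>` instead of `global.<key>`, and templates reading `.Values.global.<key>` for those keys will get nil. Move the block after the last key of `global` (or to the end of the file with the other top-level sections) and take the `# GatewayClass name …` comment with it. The remainder of the `global` mapping is outside the hunk, so confirm which keys follow.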
@@ -1,7 +1,6 @@ # Redis deployment for envoyproxy/ratelimit (deployed in envoy-gateway-system). -# Disabled by default; enabled via Terraform when rate limiting is configured. +# Deployed automatically when config.envoyGateway.rateLimit.backend.redis.url is set. redis: - enabled: false image: redis:7-alpine resources: requests: @@ -12,7 +11,6 @@ redis: # Passed through to the gateway-helm EnvoyGateway CR via the config.envoyGateway values key. # When rateLimit.backend.redis.url is set, EG auto-deploys envoyproxy/ratelimit in envoy-gateway-system. -# Set by Terraform alongside redis.enabled when rate_limit_redis_url is configured. config: envoyGateway: {} From 826f473529a228b2bd57845345059414ab74e4bb Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Tue, 24 Mar 2026 09:41:39 -0700 Subject: [PATCH 20/46] Fixing usage of dig --- charts/envoy-gateway-config/templates/redis.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/envoy-gateway-config/templates/redis.yaml b/charts/envoy-gateway-config/templates/redis.yaml index bbca9fae..518803dd 100644 --- a/charts/envoy-gateway-config/templates/redis.yaml +++ b/charts/envoy-gateway-config/templates/redis.yaml @@ -1,4 +1,4 @@ -{{- if dig "config" "envoyGateway" "rateLimit" "backend" "redis" "url" "" .Values }} +{{- if .Values.config.envoyGateway.rateLimit.backend.redis.url }} # Minimal Redis deployment for envoyproxy/ratelimit. # When config.envoyGateway.rateLimit.backend.redis.url is set, EG auto-deploys envoyproxy/ratelimit # in this namespace and expects a Redis instance at the configured URL. From 26c9fb4183e121d42b82827bac4d5b84f041b7d6 Mon Sep 17 00:00:00 2001 
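Review bot: `{{- if .Values.config.envoyGateway.rateLimit.backend.redis.url }}` fails to render with the chart's own defaults: values.yaml sets `config.envoyGateway: {}`, the missing `rateLimit` key evaluates to nil, and Go templates abort with a nil-pointer error when `.backend` is taken from it. The `dig` form it replaces likely failed only because it was applied to `.Values` itself rather than a plain map; `{{- if dig "rateLimit" "backend" "redis" "url" "" .Values.config.envoyGateway }}` keeps the lookup safe, as does the parenthesised chain the controlplane templates already use, `{{- if ((((.Values.config.envoyGateway).rateLimit).backend).redis).url }}`. Either way the header comment should say that an unset URL disables this Deployment.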
From: Laura Barton Date: Tue, 24 Mar 2026 10:21:43 -0700 Subject: [PATCH 21/46] Refactoring config names --- .../templates/envoy-patch-policy.yaml | 10 +++++----- charts/envoy-gateway-config/templates/envoyproxy.yaml | 8 ++++---- .../envoy-gateway-config/templates/gatewayclass.yaml | 2 +- charts/envoy-gateway-config/values.yaml | 2 +- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/charts/envoy-gateway-config/templates/envoy-patch-policy.yaml b/charts/envoy-gateway-config/templates/envoy-patch-policy.yaml index 8f327106..a552ce28 100644 --- a/charts/envoy-gateway-config/templates/envoy-patch-policy.yaml +++ b/charts/envoy-gateway-config/templates/envoy-patch-policy.yaml @@ -2,7 +2,7 @@ apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyPatchPolicy metadata: name: control-plane-auth - namespace: {{ .Values.clusterGatewayConfig.controlplaneNamespace }} + namespace: {{ .Values.envoyGateway.controlplaneNamespace }} spec: targetRef: group: gateway.networking.k8s.io @@ -10,9 +10,9 @@ spec: name: controlplane type: JSONPatch jsonPatches: - {{- range $idx, $pluginName := .Values.clusterGatewayConfig.httpFilters }} + {{- range $idx, $pluginName := .Values.envoyGateway.httpFilters }} - type: type.googleapis.com/envoy.config.listener.v3.Listener - name: {{ $.Values.clusterGatewayConfig.controlplaneNamespace }}/controlplane/https + name: {{ $.Values.envoyGateway.controlplaneNamespace }}/controlplane/https operation: op: add path: /filter_chains/0/filters/0/typed_config/http_filters/{{ $idx }} 
@@ -23,12 +23,12 @@ spec: library_id: control-plane-auth library_path: /lib/control-plane-auth.so plugin_name: {{ $pluginName }} - {{- if and (eq $pluginName "identity-auth") $.Values.clusterGatewayConfig.identityAuth.bypassPaths }} + {{- if and (eq $pluginName "identity-auth") $.Values.envoyGateway.identityAuth.bypassPaths }} plugin_config: "@type": type.googleapis.com/xds.type.v3.TypedStruct value: bypassPaths: - {{- range $.Values.clusterGatewayConfig.identityAuth.bypassPaths }} + {{- range $.Values.envoyGateway.identityAuth.bypassPaths }} - {{ . | quote }} {{- end }} {{- end }} diff --git a/charts/envoy-gateway-config/templates/envoyproxy.yaml b/charts/envoy-gateway-config/templates/envoyproxy.yaml index 8bb06335..cc8b55b0 100644 --- a/charts/envoy-gateway-config/templates/envoyproxy.yaml +++ b/charts/envoy-gateway-config/templates/envoyproxy.yaml @@ -9,12 +9,12 @@ spec: kubernetes: envoyService: type: LoadBalancer - {{- if .Values.clusterGatewayConfig.loadBalancerClass }} - loadBalancerClass: {{ .Values.clusterGatewayConfig.loadBalancerClass }} + {{- if .Values.envoyGateway.loadBalancerClass }} + loadBalancerClass: {{ .Values.envoyGateway.loadBalancerClass }} {{- end }} - {{- if .Values.clusterGatewayConfig.serviceAnnotations }} + {{- if .Values.envoyGateway.serviceAnnotations }} annotations: - {{- toYaml .Values.clusterGatewayConfig.serviceAnnotations | nindent 10 }} + {{- toYaml .Values.envoyGateway.serviceAnnotations | nindent 10 }} {{- end }} envoyDeployment: pod: diff --git a/charts/envoy-gateway-config/templates/gatewayclass.yaml b/charts/envoy-gateway-config/templates/gatewayclass.yaml index 515838eb..5ba4ea3e 100644 --- a/charts/envoy-gateway-config/templates/gatewayclass.yaml +++ b/charts/envoy-gateway-config/templates/gatewayclass.yaml 
@@ -1,7 +1,7 @@ apiVersion: gateway.networking.k8s.io/v1 kind: GatewayClass metadata: - name: {{ .Values.clusterGatewayConfig.gatewayClassName }} + name: {{ .Values.envoyGateway.gatewayClassName }} spec: controllerName: gateway.envoyproxy.io/gatewayclass-controller parametersRef: diff --git a/charts/envoy-gateway-config/values.yaml b/charts/envoy-gateway-config/values.yaml index 5c5b535d..f4f5dd79 100644 --- a/charts/envoy-gateway-config/values.yaml +++ b/charts/envoy-gateway-config/values.yaml @@ -14,7 +14,7 @@ redis: config: envoyGateway: {} -clusterGatewayConfig: +envoyGateway: # GatewayClass name — must match what controlplane Helm templates reference via global.GATEWAY_CLASS_NAME. gatewayClassName: envoy From 5486748bb8675cb4e5659251506f129c12044ba6 Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Tue, 24 Mar 2026 11:19:18 -0700 Subject: [PATCH 22/46] Fixing naming of services --- .../common/_backendtrafficpolicy.yaml | 2 +- .../common/_grpcroute-protected.yaml | 52 +++++++++---------- .../common/_httproute-protected.yaml | 36 ++++++------- 3 files changed, 45 insertions(+), 45 deletions(-) diff --git a/charts/controlplane/templates/common/_backendtrafficpolicy.yaml b/charts/controlplane/templates/common/_backendtrafficpolicy.yaml index 2bbde7e1..52897bfc 100644 --- a/charts/controlplane/templates/common/_backendtrafficpolicy.yaml +++ b/charts/controlplane/templates/common/_backendtrafficpolicy.yaml @@ -41,7 +41,7 @@ spec: requestTimeout: "1200s" # grpc_read_timeout 1200s (unary calls) maxStreamDuration: "0s" # no limit for WatchExecutionStatusUpdates streaming http2: {} -{{- if and .Values.envoyGateway.rateLimit.enabled (or (eq .Values.global.INGRESS_PROVIDER "envoy") (eq .Values.global.INGRESS_PROVIDER "both")) }} +{{- if .Values.envoyGateway.rateLimit.enabled }} --- # Global per-source-IP rate limit — replaces nginx.ingress.kubernetes.io/limit-rps annotation. # Requires EG rateLimit backend (envoyproxy/ratelimit + Redis) to be running. 
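Review bot: The comment kept under the renamed key still says the GatewayClass name "must match what controlplane Helm templates reference via global.GATEWAY_CLASS_NAME", but that key was replaced by `envoyGateway.gatewayClassName` in the controlplane chart earlier in this series, so the pointer is stale; change it to `# GatewayClass name — must match envoyGateway.gatewayClassName in the controlplane chart.` Both charts now have a top-level `envoyGateway` key with different schemas, which is fine, but one sentence here saying this block is unrelated to the controlplane chart's `envoyGateway` would spare the next reader a search.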
diff --git a/charts/controlplane/templates/common/_grpcroute-protected.yaml b/charts/controlplane/templates/common/_grpcroute-protected.yaml index f66e1233..a9745a6b 100644 --- a/charts/controlplane/templates/common/_grpcroute-protected.yaml +++ b/charts/controlplane/templates/common/_grpcroute-protected.yaml @@ -27,15 +27,15 @@ spec: backendRefs: - name: flyteadmin port: 81 - # execution-service + # executions - matches: - method: {service: "cloudidl.execution.ExecutionService"} - method: {service: "cloudidl.echo.EchoService"} - method: {service: "cloudidl.app.AppService"} backendRefs: - - name: execution-service + - name: executions port: 80 - # cluster-service + # cluster - matches: - method: {service: "cloudidl.cluster.ClusterService"} - method: {service: "cloudidl.cluster.ClusterNodepoolService"} @@ -44,9 +44,9 @@ spec: - method: {service: "cloudidl.clusterpool.ClusterPoolService"} - method: {service: "cloudidl.clusterconfig.ClusterConfigService"} backendRefs: - - name: cluster-service + - name: cluster port: 80 - # identity-service + # identity - matches: - method: {service: "cloudidl.apikey.APIKeyService"} - method: {service: "cloudidl.identity.AppsService"} 
@@ -56,30 +56,30 @@ spec: - method: {service: "cloudidl.identity.PolicyService"} - method: {service: "cloudidl.identity.IdentityService"} backendRefs: - - name: identity-service + - name: identity port: 83 - matches: - method: {service: "cloudidl.identity.SelfServe"} backendRefs: - - name: identity-service + - name: identity port: 80 - # organizations-service + # organizations - matches: - method: {service: "cloudidl.org.OrgService"} backendRefs: - - name: organizations-service + - name: organizations port: 83 - # usage-service + # usage - matches: - method: {service: "cloudidl.usage.UsageService"} backendRefs: - - name: usage-service + - name: usage port: 80 - # authorizer-service + # authorizer - matches: - method: {service: "cloudidl.authorizer.AuthorizerService"} backendRefs: - - name: authorizer-service + - name: authorizer port: 83 # datacatalog - matches: @@ -94,7 +94,7 @@ spec: backendRefs: - name: cacheservice port: 89 - # dataproxy-service (gRPC) + # dataproxy (gRPC) - matches: - method: {service: "cloudidl.actor.ActorEnvironmentService"} - method: {service: "cloudidl.agent.AgentService"} @@ -108,9 +108,9 @@ spec: - method: {service: "flyteidl2.app.AppLogsService"} - method: {service: "flyteidl2.app.ReplicaService"} backendRefs: - - name: dataproxy-service + - name: dataproxy port: 80 - # queue-service + # queue - matches: - method: {service: "cloudidl.workflow.QueueService"} - method: {service: "cloudidl.workflow.StateService"} 
@@ -118,35 +118,35 @@ spec: - method: {service: "flyteidl2.workflow.QueueService"} - method: {service: "flyteidl2.workflow.StateService"} backendRefs: - - name: queue-service + - name: queue port: 80 - # image builder (dataproxy-service) + # image builder (dataproxy) - matches: - method: {service: "cloudidl.imagebuilder.ImageService"} - method: {service: "flyteidl2.imagebuilder.ImageService"} backendRefs: - - name: dataproxy-service + - name: dataproxy port: 80 {{- if .Values.flyte.common.ingress.secretService }} - matches: - method: {service: "cloudidl.secret.SecretService"} - method: {service: "flyteidl2.secret.SecretService"} backendRefs: - - name: dataproxy-service + - name: dataproxy port: 80 {{- end }} {{- if ((.Values.artifacts).enabled) }} - matches: - method: {service: "flyteidl.artifact.ArtifactRegistry"} backendRefs: - - name: artifacts-service + - name: artifacts port: 80 {{- end }} {{- if (((.Values.objectstore).controlPlane).enabled) }} - matches: - method: {service: "cloudidl.objectstore.v1.ObjectStoreService"} backendRefs: - - name: dataproxy-service + - name: dataproxy port: 80 {{- end }} {{- if ((.Values.hooksService).enabled) }} @@ -161,11 +161,11 @@ spec: - method: {service: "cloudidl.workspace.WorkspaceRegistryService"} - method: {service: "cloudidl.workspace.WorkspaceInstanceService"} backendRefs: - - name: execution-service + - name: executions port: 80 {{- end }} {{- if ((.Values.unionv2).enabled) }} - # Union v2 workflow services (execution-service) + # Union v2 workflow services (executions) - matches: - method: {service: "cloudidl.workflow.RunService"} - method: {service: "cloudidl.workflow.InternalRunService"} 
@@ -176,13 +176,13 @@ spec: - method: {service: "flyteidl2.task.TaskService"} - method: {service: "flyteidl2.trigger.TriggerService"} backendRefs: - - name: execution-service + - name: executions port: 80 {{- if ((.Values.assistant).enabled) }} - matches: - method: {service: "cloudidl.workflow.AssistantService"} backendRefs: - - name: execution-service + - name: executions port: 80 {{- end }} {{- end }} diff --git a/charts/controlplane/templates/common/_httproute-protected.yaml b/charts/controlplane/templates/common/_httproute-protected.yaml index dcc8589d..97e706b1 100644 --- a/charts/controlplane/templates/common/_httproute-protected.yaml +++ b/charts/controlplane/templates/common/_httproute-protected.yaml @@ -31,27 +31,27 @@ spec: - path: {type: PathPrefix, value: "/api/v1/dataproxy"} - path: {type: PathPrefix, value: "/cloudidl.support.SupportService"} backendRefs: - - name: dataproxy-service + - name: dataproxy port: 81 - # Execution service HTTP + # Executions HTTP - matches: - path: {type: PathPrefix, value: "/app"} - path: {type: PathPrefix, value: "/apps"} - path: {type: PathPrefix, value: "/echo"} - path: {type: PathPrefix, value: "/execution"} backendRefs: - - name: execution-service + - name: executions port: 81 - # Cluster service HTTP + # Cluster HTTP - matches: - path: {type: PathPrefix, value: "/cluster"} - path: {type: PathPrefix, value: "/clusterpool"} - path: {type: PathPrefix, value: "/clusterconfig"} - path: {type: PathPrefix, value: "/managed_cluster"} backendRefs: - - name: cluster-service + - name: cluster port: 81 - # Identity service HTTP + # Identity HTTP - matches: - path: {type: PathPrefix, value: "/oauth_app"} - path: {type: PathPrefix, value: "/users"} 
@@ -60,41 +60,41 @@ spec: - path: {type: PathPrefix, value: "/policies"} - path: {type: PathPrefix, value: "/identities"} backendRefs: - - name: identity-service + - name: identity port: 81 - # Organizations service HTTP + # Organizations HTTP - matches: - path: {type: PathPrefix, value: "/org"} backendRefs: - - name: organizations-service + - name: organizations port: 81 - # Authorizer service HTTP + # Authorizer HTTP - matches: - path: {type: PathPrefix, value: "/authorizer"} backendRefs: - - name: authorizer-service + - name: authorizer port: 81 - # Usage service HTTP + # Usage HTTP - matches: - path: {type: PathPrefix, value: "/usage"} backendRefs: - - name: usage-service + - name: usage port: 81 {{- if ((.Values.artifacts).enabled) }} - # Artifacts service HTTP + # Artifacts HTTP - matches: - path: {type: PathPrefix, value: "/artifacts"} backendRefs: - - name: artifacts-service + - name: artifacts port: 81 {{- end }} {{- if ((.Values.workspaceService).enabled) }} - # Workspace service HTTP + # Workspace HTTP - matches: - path: {type: PathPrefix, value: "/workspace_registry"} - path: {type: PathPrefix, value: "/workspace_instance"} backendRefs: - - name: execution-service + - name: executions port: 81 {{- end }} {{- if (((.Values.dataproxy).prometheus).enabled) }} @@ -102,7 +102,7 @@ spec: - matches: - path: {type: PathPrefix, value: "/prometheus"} backendRefs: - - name: dataproxy-service + - name: dataproxy port: 81 {{- end }} # Console (React SPA) — /console, /dashboard, /resources, /cost, /loading From 115065b2421e312638a4954ccd87d1a0ccdaafb4 Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Tue, 24 Mar 2026 11:50:29 -0700 Subject: [PATCH 23/46] Removing unused services --- .../common/_grpcroute-protected.yaml | 25 ++----------------- .../common/_httproute-protected.yaml | 17 ------------- .../common/_httproute-unprotected.yaml | 6 +++-- 3 files changed, 6 insertions(+), 42 deletions(-) 
diff --git a/charts/controlplane/templates/common/_grpcroute-protected.yaml b/charts/controlplane/templates/common/_grpcroute-protected.yaml index a9745a6b..1d8fd90b 100644 --- a/charts/controlplane/templates/common/_grpcroute-protected.yaml +++ b/charts/controlplane/templates/common/_grpcroute-protected.yaml @@ -46,29 +46,6 @@ spec: backendRefs: - name: cluster port: 80 - # identity - - matches: - - method: {service: "cloudidl.apikey.APIKeyService"} - - method: {service: "cloudidl.identity.AppsService"} - - method: {service: "cloudidl.identity.UserService"} - - method: {service: "cloudidl.identity.MemberService"} - - method: {service: "cloudidl.identity.RoleService"} - - method: {service: "cloudidl.identity.PolicyService"} - - method: {service: "cloudidl.identity.IdentityService"} - backendRefs: - - name: identity - port: 83 - - matches: - - method: {service: "cloudidl.identity.SelfServe"} - backendRefs: - - name: identity - port: 80 - # organizations - - matches: - - method: {service: "cloudidl.org.OrgService"} - backendRefs: - - name: organizations - port: 83 # usage - matches: - method: {service: "cloudidl.usage.UsageService"} @@ -81,12 +58,14 @@ spec: backendRefs: - name: authorizer port: 83 + {{- if ((.Values.flyte.datacatalog).enabled) }} # datacatalog - matches: - method: {service: "datacatalog.DataCatalog"} backendRefs: - name: datacatalog port: 89 + {{- end }} # cacheservice - matches: - method: {service: "flyteidl.cacheservice.CacheService"} diff --git a/charts/controlplane/templates/common/_httproute-protected.yaml b/charts/controlplane/templates/common/_httproute-protected.yaml index 97e706b1..df21e93a 100644 --- a/charts/controlplane/templates/common/_httproute-protected.yaml +++ b/charts/controlplane/templates/common/_httproute-protected.yaml 
@@ -51,23 +51,6 @@ spec: backendRefs: - name: cluster port: 81 - # Identity HTTP - - matches: - - path: {type: PathPrefix, value: "/oauth_app"} - - path: {type: PathPrefix, value: "/users"} - - path: {type: PathPrefix, value: "/members"} - - path: {type: PathPrefix, value: "/roles"} - - path: {type: PathPrefix, value: "/policies"} - - path: {type: PathPrefix, value: "/identities"} - backendRefs: - - name: identity - port: 81 - # Organizations HTTP - - matches: - - path: {type: PathPrefix, value: "/org"} - backendRefs: - - name: organizations - port: 81 # Authorizer HTTP - matches: - path: {type: PathPrefix, value: "/authorizer"} diff --git a/charts/controlplane/templates/common/_httproute-unprotected.yaml b/charts/controlplane/templates/common/_httproute-unprotected.yaml index f2d6c20d..6094f157 100644 --- a/charts/controlplane/templates/common/_httproute-unprotected.yaml +++ b/charts/controlplane/templates/common/_httproute-unprotected.yaml @@ -78,16 +78,18 @@ spec: - matches: - path: {type: PathPrefix, value: "/enqueue_metronome_request/v1"} backendRefs: - - name: usage-service + - name: usage port: 81 - matches: - path: {type: PathPrefix, value: "/enqueue_stripe_request/v1"} backendRefs: - - name: usage-service + - name: usage port: 81 + {{- if ((.Values.hooksService).enabled) }} - matches: - path: {type: PathPrefix, value: "/okta_event_webhook/v1"} backendRefs: - name: hooks-service port: 81 + {{- end }} {{- end }} From 581ca34fe95ba359b71d39af254455e7b5a6ade9 Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Tue, 24 Mar 2026 15:04:41 -0700 Subject: [PATCH 24/46] Fix redis url --- charts/envoy-gateway-config/templates/redis.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/envoy-gateway-config/templates/redis.yaml b/charts/envoy-gateway-config/templates/redis.yaml index 518803dd..1ba2b96d 100644 --- a/charts/envoy-gateway-config/templates/redis.yaml +++ b/charts/envoy-gateway-config/templates/redis.yaml 
@@ -2,7 +2,7 @@ # Minimal Redis deployment for envoyproxy/ratelimit. # When config.envoyGateway.rateLimit.backend.redis.url is set, EG auto-deploys envoyproxy/ratelimit # in this namespace and expects a Redis instance at the configured URL. -# Service name: redis-ratelimit → URL: redis://redis-ratelimit.envoy-gateway-system.svc.cluster.local:6379 +# Service name: redis-ratelimit → URL: redis-ratelimit.envoy-gateway-system.svc.cluster.local:6379 apiVersion: apps/v1 kind: Deployment metadata: From 030785800c5981e7140c90a19fb6d6affe1ef4d4 Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Tue, 24 Mar 2026 15:19:29 -0700 Subject: [PATCH 25/46] Fixing backend traffic policy to merge rate limit and connenction timeout --- .../common/_backendtrafficpolicy.yaml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/charts/controlplane/templates/common/_backendtrafficpolicy.yaml b/charts/controlplane/templates/common/_backendtrafficpolicy.yaml index 52897bfc..6299aaf2 100644 --- a/charts/controlplane/templates/common/_backendtrafficpolicy.yaml +++ b/charts/controlplane/templates/common/_backendtrafficpolicy.yaml @@ -6,6 +6,9 @@ # requestTimeout applies to unary calls; maxStreamDuration applies to streaming calls. # "0s" for maxStreamDuration means no limit (equivalent to grpc_read_timeout 604800s on streaming routes). # Both protected and unprotected GRPCRoutes contain streaming methods so both get the same config. +# +# Rate limit is also included here (when enabled) because route-level BTPs override gateway-level ones, +# so the gateway-level rate-limit BTP below would be suppressed for these two GRPCRoutes without it. apiVersion: gateway.envoyproxy.io/v1alpha1 kind: BackendTrafficPolicy metadata: 
@@ -23,6 +26,19 @@ spec: requestTimeout: "1200s" # grpc_read_timeout 1200s (unary calls) maxStreamDuration: "0s" # no limit for streaming (grpc_read_timeout 604800s on streaming routes) http2: {} +{{- if .Values.envoyGateway.rateLimit.enabled }} + rateLimit: + type: Global + global: + rules: + - clientSelectors: + - sourceCIDR: + type: Distinct + value: "0.0.0.0/0" + limit: + requests: {{ .Values.envoyGateway.rateLimit.requestsPerUnit | default 100 }} + unit: {{ .Values.envoyGateway.rateLimit.unit | default "Second" }} +{{- end }} --- apiVersion: gateway.envoyproxy.io/v1alpha1 kind: BackendTrafficPolicy @@ -41,6 +57,19 @@ spec: requestTimeout: "1200s" # grpc_read_timeout 1200s (unary calls) maxStreamDuration: "0s" # no limit for WatchExecutionStatusUpdates streaming http2: {} +{{- if .Values.envoyGateway.rateLimit.enabled }} + rateLimit: + type: Global + global: + rules: + - clientSelectors: + - sourceCIDR: + type: Distinct + value: "0.0.0.0/0" + limit: + requests: {{ .Values.envoyGateway.rateLimit.requestsPerUnit | default 100 }} + unit: {{ .Values.envoyGateway.rateLimit.unit | default "Second" }} +{{- end }} {{- if .Values.envoyGateway.rateLimit.enabled }} --- # Global per-source-IP rate limit — replaces nginx.ingress.kubernetes.io/limit-rps annotation. From 30de1d85cfaee0299a59f8b655b7671ee2b1bf8a Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Wed, 25 Mar 2026 07:41:40 -0700 Subject: [PATCH 26/46] Bumping up the default value for rps --- .../templates/common/_backendtrafficpolicy.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/controlplane/templates/common/_backendtrafficpolicy.yaml b/charts/controlplane/templates/common/_backendtrafficpolicy.yaml index 6299aaf2..92fba89f 100644 --- a/charts/controlplane/templates/common/_backendtrafficpolicy.yaml +++ b/charts/controlplane/templates/common/_backendtrafficpolicy.yaml 
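Review bot: The same `rateLimit` stanza now appears three times in this file (both route-level policies in this hunk and the gateway-level policy below), and the three later commits that change the default each had to edit all three copies; move it into a named template and include it at each site so the rules cannot drift. The `| default 100` fallback is also effectively dead, because the chart's values.yaml always supplies `requestsPerUnit: 100` unless an override nulls it, so changing the template default does not change rendered output — keep the number in values.yaml only. The header comment explaining why route-level policies must repeat the rule is good; name the shared template there once it exists. The define wrapping this file starts and ends outside the hunk.
```yaml
{{- /* Per-source-IP global rate limit shared by every BackendTrafficPolicy in this file. */}}
{{- define "control-plane-library.rate-limit" -}}
rateLimit:
  type: Global
  global:
    rules:
    - clientSelectors:
      - sourceCIDR:
          type: Distinct
          value: "0.0.0.0/0"
      limit:
        requests: {{ .Values.envoyGateway.rateLimit.requestsPerUnit }}
        unit: {{ .Values.envoyGateway.rateLimit.unit }}
{{- end }}

# … unchanged: first BackendTrafficPolicy through `http2: {}` …
{{- if .Values.envoyGateway.rateLimit.enabled }}
{{ include "control-plane-library.rate-limit" . | indent 2 }}  # indent to match http2
{{- end }}
# … unchanged: second BackendTrafficPolicy, same include after its `http2: {}` …
```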
@@ -36,7 +36,7 @@ spec: type: Distinct value: "0.0.0.0/0" limit: - requests: {{ .Values.envoyGateway.rateLimit.requestsPerUnit | default 100 }} + requests: {{ .Values.envoyGateway.rateLimit.requestsPerUnit | default 200 }} unit: {{ .Values.envoyGateway.rateLimit.unit | default "Second" }} {{- end }} --- @@ -67,7 +67,7 @@ spec: type: Distinct value: "0.0.0.0/0" limit: - requests: {{ .Values.envoyGateway.rateLimit.requestsPerUnit | default 100 }} + requests: {{ .Values.envoyGateway.rateLimit.requestsPerUnit | default 200 }} unit: {{ .Values.envoyGateway.rateLimit.unit | default "Second" }} {{- end }} {{- if .Values.envoyGateway.rateLimit.enabled }} @@ -94,7 +94,7 @@ spec: type: Distinct value: "0.0.0.0/0" limit: - requests: {{ .Values.envoyGateway.rateLimit.requestsPerUnit | default 100 }} + requests: {{ .Values.envoyGateway.rateLimit.requestsPerUnit | default 200 }} unit: {{ .Values.envoyGateway.rateLimit.unit | default "Second" }} {{- end }} {{- end }} From 5df5c6d6589ec0ff738522e2d3a1d240ff37c845 Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Wed, 25 Mar 2026 08:12:16 -0700 Subject: [PATCH 27/46] Testing rate limiting --- .../templates/common/_backendtrafficpolicy.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/controlplane/templates/common/_backendtrafficpolicy.yaml b/charts/controlplane/templates/common/_backendtrafficpolicy.yaml index 92fba89f..b4b4c384 100644 --- a/charts/controlplane/templates/common/_backendtrafficpolicy.yaml +++ b/charts/controlplane/templates/common/_backendtrafficpolicy.yaml @@ -36,7 +36,7 @@ spec: type: Distinct value: "0.0.0.0/0" limit: - requests: {{ .Values.envoyGateway.rateLimit.requestsPerUnit | default 200 }} + requests: {{ .Values.envoyGateway.rateLimit.requestsPerUnit | default 10 }} unit: {{ .Values.envoyGateway.rateLimit.unit | default "Second" }} {{- end }} --- 
@@ -67,7 +67,7 @@ spec: type: Distinct value: "0.0.0.0/0" limit: - requests: {{ .Values.envoyGateway.rateLimit.requestsPerUnit | default 200 }} + requests: {{ .Values.envoyGateway.rateLimit.requestsPerUnit | default 10 }} unit: {{ .Values.envoyGateway.rateLimit.unit | default "Second" }} {{- end }} {{- if .Values.envoyGateway.rateLimit.enabled }} @@ -94,7 +94,7 @@ spec: type: Distinct value: "0.0.0.0/0" limit: - requests: {{ .Values.envoyGateway.rateLimit.requestsPerUnit | default 200 }} + requests: {{ .Values.envoyGateway.rateLimit.requestsPerUnit | default 10 }} unit: {{ .Values.envoyGateway.rateLimit.unit | default "Second" }} {{- end }} {{- end }} From 0df936c22afd556c57f30d220261dfa0bddf4741 Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Wed, 25 Mar 2026 08:32:45 -0700 Subject: [PATCH 28/46] Reverting rate limit rps back to desired value --- .../templates/common/_backendtrafficpolicy.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/controlplane/templates/common/_backendtrafficpolicy.yaml b/charts/controlplane/templates/common/_backendtrafficpolicy.yaml index b4b4c384..6299aaf2 100644 --- a/charts/controlplane/templates/common/_backendtrafficpolicy.yaml +++ b/charts/controlplane/templates/common/_backendtrafficpolicy.yaml @@ -36,7 +36,7 @@ spec: type: Distinct value: "0.0.0.0/0" limit: - requests: {{ .Values.envoyGateway.rateLimit.requestsPerUnit | default 10 }} + requests: {{ .Values.envoyGateway.rateLimit.requestsPerUnit | default 100 }} unit: {{ .Values.envoyGateway.rateLimit.unit | default "Second" }} {{- end }} --- @@ -67,7 +67,7 @@ spec: type: Distinct value: "0.0.0.0/0" limit: - requests: {{ .Values.envoyGateway.rateLimit.requestsPerUnit | default 10 }} + requests: {{ .Values.envoyGateway.rateLimit.requestsPerUnit | default 100 }} unit: {{ .Values.envoyGateway.rateLimit.unit | default "Second" }} {{- end }} {{- if .Values.envoyGateway.rateLimit.enabled }} 
@@ -94,7 +94,7 @@ spec: type: Distinct value: "0.0.0.0/0" limit: - requests: {{ .Values.envoyGateway.rateLimit.requestsPerUnit | default 10 }} + requests: {{ .Values.envoyGateway.rateLimit.requestsPerUnit | default 100 }} unit: {{ .Values.envoyGateway.rateLimit.unit | default "Second" }} {{- end }} {{- end }} From 5f32f598ba82b1d2a6203822f66cce365310f17b Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Wed, 25 Mar 2026 09:08:11 -0700 Subject: [PATCH 29/46] Cleaning up rate limit config --- charts/envoy-gateway-config/values.yaml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/charts/envoy-gateway-config/values.yaml b/charts/envoy-gateway-config/values.yaml index f4f5dd79..f7f08e0b 100644 --- a/charts/envoy-gateway-config/values.yaml +++ b/charts/envoy-gateway-config/values.yaml @@ -34,13 +34,6 @@ envoyGateway: - identity-auth # strips spoofable X-User-* headers, enforces credential validation - auth-proxy-cache # caches OAuth2 token responses for the auth-proxy token endpoint - # rateLimit controls whether BackendTrafficPolicy rate limit rules are rendered in the tenant chart. - # Set by Terraform alongside config.envoyGateway.rateLimit when rate_limit_redis_url is configured. - rateLimit: - enabled: false - requestsPerUnit: 100 - unit: Second - # identityAuth configures the identity-auth HCM filter. identityAuth: # bypassPaths lists path prefixes that skip credential validation. From afa97314810cc87cfe6f50fd6b8b570be54a24fe Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Wed, 25 Mar 2026 15:08:30 -0700 Subject: [PATCH 30/46] Fixing grpc routes for self-managed/hosted to match ingress-nginx --- .../common/_grpcroute-protected.yaml | 32 ++++++++++++++++--- 1 file changed, 28 insertions(+), 4 deletions(-) diff --git a/charts/controlplane/templates/common/_grpcroute-protected.yaml b/charts/controlplane/templates/common/_grpcroute-protected.yaml index 1d8fd90b..9772bdfa 100644 --- a/charts/controlplane/templates/common/_grpcroute-protected.yaml 
+++ b/charts/controlplane/templates/common/_grpcroute-protected.yaml @@ -1,5 +1,4 @@ {{- define "control-plane-library.grpcroute-protected" }} -# NOTE: Auth enforcement (SecurityPolicy/ExtAuthz) is added in M2. # Consolidates nginx protected-grpc, protected-grpc-streaming, apps-protected, # and protected-grpc-high-tput ingresses. GRPCRoute service-level matches # cover all methods; specific-method matches are used where routes vary by method. @@ -32,6 +31,10 @@ spec: - method: {service: "cloudidl.execution.ExecutionService"} - method: {service: "cloudidl.echo.EchoService"} - method: {service: "cloudidl.app.AppService"} + - method: {service: "cloudidl.workflow.RunLogsService"} + - method: {service: "cloudidl.workflow.TranslatorService"} + - method: {service: "flyteidl2.app.AppService"} + - method: {service: "flyteidl2.workflow.RunLogsService"} backendRefs: - name: executions port: 80 @@ -46,6 +49,29 @@ spec: backendRefs: - name: cluster port: 80 + # identity + - matches: + - method: {service: "cloudidl.apikey.APIKeyService"} + - method: {service: "cloudidl.identity.AppsService"} + - method: {service: "cloudidl.identity.UserService"} + - method: {service: "cloudidl.identity.MemberService"} + - method: {service: "cloudidl.identity.RoleService"} + - method: {service: "cloudidl.identity.PolicyService"} + - method: {service: "cloudidl.identity.IdentityService"} + backendRefs: + - name: identity + port: 83 + - matches: + - method: {service: "cloudidl.identity.SelfServe"} + backendRefs: + - name: identity + port: 80 + # organizations + - matches: + - method: {service: "cloudidl.org.OrgService"} + backendRefs: + - name: organizations + port: 83 # usage - matches: - method: {service: "cloudidl.usage.UsageService"} 
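Review bot: The new `# identity` rules send most `cloudidl.identity.*` services to `identity` port 83 but `cloudidl.identity.SelfServe` to port 80, and nothing in the hunk says why the ports differ; a one-line comment giving the reason (e.g. `# SelfServe intentionally targets identity:80, all other identity services identity:83 — <reason>`) keeps the next edit from "fixing" it. The first hunk of this patch drops the `NOTE: Auth enforcement ... M2` line without a replacement, so the protected GRPCRoute no longer states what protects it; since no per-route SecurityPolicy appears here and auth appears to come from the identity-auth golang HCM filter injected by envoy-gateway-config's EnvoyPatchPolicy, consider `# Auth is enforced by the identity-auth HCM filter (envoy-gateway-config EnvoyPatchPolicy), not by a per-route SecurityPolicy.` at the top of the define. The `spec.rules` list and the define continue past the hunk.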
@@ -58,14 +84,12 @@ spec: backendRefs: - name: authorizer port: 83 - {{- if ((.Values.flyte.datacatalog).enabled) }} # datacatalog - matches: - method: {service: "datacatalog.DataCatalog"} backendRefs: - name: datacatalog port: 89 - {{- end }} # cacheservice - matches: - method: {service: "flyteidl.cacheservice.CacheService"} @@ -77,13 +101,13 @@ spec: - matches: - method: {service: "cloudidl.actor.ActorEnvironmentService"} - method: {service: "cloudidl.agent.AgentService"} + - method: {service: "cloudidl.support.SupportService"} - method: {service: "cloudidl.clouddataproxy.CloudDataProxyService"} - method: {service: "flyteidl.service.DataProxyService"} - method: {service: "flyteidl2.dataproxy.DataProxyService"} - method: {service: "cloudidl.logs.LogsService"} - method: {service: "cloudidl.app.AppLogsService"} - method: {service: "cloudidl.app.ReplicaService"} - - method: {service: "flyteidl2.app.AppService"} - method: {service: "flyteidl2.app.AppLogsService"} - method: {service: "flyteidl2.app.ReplicaService"} backendRefs: From 5ff7c7f60e8431f602d283a2f3db2de9293644df Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Thu, 26 Mar 2026 10:17:43 -0700 Subject: [PATCH 31/46] Fixing control plane auth plugins deployment --- .../templates/envoyproxy.yaml | 24 +++++++++++++++++++ charts/envoy-gateway-config/values.yaml | 17 ++++++++++++- 2 files changed, 40 insertions(+), 1 deletion(-) diff --git a/charts/envoy-gateway-config/templates/envoyproxy.yaml b/charts/envoy-gateway-config/templates/envoyproxy.yaml index cc8b55b0..01aca20f 100644 --- a/charts/envoy-gateway-config/templates/envoyproxy.yaml +++ b/charts/envoy-gateway-config/templates/envoyproxy.yaml 
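Review bot: Removing the `{{- if ((.Values.flyte.datacatalog).enabled) }}` guard makes the `datacatalog.DataCatalog` rule render unconditionally, so a deployment with datacatalog disabled now carries a backendRef to a Service that does not exist; Gateway API implementations mark that rule `ResolvedRefs=False` and answer matching requests with 500 rather than falling through. If ingress-nginx parity is the goal and datacatalog is always deployed, say so where the guard was, `# datacatalog — always rendered; the Service is unconditional in this chart`, otherwise keep the guard. The define continues outside the hunk.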
@@ -22,3 +22,27 @@ spec: # Disable Linkerd sidecar injection — Envoy is itself a proxy; # double-proxying causes routing conflicts. linkerd.io/inject: disabled + {{- if .Values.envoyGateway.envoyDeployment.pluginImage }} + volumes: + - name: envoy-plugins + emptyDir: {} + initContainers: + - name: envoy-plugins + image: {{ .Values.envoyGateway.envoyDeployment.pluginImage }} + command: ["sh", "-c", "cp /lib/*.so /mnt/lib/"] + volumeMounts: + - name: envoy-plugins + mountPath: /mnt/lib + {{- end }} + {{- if or .Values.envoyGateway.envoyDeployment.pluginImage .Values.envoyGateway.envoyDeployment.container.env }} + container: + {{- if .Values.envoyGateway.envoyDeployment.pluginImage }} + volumeMounts: + - name: envoy-plugins + mountPath: /lib + {{- end }} + {{- if .Values.envoyGateway.envoyDeployment.container.env }} + env: + {{- toYaml .Values.envoyGateway.envoyDeployment.container.env | nindent 12 }} + {{- end }} + {{- end }} diff --git a/charts/envoy-gateway-config/values.yaml b/charts/envoy-gateway-config/values.yaml index f7f08e0b..1ecaa4d8 100644 --- a/charts/envoy-gateway-config/values.yaml +++ b/charts/envoy-gateway-config/values.yaml @@ -12,7 +12,9 @@ redis: # Passed through to the gateway-helm EnvoyGateway CR via the config.envoyGateway values key. # When rateLimit.backend.redis.url is set, EG auto-deploys envoyproxy/ratelimit in envoy-gateway-system. config: - envoyGateway: {} + envoyGateway: + extensionApis: + enableEnvoyPatchPolicy: true envoyGateway: # GatewayClass name — must match what controlplane Helm templates reference via global.GATEWAY_CLASS_NAME. 
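Review bot: `extensionApis.enableEnvoyPatchPolicy: true` enables an escape hatch that lets any EnvoyPatchPolicy in the cluster rewrite the generated xDS, and the surrounding comment only explains the rateLimit redis passthrough; record why it is needed, `# enableEnvoyPatchPolicy is required so templates/envoy-patch-policy.yaml can inject the control-plane-auth golang HCM filter; it allows EnvoyPatchPolicy objects to rewrite generated xDS, so keep write access to that CRD restricted.` The init-container approach in the first hunk mounts the emptyDir over `/lib` in the proxy container, which shadows the image's own `/lib`; patch 32 on the later lines replaces it with an image override, so no change is needed there beyond the comment. The `spec.provider.kubernetes` block begins outside the hunk.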
@@ -28,6 +30,19 @@ envoyGateway: # Omitted when null. loadBalancerClass: null + # envoyDeployment configures the Envoy proxy fleet managed by EG. + # pluginImage: init-container image built from Dockerfile.envoy-plugins-lite. + # When set, an init container copies /lib/*.so from this image into a shared + # emptyDir volume that the Envoy proxy mounts at /lib/, making the plugins + # available to the EnvoyPatchPolicy golang filter configuration. + # Leave empty to skip plugin injection (no auth filters loaded). + # container.env: extra env vars injected into the proxy container. + # CONTROL_PLANE_AUTHZ_AUTH_URL is required when pluginImage is set. + envoyDeployment: + pluginImage: "" + container: + env: [] + # httpFilters lists the plugin_name values to inject into the Envoy HCM filter chain, in order. # All plugins must be registered in /lib/control-plane-auth.so. httpFilters: From eaf5e12ecbc7f4458c2d53ecbbdae4640a8fd373 Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Thu, 26 Mar 2026 13:11:45 -0700 Subject: [PATCH 32/46] Fixing filter plugins...I hope --- .../templates/envoyproxy.yaml | 16 +--------------- charts/envoy-gateway-config/values.yaml | 12 +++++++----- 2 files changed, 8 insertions(+), 20 deletions(-) diff --git a/charts/envoy-gateway-config/templates/envoyproxy.yaml b/charts/envoy-gateway-config/templates/envoyproxy.yaml index 01aca20f..ad1735ad 100644 --- a/charts/envoy-gateway-config/templates/envoyproxy.yaml +++ b/charts/envoy-gateway-config/templates/envoyproxy.yaml 
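Review bot: `container.env` is passed through `toYaml` into the EnvoyProxy CR and from there into the generated proxy Deployment, so any literal value given here is readable by anyone who can read the CR; the comment should say that sensitive values belong in `valueFrom.secretKeyRef` entries, e.g. `# Use valueFrom.secretKeyRef for anything sensitive; literal values are copied into the EnvoyProxy CR.` The same comment names `CONTROL_PLANE_AUTHZ_AUTH_URL` as required, while patch 33 further down renames it to `CONTROL_PLANE_AUTHZ_AUTHURL`; settle on the spelling the filter actually reads before it is documented twice. The `envoyGateway` mapping begins outside the hunk.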
@@ -22,24 +22,10 @@ spec: # Disable Linkerd sidecar injection — Envoy is itself a proxy; # double-proxying causes routing conflicts. linkerd.io/inject: disabled - {{- if .Values.envoyGateway.envoyDeployment.pluginImage }} - volumes: - - name: envoy-plugins - emptyDir: {} - initContainers: - - name: envoy-plugins - image: {{ .Values.envoyGateway.envoyDeployment.pluginImage }} - command: ["sh", "-c", "cp /lib/*.so /mnt/lib/"] - volumeMounts: - - name: envoy-plugins - mountPath: /mnt/lib - {{- end }} {{- if or .Values.envoyGateway.envoyDeployment.pluginImage .Values.envoyGateway.envoyDeployment.container.env }} container: {{- if .Values.envoyGateway.envoyDeployment.pluginImage }} - volumeMounts: - - name: envoy-plugins - mountPath: /lib + image: {{ .Values.envoyGateway.envoyDeployment.pluginImage }} {{- end }} {{- if .Values.envoyGateway.envoyDeployment.container.env }} env: diff --git a/charts/envoy-gateway-config/values.yaml b/charts/envoy-gateway-config/values.yaml index 1ecaa4d8..32c8486a 100644 --- a/charts/envoy-gateway-config/values.yaml +++ b/charts/envoy-gateway-config/values.yaml 
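Review bot: The `pluginImage` branch now swaps the whole proxy image, but nothing enforces the companion requirement stated in values.yaml that the authorizer URL be present in `container.env`, so a misconfigured release presumably ships a proxy whose auth filter has nowhere to send credentials. A render-time guard fails fast instead: `{{- if and .Values.envoyGateway.envoyDeployment.pluginImage (not .Values.envoyGateway.envoyDeployment.container.env) }}{{ fail "envoyGateway.envoyDeployment.container.env must set the authorizer URL when pluginImage is set" }}{{- end }}` placed before the `container:` block. The image value is also rendered unquoted; `image: {{ .Values.envoyGateway.envoyDeployment.pluginImage | quote }}` matches the `hostname` rendering in the gateway template and keeps tag or digest strings from being re-typed. The `spec` block begins outside the hunk.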
@@ -31,11 +31,13 @@ envoyGateway: loadBalancerClass: null # envoyDeployment configures the Envoy proxy fleet managed by EG. - # pluginImage: init-container image built from Dockerfile.envoy-plugins-lite. - # When set, an init container copies /lib/*.so from this image into a shared - # emptyDir volume that the Envoy proxy mounts at /lib/, making the plugins - # available to the EnvoyPatchPolicy golang filter configuration. - # Leave empty to skip plugin injection (no auth filters loaded). + # pluginImage: custom Envoy proxy image built from Dockerfile.envoy-plugins-lite + # (contrib Envoy + control-plane-auth.so baked in). Set by the internal selfmanaged + # pipeline in the gitops values file at: + # selfmanaged-internal/envoy-gateway/{env}/{org}/values.yaml + # Must be a contrib-variant image — the standard distroless image does not include + # the envoy.filters.http.golang extension required by the EnvoyPatchPolicy. + # Leave empty to use the EG-managed default image (no Go filter support). # container.env: extra env vars injected into the proxy container. # CONTROL_PLANE_AUTHZ_AUTH_URL is required when pluginImage is set. envoyDeployment: From 1d7bc3ed3d26ef5e6d75c3ef4fea29fd97e29dbe Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Fri, 27 Mar 2026 09:18:30 -0700 Subject: [PATCH 33/46] Updating the comment in values files --- charts/envoy-gateway-config/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/envoy-gateway-config/values.yaml b/charts/envoy-gateway-config/values.yaml index 32c8486a..324f4127 100644 --- a/charts/envoy-gateway-config/values.yaml +++ b/charts/envoy-gateway-config/values.yaml 
@@ -31,7 +31,7 @@ envoyGateway: loadBalancerClass: null # envoyDeployment configures the Envoy proxy fleet managed by EG. - # pluginImage: custom Envoy proxy image built from Dockerfile.envoy-plugins-lite + # pluginImage: custom Envoy proxy image built from Dockerfile.envoy-plugins-ingress # (contrib Envoy + control-plane-auth.so baked in). Set by the internal selfmanaged # pipeline in the gitops values file at: # selfmanaged-internal/envoy-gateway/{env}/{org}/values.yaml @@ -39,7 +39,7 @@ envoyGateway: # the envoy.filters.http.golang extension required by the EnvoyPatchPolicy. # Leave empty to use the EG-managed default image (no Go filter support). # container.env: extra env vars injected into the proxy container. - # CONTROL_PLANE_AUTHZ_AUTH_URL is required when pluginImage is set. + # CONTROL_PLANE_AUTHZ_AUTHURL is required when pluginImage is set. envoyDeployment: pluginImage: "" container: From 4a377e323d10f04d2b8354790c6dd5e7e8ab679c Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Fri, 27 Mar 2026 09:22:44 -0700 Subject: [PATCH 34/46] Cleaning up the values files --- charts/controlplane/values.yaml | 21 ++++++++------------- 1 file changed, 8 insertions(+), 13 deletions(-) diff --git a/charts/controlplane/values.yaml b/charts/controlplane/values.yaml index 31f0313f..d52e03b0 100644 --- a/charts/controlplane/values.yaml +++ b/charts/controlplane/values.yaml 
@@ -51,22 +51,9 @@ global: # Contact Union for controlplane access and distribution. IMAGE_REPOSITORY_PREFIX: "643379628101.dkr.ecr.us-east-1.amazonaws.com/union-cp" - # Authorization type for RBAC. Set to "union" to enable UserClouds-based authorization. - # Controls union-authz pod deployment and all four authorizer blocks (union services, - # flyteadmin, cacheservice). Leave empty or set to "noop" to disable (default). - # Visible to subcharts (flyte-core) via global scope. - AUTHZ_TYPE: "" # Ingress controller provider. Options: "nginx", "envoy", "both" INGRESS_PROVIDER: nginx -envoyGateway: - # GatewayClass name for Envoy Gateway. Used when INGRESS_PROVIDER is "envoy" or "both". - gatewayClassName: envoy - rateLimit: - enabled: false - requestsPerUnit: 100 - unit: Second - # OAuth2 client ID for service-to-service authentication (client_credentials flow). # Services use this to acquire tokens for internal calls through nginx. # Example: "0oa3xyz4abc5def6g7h8" @@ -262,6 +249,14 @@ ingress: nginx.ingress.kubernetes.io/auth-response-headers: "Set-Cookie,X-User-Subject,X-User-Claim-Identitytype,X-User-Claim-Preferred-Username,X-User-Token" nginx.ingress.kubernetes.io/auth-cache-key: "$http_authorization$http_flyte_authorization$http_cookie" +envoyGateway: + # GatewayClass name for Envoy Gateway. Used when INGRESS_PROVIDER is "envoy" or "both". + gatewayClassName: envoy + rateLimit: + enabled: false + requestsPerUnit: 100 + unit: Second + # -- Central logging configuration. All controlplane services pull their log level from here. # Go services use level 1–6 (1=least verbose, 6=most verbose; 4=INFO, 6=DEBUG). # Log format options: json, text, gcp From 834b5b835be1fa63398c78b3db5bfc5678b7e2f1 Mon Sep 17 00:00:00 2001 
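Review bot: Deleting `global.AUTHZ_TYPE` removes a key whose own comment says an empty value disables authorization (`noop`), so if any template or the flyte-core subchart still reads `.Values.global.AUTHZ_TYPE`, this cleanup silently selects the no-op authorizer in every environment that relied on the chart default; the diffstat shows only values.yaml changed, so please confirm the references were removed earlier in the series or that each environment values file sets the key. The `envoyGateway` move is a pure relocation, but since the copy in envoy-gateway-config was removed in patch 29 this block is now the single source for the `_backendtrafficpolicy.yaml` defaults and could say so: `# rateLimit is consumed by templates/common/_backendtrafficpolicy.yaml`. The `global` mapping and the `ingress` block both start outside the hunks.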
From: Laura Barton Date: Fri, 27 Mar 2026 13:01:08 -0700 Subject: [PATCH 35/46] Giving gateway service a consistent name --- charts/envoy-gateway-config/templates/envoyproxy.yaml | 3 +++ charts/envoy-gateway-config/values.yaml | 5 +++++ 2 files changed, 8 insertions(+) diff --git a/charts/envoy-gateway-config/templates/envoyproxy.yaml b/charts/envoy-gateway-config/templates/envoyproxy.yaml index ad1735ad..5cf75569 100644 --- a/charts/envoy-gateway-config/templates/envoyproxy.yaml +++ b/charts/envoy-gateway-config/templates/envoyproxy.yaml @@ -9,6 +9,9 @@ spec: kubernetes: envoyService: type: LoadBalancer + {{- if .Values.envoyGateway.proxyServiceName }} + name: {{ .Values.envoyGateway.proxyServiceName }} + {{- end }} {{- if .Values.envoyGateway.loadBalancerClass }} loadBalancerClass: {{ .Values.envoyGateway.loadBalancerClass }} {{- end }} diff --git a/charts/envoy-gateway-config/values.yaml b/charts/envoy-gateway-config/values.yaml index 324f4127..04d9a7d2 100644 --- a/charts/envoy-gateway-config/values.yaml +++ b/charts/envoy-gateway-config/values.yaml @@ -26,6 +26,11 @@ envoyGateway: # Annotations applied to the Envoy fleet LoadBalancer Service (provider-specific NLB config). serviceAnnotations: {} + # proxyServiceName overrides the EG-generated Service name (which includes an unpredictable hash + # suffix in EG v1.2+). Setting a stable name allows CONTROLPLANE_INTRA_CLUSTER_HOST to be + # derived deterministically: .envoy-gateway-system.svc.cluster.local + proxyServiceName: envoy-controlplane + # loadBalancerClass sets spec.loadBalancerClass on the envoy fleet Service (e.g. eks.amazonaws.com/nlb). # Omitted when null. loadBalancerClass: null From afb1c61d98623397ea8ef917a3941cea33608ec4 Mon Sep 17 00:00:00 2001 
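Review bot: `name: {{ .Values.envoyGateway.proxyServiceName }}` is rendered unquoted while neighbouring template code quotes scalars (`hostname: {{ $intraHost | quote }}` in the gateway template); use `name: {{ .Values.envoyGateway.proxyServiceName | quote }}` so an override is never re-typed by the YAML parser. The values comment in the second hunk says the stable name feeds `CONTROLPLANE_INTRA_CLUSTER_HOST`, and its example host appears to have lost the service-name placeholder in front of `.envoy-gateway-system.svc.cluster.local`; restore it, e.g. `# <proxyServiceName>.envoy-gateway-system.svc.cluster.local`. The `spec.provider.kubernetes.envoyService` block starts outside the hunk.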
From: Laura Barton Date: Fri, 27 Mar 2026 15:27:43 -0700 Subject: [PATCH 36/46] Adding self-signed cert and route for handling intra cluster communication --- .../controlplane/templates/common/_gateway.yaml | 16 ++++++++++++++++ .../templates/common/_grpcroute-protected.yaml | 5 +++++ .../templates/common/_grpcroute-unprotected.yaml | 5 +++++ 3 files changed, 26 insertions(+) diff --git a/charts/controlplane/templates/common/_gateway.yaml b/charts/controlplane/templates/common/_gateway.yaml index 4d66ccef..d488ebbe 100644 --- a/charts/controlplane/templates/common/_gateway.yaml +++ b/charts/controlplane/templates/common/_gateway.yaml @@ -29,4 +29,20 @@ spec: namespace: {{ .Values.global.TLS_SECRET_NAMESPACE }} name: {{ .Values.global.TLS_SECRET_NAME }} {{- end }} + {{- $intraHost := .Values.global.CONTROLPLANE_INTRA_CLUSTER_HOST }} + {{- if and $intraHost (ne $intraHost .Values.global.UNION_HOST) }} + {{- /* Intra-cluster TLS listener: dataplane operator and CP services connect using + CONTROLPLANE_INTRA_CLUSTER_HOST as SNI. EG routes by SNI so both listeners share + port 443 without conflict. A self-signed cert is used; clients set insecureSkipVerify=true. + Not rendered when CONTROLPLANE_INTRA_CLUSTER_HOST equals UNION_HOST (duplicate hostname). */ -}} + - name: https-intracluster + protocol: HTTPS + port: 443 + hostname: {{ $intraHost | quote }} + tls: + mode: Terminate + certificateRefs: + - kind: Secret + name: controlplane-intracluster-tls-secret + {{- end }} {{- end }} diff --git a/charts/controlplane/templates/common/_grpcroute-protected.yaml b/charts/controlplane/templates/common/_grpcroute-protected.yaml index 9772bdfa..4a9cbbfc 100644 --- a/charts/controlplane/templates/common/_grpcroute-protected.yaml +++ b/charts/controlplane/templates/common/_grpcroute-protected.yaml 
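Review bot: The intra-cluster listener terminates TLS with a self-signed certificate and the comment tells clients to set `insecureSkipVerify=true`, which disables server authentication for every in-cluster caller of this hostname; the better fit is to have clients trust the issuing certificate (distributed from the same Secret or a ConfigMap) so SNI-based routing keeps a verified server identity, and the comment should recommend that rather than normalising skip-verify. `controlplane-intracluster-tls-secret` is referenced but this patch's diffstat creates no Secret or Certificate, so unless it is provisioned elsewhere the listener will sit at `ResolvedRefs=False`; name the producer, e.g. `# Secret is created by <component> (TODO: reference)`. The explanatory comment is deleted again in patch 37 below, leaving the listener with no stated rationale; keep at least `# Intra-cluster HTTPS listener; EG routes by SNI so it shares port 443 with the public listener.` The `listeners` list and the define begin outside the hunk.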
@@ -13,6 +13,11 @@ spec: namespace: {{ template "flyte.namespace" . }} hostnames: - {{ .Values.global.UNION_HOST | quote }} + {{- with .Values.global.CONTROLPLANE_INTRA_CLUSTER_HOST }} + {{- if ne . $.Values.global.UNION_HOST }} + - {{ . | quote }} + {{- end }} + {{- end }} rules: # flyteadmin — protected gRPC (AdminService, ProjectService, IdentityService, etc.) - matches: diff --git a/charts/controlplane/templates/common/_grpcroute-unprotected.yaml b/charts/controlplane/templates/common/_grpcroute-unprotected.yaml index 9c566cfc..ec3bc0cc 100644 --- a/charts/controlplane/templates/common/_grpcroute-unprotected.yaml +++ b/charts/controlplane/templates/common/_grpcroute-unprotected.yaml @@ -15,6 +15,11 @@ spec: {{- if .Values.flyte.common.ingress.isServerless }} - {{ .Values.flyte.common.ingress.serverlessVanityHost | quote }} {{- end }} + {{- with .Values.global.CONTROLPLANE_INTRA_CLUSTER_HOST }} + {{- if ne . $.Values.global.UNION_HOST }} + - {{ . | quote }} + {{- end }} + {{- end }} rules: - matches: - method: From a03985de1235593822b9eee98ccdeacccc9fb3d1 Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Fri, 27 Mar 2026 15:34:55 -0700 Subject: [PATCH 37/46] Removing comment --- charts/controlplane/templates/common/_gateway.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/charts/controlplane/templates/common/_gateway.yaml b/charts/controlplane/templates/common/_gateway.yaml index d488ebbe..cb9f9bda 100644 --- a/charts/controlplane/templates/common/_gateway.yaml +++ b/charts/controlplane/templates/common/_gateway.yaml 
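Review bot: The `with .Values.global.CONTROLPLANE_INTRA_CLUSTER_HOST` / `if ne . $.Values.global.UNION_HOST` block is copied verbatim into `_grpcroute-protected.yaml` and `_grpcroute-unprotected.yaml` here, and appears as `$intraHost` in `_gateway.yaml`, while the HTTPRoute templates in the same directory are not touched; a named helper such as `{{- include "control-plane-library.intraClusterHostnames" . | nindent 4 }}` keeps the three conditions in step and makes the HTTPRoute omission a deliberate choice rather than an accident. Adding the host to the protected route also exposes every protected gRPC service on the `https-intracluster` listener; if the identity-auth filter is attached per listener rather than per proxy, confirm it covers that listener too. Both `spec` blocks start outside the hunks.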
@@ -31,10 +31,6 @@ spec: {{- end }} {{- $intraHost := .Values.global.CONTROLPLANE_INTRA_CLUSTER_HOST }} {{- if and $intraHost (ne $intraHost .Values.global.UNION_HOST) }} - {{- /* Intra-cluster TLS listener: dataplane operator and CP services connect using - CONTROLPLANE_INTRA_CLUSTER_HOST as SNI. EG routes by SNI so both listeners share - port 443 without conflict. A self-signed cert is used; clients set insecureSkipVerify=true. - Not rendered when CONTROLPLANE_INTRA_CLUSTER_HOST equals UNION_HOST (duplicate hostname). */ -}} - name: https-intracluster protocol: HTTPS port: 443 From 1b500fef7d23c8a68509cecce9b9deea9cb7e546 Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Fri, 27 Mar 2026 17:31:56 -0700 Subject: [PATCH 38/46] Adding loginUrl for redirect --- .../controlplane/templates/common/_httproute-protected.yaml | 5 ++--- .../envoy-gateway-config/templates/envoy-patch-policy.yaml | 3 ++- charts/envoy-gateway-config/values.yaml | 5 +++++ 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/charts/controlplane/templates/common/_httproute-protected.yaml b/charts/controlplane/templates/common/_httproute-protected.yaml index df21e93a..4eb263f6 100644 --- a/charts/controlplane/templates/common/_httproute-protected.yaml +++ b/charts/controlplane/templates/common/_httproute-protected.yaml 
@@ -88,22 +88,21 @@ spec: - name: dataproxy port: 81 {{- end }} - # Console (React SPA) — /console, /dashboard, /resources, /cost, /loading + # Console (React SPA) — /console, /dashboard, /resources, /cost, /loading, and root catch-all - matches: - path: {type: PathPrefix, value: "/console"} - path: {type: PathPrefix, value: "/dashboard"} - path: {type: PathPrefix, value: "/resources"} - path: {type: PathPrefix, value: "/cost"} - path: {type: PathPrefix, value: "/loading"} + - path: {type: PathPrefix, value: "/"} backendRefs: - name: flyteconsole port: 80 - {{- if ((.Values.unionv2).enabled) }} # Union v2 console - matches: - path: {type: PathPrefix, value: "/v2"} backendRefs: - name: unionconsole port: 80 - {{- end }} {{- end }} diff --git a/charts/envoy-gateway-config/templates/envoy-patch-policy.yaml b/charts/envoy-gateway-config/templates/envoy-patch-policy.yaml index a552ce28..fe84026b 100644 --- a/charts/envoy-gateway-config/templates/envoy-patch-policy.yaml +++ b/charts/envoy-gateway-config/templates/envoy-patch-policy.yaml @@ -23,10 +23,11 @@ spec: library_id: control-plane-auth library_path: /lib/control-plane-auth.so plugin_name: {{ $pluginName }} - {{- if and (eq $pluginName "identity-auth") $.Values.envoyGateway.identityAuth.bypassPaths }} + {{- if eq $pluginName "identity-auth" }} plugin_config: "@type": type.googleapis.com/xds.type.v3.TypedStruct value: + loginURL: {{ $.Values.envoyGateway.identityAuth.loginURL | quote }} bypassPaths: {{- range $.Values.envoyGateway.identityAuth.bypassPaths }} - {{ . | quote }} diff --git a/charts/envoy-gateway-config/values.yaml b/charts/envoy-gateway-config/values.yaml index 04d9a7d2..b9fbe4b1 100644 --- a/charts/envoy-gateway-config/values.yaml +++ b/charts/envoy-gateway-config/values.yaml 
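Review bot: The new `PathPrefix "/"` catch-all sits above the `/v2` rule in the same HTTPRoute and nothing in the hunk says the ordering is irrelevant; Gateway API selects the longest matching PathPrefix across rules, so `/v2` still reaches `unionconsole`, but a one-line comment saves the next reader from reordering, e.g. `# "/" is a catch-all; longer PathPrefix matches (e.g. /v2 below and the unprotected HTTPRoute's paths) take precedence per Gateway API matching rules.` Placing the catch-all on the protected route is the right default because unmatched paths then require auth instead of falling open, and that intent is worth stating explicitly. The define continues outside the hunk.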
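Review bot: Replacing `and (eq $pluginName "identity-auth") ...bypassPaths` with `eq $pluginName "identity-auth"` means `plugin_config` is now emitted even when `bypassPaths` is empty, and `bypassPaths:` followed by a zero-iteration `range` renders as a YAML null rather than an empty list; whether the filter treats null as "no bypass" or as a config error depends on the plugin's decoder, so emit it explicitly, `bypassPaths: {{ $.Values.envoyGateway.identityAuth.bypassPaths | default list | toJson }}`. `loginURL` is rendered with `quote`, which is right; an empty value now yields `loginURL: ""`, which the values comment defines as "401, no redirect", and that mapping should be noted beside the field here as well. The `spec` block starts outside the hunk.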
@@ -58,6 +58,11 @@ envoyGateway: # identityAuth configures the identity-auth HCM filter. identityAuth: + # loginURL is the path unauthenticated browser GET requests are redirected to. + # Mirrors nginx's auth-signin annotation: redirects to ?redirect_url=. + # Leave empty to return 401 for all unauthenticated requests (no redirect). + loginURL: "/login" + # bypassPaths lists path prefixes that skip credential validation. # Identity headers (X-User-*) are still stripped on these paths to prevent spoofing. # Mirrors the paths in the unprotected HTTPRoute and GRPCRoute templates. From 947ffc91baee0b8dde4f86d330c8c95f0a1dcdd7 Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Mon, 30 Mar 2026 10:10:20 -0700 Subject: [PATCH 39/46] Removing v2 gating --- charts/controlplane/templates/common/_grpcroute-protected.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/charts/controlplane/templates/common/_grpcroute-protected.yaml b/charts/controlplane/templates/common/_grpcroute-protected.yaml index 4a9cbbfc..2dab2ab8 100644 --- a/charts/controlplane/templates/common/_grpcroute-protected.yaml +++ b/charts/controlplane/templates/common/_grpcroute-protected.yaml @@ -172,7 +172,6 @@ spec: - name: executions port: 80 {{- end }} - {{- if ((.Values.unionv2).enabled) }} # Union v2 workflow services (executions) - matches: - method: {service: "cloudidl.workflow.RunService"} @@ -193,5 +192,4 @@ spec: - name: executions port: 80 {{- end }} - {{- end }} {{- end }} From 3d3d179a7bf964b7b0ef52f0be9469a4703a72e9 Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Mon, 30 Mar 2026 11:21:23 -0700 Subject: [PATCH 40/46] Updating tests --- .../controlplane.aws.billing-enable.yaml | 699 ++++++++++++++++++ tests/generated/controlplane.aws.yaml | 699 ++++++++++++++++++ tests/generated/controlplane.userclouds.yaml | 699 ++++++++++++++++++ 3 files changed, 2097 insertions(+) 
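Review bot: `loginURL: "/login"` is a redirect target for unauthenticated browser requests, but the comment does not say that the path must itself be in `bypassPaths`; if `/login` is not bypassed, an unauthenticated GET to it is redirected to itself. Add `# Must be covered by bypassPaths below, otherwise unauthenticated requests to it redirect in a loop.` and, because the filter appends a `redirect_url` parameter per the comment, note that the plugin should only accept a relative, same-origin `redirect_url` so the login page cannot serve as an open redirect (verify this in the filter code, which is not part of this chart). The `identityAuth` mapping continues outside the hunk.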
diff --git a/tests/generated/controlplane.aws.billing-enable.yaml b/tests/generated/controlplane.aws.billing-enable.yaml index 4baab42c..70441d10 100644 --- a/tests/generated/controlplane.aws.billing-enable.yaml +++ b/tests/generated/controlplane.aws.billing-enable.yaml @@ -170,6 +170,19 @@ spec: app.kubernetes.io/name: usage app.kubernetes.io/instance: release-name --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: envoy-gateway + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +--- # Source: controlplane/charts/flyte/templates/admin/rbac.yaml apiVersion: v1 kind: ServiceAccount @@ -332,6 +345,46 @@ type: Opaque stringData: client_secret: foobar --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-config.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: envoy-gateway-config + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +data: + envoy-gateway.yaml: | + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyGateway + extensionApis: {} + gateway: + controllerName: gateway.envoyproxy.io/gatewayclass-controller + logging: + level: + default: info + provider: + kubernetes: + rateLimitDeployment: + container: + image: docker.io/envoyproxy/ratelimit:3fb70258 + patch: + type: StrategicMerge + value: + spec: + template: + spec: + containers: + - imagePullPolicy: IfNotPresent + name: envoy-ratelimit + shutdownManager: + image: docker.io/envoyproxy/gateway:v1.6.4 + type: Kubernetes +--- # Source: controlplane/charts/flyte/templates/admin/configmap.yaml apiVersion: v1 kind: ConfigMap 
@@ -4790,6 +4843,138 @@ parameters: reclaimPolicy: Delete allowVolumeExpansion: true --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: release-name-envoy-gateway-envoy-gateway-role +rules: +- apiGroups: + - "" + resources: + - nodes + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - update +- apiGroups: + - multicluster.x-k8s.io + resources: + - serviceimports + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoyproxies + - envoypatchpolicies + - clienttrafficpolicies + - backendtrafficpolicies + - securitypolicies + - envoyextensionpolicies + - backends + - httproutefilters + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoypatchpolicies/status + - clienttrafficpolicies/status + - backendtrafficpolicies/status + - securitypolicies/status + - envoyextensionpolicies/status + - backends/status + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + - grpcroutes + - httproutes + - referencegrants + - tcproutes + - tlsroutes + - udproutes + - backendtlspolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + - grpcroutes/status + - httproutes/status + - tcproutes/status + - tlsroutes/status + - 
udproutes/status + - backendtlspolicies/status + verbs: + - update +- apiGroups: + - "" + resources: + - pods + - pods/binding + verbs: + - get + - list + - patch + - update + - watch +--- # Source: controlplane/charts/flyte/templates/admin/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -5455,6 +5640,20 @@ rules: - list - watch --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: release-name-envoy-gateway-envoy-gateway-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: release-name-envoy-gateway-envoy-gateway-role +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'union' +--- # Source: controlplane/charts/flyte/templates/admin/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -5488,6 +5687,110 @@ subjects: name: scylla-operator namespace: scylla-operator --- +# Source: controlplane/charts/envoy-gateway/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: release-name-envoy-gateway-infra-manager + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - serviceaccounts + - services + - configmaps + verbs: + - create + - get + - list + - delete + - deletecollection + - patch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - create + - get + - delete + - deletecollection + - patch +- apiGroups: + - autoscaling + - policy + resources: + - horizontalpodautoscalers + - poddisruptionbudgets + verbs: + - create + - get + - list + - delete + - deletecollection + - patch +- apiGroups: + - certificates.k8s.io + resources: + - clustertrustbundles + verbs: + - list + - get + - watch +--- +# Source: controlplane/charts/envoy-gateway/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: release-name-envoy-gateway-leader-election-role + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- # Source: controlplane/templates/flyte-core-app.yaml apiVersion: rbac.authorization.k8s.io/v1 
kind: Role @@ -5519,6 +5822,48 @@ rules: verbs: - '*' --- +# Source: controlplane/charts/envoy-gateway/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: release-name-envoy-gateway-infra-manager + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'release-name-envoy-gateway-infra-manager' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'union' +--- +# Source: controlplane/charts/envoy-gateway/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: release-name-envoy-gateway-leader-election-rolebinding + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'release-name-envoy-gateway-leader-election-role' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'union' +--- # Source: controlplane/templates/flyte-core-app.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding 
@@ -5539,6 +5884,42 @@ subjects: name: flyteadmin namespace: union --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: envoy-gateway + namespace: 'union' + labels: + control-plane: envoy-gateway + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + selector: + control-plane: envoy-gateway + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + ports: + - name: grpc + port: 18000 + targetPort: 18000 + - name: ratelimit + port: 18001 + targetPort: 18001 + - name: wasm + port: 18002 + targetPort: 18002 + - name: metrics + port: 19001 + targetPort: 19001 + - name: webhook + port: 9443 + targetPort: 9443 +--- # Source: controlplane/charts/flyte/templates/admin/service.yaml apiVersion: v1 kind: Service 
@@ -5931,6 +6312,110 @@ spec: app.kubernetes.io/name: usage app.kubernetes.io/instance: release-name --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: envoy-gateway + namespace: 'union' + labels: + control-plane: envoy-gateway + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + control-plane: envoy-gateway + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + template: + metadata: + annotations: + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + labels: + control-plane: envoy-gateway + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + spec: + containers: + - args: + - server + - --config-path=/config/envoy-gateway.yaml + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: docker.io/envoyproxy/gateway:v1.6.4 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: envoy-gateway + ports: + - containerPort: 18000 + name: grpc + - containerPort: 18001 + name: ratelimit + - containerPort: 18002 + name: wasm + - containerPort: 19001 + name: metrics + - name: webhook + containerPort: 9443 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + memory: 1024Mi + requests: + cpu: 100m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: 
/config + name: envoy-gateway-config + readOnly: true + - mountPath: /certs + name: certs + readOnly: true + imagePullSecrets: [] + serviceAccountName: envoy-gateway + terminationGracePeriodSeconds: 10 + volumes: + - configMap: + defaultMode: 420 + name: envoy-gateway-config + name: envoy-gateway-config + - name: certs + secret: + secretName: envoy-gateway +--- # Source: controlplane/charts/flyte/templates/admin/deployment.yaml apiVersion: apps/v1 kind: Deployment 
@@ -9794,3 +10279,217 @@ spec: storage: capacity: 100Gi storageClassName: scylladb +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: release-name-envoy-gateway-certgen + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: 'release-name-envoy-gateway-certgen:union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. 
+rules: + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + resourceNames: + - 'envoy-gateway-topology-injector.union' + verbs: + - update + - patch +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: 'release-name-envoy-gateway-certgen:union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: 'release-name-envoy-gateway-certgen:union' +subjects: + - kind: ServiceAccount + name: 'release-name-envoy-gateway-certgen' + namespace: 'union' +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: release-name-envoy-gateway-certgen + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. 
+rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + - update +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: release-name-envoy-gateway-certgen + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'release-name-envoy-gateway-certgen' +subjects: +- kind: ServiceAccount + name: 'release-name-envoy-gateway-certgen' + namespace: 'union' +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: release-name-envoy-gateway-certgen + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade +spec: + backoffLimit: 1 + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: certgen + spec: + containers: + - command: + - envoy-gateway + - certgen + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: docker.io/envoyproxy/gateway:v1.6.4 + imagePullPolicy: IfNotPresent + name: envoy-gateway-certgen + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: 
RuntimeDefault + imagePullSecrets: [] + restartPolicy: Never + serviceAccountName: release-name-envoy-gateway-certgen + ttlSecondsAfterFinished: 30 +--- +# Source: controlplane/charts/envoy-gateway/templates/envoy-proxy-topology-injector-webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: 'envoy-gateway-topology-injector.union' + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" + labels: + app.kubernetes.io/component: topology-injector + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +webhooks: + - name: topology.webhook.gateway.envoyproxy.io + admissionReviewVersions: ["v1"] + sideEffects: None + clientConfig: + service: + name: envoy-gateway + namespace: 'union' + path: "/inject-pod-topology" + port: 9443 + failurePolicy: Ignore + rules: + - operations: ["CREATE"] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods/binding"] + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + - union diff --git a/tests/generated/controlplane.aws.yaml b/tests/generated/controlplane.aws.yaml index 20595210..52b050f3 100644 --- a/tests/generated/controlplane.aws.yaml +++ b/tests/generated/controlplane.aws.yaml 
@@ -170,6 +170,19 @@ spec: app.kubernetes.io/name: usage app.kubernetes.io/instance: release-name --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: envoy-gateway + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +--- # Source: controlplane/charts/flyte/templates/admin/rbac.yaml apiVersion: v1 kind: ServiceAccount @@ -332,6 +345,46 @@ type: Opaque stringData: client_secret: foobar --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-config.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: envoy-gateway-config + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +data: + envoy-gateway.yaml: | + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyGateway + extensionApis: {} + gateway: + controllerName: gateway.envoyproxy.io/gatewayclass-controller + logging: + level: + default: info + provider: + kubernetes: + rateLimitDeployment: + container: + image: docker.io/envoyproxy/ratelimit:3fb70258 + patch: + type: StrategicMerge + value: + spec: + template: + spec: + containers: + - imagePullPolicy: IfNotPresent + name: envoy-ratelimit + shutdownManager: + image: docker.io/envoyproxy/gateway:v1.6.4 + type: Kubernetes +--- # Source: controlplane/charts/flyte/templates/admin/configmap.yaml apiVersion: v1 kind: ConfigMap 
@@ -4790,6 +4843,138 @@ parameters: reclaimPolicy: Delete allowVolumeExpansion: true --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: release-name-envoy-gateway-envoy-gateway-role +rules: +- apiGroups: + - "" + resources: + - nodes + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - update +- apiGroups: + - multicluster.x-k8s.io + resources: + - serviceimports + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoyproxies + - envoypatchpolicies + - clienttrafficpolicies + - backendtrafficpolicies + - securitypolicies + - envoyextensionpolicies + - backends + - httproutefilters + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoypatchpolicies/status + - clienttrafficpolicies/status + - backendtrafficpolicies/status + - securitypolicies/status + - envoyextensionpolicies/status + - backends/status + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + - grpcroutes + - httproutes + - referencegrants + - tcproutes + - tlsroutes + - udproutes + - backendtlspolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + - grpcroutes/status + - httproutes/status + - tcproutes/status + - tlsroutes/status + - 
udproutes/status + - backendtlspolicies/status + verbs: + - update +- apiGroups: + - "" + resources: + - pods + - pods/binding + verbs: + - get + - list + - patch + - update + - watch +--- # Source: controlplane/charts/flyte/templates/admin/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -5455,6 +5640,20 @@ rules: - list - watch --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: release-name-envoy-gateway-envoy-gateway-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: release-name-envoy-gateway-envoy-gateway-role +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'union' +--- # Source: controlplane/charts/flyte/templates/admin/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -5488,6 +5687,110 @@ subjects: name: scylla-operator namespace: scylla-operator --- +# Source: controlplane/charts/envoy-gateway/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: release-name-envoy-gateway-infra-manager + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - serviceaccounts + - services + - configmaps + verbs: + - create + - get + - list + - delete + - deletecollection + - patch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - create + - get + - delete + - deletecollection + - patch +- apiGroups: + - autoscaling + - policy + resources: + - horizontalpodautoscalers + - poddisruptionbudgets + verbs: + - create + - get + - list + - delete + - deletecollection + - patch +- apiGroups: + - certificates.k8s.io + resources: + - clustertrustbundles + verbs: + - list + - get + - watch +--- +# Source: controlplane/charts/envoy-gateway/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: release-name-envoy-gateway-leader-election-role + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- # Source: controlplane/templates/flyte-core-app.yaml apiVersion: rbac.authorization.k8s.io/v1 
kind: Role @@ -5519,6 +5822,48 @@ rules: verbs: - '*' --- +# Source: controlplane/charts/envoy-gateway/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: release-name-envoy-gateway-infra-manager + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'release-name-envoy-gateway-infra-manager' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'union' +--- +# Source: controlplane/charts/envoy-gateway/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: release-name-envoy-gateway-leader-election-rolebinding + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'release-name-envoy-gateway-leader-election-role' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'union' +--- # Source: controlplane/templates/flyte-core-app.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding 
@@ -5539,6 +5884,42 @@ subjects: name: flyteadmin namespace: union --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: envoy-gateway + namespace: 'union' + labels: + control-plane: envoy-gateway + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + selector: + control-plane: envoy-gateway + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + ports: + - name: grpc + port: 18000 + targetPort: 18000 + - name: ratelimit + port: 18001 + targetPort: 18001 + - name: wasm + port: 18002 + targetPort: 18002 + - name: metrics + port: 19001 + targetPort: 19001 + - name: webhook + port: 9443 + targetPort: 9443 +--- # Source: controlplane/charts/flyte/templates/admin/service.yaml apiVersion: v1 kind: Service 
@@ -5931,6 +6312,110 @@ spec: app.kubernetes.io/name: usage app.kubernetes.io/instance: release-name --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: envoy-gateway + namespace: 'union' + labels: + control-plane: envoy-gateway + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + control-plane: envoy-gateway + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + template: + metadata: + annotations: + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + labels: + control-plane: envoy-gateway + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + spec: + containers: + - args: + - server + - --config-path=/config/envoy-gateway.yaml + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: docker.io/envoyproxy/gateway:v1.6.4 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: envoy-gateway + ports: + - containerPort: 18000 + name: grpc + - containerPort: 18001 + name: ratelimit + - containerPort: 18002 + name: wasm + - containerPort: 19001 + name: metrics + - name: webhook + containerPort: 9443 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + memory: 1024Mi + requests: + cpu: 100m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: 
/config + name: envoy-gateway-config + readOnly: true + - mountPath: /certs + name: certs + readOnly: true + imagePullSecrets: [] + serviceAccountName: envoy-gateway + terminationGracePeriodSeconds: 10 + volumes: + - configMap: + defaultMode: 420 + name: envoy-gateway-config + name: envoy-gateway-config + - name: certs + secret: + secretName: envoy-gateway +--- # Source: controlplane/charts/flyte/templates/admin/deployment.yaml apiVersion: apps/v1 kind: Deployment 
@@ -9833,3 +10318,217 @@ spec: storage: capacity: 100Gi storageClassName: scylladb +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: release-name-envoy-gateway-certgen + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: 'release-name-envoy-gateway-certgen:union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. 
+rules: + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + resourceNames: + - 'envoy-gateway-topology-injector.union' + verbs: + - update + - patch +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: 'release-name-envoy-gateway-certgen:union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: 'release-name-envoy-gateway-certgen:union' +subjects: + - kind: ServiceAccount + name: 'release-name-envoy-gateway-certgen' + namespace: 'union' +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: release-name-envoy-gateway-certgen + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. 
+rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + - update +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: release-name-envoy-gateway-certgen + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'release-name-envoy-gateway-certgen' +subjects: +- kind: ServiceAccount + name: 'release-name-envoy-gateway-certgen' + namespace: 'union' +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: release-name-envoy-gateway-certgen + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade +spec: + backoffLimit: 1 + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: certgen + spec: + containers: + - command: + - envoy-gateway + - certgen + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: docker.io/envoyproxy/gateway:v1.6.4 + imagePullPolicy: IfNotPresent + name: envoy-gateway-certgen + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: 
RuntimeDefault + imagePullSecrets: [] + restartPolicy: Never + serviceAccountName: release-name-envoy-gateway-certgen + ttlSecondsAfterFinished: 30 +--- +# Source: controlplane/charts/envoy-gateway/templates/envoy-proxy-topology-injector-webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: 'envoy-gateway-topology-injector.union' + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" + labels: + app.kubernetes.io/component: topology-injector + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +webhooks: + - name: topology.webhook.gateway.envoyproxy.io + admissionReviewVersions: ["v1"] + sideEffects: None + clientConfig: + service: + name: envoy-gateway + namespace: 'union' + path: "/inject-pod-topology" + port: 9443 + failurePolicy: Ignore + rules: + - operations: ["CREATE"] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods/binding"] + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + - union diff --git a/tests/generated/controlplane.userclouds.yaml b/tests/generated/controlplane.userclouds.yaml index 6fddeaf2..f8141bec 100644 --- a/tests/generated/controlplane.userclouds.yaml +++ b/tests/generated/controlplane.userclouds.yaml 
@@ -170,6 +170,19 @@ spec: app.kubernetes.io/name: usage app.kubernetes.io/instance: release-name --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: envoy-gateway + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +--- # Source: controlplane/charts/flyte/templates/admin/rbac.yaml apiVersion: v1 kind: ServiceAccount @@ -332,6 +345,46 @@ type: Opaque stringData: client_secret: foobar --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-config.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: envoy-gateway-config + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +data: + envoy-gateway.yaml: | + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyGateway + extensionApis: {} + gateway: + controllerName: gateway.envoyproxy.io/gatewayclass-controller + logging: + level: + default: info + provider: + kubernetes: + rateLimitDeployment: + container: + image: docker.io/envoyproxy/ratelimit:3fb70258 + patch: + type: StrategicMerge + value: + spec: + template: + spec: + containers: + - imagePullPolicy: IfNotPresent + name: envoy-ratelimit + shutdownManager: + image: docker.io/envoyproxy/gateway:v1.6.4 + type: Kubernetes +--- # Source: controlplane/charts/flyte/templates/admin/configmap.yaml apiVersion: v1 kind: ConfigMap 
@@ -4790,6 +4843,138 @@ parameters: reclaimPolicy: Delete allowVolumeExpansion: true --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: release-name-envoy-gateway-envoy-gateway-role +rules: +- apiGroups: + - "" + resources: + - nodes + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - update +- apiGroups: + - multicluster.x-k8s.io + resources: + - serviceimports + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoyproxies + - envoypatchpolicies + - clienttrafficpolicies + - backendtrafficpolicies + - securitypolicies + - envoyextensionpolicies + - backends + - httproutefilters + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoypatchpolicies/status + - clienttrafficpolicies/status + - backendtrafficpolicies/status + - securitypolicies/status + - envoyextensionpolicies/status + - backends/status + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + - grpcroutes + - httproutes + - referencegrants + - tcproutes + - tlsroutes + - udproutes + - backendtlspolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + - grpcroutes/status + - httproutes/status + - tcproutes/status + - tlsroutes/status + - 
udproutes/status + - backendtlspolicies/status + verbs: + - update +- apiGroups: + - "" + resources: + - pods + - pods/binding + verbs: + - get + - list + - patch + - update + - watch +--- # Source: controlplane/charts/flyte/templates/admin/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -5455,6 +5640,20 @@ rules: - list - watch --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: release-name-envoy-gateway-envoy-gateway-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: release-name-envoy-gateway-envoy-gateway-role +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'union' +--- # Source: controlplane/charts/flyte/templates/admin/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -5488,6 +5687,110 @@ subjects: name: scylla-operator namespace: scylla-operator --- +# Source: controlplane/charts/envoy-gateway/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: release-name-envoy-gateway-infra-manager + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - serviceaccounts + - services + - configmaps + verbs: + - create + - get + - list + - delete + - deletecollection + - patch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - create + - get + - delete + - deletecollection + - patch +- apiGroups: + - autoscaling + - policy + resources: + - horizontalpodautoscalers + - poddisruptionbudgets + verbs: + - create + - get + - list + - delete + - deletecollection + - patch +- apiGroups: + - certificates.k8s.io + resources: + - clustertrustbundles + verbs: + - list + - get + - watch +--- +# Source: controlplane/charts/envoy-gateway/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: release-name-envoy-gateway-leader-election-role + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- # Source: controlplane/templates/flyte-core-app.yaml apiVersion: rbac.authorization.k8s.io/v1 
kind: Role @@ -5519,6 +5822,48 @@ rules: verbs: - '*' --- +# Source: controlplane/charts/envoy-gateway/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: release-name-envoy-gateway-infra-manager + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'release-name-envoy-gateway-infra-manager' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'union' +--- +# Source: controlplane/charts/envoy-gateway/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: release-name-envoy-gateway-leader-election-rolebinding + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'release-name-envoy-gateway-leader-election-role' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'union' +--- # Source: controlplane/templates/flyte-core-app.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding 
@@ -5539,6 +5884,42 @@ subjects: name: flyteadmin namespace: union --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: envoy-gateway + namespace: 'union' + labels: + control-plane: envoy-gateway + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + selector: + control-plane: envoy-gateway + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + ports: + - name: grpc + port: 18000 + targetPort: 18000 + - name: ratelimit + port: 18001 + targetPort: 18001 + - name: wasm + port: 18002 + targetPort: 18002 + - name: metrics + port: 19001 + targetPort: 19001 + - name: webhook + port: 9443 + targetPort: 9443 +--- # Source: controlplane/charts/flyte/templates/admin/service.yaml apiVersion: v1 kind: Service 
@@ -5931,6 +6312,110 @@ spec: app.kubernetes.io/name: usage app.kubernetes.io/instance: release-name --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: envoy-gateway + namespace: 'union' + labels: + control-plane: envoy-gateway + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + control-plane: envoy-gateway + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + template: + metadata: + annotations: + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + labels: + control-plane: envoy-gateway + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + spec: + containers: + - args: + - server + - --config-path=/config/envoy-gateway.yaml + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: docker.io/envoyproxy/gateway:v1.6.4 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: envoy-gateway + ports: + - containerPort: 18000 + name: grpc + - containerPort: 18001 + name: ratelimit + - containerPort: 18002 + name: wasm + - containerPort: 19001 + name: metrics + - name: webhook + containerPort: 9443 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + memory: 1024Mi + requests: + cpu: 100m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: 
/config + name: envoy-gateway-config + readOnly: true + - mountPath: /certs + name: certs + readOnly: true + imagePullSecrets: [] + serviceAccountName: envoy-gateway + terminationGracePeriodSeconds: 10 + volumes: + - configMap: + defaultMode: 420 + name: envoy-gateway-config + name: envoy-gateway-config + - name: certs + secret: + secretName: envoy-gateway +--- # Source: controlplane/charts/flyte/templates/admin/deployment.yaml apiVersion: apps/v1 kind: Deployment 
@@ -9824,3 +10309,217 @@ spec: storage: capacity: 100Gi storageClassName: scylladb +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: release-name-envoy-gateway-certgen + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: 'release-name-envoy-gateway-certgen:union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. 
+rules: + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + resourceNames: + - 'envoy-gateway-topology-injector.union' + verbs: + - update + - patch +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: 'release-name-envoy-gateway-certgen:union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: 'release-name-envoy-gateway-certgen:union' +subjects: + - kind: ServiceAccount + name: 'release-name-envoy-gateway-certgen' + namespace: 'union' +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: release-name-envoy-gateway-certgen + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. 
+rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + - update +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: release-name-envoy-gateway-certgen + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'release-name-envoy-gateway-certgen' +subjects: +- kind: ServiceAccount + name: 'release-name-envoy-gateway-certgen' + namespace: 'union' +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: release-name-envoy-gateway-certgen + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade +spec: + backoffLimit: 1 + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: certgen + spec: + containers: + - command: + - envoy-gateway + - certgen + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: docker.io/envoyproxy/gateway:v1.6.4 + imagePullPolicy: IfNotPresent + name: envoy-gateway-certgen + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: 
RuntimeDefault + imagePullSecrets: [] + restartPolicy: Never + serviceAccountName: release-name-envoy-gateway-certgen + ttlSecondsAfterFinished: 30 +--- +# Source: controlplane/charts/envoy-gateway/templates/envoy-proxy-topology-injector-webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: 'envoy-gateway-topology-injector.union' + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" + labels: + app.kubernetes.io/component: topology-injector + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +webhooks: + - name: topology.webhook.gateway.envoyproxy.io + admissionReviewVersions: ["v1"] + sideEffects: None + clientConfig: + service: + name: envoy-gateway + namespace: 'union' + path: "/inject-pod-topology" + port: 9443 + failurePolicy: Ignore + rules: + - operations: ["CREATE"] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods/binding"] + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + - union From 76040131def5d72694d37f8346180a5a8a7a0a36 Mon Sep 17 00:00:00 2001 From: Laura Barton Date: Mon, 30 Mar 2026 12:53:46 -0700 Subject: [PATCH 41/46] Updating keep alive settings --- .../common/_backendtrafficpolicy.yaml | 33 ++++++++++--------- 1 file changed, 18 insertions(+), 15 deletions(-) diff --git a/charts/controlplane/templates/common/_backendtrafficpolicy.yaml b/charts/controlplane/templates/common/_backendtrafficpolicy.yaml index 6299aaf2..7c8a5219 100644 --- a/charts/controlplane/templates/common/_backendtrafficpolicy.yaml +++ b/charts/controlplane/templates/common/_backendtrafficpolicy.yaml 
@@ -25,20 +25,15 @@ spec:
http:
requestTimeout: "1200s" # grpc_read_timeout 1200s (unary calls)
maxStreamDuration: "0s" # no limit for streaming (grpc_read_timeout 604800s on streaming routes)
- http2: {}
-{{- if .Values.envoyGateway.rateLimit.enabled }}
- rateLimit:
- type: Global
- global:
- rules:
- - clientSelectors:
- - sourceCIDR:
- type: Distinct
- value: "0.0.0.0/0"
- limit:
- requests: {{ .Values.envoyGateway.rateLimit.requestsPerUnit | default 100 }}
- unit: {{ .Values.envoyGateway.rateLimit.unit | default "Second" }}
-{{- end }}
+ tcpKeepalive:
+ probes: 9
+ idleTime: "15s"
+ interval: "15s"
+ http2:
+ keepAlive:
+ probes: 9
+ interval: "15s"
+ onTimeout: Close
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
@@ -56,7 +51,15 @@ spec:
http:
requestTimeout: "1200s" # grpc_read_timeout 1200s (unary calls)
maxStreamDuration: "0s" # no limit for WatchExecutionStatusUpdates streaming
- http2: {}
+ tcpKeepalive:
+ probes: 9
+ idleTime: "15s"
+ interval: "15s"
+ http2:
+ keepAlive:
+ probes: 9
+ interval: "15s"
+ onTimeout: Close
{{- if .Values.envoyGateway.rateLimit.enabled }}
rateLimit:
type: Global
From f1a44832a02829e82c840d2ff4fca1b2252e57be Mon Sep 17 00:00:00 2001
From: Laura Barton
Date: Mon, 30 Mar 2026 12:57:09 -0700
Subject: [PATCH 42/46] Http2 keepalive is not valid
---
.../templates/common/_backendtrafficpolicy.yaml | 12 ++----------
1 file changed, 2 insertions(+), 10 deletions(-)
diff --git a/charts/controlplane/templates/common/_backendtrafficpolicy.yaml b/charts/controlplane/templates/common/_backendtrafficpolicy.yaml
index 7c8a5219..d8624e4a 100644
--- a/charts/controlplane/templates/common/_backendtrafficpolicy.yaml
+++ b/charts/controlplane/templates/common/_backendtrafficpolicy.yaml
@@ -29,11 +29,7 @@ spec:
probes: 9
idleTime: "15s"
interval: "15s"
- http2:
- keepAlive:
- probes: 9
- interval: "15s"
- onTimeout: Close
+ http2: {}
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
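Review bot: The `-{{- if .Values.envoyGateway.rateLimit.enabled }}` through `-{{- end }}` lines drop the global rate-limit rule from the first BackendTrafficPolicy, which the subject ("keep alive settings") does not mention, while the second hunk at `@@ -56,7 +51,15 @@` leaves the same block in place on the second policy, so the two policies now differ on whether their routes are rate limited. If the removal is intentional it deserves its own commit or a note in the message; as it stands patch 43 later in this series restores the block, so squashing would avoid an intermediate revision with the limit missing. The new keepalive lines would also benefit from the annotation style the file already uses for timeouts (`# grpc_read_timeout 1200s`), e.g. `tcpKeepalive:  # probe idle backend connections (idleTime/interval/probes per EG TCPKeepalive docs — confirm)`. The enclosing policy spec starts before the hunk.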
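Review bot: `+ http2: {}` is restored without any comment recording why `keepAlive` was removed, so the only explanation is the commit subject and the next person tuning keepalives is likely to re-add the same invalid block. Suggest `http2: {}  # keepAlive is not a valid http2 field on BackendTrafficPolicy; idle-connection probing is the tcpKeepalive block above`. The same applies to the second hunk of this patch at `@@ -55,11 +51,7 @@`.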
@@ -55,11 +51,7 @@ spec:
probes: 9
idleTime: "15s"
interval: "15s"
- http2:
- keepAlive:
- probes: 9
- interval: "15s"
- onTimeout: Close
+ http2: {}
{{- if .Values.envoyGateway.rateLimit.enabled }}
rateLimit:
type: Global
From 552f9335fcf1eefcc8422a4957943bec9d0f6601 Mon Sep 17 00:00:00 2001
From: Laura Barton
Date: Mon, 30 Mar 2026 13:57:57 -0700
Subject: [PATCH 43/46] Adding missing rate limiting policy on protected grpc routes
---
.../templates/common/_backendtrafficpolicy.yaml | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/charts/controlplane/templates/common/_backendtrafficpolicy.yaml b/charts/controlplane/templates/common/_backendtrafficpolicy.yaml
index d8624e4a..27ca2a0f 100644
--- a/charts/controlplane/templates/common/_backendtrafficpolicy.yaml
+++ b/charts/controlplane/templates/common/_backendtrafficpolicy.yaml
@@ -30,6 +30,19 @@ spec:
idleTime: "15s"
interval: "15s"
http2: {}
+{{- if .Values.envoyGateway.rateLimit.enabled }}
+ rateLimit:
+ type: Global
+ global:
+ rules:
+ - clientSelectors:
+ - sourceCIDR:
+ type: Distinct
+ value: "0.0.0.0/0"
+ limit:
+ requests: {{ .Values.envoyGateway.rateLimit.requestsPerUnit | default 100 }}
+ unit: {{ .Values.envoyGateway.rateLimit.unit | default "Second" }}
+{{- end }}
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
From 330abab9522efc550d30232ce001954304321513 Mon Sep 17 00:00:00 2001
From: Laura Barton
Date: Mon, 30 Mar 2026 14:28:01 -0700
Subject: [PATCH 44/46] Fixing values inconsistency for intracluster
---
charts/controlplane/values.aws.selfhosted-intracluster.yaml | 4 ++++
charts/controlplane/values.gcp.selfhosted-intracluster.yaml | 4 ++++
2 files changed, 8 insertions(+)
diff --git a/charts/controlplane/values.aws.selfhosted-intracluster.yaml b/charts/controlplane/values.aws.selfhosted-intracluster.yaml
index d7c5b03c..cdf885ca 100644
--- a/charts/controlplane/values.aws.selfhosted-intracluster.yaml
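Review bot: The restored rule keyed on `sourceCIDR` with `type: Distinct` and `value: "0.0.0.0/0"` gives each distinct source address its own bucket, so what it actually protects depends on which address Envoy attributes to the client: behind a load balancer that does not preserve the client address, every caller shares one bucket and the limit degrades to a global cap on the route. A comment stating that assumption, and which listener setting is relied on for the real client address, would keep the policy reviewable; also confirm whether IPv6 sources need a matching selector, since `0.0.0.0/0` covers only IPv4. This is the second verbatim copy of the block in the template (the other sits after the `@@ -55,11 +51,7 @@` hunk of the previous patch), and the series already lost one copy once; moving it into a named template (`define`) included by both policies would prevent that drift. The enclosing BackendTrafficPolicy spec starts before the hunk.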
+++ b/charts/controlplane/values.aws.selfhosted-intracluster.yaml
@@ -449,10 +449,14 @@ ingress-nginx:
# Automatically enabled by Terraform when envoy-gateway/revisions.yaml exists
# in the environment directory. Manual override possible by setting enabled: true.

+# Envoy Gateway controller installed through external chart.
envoy-gateway:
# Set to true when Envoy Gateway is installed alongside this controlplane.
+ # Automatically set by Terraform when envoy-gateway/revisions.yaml exists.
enabled: false

+# Configuration for the controlplane chart to use Envoy Gateway.
+envoyGateway:
# GatewayClass name created by the Envoy Gateway installation.
# Must match the gatewayClassName in the Gateway resource rendered by the
# controlplane chart when global.ingressProvider is "envoy" or "both".
diff --git a/charts/controlplane/values.gcp.selfhosted-intracluster.yaml b/charts/controlplane/values.gcp.selfhosted-intracluster.yaml
index 3e07521f..eb93fbf0 100644
--- a/charts/controlplane/values.gcp.selfhosted-intracluster.yaml
+++ b/charts/controlplane/values.gcp.selfhosted-intracluster.yaml
@@ -408,10 +408,14 @@ ingress:
# Automatically enabled by Terraform when envoy-gateway/revisions.yaml exists
# in the environment directory. Manual override possible by setting enabled: true.

+# Envoy Gateway controller installed through external chart.
envoy-gateway:
# Set to true when Envoy Gateway is installed alongside this controlplane.
+ # Automatically set by Terraform when envoy-gateway/revisions.yaml exists.
enabled: false

+# Configuration for the controlplane chart to use Envoy Gateway.
+envoyGateway:
# GatewayClass name created by the Envoy Gateway installation.
# Must match the gatewayClassName in the Gateway resource rendered by the
# controlplane chart when global.ingressProvider is "envoy" or "both".
From df97756502d54403f027f073310e996e276f63ad Mon Sep 17 00:00:00 2001
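Review bot: The retained comment `# controlplane chart when global.ingressProvider is "envoy" or "both".` names the switch as `global.ingressProvider`, while the README and self-hosted guides updated in patch 45 document it as `global.INGRESS_PROVIDER`; if the key was renamed between the first patch of the series and this one, this comment and its twin in the gcp hunk at `@@ -408,10 +408,14 @@` should be corrected here, since a values comment pointing at a key that no longer exists is the kind of inconsistency the subject says it fixes. The two new top-level keys also differ only by spelling convention, which is easy to misread; a line such as `# "envoy-gateway" (hyphen) is the sub-chart alias; "envoyGateway" (camelCase) is read by this chart's own templates` above `envoyGateway:` would make the split explicit. The `gatewayClassName` value the comments describe sits after the hunk.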
From: Laura Barton Date: Mon, 30 Mar 2026 14:49:40 -0700 Subject: [PATCH 45/46] Updating readme files --- charts/controlplane/README.md | 40 +++++++++++++++--- .../SELFHOSTED_INTRA_CLUSTER_AWS.md | 41 +++++++++++++++++-- .../SELFHOSTED_INTRA_CLUSTER_GCP.md | 41 +++++++++++++++++-- 3 files changed, 108 insertions(+), 14 deletions(-) diff --git a/charts/controlplane/README.md b/charts/controlplane/README.md index da3ed2ca..3d70c317 100644 --- a/charts/controlplane/README.md +++ b/charts/controlplane/README.md @@ -20,6 +20,9 @@ helm repo add flyte https://helm.flyte.org # Add Ingress NGINX Helm repository (if using ingress-nginx) helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx +# Add Envoy Gateway Helm repository (if using Envoy Gateway) +helm repo add envoy-gateway oci://docker.io/envoyproxy + # Add ScyllaDB Helm repository (if using ScyllaDB) helm repo add scylla https://scylla-operator-charts.storage.googleapis.com/stable @@ -52,6 +55,7 @@ Kubernetes: `>= 1.28.0-0` |------------|------|---------|----------|-------| | https://helm.flyte.org | flyte-core(flyte) | v1.16.0-b2 | No | Required | | https://kubernetes.github.io/ingress-nginx | ingress-nginx | 4.12.3 | Yes | Only if `ingress-nginx.enabled: true` | +| oci://docker.io/envoyproxy | gateway-helm(envoy-gateway) | v1.6.4 | Yes | Only if `envoy-gateway.enabled: true`; for selfmanaged deployments install via ArgoCD ApplicationSet instead | | https://scylla-operator-charts.storage.googleapis.com/stable | scylla-operator | v1.18.1 | Yes | Only if `scylla.enabled: true` | | https://scylla-operator-charts.storage.googleapis.com/stable | scylla | v1.18.1 | Yes | Only if `scylla.enabled: true` | | https://prometheus-community.github.io/helm-charts | monitoring(kube-prometheus-stack) | 80.8.0 | Yes | Only if `monitoring.enabled: true` | 
@@ -261,17 +265,41 @@ helm upgrade --install union-controlplane unionai/controlplane \ --values values.yaml ``` -### Installation with Ingress NGINX +### Ingress Controller + +The chart supports two ingress controllers, selected via `global.INGRESS_PROVIDER`: + +| Value | Behavior | +|-------|----------| +| `nginx` | Only nginx Ingress objects rendered (default) | +| `envoy` | Only Envoy Gateway API resources rendered (HTTPRoute/GRPCRoute/Gateway) | +| `both` | Both sets rendered simultaneously — use during migration | -If you need ingress support: +#### Installation with Ingress NGINX ```yaml +global: + INGRESS_PROVIDER: nginx + ingress-nginx: enabled: true +``` + +#### Installation with Envoy Gateway + +Envoy Gateway can be installed as a sub-chart (managed deployments) or as a separate Helm release via ArgoCD (selfmanaged deployments — see [Self-Hosted Guides](#alternative-deployment-models)). + +For sub-chart installation: + +```yaml +global: + INGRESS_PROVIDER: envoy + +envoy-gateway: + enabled: true # installs gateway-helm as a sub-chart -ingress: - className: "controlplane" - secretService: true +envoyGateway: + gatewayClassName: envoy # must match the GatewayClass created by the EG install ``` ## Verification 
@@ -302,7 +330,7 @@ helm show values unionai/controlplane - **Postgres Configuration** (Required): Set `dbHost`, `dbName`, `dbUser`, and `dbPass` for the primary database used by all control plane services except the queue service - **ScyllaDB Configuration** (Required): Configure `scylla` section for the queue service database. Set `scylla.enabled: true` for embedded cluster or provide `scylla.externalHost` for external ScyllaDB - **Object Storage**: Configure `bucketName`, `artifactsBucketName`, and `region` for S3-compatible storage -- **Ingress**: Enable and configure ingress under `ingress-nginx` section +- **Ingress**: Set `global.INGRESS_PROVIDER` to `nginx`, `envoy`, or `both`. Enable the relevant controller (`ingress-nginx.enabled` or `envoy-gateway.enabled`) and configure `envoyGateway.gatewayClassName` when using Envoy Gateway --- diff --git a/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_AWS.md b/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_AWS.md index 2a3ed017..3d75590a 100644 --- a/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_AWS.md +++ b/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_AWS.md 
@@ -275,13 +275,23 @@ global: # override is configured. ``` -### TLS Requirements +### Ingress Controller -gRPC requires TLS for HTTP/2 with NGINX. Refer to [values.aws.selfhosted-intracluster.yaml](./values.aws.selfhosted-intracluster.yaml) for example configuration. +The chart supports two ingress controllers, selected via `global.INGRESS_PROVIDER`: + +| Value | Behavior | +|-------|----------| +| `nginx` | Only nginx Ingress objects rendered (default) | +| `envoy` | Only Envoy Gateway API resources rendered (HTTPRoute/GRPCRoute/Gateway) | +| `both` | Both sets rendered simultaneously — use during migration | + +#### NGINX (default) + +TLS is required for gRPC over HTTP/2. Refer to [values.aws.selfhosted-intracluster.yaml](./values.aws.selfhosted-intracluster.yaml) for example configuration. ```yaml global: - # Configure namespace and name of the Kubernetes TLS secret. + INGRESS_PROVIDER: nginx TLS_SECRET_NAMESPACE: "" TLS_SECRET_NAME: "" 
@@ -292,12 +302,35 @@ ingress-nginx: default-ssl-certificate: "/" ``` +#### Envoy Gateway + +Envoy Gateway is installed as a **separate Helm release** via an ArgoCD ApplicationSet — it is not a sub-chart of the controlplane chart. To enable it: + +1. Deploy the Envoy Gateway controller into the cluster (see `cloud/infra/argocd/deploy/manifests/appset-selfmanaged-envoy-gateway.yaml`). +2. Set the ingress provider and gateway class in your overrides: + +```yaml +global: + INGRESS_PROVIDER: envoy # or "both" during parallel rollout + +envoyGateway: + gatewayClassName: controlplane-envoy # must match the GatewayClass created by the EG install +``` + +The `envoy-gateway.enabled` key controls whether the chart's bundled sub-chart dependency is installed. For selfmanaged deployments this stays `false` because EG is managed separately: + +```yaml +envoy-gateway: + enabled: false # EG is installed via its own ArgoCD ApplicationSet, not as a sub-chart +``` + ### Service Discovery Control plane services discover each other via Kubernetes DNS: - **Flyteadmin**: `flyteadmin.union-cp.svc.cluster.local:81` - **NGINX Ingress**: `controlplane-nginx-controller.union-cp.svc.cluster.local` +- **Envoy Gateway**: `controlplane-envoy-gateway.union-cp.svc.cluster.local` (when using EG) - **Dataplane** (for dataproxy): `dataplane-nginx-controller.union.svc.cluster.local` ## Authentication (OIDC/OAuth2) @@ -403,7 +436,7 @@ flyte: useAuth: true ``` -This enables nginx auth-subrequest validation on protected ingress routes. +This enables auth validation on protected ingress routes (nginx auth-subrequest for the nginx path; the Envoy Gateway path uses an equivalent Go auth filter via EnvoyPatchPolicy). ### Verifying Authentication diff --git a/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_GCP.md b/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_GCP.md index 6de7fe03..d2a846c5 100644 --- a/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_GCP.md +++ b/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_GCP.md 
@@ -287,13 +287,23 @@ global: # override is configured. ``` -### TLS Requirements +### Ingress Controller -gRPC requires TLS for HTTP/2 with NGINX. Refer to [values.gcp.selfhosted-intracluster.yaml](./values.gcp.selfhosted-intracluster.yaml) for example configuration. +The chart supports two ingress controllers, selected via `global.INGRESS_PROVIDER`: + +| Value | Behavior | +|-------|----------| +| `nginx` | Only nginx Ingress objects rendered (default) | +| `envoy` | Only Envoy Gateway API resources rendered (HTTPRoute/GRPCRoute/Gateway) | +| `both` | Both sets rendered simultaneously — use during migration | + +#### NGINX (default) + +TLS is required for gRPC over HTTP/2. Refer to [values.gcp.selfhosted-intracluster.yaml](./values.gcp.selfhosted-intracluster.yaml) for example configuration. ```yaml global: - # Configure namespace and name of the Kubernetes TLS secret. + INGRESS_PROVIDER: nginx TLS_SECRET_NAMESPACE: "" TLS_SECRET_NAME: "" 
@@ -304,12 +314,35 @@ ingress-nginx: default-ssl-certificate: "/" ``` +#### Envoy Gateway + +Envoy Gateway is installed as a **separate Helm release** via an ArgoCD ApplicationSet — it is not a sub-chart of the controlplane chart. To enable it: + +1. Deploy the Envoy Gateway controller into the cluster (see `cloud/infra/argocd/deploy/manifests/appset-selfmanaged-envoy-gateway.yaml`). +2. Set the ingress provider and gateway class in your overrides: + +```yaml +global: + INGRESS_PROVIDER: envoy # or "both" during parallel rollout + +envoyGateway: + gatewayClassName: controlplane-envoy # must match the GatewayClass created by the EG install +``` + +The `envoy-gateway.enabled` key controls whether the chart's bundled sub-chart dependency is installed. For selfmanaged deployments this stays `false` because EG is managed separately: + +```yaml +envoy-gateway: + enabled: false # EG is installed via its own ArgoCD ApplicationSet, not as a sub-chart +``` + ### Service Discovery Control plane services discover each other via Kubernetes DNS: - **Flyteadmin**: `flyteadmin.union-cp.svc.cluster.local:81` - **NGINX Ingress**: `controlplane-nginx-controller.union-cp.svc.cluster.local` +- **Envoy Gateway**: `controlplane-envoy-gateway.union-cp.svc.cluster.local` (when using EG) - **Dataplane** (for dataproxy): `dataplane-nginx-controller.union.svc.cluster.local` ## Authentication (OIDC/OAuth2) @@ -415,7 +448,7 @@ flyte: useAuth: true ``` -This enables nginx auth-subrequest validation on protected ingress routes. +This enables auth validation on protected ingress routes (nginx auth-subrequest for the nginx path; the Envoy Gateway path uses an equivalent Go auth filter via EnvoyPatchPolicy). ### Verifying Authentication From b981d259ff41331f5ef835f57aa4a0aa65c7dd42 Mon Sep 17 00:00:00 2001 
From: Laura Barton Date: Fri, 3 Apr 2026 10:57:46 -0700 Subject: [PATCH 46/46] Fixing expected helm charts for test --- .../controlplane.external-authz.yaml | 699 ++++++++++++++++++ 1 file changed, 699 insertions(+) diff --git a/tests/generated/controlplane.external-authz.yaml b/tests/generated/controlplane.external-authz.yaml index afa1a878..5197cb85 100644 --- a/tests/generated/controlplane.external-authz.yaml +++ b/tests/generated/controlplane.external-authz.yaml @@ -170,6 +170,19 @@ spec: app.kubernetes.io/name: usage app.kubernetes.io/instance: release-name --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: envoy-gateway + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +--- # Source: controlplane/charts/flyte/templates/admin/rbac.yaml apiVersion: v1 kind: ServiceAccount 
@@ -330,6 +343,46 @@ type: Opaque stringData: client_secret: foobar --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-config.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: envoy-gateway-config + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +data: + envoy-gateway.yaml: | + apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: EnvoyGateway + extensionApis: {} + gateway: + controllerName: gateway.envoyproxy.io/gatewayclass-controller + logging: + level: + default: info + provider: + kubernetes: + rateLimitDeployment: + container: + image: docker.io/envoyproxy/ratelimit:3fb70258 + patch: + type: StrategicMerge + value: + spec: + template: + spec: + containers: + - imagePullPolicy: IfNotPresent + name: envoy-ratelimit + shutdownManager: + image: docker.io/envoyproxy/gateway:v1.6.4 + type: Kubernetes +--- # Source: controlplane/charts/flyte/templates/admin/configmap.yaml apiVersion: v1 kind: ConfigMap 
@@ -4795,6 +4848,138 @@ parameters: reclaimPolicy: Delete allowVolumeExpansion: true --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: release-name-envoy-gateway-envoy-gateway-role +rules: +- apiGroups: + - "" + resources: + - nodes + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - update +- apiGroups: + - multicluster.x-k8s.io + resources: + - serviceimports + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + - secrets + - services + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoyproxies + - envoypatchpolicies + - clienttrafficpolicies + - backendtrafficpolicies + - securitypolicies + - envoyextensionpolicies + - backends + - httproutefilters + verbs: + - get + - list + - watch +- apiGroups: + - gateway.envoyproxy.io + resources: + - envoypatchpolicies/status + - clienttrafficpolicies/status + - backendtrafficpolicies/status + - securitypolicies/status + - envoyextensionpolicies/status + - backends/status + verbs: + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + - grpcroutes + - httproutes + - referencegrants + - tcproutes + - tlsroutes + - udproutes + - backendtlspolicies + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + - grpcroutes/status + - httproutes/status + - tcproutes/status + - tlsroutes/status + - 
udproutes/status + - backendtlspolicies/status + verbs: + - update +- apiGroups: + - "" + resources: + - pods + - pods/binding + verbs: + - get + - list + - patch + - update + - watch +--- # Source: controlplane/charts/flyte/templates/admin/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -5460,6 +5645,20 @@ rules: - list - watch --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: release-name-envoy-gateway-envoy-gateway-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: release-name-envoy-gateway-envoy-gateway-role +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'union' +--- # Source: controlplane/charts/flyte/templates/admin/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -5493,6 +5692,110 @@ subjects: name: scylla-operator namespace: scylla-operator --- +# Source: controlplane/charts/envoy-gateway/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: release-name-envoy-gateway-infra-manager + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - serviceaccounts + - services + - configmaps + verbs: + - create + - get + - list + - delete + - deletecollection + - patch +- apiGroups: + - apps + resources: + - deployments + - daemonsets + verbs: + - create + - get + - delete + - deletecollection + - patch +- apiGroups: + - autoscaling + - policy + resources: + - horizontalpodautoscalers + - poddisruptionbudgets + verbs: + - create + - get + - list + - delete + - deletecollection + - patch +- apiGroups: + - certificates.k8s.io + resources: + - clustertrustbundles + verbs: + - list + - get + - watch +--- +# Source: controlplane/charts/envoy-gateway/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: release-name-envoy-gateway-leader-election-role + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- # Source: controlplane/templates/flyte-core-app.yaml apiVersion: rbac.authorization.k8s.io/v1 
kind: Role @@ -5524,6 +5827,48 @@ rules: verbs: - '*' --- +# Source: controlplane/charts/envoy-gateway/templates/infra-manager-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: release-name-envoy-gateway-infra-manager + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'release-name-envoy-gateway-infra-manager' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'union' +--- +# Source: controlplane/charts/envoy-gateway/templates/leader-election-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: release-name-envoy-gateway-leader-election-rolebinding + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'release-name-envoy-gateway-leader-election-role' +subjects: +- kind: ServiceAccount + name: 'envoy-gateway' + namespace: 'union' +--- # Source: controlplane/templates/flyte-core-app.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding 
@@ -5544,6 +5889,42 @@ subjects: name: flyteadmin namespace: union --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-service.yaml +apiVersion: v1 +kind: Service +metadata: + name: envoy-gateway + namespace: 'union' + labels: + control-plane: envoy-gateway + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + selector: + control-plane: envoy-gateway + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + ports: + - name: grpc + port: 18000 + targetPort: 18000 + - name: ratelimit + port: 18001 + targetPort: 18001 + - name: wasm + port: 18002 + targetPort: 18002 + - name: metrics + port: 19001 + targetPort: 19001 + - name: webhook + port: 9443 + targetPort: 9443 +--- # Source: controlplane/charts/flyte/templates/admin/service.yaml apiVersion: v1 kind: Service 
@@ -5936,6 +6317,110 @@ spec: app.kubernetes.io/name: usage app.kubernetes.io/instance: release-name --- +# Source: controlplane/charts/envoy-gateway/templates/envoy-gateway-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: envoy-gateway + namespace: 'union' + labels: + control-plane: envoy-gateway + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + selector: + matchLabels: + control-plane: envoy-gateway + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + template: + metadata: + annotations: + prometheus.io/port: "19001" + prometheus.io/scrape: "true" + labels: + control-plane: envoy-gateway + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + spec: + containers: + - args: + - server + - --config-path=/config/envoy-gateway.yaml + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: docker.io/envoyproxy/gateway:v1.6.4 + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: envoy-gateway + ports: + - containerPort: 18000 + name: grpc + - containerPort: 18001 + name: ratelimit + - containerPort: 18002 + name: wasm + - containerPort: 19001 + name: metrics + - name: webhook + containerPort: 9443 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + memory: 1024Mi + requests: + cpu: 100m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: 
/config + name: envoy-gateway-config + readOnly: true + - mountPath: /certs + name: certs + readOnly: true + imagePullSecrets: [] + serviceAccountName: envoy-gateway + terminationGracePeriodSeconds: 10 + volumes: + - configMap: + defaultMode: 420 + name: envoy-gateway-config + name: envoy-gateway-config + - name: certs + secret: + secretName: envoy-gateway +--- # Source: controlplane/charts/flyte/templates/admin/deployment.yaml apiVersion: apps/v1 kind: Deployment 
@@ -9835,3 +10320,217 @@ spec: storage: capacity: 100Gi storageClassName: scylladb +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: release-name-envoy-gateway-certgen + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: 'release-name-envoy-gateway-certgen:union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. 
+rules: + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - watch + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + resourceNames: + - 'envoy-gateway-topology-injector.union' + verbs: + - update + - patch +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: 'release-name-envoy-gateway-certgen:union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: 'release-name-envoy-gateway-certgen:union' +subjects: + - kind: ServiceAccount + name: 'release-name-envoy-gateway-certgen' + namespace: 'union' +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: release-name-envoy-gateway-certgen + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. 
+rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create + - update +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: release-name-envoy-gateway-certgen + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" # Ensure rbac is created before the certgen job when using ArgoCD. +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: 'release-name-envoy-gateway-certgen' +subjects: +- kind: ServiceAccount + name: 'release-name-envoy-gateway-certgen' + namespace: 'union' +--- +# Source: controlplane/charts/envoy-gateway/templates/certgen.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: release-name-envoy-gateway-certgen + namespace: 'union' + labels: + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm + annotations: + "helm.sh/hook": pre-install, pre-upgrade +spec: + backoffLimit: 1 + completions: 1 + parallelism: 1 + template: + metadata: + labels: + app: certgen + spec: + containers: + - command: + - envoy-gateway + - certgen + env: + - name: ENVOY_GATEWAY_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: KUBERNETES_CLUSTER_DOMAIN + value: cluster.local + image: docker.io/envoyproxy/gateway:v1.6.4 + imagePullPolicy: IfNotPresent + name: envoy-gateway-certgen + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: 
RuntimeDefault + imagePullSecrets: [] + restartPolicy: Never + serviceAccountName: release-name-envoy-gateway-certgen + ttlSecondsAfterFinished: 30 +--- +# Source: controlplane/charts/envoy-gateway/templates/envoy-proxy-topology-injector-webhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: 'envoy-gateway-topology-injector.union' + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "-1" + labels: + app.kubernetes.io/component: topology-injector + helm.sh/chart: envoy-gateway-v1.6.4 + app.kubernetes.io/name: envoy-gateway + app.kubernetes.io/instance: release-name + app.kubernetes.io/version: "v1.6.4" + app.kubernetes.io/managed-by: Helm +webhooks: + - name: topology.webhook.gateway.envoyproxy.io + admissionReviewVersions: ["v1"] + sideEffects: None + clientConfig: + service: + name: envoy-gateway + namespace: 'union' + path: "/inject-pod-topology" + port: 9443 + failurePolicy: Ignore + rules: + - operations: ["CREATE"] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods/binding"] + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + - union