unionai · aviator-app · Apr 10, 2026 · Mar 9, 2026 · Mar 10, 2026 · Mar 10, 2026
diff --git a/charts/controlplane/Chart.yaml b/charts/controlplane/Chart.yaml
@@ -28,3 +28,8 @@ dependencies:
   version: 80.8.0
   alias: monitoring
   condition: monitoring.enabled
+- name: gateway-helm
+  alias: envoy-gateway
+  repository: oci://docker.io/envoyproxy
+  version: v1.6.4
+  condition: envoy-gateway.enabled
diff --git a/charts/controlplane/README.md b/charts/controlplane/README.md
@@ -20,6 +20,9 @@ helm repo add flyte https://helm.flyte.org
 # Add Ingress NGINX Helm repository (if using ingress-nginx)
 helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
 
+# Add Envoy Gateway Helm repository (if using Envoy Gateway)
+helm repo add envoy-gateway oci://docker.io/envoyproxy
+
 # Add ScyllaDB Helm repository (if using ScyllaDB)
 helm repo add scylla https://scylla-operator-charts.storage.googleapis.com/stable
 
@@ -52,6 +55,7 @@ Kubernetes: `>= 1.28.0-0`
 |------------|------|---------|----------|-------|
 | https://helm.flyte.org | flyte-core(flyte) | v1.16.0-b2 | No | Required |
 | https://kubernetes.github.io/ingress-nginx | ingress-nginx | 4.12.3 | Yes | Only if `ingress-nginx.enabled: true` |
+| oci://docker.io/envoyproxy | gateway-helm(envoy-gateway) | v1.6.4 | Yes | Only if `envoy-gateway.enabled: true`; for selfmanaged deployments install via ArgoCD ApplicationSet instead |
 | https://scylla-operator-charts.storage.googleapis.com/stable | scylla-operator | v1.18.1 | Yes | Only if `scylla.enabled: true` |
 | https://scylla-operator-charts.storage.googleapis.com/stable | scylla | v1.18.1 | Yes | Only if `scylla.enabled: true` |
 | https://prometheus-community.github.io/helm-charts | monitoring(kube-prometheus-stack) | 80.8.0 | Yes | Only if `monitoring.enabled: true` |
@@ -261,17 +265,41 @@ helm upgrade --install union-controlplane unionai/controlplane \
   --values values.yaml
 ```
 
-### Installation with Ingress NGINX
+### Ingress Controller
+
+The chart supports two ingress controllers, selected via `global.INGRESS_PROVIDER`:
+
+| Value | Behavior |
+|-------|----------|
+| `nginx` | Only nginx Ingress objects rendered (default) |
+| `envoy` | Only Envoy Gateway API resources rendered (HTTPRoute/GRPCRoute/Gateway) |
+| `both` | Both sets rendered simultaneously — use during migration |
 
-If you need ingress support:
+#### Installation with Ingress NGINX
 
 ```yaml
+global:
+  INGRESS_PROVIDER: nginx
+
 ingress-nginx:
   enabled: true
+```
+
+#### Installation with Envoy Gateway
+
+Envoy Gateway can be installed as a sub-chart (managed deployments) or as a separate Helm release via ArgoCD (selfmanaged deployments — see [Self-Hosted Guides](#alternative-deployment-models)).
+
+For sub-chart installation:
+
+```yaml
+global:
+  INGRESS_PROVIDER: envoy
+
+envoy-gateway:
+  enabled: true  # installs gateway-helm as a sub-chart
 
-ingress:
-  className: "controlplane"
-  secretService: true
+envoyGateway:
+  gatewayClassName: envoy  # must match the GatewayClass created by the EG install
 ```
 
 ## Verification
@@ -302,7 +330,7 @@ helm show values unionai/controlplane
 - **Postgres Configuration** (Required): Set `dbHost`, `dbName`, `dbUser`, and `dbPass` for the primary database used by all control plane services except the queue service
 - **ScyllaDB Configuration** (Required): Configure `scylla` section for the queue service database. Set `scylla.enabled: true` for embedded cluster or provide `scylla.externalHost` for external ScyllaDB
 - **Object Storage**: Configure `bucketName`, `artifactsBucketName`, and `region` for S3-compatible storage
-- **Ingress**: Enable and configure ingress under `ingress-nginx` section
+- **Ingress**: Set `global.INGRESS_PROVIDER` to `nginx`, `envoy`, or `both`. Enable the relevant controller (`ingress-nginx.enabled` or `envoy-gateway.enabled`) and configure `envoyGateway.gatewayClassName` when using Envoy Gateway
 
 ---
 

diff --git a/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_AWS.md b/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_AWS.md
@@ -275,13 +275,23 @@ global:
   # override is configured.
 ```
 
-### TLS Requirements
+### Ingress Controller
 
-gRPC requires TLS for HTTP/2 with NGINX. Refer to [values.aws.selfhosted-intracluster.yaml](./values.aws.selfhosted-intracluster.yaml) for example configuration.
+The chart supports two ingress controllers, selected via `global.INGRESS_PROVIDER`:
+
+| Value | Behavior |
+|-------|----------|
+| `nginx` | Only nginx Ingress objects rendered (default) |
+| `envoy` | Only Envoy Gateway API resources rendered (HTTPRoute/GRPCRoute/Gateway) |
+| `both` | Both sets rendered simultaneously — use during migration |
+
+#### NGINX (default)
+
+TLS is required for gRPC over HTTP/2. Refer to [values.aws.selfhosted-intracluster.yaml](./values.aws.selfhosted-intracluster.yaml) for example configuration.
 
 ```yaml
 global:
-  # Configure namespace and name of the Kubernetes TLS secret.
+  INGRESS_PROVIDER: nginx
   TLS_SECRET_NAMESPACE: ""
   TLS_SECRET_NAME: ""
 
@@ -292,12 +302,35 @@ ingress-nginx:
       default-ssl-certificate: "<TLS_SECRET_NAMESPACE>/<TLS_SECRET_NAME>"
 ```
 
+#### Envoy Gateway
+
+Envoy Gateway is installed as a **separate Helm release** via an ArgoCD ApplicationSet — it is not a sub-chart of the controlplane chart. To enable it:
+
+1. Deploy the Envoy Gateway controller into the cluster (see `cloud/infra/argocd/deploy/manifests/appset-selfmanaged-envoy-gateway.yaml`).
+2. Set the ingress provider and gateway class in your overrides:
+
+```yaml
+global:
+  INGRESS_PROVIDER: envoy  # or "both" during parallel rollout
+
+envoyGateway:
+  gatewayClassName: controlplane-envoy  # must match the GatewayClass created by the EG install
+```
+
+The `envoy-gateway.enabled` key controls whether the chart's bundled sub-chart dependency is installed. For selfmanaged deployments this stays `false` because EG is managed separately:
+
+```yaml
+envoy-gateway:
+  enabled: false  # EG is installed via its own ArgoCD ApplicationSet, not as a sub-chart
+```
+
 ### Service Discovery
 
 Control plane services discover each other via Kubernetes DNS:
 
 - **Flyteadmin**: `flyteadmin.union-cp.svc.cluster.local:81`
 - **NGINX Ingress**: `controlplane-nginx-controller.union-cp.svc.cluster.local`
+- **Envoy Gateway**: `controlplane-envoy-gateway.union-cp.svc.cluster.local` (when using EG)
 - **Dataplane** (for dataproxy): `dataplane-nginx-controller.union.svc.cluster.local`
 
 ## Authentication (OIDC/OAuth2)
@@ -403,7 +436,7 @@ flyte:
           useAuth: true
 ```
 
-This enables nginx auth-subrequest validation on protected ingress routes.
+This enables auth validation on protected ingress routes (nginx auth-subrequest for the nginx path; the Envoy Gateway path uses an equivalent Go auth filter via EnvoyPatchPolicy).
 
 ### Verifying Authentication
 

diff --git a/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_GCP.md b/charts/controlplane/SELFHOSTED_INTRA_CLUSTER_GCP.md
@@ -287,13 +287,23 @@ global:
   # override is configured.
 ```
 
-### TLS Requirements
+### Ingress Controller
 
-gRPC requires TLS for HTTP/2 with NGINX. Refer to [values.gcp.selfhosted-intracluster.yaml](./values.gcp.selfhosted-intracluster.yaml) for example configuration.
+The chart supports two ingress controllers, selected via `global.INGRESS_PROVIDER`:
+
+| Value | Behavior |
+|-------|----------|
+| `nginx` | Only nginx Ingress objects rendered (default) |
+| `envoy` | Only Envoy Gateway API resources rendered (HTTPRoute/GRPCRoute/Gateway) |
+| `both` | Both sets rendered simultaneously — use during migration |
+
+#### NGINX (default)
+
+TLS is required for gRPC over HTTP/2. Refer to [values.gcp.selfhosted-intracluster.yaml](./values.gcp.selfhosted-intracluster.yaml) for example configuration.
 
 ```yaml
 global:
-  # Configure namespace and name of the Kubernetes TLS secret.
+  INGRESS_PROVIDER: nginx
   TLS_SECRET_NAMESPACE: ""
   TLS_SECRET_NAME: ""
 
@@ -304,12 +314,35 @@ ingress-nginx:
       default-ssl-certificate: "<TLS_SECRET_NAMESPACE>/<TLS_SECRET_NAME>"
 ```
 
+#### Envoy Gateway
+
+Envoy Gateway is installed as a **separate Helm release** via an ArgoCD ApplicationSet — it is not a sub-chart of the controlplane chart. To enable it:
+
+1. Deploy the Envoy Gateway controller into the cluster (see `cloud/infra/argocd/deploy/manifests/appset-selfmanaged-envoy-gateway.yaml`).
+2. Set the ingress provider and gateway class in your overrides:
+
+```yaml
+global:
+  INGRESS_PROVIDER: envoy  # or "both" during parallel rollout
+
+envoyGateway:
+  gatewayClassName: controlplane-envoy  # must match the GatewayClass created by the EG install
+```
+
+The `envoy-gateway.enabled` key controls whether the chart's bundled sub-chart dependency is installed. For selfmanaged deployments this stays `false` because EG is managed separately:
+
+```yaml
+envoy-gateway:
+  enabled: false  # EG is installed via its own ArgoCD ApplicationSet, not as a sub-chart
+```
+
 ### Service Discovery
 
 Control plane services discover each other via Kubernetes DNS:
 
 - **Flyteadmin**: `flyteadmin.union-cp.svc.cluster.local:81`
 - **NGINX Ingress**: `controlplane-nginx-controller.union-cp.svc.cluster.local`
+- **Envoy Gateway**: `controlplane-envoy-gateway.union-cp.svc.cluster.local` (when using EG)
 - **Dataplane** (for dataproxy): `dataplane-nginx-controller.union.svc.cluster.local`
 
 ## Authentication (OIDC/OAuth2)
@@ -415,7 +448,7 @@ flyte:
           useAuth: true
 ```
 
-This enables nginx auth-subrequest validation on protected ingress routes.
+This enables auth validation on protected ingress routes (nginx auth-subrequest for the nginx path; the Envoy Gateway path uses an equivalent Go auth filter via EnvoyPatchPolicy).
 
 ### Verifying Authentication
 

diff --git a/charts/controlplane/templates/common/_backendtrafficpolicy.yaml b/charts/controlplane/templates/common/_backendtrafficpolicy.yaml
@@ -0,0 +1,108 @@
+{{- define "control-plane-library.backendtrafficpolicy" }}
+# BackendTrafficPolicy — configures Envoy→gRPC backend connection settings.
+# Replaces nginx grpc_connect_timeout, grpc_read_timeout, grpc_send_timeout.
+# Two policies (one per GRPCRoute) so h2c and timeouts are scoped to gRPC traffic only.
+#
+# requestTimeout applies to unary calls; maxStreamDuration applies to streaming calls.
+# "0s" for maxStreamDuration means no limit (equivalent to grpc_read_timeout 604800s on streaming routes).
+# Both protected and unprotected GRPCRoutes contain streaming methods so both get the same config.
+#
+# Rate limit is also included here (when enabled) because route-level BTPs override gateway-level ones,
+# so the gateway-level rate-limit BTP below would be suppressed for these two GRPCRoutes without it.
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: BackendTrafficPolicy
+metadata:
+  name: {{ template "flyte.name" . }}-grpc-protected-h2c
+  namespace: {{ template "flyte.namespace" . }}
+spec:
+  targetRefs:
+    - group: gateway.networking.k8s.io
+      kind: GRPCRoute
+      name: {{ template "flyte.name" . }}-grpc-protected
+  timeout:
+    tcp:
+      connectTimeout: "1200s"  # grpc_connect_timeout 1200s
+    http:
+      requestTimeout: "1200s"  # grpc_read_timeout 1200s (unary calls)
+      maxStreamDuration: "0s"  # no limit for streaming (grpc_read_timeout 604800s on streaming routes)
+  tcpKeepalive:
+    probes: 9
+    idleTime: "15s"
+    interval: "15s"
+  http2: {}
+{{- if .Values.envoyGateway.rateLimit.enabled }}
+  rateLimit:
+    type: Global
+    global:
+      rules:
+        - clientSelectors:
+            - sourceCIDR:
+                type: Distinct
+                value: "0.0.0.0/0"
+          limit:
+            requests: {{ .Values.envoyGateway.rateLimit.requestsPerUnit | default 100 }}
+            unit: {{ .Values.envoyGateway.rateLimit.unit | default "Second" }}
+{{- end }}
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: BackendTrafficPolicy
+metadata:
+  name: {{ template "flyte.name" . }}-grpc-unprotected-h2c
+  namespace: {{ template "flyte.namespace" . }}
+spec:
+  targetRefs:
+    - group: gateway.networking.k8s.io
+      kind: GRPCRoute
+      name: {{ template "flyte.name" . }}-grpc-unprotected
+  timeout:
+    tcp:
+      connectTimeout: "1200s"  # grpc_connect_timeout 1200s
+    http:
+      requestTimeout: "1200s"  # grpc_read_timeout 1200s (unary calls)
+      maxStreamDuration: "0s"  # no limit for WatchExecutionStatusUpdates streaming
+  tcpKeepalive:
+    probes: 9
+    idleTime: "15s"
+    interval: "15s"
+  http2: {}
+{{- if .Values.envoyGateway.rateLimit.enabled }}
+  rateLimit:
+    type: Global
+    global:
+      rules:
+        - clientSelectors:
+            - sourceCIDR:
+                type: Distinct
+                value: "0.0.0.0/0"
+          limit:
+            requests: {{ .Values.envoyGateway.rateLimit.requestsPerUnit | default 100 }}
+            unit: {{ .Values.envoyGateway.rateLimit.unit | default "Second" }}
+{{- end }}
+{{- if .Values.envoyGateway.rateLimit.enabled }}
+---
+# Global per-source-IP rate limit — replaces nginx.ingress.kubernetes.io/limit-rps annotation.
+# Requires EG rateLimit backend (envoyproxy/ratelimit + Redis) to be running.
+# Enable via envoyGateway.rateLimit.enabled: true once the backend is confirmed healthy.
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: BackendTrafficPolicy
+metadata:
+  name: {{ template "flyte.name" . }}-global-rate-limit
+  namespace: {{ template "flyte.namespace" . }}
+spec:
+  targetRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: {{ template "flyte.name" . }}
+  rateLimit:
+    type: Global
+    global:
+      rules:
+        - clientSelectors:
+            - sourceCIDR:
+                type: Distinct
+                value: "0.0.0.0/0"
+          limit:
+            requests: {{ .Values.envoyGateway.rateLimit.requestsPerUnit | default 100 }}
+            unit: {{ .Values.envoyGateway.rateLimit.unit | default "Second" }}
+{{- end }}
+{{- end }}
diff --git a/charts/controlplane/templates/common/_clienttrafficpolicy.yaml b/charts/controlplane/templates/common/_clienttrafficpolicy.yaml
@@ -0,0 +1,23 @@
+{{- define "control-plane-library.clienttrafficpolicy" }}
+# ClientTrafficPolicy — configures inbound client connection settings on the Gateway.
+# Replaces nginx server-snippet: client_header_timeout, client_body_timeout,
+# client_header_buffer_size, and large_client_header_buffers.
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: ClientTrafficPolicy
+metadata:
+  name: {{ template "flyte.name" . }}-client-policy
+  namespace: {{ template "flyte.namespace" . }}
+spec:
+  targetRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: {{ template "flyte.name" . }}
+  timeout:
+    http:
+      requestReceivedTimeout: "0s"  # client_header_timeout 604800
+      streamIdleTimeout: "0s"       # client_body_timeout 604800
+  connection:
+    # large_client_header_buffers 64 32k = 2Mi total; mitigates 400 errors from large cookies
+    # at the /me auth endpoint (see PE-1101).
+    bufferLimit: "2Mi"
+{{- end }}