Skip to content

feat: add multi-gateway namespace support with hybrid gateway capabil… #1325

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
japerezjr wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

feat: add multi-gateway namespace support with hybrid gateway capabil… #1325

japerezjr wants to merge 2 commits into from

Conversation

@japerezjr
Copy link
Contributor

@japerezjr japerezjr commented Nov 21, 2025

…ities

This feature adds comprehensive multi-gateway support to the Envoy Gateway setup script, enabling flexible deployments that can separate external and internal services with appropriate security configurations.

Features:

  • Configuration file mode (--config) for YAML-based multi-gateway setup
  • Namespace isolation for each gateway (improved security and organization)
  • Hybrid gateway support (external-only, internal-only, or both)
  • Flexible certificate management (Let's Encrypt or self-signed per gateway)
  • Route and listener processing for multiple gateways
  • Support for multiple MetalLB pools per gateway
  • Internal gateways accessible on port 443 (same as external)
  • Backward compatibility with legacy single gateway mode

Configuration Format:
The new --config option accepts YAML files defining multiple gateways:
gateways:
- name: external-gateway namespace: external-gateway domain: cloud.example.com type: [external] metallb_pools: external: gateway-api-external issuer: type: letsencrypt email: [email protected] routes: - keystone - nova - neutron

Key Improvements:

  • Each gateway runs in its own namespace for better isolation
  • Routes are automatically created for each gateway type
  • Listeners are applied to all gateways
  • Support for multiple DNS providers (Cloudflare, Route53, Azure DNS, etc.)
  • Comprehensive error handling and validation

Files Added:

  • examples/gateway-config.yaml: Comprehensive example configuration
  • examples/simple-gateway-config.yaml: Simple setup example
  • docs/gateway-setup.md: Complete usage documentation

Files Modified:

  • bin/setup-envoy-gateway.sh: Enhanced with multi-gateway support

Backward Compatibility:

  • Legacy single gateway mode still works unchanged
  • Existing --email, --domain, --challenge options preserved
  • Interactive mode still available
  • All DNS plugins supported in both modes

@japerezjr japerezjr marked this pull request as draft November 21, 2025 06:22
@japerezjr
Copy link
Contributor Author

japerezjr commented Nov 21, 2025

I've done all the testing I can. I need some help testing the different challenge modes. Also, I need to figure out how we want to create the "internal" ipaddresspools and l2advertisemnets for metallb. Right now we have to manually create that if we try to deploy with an internal httproute.
Naming could probably still use some work.

@rackerchris
Copy link
Contributor

rackerchris commented Nov 21, 2025

checks failing. please fix and resubmit your pr

rackerchris
rackerchris requested changes Nov 24, 2025
View reviewed changes
base-kustomize/envoyproxy-gateway/base/kustomization.yaml
Copy link
Contributor

@rackerchris rackerchris Nov 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please add --- to beginning of file.

etc/gateway-api/routes/custom-longhorn-routes.yaml Outdated
namespace: envoy-gateway
sectionName: longhorn-https
rules:
- backendRefs:
Copy link
Contributor

@rackerchris rackerchris Nov 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

incorrect indentation. You will need to run this pr through yamllint and correct any errors/warnings.

@japerezjr
feat: add multi-gateway namespace support with hybrid gateway capabil…
d669b4f 
…ities

This feature adds comprehensive multi-gateway support to the Envoy Gateway setup script,
enabling flexible deployments that can separate external and internal services with
appropriate security configurations.

Features:
- Configuration file mode (--config) for YAML-based multi-gateway setup
- Namespace isolation for each gateway (improved security and organization)
- Hybrid gateway support (external-only, internal-only, or both)
- Flexible certificate management (Let's Encrypt or self-signed per gateway)
- Route and listener processing for multiple gateways
- Support for multiple MetalLB pools per gateway
- Internal gateways accessible on port 443 (same as external)
- Backward compatibility with legacy single gateway mode

Configuration Format:
The new --config option accepts YAML files defining multiple gateways:
  gateways:
    - name: external-gateway
      namespace: external-gateway
      domain: cloud.example.com
      type: [external]
      metallb_pools:
        external: gateway-api-external
      issuer:
        type: letsencrypt
        email: [email protected]
      routes:
        - keystone
        - nova
        - neutron

Key Improvements:
- Each gateway runs in its own namespace for better isolation
- Routes are automatically created for each gateway type
- Listeners are applied to all gateways
- Support for multiple DNS providers (Cloudflare, Route53, Azure DNS, etc.)
- Comprehensive error handling and validation

Files Added:
- examples/gateway-config.yaml: Comprehensive example configuration
- examples/simple-gateway-config.yaml: Simple setup example
- docs/gateway-setup.md: Complete usage documentation

Files Modified:
- bin/setup-envoy-gateway.sh: Enhanced with multi-gateway support

Backward Compatibility:
- Legacy single gateway mode still works unchanged
- Existing --email, --domain, --challenge options preserved
- Interactive mode still available
- All DNS plugins supported in both modes
@japerezjr japerezjr force-pushed the feature/multi-gateway-namespaces branch 7 times, most recently from 1c2f75a to eb066bc Compare December 11, 2025 21:29
@japerezjr japerezjr force-pushed the feature/multi-gateway-namespaces branch from eb066bc to f8509f5 Compare December 11, 2025 21:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rackerchris rackerchris rackerchris requested changes

@aedan aedan Awaiting requested review from aedan

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@japerezjr @rackerchris