rackerlabs · skrobul · Nov 26, 2025 · Nov 27, 2025 · Nov 27, 2025 · Nov 27, 2025
diff --git a/apps/appsets/project-understack-infra.yaml b/apps/appsets/project-understack-infra.yaml
@@ -15,6 +15,8 @@ spec:
     server: '*'
   - namespace: 'cilium'
     server: '*'
+  - namespace: 'envoy-gateway'
+    server: '*'
   - namespace: 'kube-system'
     server: '*'
   clusterResourceWhitelist:

diff --git a/apps/appsets/project-understack.yaml b/apps/appsets/project-understack.yaml
@@ -11,6 +11,8 @@ spec:
   destinations:
   - namespace: 'argo'
     server: '*'
+  - namespace: 'argocd'
+    server: '*'
   - namespace: 'argo-events'
     server: '*'
   - namespace: 'cert-manager'
@@ -29,6 +31,8 @@ spec:
     server: '*'
   - namespace: 'kube-system'
     server: '*'
+  - namespace: 'envoy-gateway'
+    server: '*'
   clusterResourceWhitelist:
   - group: '*'
     kind: '*'
diff --git a/apps/infra/cert-manager.yaml b/apps/infra/cert-manager.yaml
@@ -3,9 +3,13 @@ component: cert-manager
 sources:
   - repoURL: https://charts.jetstack.io
     chart: cert-manager
-    targetRevision: '1.18.2'
+    targetRevision: '1.19.2'
     helm:
       releaseName: cert-manager
       valuesObject:
         crds:
           enabled: true
+        config:
+          enableGatewayAPI: true
+          apiVersion: controller.config.cert-manager.io/v1alpha1
+          kind: ControllerConfiguration
diff --git a/apps/infra/envoy-gateway.yaml b/apps/infra/envoy-gateway.yaml
@@ -0,0 +1,17 @@
+---
+component: envoy-gateway
+sources:
+  - repoURL: docker.io/envoyproxy
+    chart: gateway-helm
+    path: gateway-helm
+    targetRevision: v1.6.0
+    helm:
+      releaseName: envoy-gateway
+      valueFiles:
+        - $understack/components/envoy-gateway/values.yaml
+        - $deploy/{{.name}}/helm-configs/envoy-gateway.yaml
+      ignoreMissingValueFiles: true
+  - ref: understack
+    path: 'components/envoy-gateway'
+  - ref: deploy
+    path: '{{.name}}/manifests/envoy-gateway'
diff --git a/apps/operators/external-dns.yaml b/apps/operators/external-dns.yaml
@@ -3,7 +3,7 @@ component: external-dns
 sources:
   - repoURL: ghcr.io/rackerlabs/charts
     chart: external-dns-rackspace
-    targetRevision: 0.1.0
+    targetRevision: 0.2.0
     helm:
       releaseName: external-dns-rackspace
       namespace: "external-dns"

diff --git a/apps/site/envoy-configs.yaml b/apps/site/envoy-configs.yaml
@@ -0,0 +1,14 @@
+---
+component: envoy-configs
+componentNamespace: envoy-gateway
+sources:
+  - ref: understack
+    path: components/envoy-configs
+    helm:
+      releaseName: envoy-configs
+      valueFiles:
+        - $understack/components/envoy-configs/values.yaml
+        - $deploy/{{.name}}/helm-configs/envoy-configs.yaml
+      ignoreMissingValueFiles: true
+  - ref: deploy
+    path: '{{.name}}/manifests/envoy-configs'
diff --git a/bootstrap/bootstrap.sh b/bootstrap/bootstrap.sh
@@ -19,7 +19,36 @@ wait_for_cert_manager() {
   echo " done."
 }
 
-kubectl kustomize --enable-helm bootstrap/cert-manager/ | kubectl apply --server-side -f -
+check_required_binaries() {
+  local missing_binaries=()
+
+  if ! command -v kubectl &>/dev/null; then
+    missing_binaries+=("kubectl")
+  fi
+
+  if ! command -v helm &>/dev/null; then
+    missing_binaries+=("helm")
+  fi
+
+  if [ ${#missing_binaries[@]} -ne 0 ]; then
+    echo "Error: Required binaries not found: ${missing_binaries[*]}"
+    exit 1
+  fi
+}
+
+check_required_binaries
+
+CM_CHART_VERSION=v1.19.2
+helm upgrade --install \
+  cert-manager oci://quay.io/jetstack/charts/cert-manager:${CM_CHART_VERSION} \
+  --create-namespace \
+  --namespace cert-manager \
+  --set crds.enabled=true \
+  --set config.enableGatewayApi=true \
+  --set config.apiVersion="controller.config.cert-manager.io/v1alpha1" \
+  --set config.kind="ControllerConfiguration" \
+  cert-manager
+
 wait_for_cert_manager
 kubectl kustomize --enable-helm bootstrap | kubectl apply --server-side -f -
 kubectl apply -f bootstrap/cert-manager/issuer-kube-system-self-signed.yaml

diff --git a/bootstrap/cert-manager/kustomization.yaml b/bootstrap/cert-manager/kustomization.yaml
diff --git a/components/argo-workflows/ingress.yaml b/components/argo-workflows/ingress.yaml
diff --git a/components/argocd/values.yaml b/components/argocd/values.yaml
@@ -15,12 +15,7 @@ applicationSet:
       interval: 30s
 server:
   ingress:
-    enabled: true
-    ingressClassName: nginx
-    tls: true
-    annotations:
-      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
-      nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
+    enabled: false
   metrics:
     enabled: true
     serviceMonitor:

diff --git a/components/cinder/values.yaml b/components/cinder/values.yaml
@@ -54,12 +54,6 @@ network:
   # instead of expecting the ingress controller provided
   # by OpenStack Helm
   use_external_ingress_controller: true
-  api:
-    ingress:
-      annotations:
-        nginx.ingress.kubernetes.io/rewrite-target: /
-        # set our default issuer
-        cert-manager.io/cluster-issuer: understack-cluster-issuer
 
 pod:
   mounts:
@@ -232,6 +226,7 @@ manifests:
   secret_rabbitmq: false
   secret_registry: false
   service_ingress_api: false
+  ingress_api: false
   deployment_backup: false
   # We set the `secret_keystone` and `secret_ks_etc` to false in order to disable
   # Kubernetes section generation in OpenStack Helm, because we want those

diff --git a/components/dex/values.yaml b/components/dex/values.yaml
@@ -115,8 +115,4 @@ envVars:
         key: client-secret
 
 ingress:
-  enabled: true
-  className: nginx
-  annotations:
-    cert-manager.io/cluster-issuer: understack-cluster-issuer
-    nginx.ingress.kubernetes.io/backend-protocol: HTTP
+  enabled: false
diff --git a/components/envoy-configs/.helmignore b/components/envoy-configs/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/components/envoy-configs/Chart.yaml b/components/envoy-configs/Chart.yaml
@@ -0,0 +1,15 @@
+apiVersion: v2
+name: envoy-configs
+description: Chart with configuration for Envoy Gateway
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 1.0.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.6.0"
diff --git a/components/envoy-configs/templates/_helpers.tpl b/components/envoy-configs/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "envoy-configs.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "envoy-configs.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "envoy-configs.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "envoy-configs.labels" -}}
+helm.sh/chart: {{ include "envoy-configs.chart" . }}
+{{ include "envoy-configs.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "envoy-configs.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "envoy-configs.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "envoy-configs.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "envoy-configs.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/components/envoy-configs/templates/gw-external.yaml.tpl b/components/envoy-configs/templates/gw-external.yaml.tpl
@@ -0,0 +1,78 @@
+{{- if .Values.gateways.external }}
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: {{ .Values.gateways.external.name }}
+  namespace: {{ .Values.gateways.external.namespace }}
+  annotations:
+    cert-manager.io/cluster-issuer: {{ .Values.gateways.external.issuer | default "understack-cluster-issuer"}}
+  labels:
+    {{- include "envoy-configs.labels" . | nindent 4 }}
+spec:
+  gatewayClassName: {{ .Values.gateways.external.className }}
+  listeners:
+    {{- range .Values.routes.http }}
+    {{- $listenerName := .name | default (index (splitList "." .fqdn) 0) }}
+    - name: {{ $listenerName }}
+      port: {{ $.Values.gateways.external.port | default 443 }}
+      protocol: HTTPS
+      hostname: {{ .fqdn }}
+      tls:
+        mode: Terminate
+        certificateRefs:
+          - name: {{ $listenerName }}-tls
+      allowedRoutes:
+        namespaces:
+          {{- if .selector }}
+          from: Selector
+          selector:
+            {{- .selector | toYaml | nindent 12 }}
+          {{- else }}
+          from: {{ .from | default "All" }}
+          {{- end }}
+    {{- end }}
+    {{- range .Values.routes.tls }}
+    {{- $listenerName := .name | default (index (splitList "." .fqdn) 0) }}
+    - name: {{ $listenerName }}
+      port: {{ $.Values.gateways.external.port | default 443 }}
+      protocol: TLS
+      hostname: {{ .fqdn | quote }}
+      tls:
+        mode: Passthrough
+        certificateRefs:
+          - name: {{ $listenerName }}-tls
+      allowedRoutes:
+        namespaces:
+          {{- if .selector }}
+          from: Selector
+          selector:
+            {{- .selector | toYaml | nindent 12 }}
+          {{- else }}
+          from: {{ .from | default "All" }}
+          {{- end }}
+    {{- end }}
+  {{- if .Values.gateways.external.serviceAnnotations }}
+  infrastructure:
+    parametersRef:
+          group: gateway.envoyproxy.io
+          kind: EnvoyProxy
+          name: {{ .Values.gateways.external.name }}-proxy
+  {{- end }}
+{{- if .Values.gateways.external.serviceAnnotations }}
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: EnvoyProxy
+metadata:
+  name: {{ .Values.gateways.external.name }}-proxy
+  namespace: {{ .Values.gateways.external.namespace }}
+spec:
+  provider:
+    type: Kubernetes
+    kubernetes:
+      envoyService:
+        annotations:
+          {{- .Values.gateways.external.serviceAnnotations | toYaml | nindent 10 }}
+        externalTrafficPolicy: {{ .Values.gateways.external.externalTrafficPolicy | default "Cluster" }}
+{{- end }}
+{{- end }}