From 1483157d2add6ec8fa50218bc1b18eb457b77a6f Mon Sep 17 00:00:00 2001
From: Christopher Tineo
Date: Tue, 10 Mar 2026 22:15:08 -0400
Subject: [PATCH 1/8] initial commit
---
.../helm-chart/manifests.toml | 4 +++
.../envoy-gateway/helm-chart/manifests.toml | 4 +++
.../infra/gateway-api-crds/manifests.toml | 5 ++++
.holo/lenses/envoy-gateway-crds.toml | 17 ++++++++++++
.holo/lenses/envoy-gateway.toml | 18 +++++++++++++
.holo/sources/envoy-gateway-chart.toml | 3 +++
.holo/sources/gateway-api-crds.toml | 3 +++
infra/envoy-gateway-crds/helm-chart.toml | 5 ++++
infra/envoy-gateway-crds/release-values.yaml | 2 ++
.../gateway-class.yaml | 6 +++++
infra/envoy-gateway-manifests/gateway.yaml | 26 +++++++++++++++++++
infra/envoy-gateway/release-values.yaml | 2 ++
12 files changed, 95 insertions(+)
create mode 100644 .holo/branches/k8s-manifests/infra/envoy-gateway-crds/helm-chart/manifests.toml
create mode 100644 .holo/branches/k8s-manifests/infra/envoy-gateway/helm-chart/manifests.toml
create mode 100644 .holo/branches/k8s-manifests/infra/gateway-api-crds/manifests.toml
create mode 100644 .holo/lenses/envoy-gateway-crds.toml
create mode 100644 .holo/lenses/envoy-gateway.toml
create mode 100644 .holo/sources/envoy-gateway-chart.toml
create mode 100644 .holo/sources/gateway-api-crds.toml
create mode 100644 infra/envoy-gateway-crds/helm-chart.toml
create mode 100644 infra/envoy-gateway-crds/release-values.yaml
create mode 100644 infra/envoy-gateway-manifests/gateway-class.yaml
create mode 100644 infra/envoy-gateway-manifests/gateway.yaml
create mode 100644 infra/envoy-gateway/release-values.yaml
diff --git a/.holo/branches/k8s-manifests/infra/envoy-gateway-crds/helm-chart/manifests.toml b/.holo/branches/k8s-manifests/infra/envoy-gateway-crds/helm-chart/manifests.toml
new file mode 100644
index 0000000..b8618ac
--- /dev/null
+++ b/.holo/branches/k8s-manifests/infra/envoy-gateway-crds/helm-chart/manifests.toml
@@ -0,0 +1,4 @@
+[holomapping]
+holosource = "envoy-gateway-chart"
+root = "charts/gateway-crds-helm"
+files = "**"
diff --git a/.holo/branches/k8s-manifests/infra/envoy-gateway/helm-chart/manifests.toml b/.holo/branches/k8s-manifests/infra/envoy-gateway/helm-chart/manifests.toml
new file mode 100644
index 0000000..e2738d0
--- /dev/null
+++ b/.holo/branches/k8s-manifests/infra/envoy-gateway/helm-chart/manifests.toml
@@ -0,0 +1,4 @@
+[holomapping]
+holosource = "envoy-gateway-chart"
+root = "charts/gateway-helm"
+files = "**"
diff --git a/.holo/branches/k8s-manifests/infra/gateway-api-crds/manifests.toml b/.holo/branches/k8s-manifests/infra/gateway-api-crds/manifests.toml
new file mode 100644
index 0000000..d6f0af3
--- /dev/null
+++ b/.holo/branches/k8s-manifests/infra/gateway-api-crds/manifests.toml
@@ -0,0 +1,5 @@
+[holomapping]
+holosource = "gateway-api-crds"
+root = "config/crd/standard"
+files = "*.yaml"
+before = "*"
diff --git a/.holo/lenses/envoy-gateway-crds.toml b/.holo/lenses/envoy-gateway-crds.toml
new file mode 100644
index 0000000..a6d3833
--- /dev/null
+++ b/.holo/lenses/envoy-gateway-crds.toml
@@ -0,0 +1,17 @@
+[hololens]
+container = "ghcr.io/hologit/lenses/helm3:latest"
+
+[hololens.input]
+root = "infra/envoy-gateway-crds"
+files = "**"
+
+[hololens.output]
+merge = "replace"
+
+[hololens.helm]
+release_name = "eg-crds"
+
+chart_path = "helm-chart"
+value_files = [
+ "release-values.yaml"
+]
diff --git a/.holo/lenses/envoy-gateway.toml b/.holo/lenses/envoy-gateway.toml
new file mode 100644
index 0000000..bc7e173
--- /dev/null
+++ b/.holo/lenses/envoy-gateway.toml
@@ -0,0 +1,18 @@
+[hololens]
+container = "ghcr.io/hologit/lenses/helm3:latest"
+
+[hololens.input]
+root = "infra/envoy-gateway"
+files = "**"
+
+[hololens.output]
+merge = "replace"
+
+[hololens.helm]
+namespace = "envoy-gateway-system"
+release_name = "eg"
+
+chart_path = "helm-chart"
+value_files = [
+ "release-values.yaml"
+]
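Review bot: Both lens definitions (`.holo/lenses/envoy-gateway-crds.toml` and `.holo/lenses/envoy-gateway.toml`) run `ghcr.io/hologit/lenses/helm3:latest`, a mutable tag, so the container that renders the cluster manifests can change without any commit in this repository. Pinning the image by digest keeps projections reproducible and makes an image change show up in review, e.g. `container = "ghcr.io/hologit/lenses/helm3@sha256:<digest>"` (placeholder; use the digest of the image you have verified, and confirm the lens runner accepts digest references). The chart and CRD sources in the same patch are tied to release tags, which leaves the lens image as the one input with no version at all.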
diff --git a/.holo/sources/envoy-gateway-chart.toml b/.holo/sources/envoy-gateway-chart.toml
new file mode 100644
index 0000000..8a508f7
--- /dev/null
+++ b/.holo/sources/envoy-gateway-chart.toml
@@ -0,0 +1,3 @@
+[holosource]
+url = "https://github.com/envoyproxy/gateway.git"
+ref = "refs/tags/v1.7.0"
diff --git a/.holo/sources/gateway-api-crds.toml b/.holo/sources/gateway-api-crds.toml
new file mode 100644
index 0000000..0486c53
--- /dev/null
+++ b/.holo/sources/gateway-api-crds.toml
@@ -0,0 +1,3 @@
+[holosource]
+url = "https://github.com/kubernetes-sigs/gateway-api.git"
+ref = "refs/tags/v1.5.0"
diff --git a/infra/envoy-gateway-crds/helm-chart.toml b/infra/envoy-gateway-crds/helm-chart.toml
new file mode 100644
index 0000000..4621370
--- /dev/null
+++ b/infra/envoy-gateway-crds/helm-chart.toml
@@ -0,0 +1,5 @@
+[holomapping]
+holosource = "envoy-gateway-chart"
+root = "charts/gateway-crds-helm/templates"
+files = "**"
+before = "*"
diff --git a/infra/envoy-gateway-crds/release-values.yaml b/infra/envoy-gateway-crds/release-values.yaml
new file mode 100644
index 0000000..a8729b0
--- /dev/null
+++ b/infra/envoy-gateway-crds/release-values.yaml
@@ -0,0 +1,2 @@
+# Default values for Envoy Gateway CRDs
+# See https://github.com/envoyproxy/gateway/blob/main/charts/gateway-crds-helm/values.yaml
diff --git a/infra/envoy-gateway-manifests/gateway-class.yaml b/infra/envoy-gateway-manifests/gateway-class.yaml
new file mode 100644
index 0000000..016605a
--- /dev/null
+++ b/infra/envoy-gateway-manifests/gateway-class.yaml
@@ -0,0 +1,6 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+ name: envoy
+spec:
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
diff --git a/infra/envoy-gateway-manifests/gateway.yaml b/infra/envoy-gateway-manifests/gateway.yaml
new file mode 100644
index 0000000..13041a7
--- /dev/null
+++ b/infra/envoy-gateway-manifests/gateway.yaml
@@ -0,0 +1,26 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ name: main-gateway
+ namespace: envoy-gateway-system
+spec:
+ gatewayClassName: envoy
+ listeners:
+ - name: http
+ protocol: HTTP
+ port: 80
+ allowedRoutes:
+ namespaces:
+ from: All
+ - name: https
+ protocol: HTTPS
+ port: 443
+ allowedRoutes:
+ namespaces:
+ from: All
+ tls:
+ mode: Terminate
+ certificateRefs:
+ - name: main-gateway-tls
+ kind: Secret
+ group: ""
diff --git a/infra/envoy-gateway/release-values.yaml b/infra/envoy-gateway/release-values.yaml
new file mode 100644
index 0000000..2c240b8
--- /dev/null
+++ b/infra/envoy-gateway/release-values.yaml
@@ -0,0 +1,2 @@
+# Default values for Envoy Gateway
+# See https://github.com/envoyproxy/gateway/blob/main/charts/gateway/values.yaml
From 50d54269551e493150f1b184536ee333ae755585 Mon Sep 17 00:00:00 2001
From: Christopher Tineo
Date: Sat, 21 Mar 2026 10:52:37 -0400
Subject: [PATCH 2/8] infra: configure envoy gateway with cert-manager support
---
infra/envoy-gateway-manifests/gateway.yaml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/infra/envoy-gateway-manifests/gateway.yaml b/infra/envoy-gateway-manifests/gateway.yaml
index 13041a7..e579aa9 100644
--- a/infra/envoy-gateway-manifests/gateway.yaml
+++ b/infra/envoy-gateway-manifests/gateway.yaml
@@ -3,6 +3,8 @@ kind: Gateway metadata: name: main-gateway namespace: envoy-gateway-system + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod spec: gatewayClassName: envoy listeners:
From 764e1ffc04f587be21cd7abc4fdc0555085b385e Mon Sep 17 00:00:00 2001
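Review bot: Both listeners in the new `gateway.yaml` set `allowedRoutes.namespaces.from: All` and neither sets a `hostname`, so a route created in any namespace can attach to this shared Gateway and claim any host on ports 80 and 443. For a cluster-wide entry point it is safer to admit only opted-in namespaces, for example `from: Selector` with a `selector.matchLabels` entry (the label is yours to choose). A one-line comment on the `http` listener saying whether plain-text traffic is meant to be served or only redirected would also help the next reader.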
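Review bot: The added `cert-manager.io/cluster-issuer: letsencrypt-prod` annotation probably does not yield a certificate as the Gateway stands, because the `https` listener from patch 1 has no `hostname` and cert-manager's Gateway integration takes the certificate's DNS names from listener hostnames. Setting `hostname:` on that listener (it lies outside this hunk) is what lets the `main-gateway-tls` Secret be issued; until then the listener references a Secret that nothing in this series creates. A short comment next to the annotation naming where the `letsencrypt-prod` ClusterIssuer is defined would make the dependency explicit.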
From: Christopher Tineo
Date: Sat, 18 Apr 2026 18:39:55 -0400
Subject: [PATCH 3/8] fix(holo): restructure envoy gateway and gateway-api mappings and resolve cycle This change fixes a cyclic dependency in the hologit configuration for the k8s-manifests branch by removing redundant 'before' constraints and cleaning up the mapping directory structure. It also removes a misplaced mapping file.
---
.../helm-chart/manifests.toml => envoy-gateway-crds.toml} | 0
.../helm-chart/manifests.toml => envoy-gateway.toml} | 0
.../manifests.toml => gateway-api-crds.toml} | 1 -
infra/envoy-gateway-crds/helm-chart.toml | 5 -----
4 files changed, 6 deletions(-)
rename .holo/branches/k8s-manifests/infra/{envoy-gateway-crds/helm-chart/manifests.toml => envoy-gateway-crds.toml} (100%)
rename .holo/branches/k8s-manifests/infra/{envoy-gateway/helm-chart/manifests.toml => envoy-gateway.toml} (100%)
rename .holo/branches/k8s-manifests/infra/{gateway-api-crds/manifests.toml => gateway-api-crds.toml} (87%)
delete mode 100644 infra/envoy-gateway-crds/helm-chart.toml
diff --git a/.holo/branches/k8s-manifests/infra/envoy-gateway-crds/helm-chart/manifests.toml b/.holo/branches/k8s-manifests/infra/envoy-gateway-crds.toml
similarity index 100%
rename from .holo/branches/k8s-manifests/infra/envoy-gateway-crds/helm-chart/manifests.toml
rename to .holo/branches/k8s-manifests/infra/envoy-gateway-crds.toml
diff --git a/.holo/branches/k8s-manifests/infra/envoy-gateway/helm-chart/manifests.toml b/.holo/branches/k8s-manifests/infra/envoy-gateway.toml
similarity index 100%
rename from .holo/branches/k8s-manifests/infra/envoy-gateway/helm-chart/manifests.toml
rename to .holo/branches/k8s-manifests/infra/envoy-gateway.toml
diff --git a/.holo/branches/k8s-manifests/infra/gateway-api-crds/manifests.toml b/.holo/branches/k8s-manifests/infra/gateway-api-crds.toml
similarity index 87%
rename from .holo/branches/k8s-manifests/infra/gateway-api-crds/manifests.toml
rename to .holo/branches/k8s-manifests/infra/gateway-api-crds.toml
index d6f0af3..5dd7ac0 100644
--- a/.holo/branches/k8s-manifests/infra/gateway-api-crds/manifests.toml
+++ b/.holo/branches/k8s-manifests/infra/gateway-api-crds.toml
@@ -2,4 +2,3 @@ holosource = "gateway-api-crds" root = "config/crd/standard" files = "*.yaml" -before = "*"
diff --git a/infra/envoy-gateway-crds/helm-chart.toml b/infra/envoy-gateway-crds/helm-chart.toml
deleted file mode 100644
index 4621370..0000000
--- a/infra/envoy-gateway-crds/helm-chart.toml
+++ /dev/null
@@ -1,5 +0,0 @@
-[holomapping]
-holosource = "envoy-gateway-chart"
-root = "charts/gateway-crds-helm/templates"
-files = "**"
-before = "*"
From 86cc73e8fcfc8121feb87dabfb3d549981a1ba64 Mon Sep 17 00:00:00 2001
From: Christopher Tineo
Date: Sat, 18 Apr 2026 18:47:34 -0400
Subject: [PATCH 4/8] feat(gateway): add ListenerSet and HTTPRoute for balancer project This change implements the self-service TLS model using Gateway API v1.5 ListenerSets. The main-gateway is updated to allow ListenerSets from all namespaces, and the balancer project is configured with its own ListenerSet and HTTPRoute.
---
balancer/gateway-listeners.yaml | 23 ++++++++++++++++++++++
balancer/http-route.yaml | 18 +++++++++++++++++
balancer/kustomization.yaml | 2 ++
infra/envoy-gateway-manifests/gateway.yaml | 3 +++
4 files changed, 46 insertions(+)
create mode 100644 balancer/gateway-listeners.yaml
create mode 100644 balancer/http-route.yaml
diff --git a/balancer/gateway-listeners.yaml b/balancer/gateway-listeners.yaml
new file mode 100644
index 0000000..b2a394a
--- /dev/null
+++ b/balancer/gateway-listeners.yaml
@@ -0,0 +1,23 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: ListenerSet
+metadata:
+ name: balancer-listeners
+ namespace: balancer
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+ parentRef:
+ name: main-gateway
+ namespace: envoy-gateway-system
+ group: gateway.networking.k8s.io
+ kind: Gateway
+ listeners:
+ - name: https
+ protocol: HTTPS
+ port: 443
+ hostname: sandbox.balancerproject.org
+ tls:
+ mode: Terminate
+ certificateRefs:
+ - name: balancer-tls
+ kind: Secret
diff --git a/balancer/http-route.yaml b/balancer/http-route.yaml
new file mode 100644
index 0000000..8f30fdf
--- /dev/null
+++ b/balancer/http-route.yaml
@@ -0,0 +1,18 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: balancer
+ namespace: balancer
+spec:
+ parentRefs:
+ - name: balancer-listeners
+ kind: ListenerSet
+ group: gateway.networking.k8s.io
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ backendRefs:
+ - name: balancer
+ port: 80
diff --git a/balancer/kustomization.yaml b/balancer/kustomization.yaml
index 6a32015..cda2127 100644
--- a/balancer/kustomization.yaml
+++ b/balancer/kustomization.yaml
@@ -8,6 +8,8 @@ resources: - manifests/deployment.yaml - manifests/service.yaml - manifests/ingress.yaml + - gateway-listeners.yaml + - http-route.yaml images: - name: ghcr.io/codeforphilly/balancer-main/app
diff --git a/infra/envoy-gateway-manifests/gateway.yaml b/infra/envoy-gateway-manifests/gateway.yaml
index e579aa9..00e0117 100644
--- a/infra/envoy-gateway-manifests/gateway.yaml
+++ b/infra/envoy-gateway-manifests/gateway.yaml
@@ -7,6 +7,9 @@ metadata: cert-manager.io/cluster-issuer: letsencrypt-prod spec: gatewayClassName: envoy + allowedListeners: + namespaces: + from: All listeners: - name: http protocol: HTTP
From 8c4aec119b02943c6733b4cac11eb0da961684cf Mon Sep 17 00:00:00 2001
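Review bot: In the `gateway.yaml` hunk, `allowedListeners.namespaces.from: All` lets a ListenerSet in any namespace add listeners to `main-gateway`, so every tenant able to create that resource can claim a hostname or port on the shared data plane. Restricting attachment to opted-in namespaces narrows the trust boundary: `from: Selector` with a `selector.matchLabels` entry carried by the namespaces that are meant to self-serve. If open attachment is intended, a comment above `allowedListeners` saying so, and naming the admission control that polices hostnames, would document the decision. The Gateway spec continues outside this hunk.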
From: Christopher Tineo
Date: Sat, 18 Apr 2026 18:49:36 -0400
Subject: [PATCH 5/8] refactor(gateway): strip gateway resource to bare essentials and offload to listenerset This change removes annotations and explicit listeners from the main-gateway resource, delegating that responsibility entirely to ListenerSet resources as requested. The balancer ListenerSet is updated to include both HTTP and HTTPS listeners.
---
balancer/gateway-listeners.yaml | 4 ++++
infra/envoy-gateway-manifests/gateway.yaml | 22 +---------------------
2 files changed, 5 insertions(+), 21 deletions(-)
diff --git a/balancer/gateway-listeners.yaml b/balancer/gateway-listeners.yaml
index b2a394a..a03f506 100644
--- a/balancer/gateway-listeners.yaml
+++ b/balancer/gateway-listeners.yaml
@@ -12,6 +12,10 @@ spec: group: gateway.networking.k8s.io kind: Gateway listeners: + - name: http + protocol: HTTP + port: 80 + hostname: sandbox.balancerproject.org - name: https protocol: HTTPS port: 443
diff --git a/infra/envoy-gateway-manifests/gateway.yaml b/infra/envoy-gateway-manifests/gateway.yaml
index 00e0117..9b0fdad 100644
--- a/infra/envoy-gateway-manifests/gateway.yaml
+++ b/infra/envoy-gateway-manifests/gateway.yaml
@@ -3,29 +3,9 @@ kind: Gateway metadata: name: main-gateway namespace: envoy-gateway-system - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod spec: gatewayClassName: envoy allowedListeners: namespaces: from: All - listeners: - - name: http - protocol: HTTP - port: 80 - allowedRoutes: - namespaces: - from: All - - name: https - protocol: HTTPS - port: 443 - allowedRoutes: - namespaces: - from: All - tls: - mode: Terminate - certificateRefs: - - name: main-gateway-tls - kind: Secret - group: "" + listeners: []
From ad0b2a55f725e2848ad5620828418fd9c74627bd Mon Sep 17 00:00:00 2001
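Review bot: The new `http` listener on port 80 ends up serving `sandbox.balancerproject.org` in clear text, because the `balancer` HTTPRoute from patch 4 names the ListenerSet in `parentRefs` without a `sectionName` and so attaches to both listeners. If port 80 is only there for redirects or ACME challenges, bind the application route with `sectionName: https` and add a second route on `http` whose only rule is a `RequestRedirect` filter with `scheme: https`. The listener list continues outside this hunk.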
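Review bot: `listeners: []` leaves `main-gateway` with no listener of its own, and Gateway API releases that predate ListenerSet required at least one entry in `spec.listeners`; whether the v1.5.0 CRDs pinned in patch 1 accept an empty list is not visible here. A server-side dry run against the target cluster before merging would settle it, and a comment such as `# listeners are contributed by ListenerSets; see allowedListeners` would explain the empty list. Note also that with this change `allowedListeners.namespaces.from: All` becomes the only gate on who can expose traffic through this Gateway.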
From: Christopher Tineo
Date: Sat, 18 Apr 2026 18:53:19 -0400
Subject: [PATCH 6/8] refactor(balancer): remove gateway resources Removing ListenerSet and HTTPRoute manifests from this repo as they will be managed in the balancer-main repository instead.
---
balancer/gateway-listeners.yaml | 27 ---------------------------
balancer/http-route.yaml | 18 ------------------
balancer/kustomization.yaml | 2 --
3 files changed, 47 deletions(-)
delete mode 100644 balancer/gateway-listeners.yaml
delete mode 100644 balancer/http-route.yaml
diff --git a/balancer/gateway-listeners.yaml b/balancer/gateway-listeners.yaml
deleted file mode 100644
index a03f506..0000000
--- a/balancer/gateway-listeners.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: ListenerSet
-metadata:
- name: balancer-listeners
- namespace: balancer
- annotations:
- cert-manager.io/cluster-issuer: letsencrypt-prod
-spec:
- parentRef:
- name: main-gateway
- namespace: envoy-gateway-system
- group: gateway.networking.k8s.io
- kind: Gateway
- listeners:
- - name: http
- protocol: HTTP
- port: 80
- hostname: sandbox.balancerproject.org
- - name: https
- protocol: HTTPS
- port: 443
- hostname: sandbox.balancerproject.org
- tls:
- mode: Terminate
- certificateRefs:
- - name: balancer-tls
- kind: Secret
diff --git a/balancer/http-route.yaml b/balancer/http-route.yaml
deleted file mode 100644
index 8f30fdf..0000000
--- a/balancer/http-route.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
- name: balancer
- namespace: balancer
-spec:
- parentRefs:
- - name: balancer-listeners
- kind: ListenerSet
- group: gateway.networking.k8s.io
- rules:
- - matches:
- - path:
- type: PathPrefix
- value: /
- backendRefs:
- - name: balancer
- port: 80
diff --git a/balancer/kustomization.yaml b/balancer/kustomization.yaml
index cda2127..6a32015 100644
--- a/balancer/kustomization.yaml
+++ b/balancer/kustomization.yaml
@@ -8,8 +8,6 @@ resources: - manifests/deployment.yaml - manifests/service.yaml - manifests/ingress.yaml - - gateway-listeners.yaml - - http-route.yaml images: - name: ghcr.io/codeforphilly/balancer-main/app
From b222f377d588a82b184a4f150489484061ed59cb Mon Sep 17 00:00:00 2001
From: Christopher Tineo
Date: Sat, 18 Apr 2026 18:55:03 -0400
Subject: [PATCH 7/8] chore(balancer): restore gateway resources to kustomization Restoring gateway-listeners.yaml and http-route.yaml to the kustomization.yaml resources list. While these files are no longer stored in this repository, they are expected to be provided via hologit projection from the balancer-main source.
---
balancer/kustomization.yaml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/balancer/kustomization.yaml b/balancer/kustomization.yaml
index 6a32015..cda2127 100644
--- a/balancer/kustomization.yaml
+++ b/balancer/kustomization.yaml
@@ -8,6 +8,8 @@ resources: - manifests/deployment.yaml - manifests/service.yaml - manifests/ingress.yaml + - gateway-listeners.yaml + - http-route.yaml images: - name: ghcr.io/codeforphilly/balancer-main/app
From ad6ec4e96d899d31e592ad14f2dab6af48c460ae Mon Sep 17 00:00:00 2001
From: Christopher Tineo
Date: Sat, 18 Apr 2026 18:56:51 -0400
Subject: [PATCH 8/8] refactor(balancer): update kustomization for ListenerSet and HTTPRoute This change updates the balancer kustomization to reference the new projected manifests (gateway-listeners.yaml and httproute.yaml) and replaces the legacy Ingress patches with ListenerSet/HTTPRoute patches.
---
balancer/kustomization.yaml | 26 +++++++++++++-------------
1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/balancer/kustomization.yaml b/balancer/kustomization.yaml
index cda2127..f60a002 100644
--- a/balancer/kustomization.yaml
+++ b/balancer/kustomization.yaml
@@ -7,9 +7,8 @@ resources: - manifests/namespace.yaml - manifests/deployment.yaml - manifests/service.yaml - - manifests/ingress.yaml - - gateway-listeners.yaml - - http-route.yaml + - manifests/gateway-listeners.yaml + - manifests/httproute.yaml images: - name: ghcr.io/codeforphilly/balancer-main/app @@ -17,21 +16,22 @@ images: patches: - target: - kind: Ingress - name: balancer + kind: ListenerSet + name: balancer-listeners patch: |- - - op: add - path: /metadata/annotations/cert-manager.io~1cluster-issuer - value: letsencrypt-prod - - op: add - path: /metadata/annotations/kubernetes.io~1ingress.class - value: nginx - op: replace - path: /spec/tls/0/hosts/0 + path: /spec/listeners/0/hostname value: sandbox.balancerproject.org - op: replace - path: /spec/rules/0/host + path: /spec/listeners/1/hostname value: sandbox.balancerproject.org + - target: + kind: HTTPRoute + name: balancer + patch: |- + - op: add + path: /spec/hostnames + value: ["sandbox.balancerproject.org"] - target: kind: Namespace name: balancer
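Review bot: The rewritten `patches` block in the second hunk drops the `cert-manager.io/cluster-issuer` annotation that the Ingress patch used to add and sets only hostnames on the ListenerSet. Unless the projected `manifests/gateway-listeners.yaml` (not visible in this series) already carries an issuer annotation, nothing in this overlay requests the certificate behind the HTTPS listener. The hostname patches also address listeners by position (`/spec/listeners/0/hostname`, `/spec/listeners/1/hostname`) with `op: replace`, which fails when the field is absent upstream and lands on the wrong listener if the upstream order changes. A comment above the patch stating the expected order, e.g. `# listeners[0] = http, listeners[1] = https in balancer-main`, would make that coupling explicit.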