49 changes: 32 additions & 17 deletions deployment/chainloop/README.md
Expand Up @@ -671,6 +671,14 @@ Once done, you can access with [two predefined users](https://github.com/chainlo
| `controlplane.ingressAPI.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` |
| `controlplane.ingressAPI.secrets` | Custom TLS certificates as secrets | `[]` |
| `controlplane.ingressAPI.extraRules` | Additional rules to be covered with this ingress record | `[]` |
| `controlplane.httpRoute.enabled` | Enable HTTPRoute generation for controlplane | `false` |
| `controlplane.httpRoute.annotations` | Additional annotations for the HTTPRoute resource | `{}` |
| `controlplane.httpRoute.labels` | Additional labels for the HTTPRoute resource | `{}` |
| `controlplane.httpRoute.parentRefs` | Gateways the HTTPRoute is attached to. If unspecified, it'll be attached to Gateway named 'gateway' in the same namespace. | `[]` |
| `controlplane.httpRoute.hostnames` | List of hostnames matching HTTP header | `[]` |
| `controlplane.httpRoute.matches` | List of match rules applied to the HTTPRoute for the default svc backend reference | `[]` |
| `controlplane.httpRoute.filters` | List of filter rules applied to the HTTPRoute for the default svc backend reference | `[]` |
| `controlplane.httpRoute.extraRules` | List of extra rules applied to the HTTPRoute | `[]` |

### Controlplane Misc
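Review bot: The `controlplane.httpRoute.labels` row documents a parameter that controlplane/httproute.yaml in this PR never reads (its `labels:` come only from `chainloop.controlplane.labels`), and that template also reads top-level `.Values.httpRoute.enabled`, `.Values.httpRoute.annotations` and `.Values.httpRoute.parentRefs`, which have no rows in this table. Either wire `labels` into the template or drop the row, and document the global `httpRoute.*` keys so operators know a chart-wide switch can expose the controlplane through a Gateway.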

Expand Down Expand Up @@ -847,6 +855,14 @@ Once done, you can access with [two predefined users](https://github.com/chainlo
| `cas.ingressAPI.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` |
| `cas.ingressAPI.secrets` | Custom TLS certificates as secrets | `[]` |
| `cas.ingressAPI.extraRules` | Additional rules to be covered with this ingress record | `[]` |
| `cas.httpRoute.enabled` | Enable HTTPRoute generation for CAS | `false` |
| `cas.httpRoute.annotations` | Additional annotations for the HTTPRoute resource | `{}` |
| `cas.httpRoute.labels` | Additional labels for the HTTPRoute resource | `{}` |
| `cas.httpRoute.parentRefs` | Gateways the HTTPRoute is attached to. If unspecified, it'll be attached to Gateway named 'gateway' in the same namespace. | `[]` |
| `cas.httpRoute.hostnames` | List of hostnames matching HTTP header | `[]` |
| `cas.httpRoute.matches` | List of match rules applied to the HTTPRoute for the default svc backend reference | `[]` |
| `cas.httpRoute.filters` | List of filter rules applied to the HTTPRoute for the default svc backend reference | `[]` |
| `cas.httpRoute.extraRules` | List of extra rules applied to the HTTPRoute | `[]` |

### CAS Misc
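Review bot: The `cas.httpRoute.hostnames` row says "List of hostnames matching HTTP header" and defaults to `[]`, which leaves unstated what an empty list does. An HTTPRoute with no hostnames matches every hostname its parent listener accepts, so with the defaults CAS becomes reachable on any host served by that Gateway; say so in the description (and name the Host header), or require at least one hostname when `cas.httpRoute.enabled` is true.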

Expand Down Expand Up @@ -928,23 +944,22 @@ Once done, you can access with [two predefined users](https://github.com/chainlo

### Dependencies

| Name | Description | Value |
| ------------------------------------ | ------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------- |
| `postgresql.enabled` | Switch to enable or disable the PostgreSQL helm chart | `true` |
| `postgresql.auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `false` |
| `postgresql.auth.username` | Name for a custom user to create | `chainloop` |
| `postgresql.auth.password` | Password for the custom user to create | `chainlooppwd` |
| `postgresql.auth.database` | Name for a custom database to create | `chainloop-cp` |
| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` |
| `vault.server.args` | Arguments to pass to the vault server. This is useful for setting the server in development mode | `["server","-dev"]` |
| `vault.server.config` | Configuration for the vault server. Small override of default Bitnami configuration | `storage "inmem" {}
disable_mlock = true
ui = true
service_registration "kubernetes" {}` |
| `vault.server.extraEnvVars[0].name` | Root token for the vault server | `VAULT_DEV_ROOT_TOKEN_ID` |
| `vault.server.extraEnvVars[0].value` | The value of the root token. Default: notasecret | `notasecret` |
| `vault.server.extraEnvVars[1].name` | Address to listen on development mode | `VAULT_DEV_LISTEN_ADDRESS` |
| `vault.server.extraEnvVars[1].value` | The address to listen on. Default: [::]:8200 | `[::]:8200` |
| Name | Description | Value |
| ---------------------------------------------------- | ------------------------------------------------------------------------------------------------------ | ---------------------------------------------- |
| `postgresql.enabled` | Switch to enable or disable the PostgreSQL helm chart | `true` |
| `postgresql.auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `false` |
| `postgresql.auth.username` | Name for a custom user to create | `chainloop` |
| `postgresql.auth.password` | Password for the custom user to create | `chainlooppwd` |
| `postgresql.auth.database` | Name for a custom database to create | `chainloop-cp` |
| `postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials | `""` |
| `vault.server.command` | Override default container command | `["/vault-init.sh"]` |
| `vault.server.args` | Override default container args | `[""]` |
| `vault.server.extraVolumes[0].name` | Name of the extra volume | `vault-init` |
| `vault.server.extraVolumes[0].configMap.name` | Name of the ConfigMap to mount | `{{ include "vault.server.fullname" . }}-init` |
| `vault.server.extraVolumes[0].configMap.defaultMode` | Default mode for the ConfigMap files | `755` |
| `vault.server.extraVolumeMounts[0].name` | Name of the volume to mount | `vault-init` |
| `vault.server.extraVolumeMounts[0].mountPath` | Path where the volume should be mounted | `/vault-init.sh` |
| `vault.server.extraVolumeMounts[0].subPath` | Subpath within the volume to mount | `vault-init.sh` |

## License
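Review bot: `vault.server.extraVolumes[0].configMap.defaultMode` is documented as `755`; Kubernetes reads `defaultMode` as a decimal integer unless it is written in octal notation, and decimal 755 is mode 01363, not rwxr-xr-x. Check that values.yaml carries `0755` (or `493`) so `/vault-init.sh` is mounted with the intended permissions. Separately, the rows for the dev-mode args and the `VAULT_DEV_ROOT_TOKEN_ID` value `notasecret` are removed with no description of what `vault-init.sh` does in their place; add a sentence stating whether Vault still runs in dev mode with a fixed root token, and consider moving this Vault change out of an HTTPRoute PR.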

55 changes: 55 additions & 0 deletions deployment/chainloop/templates/cas/httproute.yaml
@@ -0,0 +1,55 @@
{{- if or .Values.cas.httpRoute.enabled .Values.httpRoute.enabled }}
{{- /*
Copyright Chainloop, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- $fullName := include "chainloop.cas.fullname" . -}}
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: {{ $fullName }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "chainloop.cas.labels" . | nindent 4 }}
{{- if or .Values.cas.httpRoute.annotations .Values.httpRoute.annotations }}
annotations:
{{- if .Values.cas.httpRoute.annotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.cas.httpRoute.annotations "context" $) | nindent 4 }}
{{- end }}
{{- if .Values.httpRoute.annotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.httpRoute.annotations "context" $) | nindent 4 }}
{{- end }}
{{- end }}
spec:
parentRefs:
{{- if .Values.cas.httpRoute.parentRefs }}
{{- include "common.tplvalues.render" (dict "value" .Values.httpRoute.parentRefs "context" .) | nindent 4 }}
{{- else }}
- name: gateway
namespace: {{ include "common.names.namespace" . | quote }}
{{- end }}
hostnames: {{- include "common.tplvalues.render" (dict "value" .Values.cas.httpRoute.hostnames "context" .) | nindent 4 }}
rules:
{{- $port := coalesce .Values.cas.service.port .Values.cas.service.ports.http }}
- backendRefs:
- name: {{ include "chainloop.cas.fullname" . }}
port: {{ $port }}
{{- if .Values.cas.httpRoute.matches }}
matches: {{- include "common.tplvalues.render" (dict "value" .Values.cas.httpRoute.matches "context" .) | nindent 8 }}
{{- end }}
{{- if .Values.cas.httpRoute.filters }}
filters: {{- include "common.tplvalues.render" (dict "value" .Values.cas.httpRoute.filters "context" .) | nindent 8 }}
{{- end }}
- matches:
- headers:
- name: content-type
value: application/grpc
{{- $portAPI := coalesce .Values.cas.serviceAPI.port .Values.cas.serviceAPI.ports.http }}
backendRefs:
- name: {{ include "chainloop.cas.fullname" . }}-api
kind: Service
namespace: {{ include "common.names.namespace" . | quote }}
port: {{ $portAPI }}
{{- if .Values.cas.httpRoute.extraRules }}
{{- include "common.tplvalues.render" (dict "value" .Values.cas.httpRoute.extraRules "context" .) | nindent 4 }}
{{- end }}
{{- end }}
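Review bot: In the `parentRefs` block the guard tests `.Values.cas.httpRoute.parentRefs` but the body renders `.Values.httpRoute.parentRefs`, so a user who sets only `cas.httpRoute.parentRefs` gets the global value (possibly empty) and the route attaches to a different Gateway than the one configured, or to none. Render `.Values.cas.httpRoute.parentRefs` in that branch, or fall back explicitly with `coalesce`. The opening `if or .Values.cas.httpRoute.enabled .Values.httpRoute.enabled` also assumes a top-level `httpRoute` key exists in values.yaml, which this diff does not show being added.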
1 change: 1 addition & 0 deletions deployment/chainloop/templates/cas/service-grpc.yaml
Expand Up @@ -40,6 +40,7 @@ spec:
{{- if not (eq $port .Values.cas.containerPorts.grpc) }}
targetPort: {{ .Values.cas.containerPorts.grpc }}
{{- end }}
appProtocol: kubernetes.io/h2c
protocol: TCP
{{- if and (or (eq .Values.cas.serviceAPI.type "NodePort") (eq .Values.cas.serviceAPI.type "LoadBalancer")) (not (empty .Values.cas.serviceAPI.nodePorts.http)) }}
nodePort: {{ .Values.cas.serviceAPI.nodePorts.http }}
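Review bot: `appProtocol: kubernetes.io/h2c` is hardcoded on the CAS gRPC port, which tells a Gateway implementation to speak cleartext HTTP/2 to this backend. That is wrong for any install where the CAS gRPC listener terminates TLS itself; expose it as a chart value with h2c as the default, and note in the README that traffic between the Gateway and the pod is unencrypted in this mode.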
55 changes: 55 additions & 0 deletions deployment/chainloop/templates/controlplane/httproute.yaml
@@ -0,0 +1,55 @@
{{- if or .Values.controlplane.httpRoute.enabled .Values.httpRoute.enabled }}
{{- /*
Copyright Chainloop, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- $fullName := include "chainloop.controlplane.fullname" . -}}
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: {{ $fullName }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "chainloop.controlplane.labels" . | nindent 4 }}
{{- if or .Values.controlplane.httpRoute.annotations .Values.httpRoute.annotations }}
annotations:
{{- if .Values.controlplane.httpRoute.annotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.controlplane.httpRoute.annotations "context" $) | nindent 4 }}
{{- end }}
{{- if .Values.httpRoute.annotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.httpRoute.annotations "context" $) | nindent 4 }}
{{- end }}
{{- end }}
spec:
parentRefs:
{{- if .Values.controlplane.httpRoute.parentRefs }}
{{- include "common.tplvalues.render" (dict "value" .Values.httpRoute.parentRefs "context" .) | nindent 4 }}
{{- else }}
- name: gateway
namespace: {{ include "common.names.namespace" . | quote }}
{{- end }}
hostnames: {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.httpRoute.hostnames "context" .) | nindent 4 }}
rules:
{{- $port := coalesce .Values.controlplane.service.port .Values.controlplane.service.ports.http }}
- backendRefs:
- name: {{ include "chainloop.controlplane.fullname" . }}
port: {{ $port }}
{{- if .Values.controlplane.httpRoute.matches }}
matches: {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.httpRoute.matches "context" .) | nindent 8 }}
{{- end }}
{{- if .Values.controlplane.httpRoute.filters }}
filters: {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.httpRoute.filters "context" .) | nindent 8 }}
{{- end }}
- matches:
- headers:
- name: content-type
value: application/grpc
{{- $portAPI := coalesce .Values.controlplane.serviceAPI.port .Values.controlplane.serviceAPI.ports.http }}
backendRefs:
- name: {{ include "chainloop.controlplane.fullname" . }}-api
kind: Service
namespace: {{ include "common.names.namespace" . | quote }}
port: {{ $portAPI }}
{{- if .Values.controlplane.httpRoute.extraRules }}
{{- include "common.tplvalues.render" (dict "value" .Values.controlplane.httpRoute.extraRules "context" .) | nindent 4 }}
{{- end }}
{{- end }}
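Review bot: The second rule (the `content-type: application/grpc` match routed to the `-api` Service) sits outside the `matches` and `filters` guards, so anything an operator sets in `controlplane.httpRoute.filters` applies to the HTTP backend only and gRPC traffic bypasses it. Either apply the filters to both rules or state clearly in the README that they cover only the default backend. The header match is also exact by default in Gateway API, so a client sending `application/grpc+proto` will not match this rule. The `parentRefs` branch has the same guard/body mismatch as the CAS template: `.Values.controlplane.httpRoute.parentRefs` is tested, `.Values.httpRoute.parentRefs` is rendered.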
Expand Up @@ -41,6 +41,7 @@ spec:
targetPort: {{ .Values.controlplane.containerPorts.grpc }}
{{- end }}
protocol: TCP
appProtocol: kubernetes.io/h2c
{{- if and (or (eq .Values.controlplane.serviceAPI.type "NodePort") (eq .Values.controlplane.serviceAPI.type "LoadBalancer")) (not (empty .Values.controlplane.serviceAPI.nodePorts.http)) }}
nodePort: {{ .Values.controlplane.serviceAPI.nodePorts.http }}
{{- else if eq .Values.controlplane.serviceAPI.type "ClusterIP" }}
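Review bot: `appProtocol` is added after `protocol: TCP` here but before it in cas/service-grpc.yaml; keep one order across both Service templates so the two files stay easy to compare. As with CAS, the `kubernetes.io/h2c` value is fixed, so make it a chart value if the controlplane gRPC port can ever serve TLS.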