64 commits
f3a0ef5
wip
smatting Mar 9, 2026
eb734a9
checkboxes
smatting Mar 9, 2026
34b0a2e
mention nginx-ingress-services in the backwards compatibility section
smatting Mar 9, 2026
3dcd29f
scaffolding + helpers
smatting Mar 9, 2026
98f715b
modify .envrc for development
smatting Mar 9, 2026
0201e4e
update plan
smatting Mar 10, 2026
6bb3be0
phase 2-3
smatting Mar 10, 2026
5c8b760
Allow for externally created secret
smatting Mar 12, 2026
a7354e0
nginz routes
smatting Mar 12, 2026
6c73756
more routes
smatting Mar 13, 2026
19705d0
Adjust plan: routes together with services
smatting Mar 13, 2026
8c92a84
team settings and account pages
smatting Mar 13, 2026
8f930bb
fake-s3 route
smatting Mar 13, 2026
dcdb0d0
complete federator phase
smatting Mar 16, 2026
4d7a772
use different secret name for federators certificate
smatting Mar 17, 2026
aea6297
update plan notes for federation helper
smatting Mar 17, 2026
7366934
wip integrations tests
smatting Mar 17, 2026
3f5ba90
Add post-upgrade hook to all tests
smatting Mar 18, 2026
64743f1
use type: ClusterIP on gateway instead of LoadBalancer, use port 10443
smatting Mar 18, 2026
0ce80c1
make mtls client cert validation optional at the ingress level
smatting Mar 18, 2026
7c751ed
add todo
smatting Mar 18, 2026
7d4de25
support sharing envoyproxy objects
smatting Mar 19, 2026
730b55c
remove skipPriviledgedPortCheck
smatting Mar 19, 2026
d0169cb
integration chart: remove ingress (and service targeting ingress)
smatting Mar 19, 2026
779b88e
complete todo
smatting Mar 19, 2026
7261a9b
drop customSolversSecrets
smatting Mar 19, 2026
2ebd7db
update README
smatting Mar 19, 2026
d005795
add TODO
smatting Mar 19, 2026
f83f957
integration tests: fix originDomains
smatting Mar 19, 2026
c705f7a
add go.sh
smatting Mar 20, 2026
9948132
force explicit hostnames in gateway listeners
smatting Mar 20, 2026
4e5cc08
fix trailing dot problem of integration tests.
smatting Mar 20, 2026
2968d59
remove unused ExternalName service from previous attempts
smatting Mar 20, 2026
8551c60
Revert "integration chart: remove ingress (and service targeting ingr…
smatting Mar 20, 2026
2c688b6
wip integration envoy
smatting Mar 23, 2026
22eaab1
fix (workaround): [emerg] 850#850: too long path in the unix domain …
smatting Mar 23, 2026
015789f
wip
smatting Mar 23, 2026
23327b2
use new build in go.sh
smatting Mar 23, 2026
151e59d
run all tests
smatting Mar 23, 2026
8979fbf
add TODOs
smatting Mar 24, 2026
ca69188
make ingress mode configurable for integration tests
smatting Mar 24, 2026
a184d2a
replace envoy-gateway-system hardcoded name with var
smatting Mar 24, 2026
7b2bff9
envoy patch policies
smatting Mar 24, 2026
24cc3f9
rename federation-test-helper.yaml to service-test-fed.yaml
smatting Mar 24, 2026
60ce5af
update parameter documentation
smatting Mar 24, 2026
6163c60
use a different patch policy to support the FQDNs
smatting Mar 24, 2026
52b18e4
test envoy by default
smatting Mar 24, 2026
b7c1bfa
follow-up to patch policies: make configurable
smatting Mar 25, 2026
46b5ea4
update envoypatchpolicy section
smatting Mar 25, 2026
c5999d8
wip migration guide
smatting Mar 25, 2026
57a4159
polish a bit
smatting Mar 25, 2026
e3df974
move planning out of readme
smatting Mar 25, 2026
26ddbde
small corrections
smatting Mar 25, 2026
1bed378
revert to normal
smatting Mar 25, 2026
b0313a0
remove unused file
smatting Mar 25, 2026
6518213
revert file
smatting Mar 25, 2026
d293c8e
update comment
smatting Mar 25, 2026
24b354b
rename file ingress-envoy.aml to envoy-gateway.yaml
smatting Mar 25, 2026
4e4e758
add missing backentrafficpolicy to support websockets
smatting Mar 25, 2026
83b86e7
remove CLAUDE.md
smatting Mar 25, 2026
aec2051
moved todo to ticket
smatting Mar 25, 2026
7f2173d
prevent any untested changes to the nginx-ingress-services chart
smatting Mar 27, 2026
3cc3c42
remove PLAN.md
smatting Mar 27, 2026
f8ead45
add changelog entry
smatting Mar 27, 2026
5 changes: 3 additions & 2 deletions Makefile
@@ -7,7 +7,7 @@ DOCKER_TAG ?= $(USER)
# default helm chart version must be 0.0.42 for local development (because 42 is the answer to the universe and everything)
HELM_SEMVER ?= 0.0.42
# The list of helm charts needed on internal kubernetes testing environments
CHARTS_INTEGRATION := wire-server databases-ephemeral rabbitmq fake-aws ingress-nginx-controller nginx-ingress-services fluent-bit kibana restund k8ssandra-test-cluster wire-server-enterprise
CHARTS_INTEGRATION := wire-server databases-ephemeral rabbitmq fake-aws ingress-nginx-controller nginx-ingress-services wire-ingress fluent-bit kibana restund k8ssandra-test-cluster wire-server-enterprise
# The list of helm charts to publish on S3
# FUTUREWORK: after we "inline local subcharts",
# (e.g. move charts/brig to charts/wire-server/brig)
@@ -18,7 +18,8 @@ fake-aws fake-aws-s3 fake-aws-sqs aws-ingress fluent-bit kibana backoffice \
calling-test demo-smtp elasticsearch-curator elasticsearch-external \
elasticsearch-ephemeral minio-external cassandra-external \
ingress-nginx-controller nginx-ingress-services reaper restund \
k8ssandra-test-cluster ldap-scim-bridge wire-server-enterprise
k8ssandra-test-cluster ldap-scim-bridge wire-server-enterprise \
wire-ingress
KIND_CLUSTER_NAME := wire-server
HELM_PARALLELISM ?= 1 # 1 for sequential tests; 6 for all-parallel tests
PSQL_DB ?= backendA
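Review bot: wire-ingress is added to the S3 publish list here while the changelog entry in this same PR describes the chart as "Not yet production-ready"; confirm that publishing a chart in that state is intended, and if it is, make sure the chart's README states that it is experimental so consumers of the published index do not take it for a drop-in replacement of nginx-ingress-services. The CHARTS_INTEGRATION hunk above keeps both nginx-ingress-services and wire-ingress, which is fine for the transition but means the test environments now pull both charts on every run.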
1 change: 1 addition & 0 deletions changelog.d/5-internal/WPB-23903
@@ -0,0 +1 @@
New `wire-ingress` Helm chart — Gateway API / Envoy Gateway replacement for `nginx-ingress-services`. Not yet production-ready.
2 changes: 1 addition & 1 deletion charts/backoffice/templates/tests/configmap.yaml
@@ -3,7 +3,7 @@ kind: ConfigMap
metadata:
name: "stern-integration"
annotations:
"helm.sh/hook": post-install
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation
data:
integration.yaml: |
6 changes: 3 additions & 3 deletions charts/federator/templates/tests/configmap.yaml
@@ -3,7 +3,7 @@ kind: ConfigMap
metadata:
name: "federator-integration"
annotations:
"helm.sh/hook": post-install
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-delete-policy": before-hook-creation
data:
integration.yaml: |
@@ -23,6 +23,6 @@ data:
host: cargohold
port: 8080
nginxIngress:
host: federation-test-helper.{{ .Release.Namespace }}.svc.cluster.local
host: {{ .Values.tests.nginxIngressHost }}
port: 443
originDomain: federation-test-helper.{{ .Release.Namespace }}.svc.cluster.local
originDomain: {{ .Values.tests.nginxIngressHost }}
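Review bot: both `host:` and `originDomain:` now read `.Values.tests.nginxIngressHost`, whose default in values.yaml is the placeholder "set-me", so a deployment that forgets to override it renders a syntactically valid config pointing at a host that does not exist and the failure only shows up when the integration tests run. Use `{{ required "tests.nginxIngressHost must be set" .Values.tests.nginxIngressHost }}` in both places so the mistake fails at template time. The values are also emitted unquoted; piping them through `| quote` costs nothing and keeps a host containing a colon from producing invalid YAML.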
4 changes: 4 additions & 0 deletions charts/federator/values.yaml
@@ -57,6 +57,10 @@ podSecurityContext:
type: RuntimeDefault

tests:
# The host used for the nginxIngress endpoint and originDomain in the integration
# test config. Depends on the release name of the "wire-ingress" helm chart
# (see federation-test-helper.yaml in that chart).
nginxIngressHost: "set-me"
config: {}
# config:
# uploadXml:
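Review bot: the new comment points readers at federation-test-helper.yaml in the wire-ingress chart, but commit 24cc3f9 in this PR renames a federation-test-helper.yaml to service-test-fed.yaml, so check which file name the wire-ingress chart actually ships and update the reference. It would also help to state the expected format of the value (a `<service>.<namespace>.svc.cluster.local` name matching the Service that chart creates) instead of only the "set-me" placeholder.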
44 changes: 44 additions & 0 deletions charts/integration/templates/_helpers.tpl
@@ -1,4 +1,48 @@

{{/*
Name of the Gateway resource for dynamic backends in envoy mode.
*/}}
{{- define "integration.getDynBackendsGatewayName" -}}
{{- if .Values.envoy.gateway.name -}}
{{ .Values.envoy.gateway.name }}
{{- else -}}
{{ .Release.Name }}-dynamic-backends
{{- end -}}
{{- end -}}

{{/*
Federation origin domain for a given namespace (used as originDomain in the config).
Returns the SRV hostname that other backends use to reach this namespace's federator.
Args: list $namespace $envoyEnabled $controllerNamespace
*/}}
{{- define "integration.federationOriginDomain" -}}
{{- $namespace := index . 0 -}}
{{- $envoyEnabled := index . 1 -}}
{{- $controllerNs := index . 2 -}}
{{- if $envoyEnabled -}}
{{- printf "%s-fed.%s.svc.cluster.local" $namespace $controllerNs -}}
{{- else -}}
{{- printf "federation-test-helper.%s.svc.cluster.local" $namespace -}}
{{- end -}}
{{- end -}}

{{/*
Domain for a dynamic backend. Returns the correct hostname depending on whether
envoy mode is enabled.
Args: list $dynamicBackend $namespace $envoyEnabled $controllerNamespace
*/}}
{{- define "integration.dynamicBackendDomain" -}}
{{- $dynamicBackend := index . 0 -}}
{{- $namespace := index . 1 -}}
{{- $envoyEnabled := index . 2 -}}
{{- $controllerNs := index . 3 -}}
{{- if $envoyEnabled -}}
{{- printf "%s-%s.%s.svc.cluster.local" $dynamicBackend.federatorExternalHostPrefix $namespace $controllerNs -}}
{{- else -}}
{{- printf "%s.%s.svc.cluster.local" $dynamicBackend.federatorExternalHostPrefix $namespace -}}
{{- end -}}
{{- end -}}

{{/* Allow KubeVersion to be overridden. */}}
{{- define "kubeVersion" -}}
{{- default $.Capabilities.KubeVersion.Version $.Values.kubeVersionOverride -}}
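Review bot: `integration.federationOriginDomain` hardcodes the `<namespace>-fed` Service name in the controller namespace for envoy mode, but nothing in this chart creates that Service (envoy-gateway.yaml only creates `<prefix>-<namespace>` Services for the dynamic backends), so the helper silently depends on another chart following the same naming convention. Say so in the helper's doc comment, and consider making the `-fed` suffix a value shared with that chart rather than a literal in two places. The doc comments list the arguments but not that `$controllerNamespace` is ignored in nginx mode; one line on that would save the next reader a trip through both branches.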
6 changes: 3 additions & 3 deletions charts/integration/templates/configmap.yaml
@@ -77,7 +77,7 @@ data:
apiPort: 5380
dohPort: 5381

originDomain: federation-test-helper.{{ .Release.Namespace }}.svc.cluster.local
originDomain: {{ include "integration.federationOriginDomain" (list .Release.Namespace .Values.envoy.enabled .Values.envoy.controllerNamespace) }}

rabbitmq:
host: rabbitmq
@@ -158,12 +158,12 @@ data:

rabbitMqVHost: /

originDomain: federation-test-helper.{{ .Release.Namespace }}-fed2.svc.cluster.local
originDomain: {{ include "integration.federationOriginDomain" (list (printf "%s-fed2" .Release.Namespace) .Values.envoy.enabled .Values.envoy.controllerNamespace) }}

dynamicBackends:
{{- range $name, $dynamicBackend := .Values.config.dynamicBackends }}
{{ $name }}:
domain: {{ $dynamicBackend.federatorExternalHostPrefix }}.{{ $.Release.Namespace }}.svc.cluster.local
domain: {{ include "integration.dynamicBackendDomain" (list $dynamicBackend $.Release.Namespace $.Values.envoy.enabled $.Values.envoy.controllerNamespace) }}
federatorExternalPort: {{ $dynamicBackend.federatorExternalPort }}
mlsPrivateKeyPaths:
removal:
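Review bot: for the second backend the helper is passed `(printf "%s-fed2" .Release.Namespace)` as the namespace, which in envoy mode yields `<ns>-fed2-fed.<controllerNs>.svc.cluster.local`; that double suffix is only correct if the Service in the controller namespace is created with exactly that name, so a comment here pointing at where that Service is defined would make the coupling visible. In nginx mode the helper reproduces the old literal `federation-test-helper.<ns>-fed2.svc.cluster.local`, so that path is behaviourally unchanged.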
154 changes: 154 additions & 0 deletions charts/integration/templates/envoy-gateway.yaml
@@ -0,0 +1,154 @@
{{- if .Values.envoy.enabled }}
None of the five kinds here carry chart/release label

{{- $gatewayName := include "integration.getDynBackendsGatewayName" . }}
{{- $httpsPort := int .Values.envoy.gateway.listeners.https.port }}
{{- $controllerNs := .Values.envoy.controllerNamespace }}
{{- if lt $httpsPort 1024 }}
{{- fail (printf "envoy.gateway.listeners.https.port is %d (privileged, <1024). Envoy Gateway remaps it to %d on the proxy pod. Set envoy.gateway.listeners.https.port to the actual container port (e.g. %d)." $httpsPort (add $httpsPort 10000) (add $httpsPort 10000)) }}
{{- end }}
---
# EnvoyProxy configures the proxy deployment/service for the dynamic-backends Gateway.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
name: {{ $gatewayName }}
spec:
provider:
type: Kubernetes
kubernetes:
envoyService:
# ClusterIP: no external load balancer needed for in-cluster integration tests.
type: ClusterIP
---
# Gateway for all dynamic backends. A single HTTPS listener covers all backend hostnames.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: {{ $gatewayName }}
spec:
gatewayClassName: {{ required "envoy.gateway.className is required when envoy.enabled is true" .Values.envoy.gateway.className | quote }}
infrastructure:
parametersRef:
group: gateway.envoyproxy.io
kind: EnvoyProxy
name: {{ $gatewayName | quote }}
listeners:
- name: https
port: {{ $httpsPort }}
protocol: HTTPS
tls:
mode: Terminate
certificateRefs:
- name: {{ .Values.envoy.federator.tls.secretName | quote }}
kind: Secret
---
# ClientTrafficPolicy enforces optional mTLS client cert validation on all dynamic-backend
# connections (mirrors the nginx auth-tls-verify-client: "on" annotation).
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
name: {{ $gatewayName }}-mtls
spec:
targetRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: {{ $gatewayName | quote }}
sectionName: https
tls:
clientValidation:
optional: true
caCertificateRefs:
- name: federator-ca
kind: ConfigMap
---
# EnvoyPatchPolicy strips the trailing dot that Kubernetes DNS appends to FQDNs.
# Wire federator resolves targets via SRV and sends the raw FQDN (with trailing dot)
# as the HTTP/2 :authority header; strip_trailing_host_dot normalises it before
# Envoy's virtual-host matching, preventing route_not_found errors.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyPatchPolicy
metadata:
name: {{ $gatewayName }}-strip-dot
spec:
targetRef:
group: gateway.networking.k8s.io
kind: Gateway
name: {{ $gatewayName | quote }}
type: JSONPatch
jsonPatches:
- type: "type.googleapis.com/envoy.config.listener.v3.Listener"
# Single HTTPS listener → only one filter chain at index 0.
name: {{ printf "%s/%s/https" .Release.Namespace $gatewayName | quote }}
operation:
op: add
path: "/filter_chains/0/filters/0/typed_config/strip_trailing_host_dot"
Why don't you use the same approach as in charts/wire-ingress/templates/envoypatchpolicy-federator.yaml:36-41

value: true
{{- range $name, $dynamicBackend := .Values.config.dynamicBackends }}
{{- $httpRouteName := printf "%s-dynbackend-%s" $gatewayName $name }}
{{- $svcDomain := printf "%s-%s.%s.svc.cluster.local" $dynamicBackend.federatorExternalHostPrefix $.Release.Namespace $controllerNs }}
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: {{ $httpRouteName }}
spec:
parentRefs:
- name: {{ $gatewayName | quote }}
namespace: {{ $.Release.Namespace | quote }}
kind: Gateway
sectionName: https
hostnames:
- {{ $svcDomain | quote }}
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: integration
port: {{ $dynamicBackend.federatorExternalPort }}
kind: Service
---
# EnvoyExtensionPolicy injects the mTLS client certificate as X-SSL-Certificate request
# header, matching the nginx $ssl_client_escaped_cert behaviour expected by federator.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyExtensionPolicy
metadata:
name: {{ $httpRouteName }}-cert-header
spec:
targetRefs:
- group: gateway.networking.k8s.io
kind: HTTPRoute
name: {{ $httpRouteName }}
lua:
- type: Inline
inline: |
function envoy_on_request(request_handle)
local ssl = request_handle:connection():ssl()
same headers():add issue

if ssl ~= nil then
local cert = ssl:urlEncodedPemEncodedPeerCertificate()
if cert ~= nil and cert ~= "" then
request_handle:headers():add("X-SSL-Certificate", cert)
end
end
end
---
# ClusterIP service in {{ $controllerNs }} selects the Envoy proxy pods for this Gateway.
# The service name determines the SRV record used by federation discovery:
# _wire-server-federator._tcp.{{ $svcDomain }}
apiVersion: v1
kind: Service
metadata:
name: {{ $dynamicBackend.federatorExternalHostPrefix }}-{{ $.Release.Namespace }}
namespace: {{ $controllerNs }}
spec:
type: ClusterIP
ports:
- name: wire-server-federator
port: 443
protocol: TCP
targetPort: {{ $httpsPort }}
selector:
gateway.envoyproxy.io/owning-gateway-name: {{ $gatewayName }}
gateway.envoyproxy.io/owning-gateway-namespace: {{ $.Release.Namespace }}
{{- end }}
{{- end }}
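Review bot: the Lua filter appends `X-SSL-Certificate` with `headers():add` and never removes a client-supplied header of the same name; combined with `clientValidation.optional: true` on the ClientTrafficPolicy, a peer that presents no client certificate can send its own `X-SSL-Certificate` header and it reaches the federator untouched, and a peer that does present one produces two values of the header. Call `request_handle:headers():remove("X-SSL-Certificate")` unconditionally at the top of `envoy_on_request` and only then add the verified value (or use `replace`), and confirm that federator rejects the header entirely when no peer certificate was validated. Two smaller points in the same file: the ClientTrafficPolicy comment says it mirrors nginx `auth-tls-verify-client: "on"`, but `optional: true` corresponds to nginx's `optional`, so either the comment or the setting should change; and `caCertificateRefs` names a `federator-ca` ConfigMap that this chart neither creates nor exposes as a value, while `federator.tls.secretName` is configurable, so the two references should be treated alike.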
@@ -1,3 +1,5 @@
{{- if not .Values.envoy.enabled }}
{{- $newLabels := eq (include "integrationTestHelperNewLabels" .) "true" -}}
{{- range $name, $dynamicBackend := .Values.config.dynamicBackends }}
---
apiVersion: networking.k8s.io/v1
@@ -29,4 +31,25 @@ spec:
name: integration
port:
number: {{ $dynamicBackend.federatorExternalPort }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ $dynamicBackend.federatorExternalHostPrefix }}
spec:
ports:
- name: wire-server-federator
port: 443
protocol: TCP
targetPort: https
selector:
{{- if $newLabels }}
app.kubernetes.io/component: controller
app.kubernetes.io/name: ingress-nginx
{{- else }}
app: nginx-ingress
component: controller
{{- end }}
type: ClusterIP
{{- end }}
{{- end }}
@@ -168,7 +168,7 @@ spec:
integration-dynamic-backends-ses.sh {{ .Values.config.sesEndpointUrl }}
integration-dynamic-backends-s3.sh {{ .Values.config.s3EndpointUrl }}
{{- range $name, $dynamicBackend := .Values.config.dynamicBackends }}
integration-dynamic-backends-vhosts.sh {{ $.Values.config.rabbitmqPutVHostUrl }} {{ $dynamicBackend.federatorExternalHostPrefix}}.{{ $.Release.Namespace }}.svc.cluster.local
integration-dynamic-backends-vhosts.sh {{ $.Values.config.rabbitmqPutVHostUrl }} {{ include "integration.dynamicBackendDomain" (list $dynamicBackend $.Release.Namespace $.Values.envoy.enabled $.Values.envoy.controllerNamespace) }}
{{- end }}
resources:
requests:
24 changes: 0 additions & 24 deletions charts/integration/templates/service.yaml
@@ -1,4 +1,3 @@
{{- $newLabels := eq (include "integrationTestHelperNewLabels" .) "true" -}}
---
apiVersion: v1
kind: Service
@@ -26,26 +25,3 @@ spec:
selector:
app: integration-integration
type: ClusterIP

{{- range $name, $dynamicBackend := .Values.config.dynamicBackends }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ $dynamicBackend.federatorExternalHostPrefix }}
spec:
ports:
- name: wire-server-federator
port: 443
protocol: TCP
targetPort: https
selector:
{{- if $newLabels }}
app.kubernetes.io/component: controller
app.kubernetes.io/name: ingress-nginx
{{- else }}
app: nginx-ingress
component: controller
{{- end }}
type: ClusterIP
{{- end }}
23 changes: 23 additions & 0 deletions charts/integration/values.yaml
@@ -129,4 +129,27 @@ tls:
ingress:
class: nginx

envoy:
# Set to true to deploy Gateway API resources instead of nginx Ingress objects
# for the dynamic backends. Requires an Envoy Gateway controller in the cluster.
enabled: false
# Namespace where the Envoy Gateway controller runs its proxy pods.
# Change only if you installed Envoy Gateway into a non-default namespace.
controllerNamespace: envoy-gateway-system
gateway:
# Name of the Gateway resource. Defaults to <release-name>-dynamic-backends if empty.
name: ""
# Name of the GatewayClass installed by the Envoy Gateway controller (e.g. "envoy").
className: ""
listeners:
https:
# Use a non-privileged port (>=1024) to avoid the +10000 container-port
# remapping applied by Envoy Gateway to privileged ports.
port: 10443
federator:
tls:
# Name of the TLS Secret presented by the Gateway for the dynamic-backend
# listeners. Must exist before deploying (created by the wire-ingress chart).
secretName: "federator-certificate-secret"

secrets: {}
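Review bot: `federator.tls.secretName` is documented as "created by the wire-ingress chart", but the Gateway's `certificateRefs` entry in envoy-gateway.yaml carries no `namespace`, so the Secret is looked up in this release's namespace; either document that wire-ingress must be installed into the same namespace, or add a `namespace` field together with the ReferenceGrant a cross-namespace reference requires. `gateway.className` defaults to "" and the template fails via `required` when `envoy.enabled` is true, which is the right behaviour, but the comment should say that it is mandatory rather than only give an example. The port comment agrees with the template's `fail` message about the +10000 remap; it is worth adding that the Service created in the controller namespace maps port 443 to this `targetPort`, so federation peers never see 10443 and only the listener needs the unprivileged value.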