feat(helm): gateway API support (#5744)

utils/helm/speckle-server/templates/gateway_api/_helpers.tpl

@@ -0,0 +1,3 @@
+{{ if (and .Values.gatewayAPI.enabled .Values.ingress.enabled) }}
+{{- fail "Error: gatewayAPI and ingress cannot both be enabled. Please choose one or the other." }}
+{{- end }}

utils/helm/speckle-server/templates/gateway_api/frontend.httproute.yml

@@ -0,0 +1,27 @@
+{{- if .Values.gatewayAPI.enabled }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: speckle-frontend
+  namespace: {{ .Values.namespace }}
+  labels:
+{{ include "speckle.labels" . | indent 4 }}
+spec:
+  parentRefs:
+    - name: {{ .Values.gatewayAPI.gateway.name }}
+      {{- if .Values.gatewayAPI.gateway.namespace }}
+      namespace: {{ .Values.gatewayAPI.gateway.namespace }}
+      {{- end }}
+      sectionName: {{ .Values.gatewayAPI.gateway.defaultListenerName }}
+  hostnames:
+    - {{ .Values.domain | quote}}
+  rules:
+  - matches:
+      - path:
+          type: PathPrefix
+          value: /
+    backendRefs:
+      - name: speckle-frontend-2
+        kind: Service
+        port: 8080
+{{- end }}

utils/helm/speckle-server/templates/gateway_api/gateway.yml

@@ -0,0 +1,44 @@
+{{- if (and .Values.gatewayAPI.enabled .Values.gatewayAPI.gateway.enabled) }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: {{ .Values.gatewayAPI.gateway.name }}
+  namespace: {{ default .Values.namespace .Values.gatewayAPI.gateway.namespace }}
+  labels:
+{{ include "speckle.labels" . | indent 4 }}
+  annotations:
+    {{- if (and .Values.gatewayAPI.gateway.tls.enabled .Values.cert_manager_issuer) }}
+    cert-manager.io/cluster-issuer: {{ .Values.cert_manager_issuer }}
+    {{- end }}
+spec:
+  gatewayClassName: {{ .Values.gatewayAPI.gateway.gatewayClassName }}
+  listeners:
+  - name: {{ .Values.gatewayAPI.gateway.defaultListenerName }}
+    {{- if .Values.gatewayAPI.gateway.tls.enabled }}
+    protocol: HTTPS
+    port: 443
+    {{- else }}
+    protocol: HTTP
+    port: 80
+    {{- end }}
+    hostname: {{ .Values.domain | quote }}
+    allowedRoutes:
+      namespaces:
+        # The Gateway and the HTTPRoutes live in the same namespace. Using 'Same' keeps routing isolated and prevents other applications from using this entry point.
+        from: Same
+    {{- if .Values.gatewayAPI.gateway.tls.enabled }}
+    tls:
+      mode: Terminate
+      {{- if .Values.gatewayAPI.gateway.tls.certificateRefs }}
+      certificateRefs:
+{{ .Values.gatewayAPI.gateway.tls.certificateRefs | toYaml | indent 8 }}
+      {{- end }}
+      {{- if .Values.gatewayAPI.gateway.tls.options }}
+      options:
+{{ .Values.gatewayAPI.gateway.tls.options | toYaml | indent 8 }}
+      {{- end }}
+    {{- end }}
+{{- if .Values.gatewayAPI.gateway.additionalListeners }}
+{{ toYaml .Values.gatewayAPI.gateway.additionalListeners | indent 2 }}
+{{- end }}
+{{- end }}

utils/helm/speckle-server/templates/gateway_api/objects.httproute.yml

@@ -0,0 +1,53 @@
+{{- if .Values.gatewayAPI.enabled }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: speckle-objects
+  namespace: {{ .Values.namespace }}
+  labels:
+{{ include "speckle.labels" . | indent 4 }}
+# There is no equivalent of nginx.ingress.kubernetes.io/proxy-body-size for Gateway API
+spec:
+  parentRefs:
+    - name: {{ .Values.gatewayAPI.gateway.name }}
+      {{- if .Values.gatewayAPI.gateway.namespace }}
+      namespace: {{ .Values.gatewayAPI.gateway.namespace }}
+      {{- end }}
+      sectionName: {{ .Values.gatewayAPI.gateway.defaultListenerName }}
+  hostnames:
+    - {{ .Values.domain | quote}}
+  rules:
+  - matches:
+      - path:
+          type: PathPrefix
+          value: /api/
+      - path:
+          type: PathPrefix
+          value: /preview/
+      - path:
+          type: PathPrefix
+          value: "/api/getobjects/"
+      - path:
+          type: PathPrefix
+          value: "/api/objects/"
+      - path:
+          type: PathPrefix
+          value: "/api/diff/"
+      - path:
+          type: PathPrefix
+          value: "/objects/"
+      - path:
+          type: PathPrefix
+          value: "/api/file/"
+      - path:
+          type: PathPrefix
+          value: "/api/stream/"
+      - path:
+          type: PathPrefix
+          value: "/api/thirdparty/gendo"
+    backendRefs:
+      - name: speckle-objects
+        kind: Service
+        port: 3000
+
+{{- end }}

utils/helm/speckle-server/templates/gateway_api/redirects.httproute.yml

@@ -0,0 +1,42 @@
+{{- if .Values.gatewayAPI.enabled }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: speckle-redirects
+  namespace: {{ .Values.namespace }}
+  labels:
+{{ include "speckle.labels" . | indent 4 }}
+spec:
+  parentRefs:
+    - name: {{ .Values.gatewayAPI.gateway.name }}
+      {{- if .Values.gatewayAPI.gateway.namespace }}
+      namespace: {{ .Values.gatewayAPI.gateway.namespace }}
+      {{- end }}
+      sectionName: {{ .Values.gatewayAPI.gateway.defaultListenerName }}
+  hostnames:
+    - {{ .Values.domain | quote}}
+  rules:
+    - matches:
+        - path:
+            type: Exact
+            value: /metrics
+        - path:
+            type: Exact
+            value: /api/status
+        - path:
+            type: Exact
+            value: /liveness
+        - path:
+            type: Exact
+            value: /readiness
+      filters:
+        - type: URLRewrite
+          urlRewrite:
+            path:
+              type: ReplaceFullPath
+              replaceFullPath: /
+      backendRefs:
+        - name: speckle-frontend-2
+          kind: Service
+          port: 8080
+{{- end }}

utils/helm/speckle-server/templates/gateway_api/server.httproute.yml

@@ -0,0 +1,36 @@
+{{- if .Values.gatewayAPI.enabled }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: speckle-server
+  namespace: {{ .Values.namespace }}
+  labels:
+{{ include "speckle.labels" . | indent 4 }}
+spec:
+  parentRefs:
+    - name: {{ .Values.gatewayAPI.gateway.name }}
+      {{- if .Values.gatewayAPI.gateway.namespace }}
+      namespace: {{ .Values.gatewayAPI.gateway.namespace }}
+      {{- end }}
+      sectionName: {{ .Values.gatewayAPI.gateway.defaultListenerName }}
+  hostnames:
+    - {{ .Values.domain | quote }}
+  rules:
+  - matches:
+      - path:
+          type: Exact
+          value: "/graphql"
+      - path:
+          type: Exact
+          value: "/explorer"
+      - path:
+          type: PathPrefix
+          value: "/auth/"
+      - path:
+          type: PathPrefix
+          value: "/static/"
+    backendRefs:
+      - name: speckle-server
+        kind: Service
+        port: 3000
+{{- end }}

utils/helm/speckle-server/values.schema.json

@@ -192,7 +192,7 @@
       "properties": {
         "enabled": {
           "type": "boolean",
-          "description": "If enabled, the ingress resources will be deployed",
+          "description": "If enabled, the ingress resources will be deployed. Ingress or Gateway can be used, but not both.",
           "default": true
         },
         "namespace": {
@@ -212,6 +212,73 @@
         }
       }
     },
+    "gatewayAPI": {
+      "type": "object",
+      "properties": {
+        "enabled": {
+          "type": "boolean",
+          "description": "If enabled, the Gateway resources will be deployed. Ingress or Gateway can be used, but probably not both.",
+          "default": false
+        },
+        "gateway": {
+          "type": "object",
+          "properties": {
+            "enabled": {
+              "type": "boolean",
+              "description": "If enabled, the Gateway resource templated within this helm chart will be deployed. If deploying your own Gateway resource separately - for example, a shared gateway - please disable, but update the 'name' and 'namespace' parameters to match.",
+              "default": true
+            },
+            "gatewayClassName": {
+              "type": "string",
+              "description": "The name of the GatewayClass to use for the Gateway resource",
+              "default": "cilium"
+            },
+            "name": {
+              "type": "string",
+              "description": "The name of the Gateway resource to deploy. If you have deployed your own gateway resource, please update this value to match the name of your Gateway resource.",
+              "default": "speckle-server"
+            },
+            "namespace": {
+              "type": "string",
+              "description": "The namespace in which the Gateway resource is deployed. If you have deployed your own gateway resource, please update this value to match the namespace of your Gateway resource. If not provided, defaults to the same namespace as this Helm Chart is deployed to.",
+              "default": ""
+            },
+            "defaultListenerName": {
+              "type": "string",
+              "description": "The name of the listener to use for the Gateway resource. If you have deployed your own gateway resource, please update this value to match the name of the listener in your Gateway resource.",
+              "default": "speckle-server-gateway-https"
+            },
+            "tls": {
+              "type": "object",
+              "properties": {
+                "enabled": {
+                  "type": "boolean",
+                  "description": "If enabled, TLS configuration will be added to the Gateway resource. cert_manager_issuer must also be set.",
+                  "default": true
+                },
+                "certificateRefs": {
+                  "type": "array",
+                  "description": "The certificateRefs to use for TLS configuration in the Gateway resource.",
+                  "default": [],
+                  "items": {}
+                },
+                "options": {
+                  "type": "object",
+                  "description": "(Optional) Additional options to provide for TLS configuration in the Gateway resource.",
+                  "default": {}
+                }
+              }
+            },
+            "additionalListeners": {
+              "type": "array",
+              "description": "(Optional) Additional listeners to add to the Gateway resource. This allows for more complex Gateway configurations, e.g. an additional http listener may be required for cert-manager http-01 challenge if cert-manager is being used for TLS certificate management.",
+              "default": [],
+              "items": {}
+            }
+          }
+        }
+      }
+    },
     "docker_image_tag": {
       "type": "string",
       "description": "DEPRECATED: Use `{service}.image` with full image name instead. Speckle is published as a Docker Image.  The version of the image which will be deployed is specified by this tag.",

utils/helm/speckle-server/values.yaml

@@ -102,15 +102,14 @@ networkPlugin:
   ## @param networkPlugin.type (Optional) Used to configure which type of NetworkPolicy is deployed. Options are 'kubernetes' or 'cilium'.
   type: 'kubernetes'
 
-## @section Ingress metadata for NetworkPolicy
+## @section Ingress configuration
 ## @descriptionStart
-## This section is ignored unless networkPolicy is enabled for frontend or server.
 ## The NetworkPolicy uses this value to enable connections from the ingress controller pod in this namespace to reach Speckle.
 ## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
 ## @descriptionEnd
 ##
 ingress:
-  ## @param ingress.enabled If enabled, the ingress resources will be deployed
+  ## @param ingress.enabled If enabled, the ingress resources will be deployed. Ingress or Gateway can be used, but not both.
   ##
   enabled: true
   ## @param ingress.namespace The namespace in which the ingress controller is deployed.
@@ -123,6 +122,49 @@ ingress:
   ##
   client_max_body_size_mb: 10
 
+gatewayAPI:
+  ## @param gatewayAPI.enabled If enabled, the Gateway resources will be deployed. Ingress or Gateway can be used, but probably not both.
+  ##
+  enabled: false
+  gateway:
+    ## @param gatewayAPI.gateway.enabled If enabled, the Gateway resource templated within this helm chart will be deployed. If deploying your own Gateway resource separately - for example, a shared gateway - please disable, but update the 'name' and 'namespace' parameters to match.
+    ##
+    enabled: true
+    ## @param gatewayAPI.gateway.gatewayClassName The name of the GatewayClass to use for the Gateway resource
+    ##
+    gatewayClassName: cilium
+    ## @param gatewayAPI.gateway.name The name of the Gateway resource to deploy. If you have deployed your own gateway resource, please update this value to match the name of your Gateway resource.
+    ##
+    name: speckle-server
+    ## @param gatewayAPI.gateway.namespace The namespace in which the Gateway resource is deployed. If you have deployed your own gateway resource, please update this value to match the namespace of your Gateway resource. If not provided, defaults to the same namespace as this Helm Chart is deployed to.
+    ##
+    namespace: ''
+    ## @param gatewayAPI.gateway.defaultListenerName The name of the listener to use for the Gateway resource. If you have deployed your own gateway resource, please update this value to match the name of the listener in your Gateway resource.
+    ##
+    defaultListenerName: speckle-server-gateway-https
+    tls:
+      ## @param gatewayAPI.gateway.tls.enabled If enabled, TLS configuration will be added to the Gateway resource. cert_manager_issuer must also be set.
+      ##
+      enabled: true
+      ## @param gatewayAPI.gateway.tls.certificateRefs The certificateRefs to use for TLS configuration in the Gateway resource.
+      ## This should reference a Kubernetes secret containing the TLS certificate and private key. If cert_manager_issuer is set, this secret is expected to be automatically generated by the certificate manager.
+      ##
+      certificateRefs:
+        []
+        # Example, if using cert-manager or similar, uncomment and update the name to reference a secret containing the TLS certificate and private key
+        # - name: speckle-server-gateway-tls
+      ## @param gatewayAPI.gateway.tls.options (Optional) Additional options to provide for TLS configuration in the Gateway resource.
+      ##
+      options: {}
+    ## @param gatewayAPI.gateway.additionalListeners (Optional) Additional listeners to add to the Gateway resource. This allows for more complex Gateway configurations, e.g. an additional http listener may be required for cert-manager http-01 challenge if cert-manager is being used for TLS certificate management.
+    ##
+    additionalListeners:
+      []
+      # - name: cert-manager-http-01-challenge
+      #   protocol: HTTP
+      #   port: 80
+      #   hostname: "example.org"
+
 ## @section Common parameters
 ##
 ## @param docker_image_tag DEPRECATED: Use `{service}.image` with full image name instead. Speckle is published as a Docker Image.  The version of the image which will be deployed is specified by this tag.