feat(netbird): add Gateway API support and reject ingressGrpc without TLS (#74)

.github/workflows/ci.yaml

@@ -210,6 +210,44 @@ jobs:
           echo "=== Events ==="
           kubectl -n netbird-e2e get events --sort-by='.lastTimestamp' || true
 
+  e2e-gateway:
+    name: "E2E — NetBird: Gateway API (Envoy Gateway)"
+    runs-on: ubuntu-latest
+    needs: [detect-changes, lint-and-unit-test]
+    if: needs.detect-changes.outputs.netbird == 'true' || needs.detect-changes.outputs.ci == 'true'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v4.0.2
+
+      - name: Create kind cluster
+        uses: helm/kind-action@v1
+        with:
+          cluster_name: helms-e2e
+
+      - name: Run e2e test (gateway)
+        run: ci/scripts/netbird/e2e-gateway.sh
+
+      - name: Show debug info on failure
+        if: failure()
+        run: |
+          echo "=== Pod status ==="
+          kubectl -n netbird-gateway-e2e get pods -o wide || true
+          echo "=== Gateway status ==="
+          kubectl -n netbird-gateway-e2e get gateway netbird-gateway -o yaml || true
+          echo "=== Route statuses ==="
+          kubectl -n netbird-gateway-e2e get httproute,grpcroute -o yaml || true
+          echo "=== Envoy Gateway logs ==="
+          kubectl -n envoy-gateway-system logs deployment/envoy-gateway --tail=100 || true
+          echo "=== Server logs ==="
+          kubectl -n netbird-gateway-e2e logs deployment/netbird-gateway-e2e-server --all-containers --tail=100 || true
+          echo "=== Events ==="
+          kubectl -n netbird-gateway-e2e get events --sort-by='.lastTimestamp' || true
+
   e2e-oidc-embedded:
     name: "E2E — NetBird: OIDC (Embedded IdP)"
     runs-on: ubuntu-latest

CHANGELOG.md

@@ -14,12 +14,38 @@ and this project adheres to [Semantic Versioning](https://semver.org/).
   `https://netbird.example.com`). NetBird clients require the port — without
   it the daemon fails with `missing port in address`. Use
   `https://netbird.example.com:443` instead. Fixes #75.
+- **netbird**: Gateway API support as a mutually-exclusive alternative to
+  Kubernetes Ingress for every traffic class. New values:
+  `server.httpRoute` (`HTTPRoute`), `server.grpcRoute` (`GRPCRoute`),
+  `server.relayHttpRoute` (`HTTPRoute`), `server.relayTcpRoute`
+  (`TCPRoute`, v1alpha2), and `dashboard.httpRoute` (`HTTPRoute`). The
+  chart renders routes only; users provide `parentRefs` to a Gateway they
+  already manage. Omitted `backendRefs` auto-fill to the netbird
+  server / dashboard Service on port 80. Fixes #74 — controllers that
+  support plaintext h2c (Envoy Gateway, Traefik Gateway, …) can now expose
+  gRPC without TLS via `GRPCRoute`, sidestepping the nginx-ingress h2c
+  limitation that made `server.ingressGrpc` fail silently without a cert.
+- **netbird**: Fail-fast validation that rejects enabling both an Ingress
+  and its Gateway-API counterpart for the same traffic class (and between
+  `server.relayHttpRoute` / `server.relayTcpRoute`), or enabling a route
+  with an empty `parentRefs` list.
+- **netbird**: Fail-fast validation that rejects
+  `server.ingressGrpc.enabled=true` with an empty `server.ingressGrpc.tls`
+  list. gRPC over Kubernetes Ingress requires TLS (nginx-ingress cannot
+  negotiate plaintext h2c, and the default `ssl-redirect: "true"`
+  annotation redirects plaintext gRPC to HTTPS) — previously this
+  misconfiguration failed silently. Fixes #74. Users who want plaintext
+  gRPC should use `server.grpcRoute` with a Gateway API controller that
+  supports h2c.
 
 ### Changed
 
 - **netbird**: README and `values.yaml` examples now show
   `exposedAddress` with an explicit `:443` port and document that the
   port is required even when it matches the scheme default.
+- **netbird**: README gains a "Gateway API as an alternative to Ingress"
+  section with copy-pasteable examples, parameter tables for the new
+  route blocks, and an updated architecture diagram.
 
 ## [0.4.1] — 2026-04-14
 

Makefile

@@ -1,4 +1,4 @@
-.PHONY: lint unittest e2e e2e-netbird e2e-sqlite e2e-postgres e2e-mysql e2e-oidc-keycloak e2e-oidc-zitadel e2e-keycloak e2e-keycloak-dev e2e-keycloak-postgres e2e-keycloak-replicas e2e-setup e2e-teardown test compat-matrix
+.PHONY: lint unittest e2e e2e-netbird e2e-sqlite e2e-postgres e2e-mysql e2e-gateway e2e-oidc-keycloak e2e-oidc-zitadel e2e-keycloak e2e-keycloak-dev e2e-keycloak-postgres e2e-keycloak-replicas e2e-setup e2e-teardown test compat-matrix
 
 CHARTS := $(wildcard charts/*)
 
@@ -36,6 +36,9 @@ e2e-postgres: e2e-setup
 e2e-mysql: e2e-setup
 	ci/scripts/netbird/e2e.sh mysql
 
+e2e-gateway: e2e-setup
+	ci/scripts/netbird/e2e-gateway.sh
+
 e2e-oidc-keycloak: e2e-setup
 	ci/scripts/netbird/e2e-oidc.sh keycloak
 
@@ -46,6 +49,7 @@ e2e-netbird: e2e-setup
 	ci/scripts/netbird/e2e.sh sqlite
 	ci/scripts/netbird/e2e.sh postgres
 	ci/scripts/netbird/e2e.sh mysql
+	ci/scripts/netbird/e2e-gateway.sh
 	ci/scripts/netbird/e2e-oidc.sh keycloak
 	ci/scripts/netbird/e2e-oidc.sh zitadel