From 1a024ae8a29e6cc1cca496613451705331b3703f Mon Sep 17 00:00:00 2001
From: Robert Graeff
Date: Tue, 11 Nov 2025 12:31:33 +0100
Subject: [PATCH 1/2] feat: gateway config with tls port
---
...eway.openmcp.cloud_gatewayserviceconfigs.yaml | 11 +++++++++++
api/gateway/v1alpha1/config_types.go | 9 +++++++++
api/gateway/v1alpha1/zz_generated.deepcopy.go | 16 ++++++++++++++++
3 files changed, 36 insertions(+)
diff --git a/api/crds/manifests/gateway.openmcp.cloud_gatewayserviceconfigs.yaml b/api/crds/manifests/gateway.openmcp.cloud_gatewayserviceconfigs.yaml
index 7d26a37..c3dbdd7 100644
--- a/api/crds/manifests/gateway.openmcp.cloud_gatewayserviceconfigs.yaml
+++ b/api/crds/manifests/gateway.openmcp.cloud_gatewayserviceconfigs.yaml
@@ -156,9 +156,20 @@ spec: required: - chart type: object
+ gateway:
+ description: Gateway configuration.
+ properties:
+ tlsPort:
+ default: 9443
+ description: TLSPort is the port on which the gateway will listen
+ for TLS traffic.
+ format: int32
+ type: integer
+ type: object required: - dns - envoyGateway
+ - gateway type: object type: object served: true
diff --git a/api/gateway/v1alpha1/config_types.go b/api/gateway/v1alpha1/config_types.go
index ff15321..82a1bff 100644
--- a/api/gateway/v1alpha1/config_types.go
+++ b/api/gateway/v1alpha1/config_types.go
@@ -13,6 +13,9 @@ type GatewayServiceConfigSpec struct { // Clusters that should be included in the gateway configuration. Clusters []ClusterTerm `json:"clusters,omitempty"`
+ // Gateway configuration.
+ Gateway GatewayConfig `json:"gateway"`
+
// DNS configuration. DNS DNSConfig `json:"dns"` }
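Review bot: The new `Gateway GatewayConfig` field carries the tag `json:"gateway"` without `omitempty`, so controller-gen marks it required (the CRD hunk adds `- gateway` under `required`), and GatewayServiceConfig manifests written before this field exists will be rejected on create or update even though every field inside GatewayConfig is optional. Since pkg/envoy already falls back to 9443 when TLSPort is zero, changing the tag to `json:"gateway,omitempty"` keeps older manifests valid; if the intent is to always materialise the nested default, `// +kubebuilder:default={}` on the field does that without making it required. The GatewayServiceConfigSpec struct starts before this hunk, so its remaining fields are not visible here.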
@@ -88,6 +91,12 @@ type ImagesConfig struct { ImagePullSecrets []meta.LocalObjectReference `json:"imagePullSecrets,omitempty"` }
+type GatewayConfig struct {
+ // TLSPort is the port on which the gateway will listen for TLS traffic.
+ // +kubebuilder:default=9443
+ TLSPort int32 `json:"tlsPort,omitempty"`
+}
+
type DNSConfig struct { // BaseDomain is the domain from which subdomains will be derived. Example: dev.openmcp.example.com. // +kubebuilder:validation:Required
diff --git a/api/gateway/v1alpha1/zz_generated.deepcopy.go b/api/gateway/v1alpha1/zz_generated.deepcopy.go
index e430c23..271c71d 100644
--- a/api/gateway/v1alpha1/zz_generated.deepcopy.go
+++ b/api/gateway/v1alpha1/zz_generated.deepcopy.go
@@ -127,6 +127,21 @@ func (in *EnvoyGatewayConfig) DeepCopy() *EnvoyGatewayConfig { return out }
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GatewayConfig) DeepCopyInto(out *GatewayConfig) {
+ *out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GatewayConfig.
+func (in *GatewayConfig) DeepCopy() *GatewayConfig {
+ if in == nil {
+ return nil
+ }
+ out := new(GatewayConfig)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GatewayServiceConfig) DeepCopyInto(out *GatewayServiceConfig) { *out = *in
@@ -196,6 +211,7 @@ func (in *GatewayServiceConfigSpec) DeepCopyInto(out *GatewayServiceConfigSpec) (*in)[i].DeepCopyInto(&(*out)[i]) } }
+ out.Gateway = in.Gateway
out.DNS = in.DNS }
From fda7d963f7b320da724714a021ced2f6950a1441 Mon Sep 17 00:00:00 2001
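Review bot: TLSPort in the new GatewayConfig struct accepts any int32, including negative values and values above 65535, because the field carries only `// +kubebuilder:default=9443`; an out-of-range value is presumably caught only later, when the Gateway listener built from it is rejected by the API server, which then surfaces as a reconcile error instead of an admission error on the config object. Adding `// +kubebuilder:validation:Minimum=1` and `// +kubebuilder:validation:Maximum=65535` above the field rejects bad input at the source and makes the generated CRD self-describing. The zz_generated.deepcopy.go hunks are generator output and only need the generator rerun after that change.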
From: Robert Graeff
Date: Tue, 11 Nov 2025 12:56:49 +0100
Subject: [PATCH 2/2] feat: add tls port to gateway
---
internal/controllers/cluster/controller.go | 1 +
pkg/envoy/config.go | 12 +++++++++++-
pkg/envoy/deployment.go | 1 +
3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/internal/controllers/cluster/controller.go b/internal/controllers/cluster/controller.go
index c236fb0..ceb8cb0 100644
--- a/internal/controllers/cluster/controller.go
+++ b/internal/controllers/cluster/controller.go
@@ -228,6 +228,7 @@ func (r *ClusterReconciler) buildGatewayManager(ctx context.Context, req reconci gw := &envoy.Gateway{ Cluster: c, EnvoyConfig: r.Config.Spec.EnvoyGateway,
+ GatewayConfig: r.Config.Spec.Gateway,
DNSConfig: r.Config.Spec.DNS, PlatformClient: r.PlatformCluster.Client(), ClusterClient: access.Client(),
diff --git a/pkg/envoy/config.go b/pkg/envoy/config.go
index 7f1b5f6..5b795ee 100644
--- a/pkg/envoy/config.go
+++ b/pkg/envoy/config.go
@@ -4,6 +4,7 @@ import ( "context" "errors" "fmt"
+ "strconv"
"time" corev1 "k8s.io/api/core/v1"
@@ -27,6 +28,7 @@ const ( gatewayClassName = "envoy-gateway" gatewayName = "default" gatewayNamespace = "openmcp-system"
+ tlsPortAnnotation = "gateway.openmcp.cloud/tls-port"
baseDomainAnnotation = "dns.openmcp.cloud/base-domain" )
@@ -102,7 +104,7 @@ func (g *Gateway) reconcileGatewayFunc(obj *gatewayv1.Gateway) func() error { obj.Spec.Listeners = []gatewayv1.Listener{ { Name: "tls",
- Port: 9443,
+ Port: g.getTLSPort(),
Protocol: gatewayv1.TLSProtocolType, TLS: &gatewayv1.ListenerTLSConfig{ Mode: ptr.To(gatewayv1.TLSModePassthrough),
@@ -124,6 +126,7 @@ func (g *Gateway) reconcileGatewayFunc(obj *gatewayv1.Gateway) func() error { } baseDomain := g.generateBaseDomain()
+ metav1.SetMetaDataAnnotation(&obj.ObjectMeta, tlsPortAnnotation, strconv.Itoa(int(g.getTLSPort())))
metav1.SetMetaDataAnnotation(&obj.ObjectMeta, baseDomainAnnotation, baseDomain) return nil
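Review bot: `tlsPortAnnotation` is written onto the Gateway's metadata in the last config.go hunk, but nothing in this patch reads it, so it duplicates `spec.listeners[0].port` with no visible consumer. If a downstream component depends on it, a comment on the constant in the `const` block hunk naming that consumer would keep the two from drifting, e.g. `// tlsPortAnnotation mirrors the TLS listener port on the Gateway object; written by reconcileGatewayFunc.`; if nothing consumes it, drop the annotation together with the `strconv` import added for it. reconcileGatewayFunc starts and ends outside these hunks.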
@@ -134,6 +137,13 @@ func (g *Gateway) generateBaseDomain() string { return fmt.Sprintf("%s.%s.%s", g.Cluster.Name, g.Cluster.Namespace, g.DNSConfig.BaseDomain) }
+func (g *Gateway) getTLSPort() int32 {
+ if g.GatewayConfig.TLSPort != 0 {
+ return g.GatewayConfig.TLSPort
+ }
+ return 9443
+}
+
// ----- EnvoyProxy ----- func getEnvoyProxy() *unstructured.Unstructured {
diff --git a/pkg/envoy/deployment.go b/pkg/envoy/deployment.go
index 66f661c..8c7d085 100644
--- a/pkg/envoy/deployment.go
+++ b/pkg/envoy/deployment.go
@@ -30,6 +30,7 @@ const ( type Gateway struct { Cluster *clustersv1alpha1.Cluster EnvoyConfig v1alpha1.EnvoyGatewayConfig
+ GatewayConfig v1alpha1.GatewayConfig
DNSConfig v1alpha1.DNSConfig PlatformClient client.Client ClusterClient client.Client
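Review bot: `return 9443` in getTLSPort repeats the literal that the API type declares as `+kubebuilder:default=9443`, so the two defaults can silently diverge; a named constant in the existing `const` block of config.go, `defaultTLSPort = 9443`, used here as `return defaultTLSPort` gives the fallback a single point of truth. The function also has no doc comment; `// getTLSPort returns the configured TLS listener port, falling back to 9443 when GatewayConfig.TLSPort is unset.` states the contract. Any non-zero value is passed through unchecked, so range validation belongs on the API type rather than here.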