Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Gateway API support #203

Open
1 of 2 tasks
amalic opened this issue May 14, 2024 · 6 comments
Open
1 of 2 tasks

Add Gateway API support #203

amalic opened this issue May 14, 2024 · 6 comments
Labels
devops

Comments

@amalic
Copy link

amalic commented May 14, 2024

Preflight Checklist

  • I could not find a solution in the existing issues, docs, nor discussions
  • I have joined the ZITADEL chat

Describe your problem

I would like the chart do add an opton to use Gateway API, similar to Ingress.

Describe your ideal solution

values.yaml

gateway-api:
  enabled: true
  gateway-class: 
  http-route:
    ...

Version

7.14.0

App version

2.51.2

Additional Context

I got a cluster running with Envoy Gateway, and would love if the Zitadel chart could support Gateway API in general.
@hifabienne hifabienne moved this to 🧐 Investigating in Product Management May 15, 2024
@danielloader danielloader mentioned this issue May 27, 2024
Closed
2 tasks
@eliobischof
Copy link
Member

I see the value of this feature.
But I give it a lower priority than #207, as you can achieve the same result with #207 and more

@eliobischof eliobischof moved this from 🧐 Investigating to 📨 Product Backlog in Product Management Jun 13, 2024
@gecube
Copy link

gecube commented Jun 16, 2024

@amalic Hi! Great improvement! But unfortunately, there are many options how to deploy the API Gateway. Are you sure that you want to give here the whole set of options to change? I managed to deploy zitadel with API Gateway with the next manifests:

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: zitadel-1
spec:
  parentRefs:
    - name: eg
      namespace: envoy-gateway-system
  hostnames:
    - "34-88-17-164.sslip.io"
  rules:
    - backendRefs:
        - group: ""
          kind: Service
          name: zitadel
          port: 8080
          weight: 1
      matches:
        - path:
            type: PathPrefix
            value: /zitadel.admin.v1.AdminService
        - path:
            type: PathPrefix
            value: /admin
        - path:
            type: PathPrefix
            value: /zitadel.auth.v1.AuthService
        - path:
            type: PathPrefix
            value: /auth
        - path:
            type: PathPrefix
            value: /zitadel.management.v1.ManagementService
        - path:
            type: PathPrefix
            value: /management
        - path:
            type: PathPrefix
            value: /zitadel.system.v1.SystemService
        - path:
            type: PathPrefix
            value: /system
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: zitadel-2
spec:
  parentRefs:
    - name: eg
      namespace: envoy-gateway-system
  hostnames:
    - "34-88-17-164.sslip.io"
  rules:
    - backendRefs:
        - group: ""
          kind: Service
          name: zitadel
          port: 8080
          weight: 1
      matches:
        - path:
            type: PathPrefix
            value: /assets
        - path:
            type: PathPrefix
            value: /ui
        - path:
            type: PathPrefix
            value: /oidc
        - path:
            type: PathPrefix
            value: /saml
        - path:
            type: PathPrefix
            value: /.well-known/openid-configuration
        - path:
            type: PathPrefix
            value: /openapi
        - path:
            type: PathPrefix
            value: /debug
        - path:
            type: PathPrefix
            value: /device
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: zitadel-3
spec:
  parentRefs:
    - name: eg
      namespace: envoy-gateway-system
  hostnames:
    - "34-88-17-164.sslip.io"
  rules:
    - backendRefs:
        - group: ""
          kind: Service
          name: zitadel
          port: 8080
          weight: 1
      matches:
        - path:
            type: PathPrefix
            value: /oauth

@danielloader
Copy link

That's definitely a more complex setup than throwing it on a subdomain with a single route to the service for sure. But the same criticism would be true of doing this with ingress resources instead of httproutes?

@bdalpe
Copy link

bdalpe commented Jun 17, 2024

You also can't assume that HTTPRoute is the only way to expose Zitadel with the Gateway API. It is possible to also use a TLSRoute resource and access via TLS SNI.

IMO, #207 is the best way to handle this.

@svilcu
Copy link

svilcu commented Aug 11, 2024
edited
Loading

If you are using Cilium as a gateway API with experimental specs, it is probably as simple as an Ingress.
In the zitadel installation use:

service:
   protocol: kubernetes.io/h2c

Gateway is standard, then use GRPCroute instead of HTTProute. My code is in Ansible:

- name: Delete secret holding cert for zitadel if it exists
  kubernetes.core.k8s:
    state: absent
    definition:
      api_version: v1
      kind: Secret
      metadata:
        name: "zitadel.{{ cluster_name }}.{{ default_domain }}"
        namespace: zitadel

- name: Create certificate for zitadel using cert-manager
  kubernetes.core.k8s:
    state: present
    definition:
      api_version: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: "zitadel.{{ cluster_name }}.{{ default_domain }}"
        namespace: zitadel
      spec:
        dnsNames:
          - "zitadel.{{ cluster_name }}.{{ default_domain }}"
        secretName: "zitadel.{{ cluster_name }}.{{ default_domain }}"
        issuerRef:
          name: ca-issuer
          kind: ClusterIssuer

- name: Add Zitadel dashboard Gateway
  kubernetes.core.k8s:
    wait: true
    state: present
    definition:
      apiVersion: gateway.networking.k8s.io/v1
      kind: Gateway
      metadata:
        name: zitadel-gateway
        namespace: zitadel
      spec:
        gatewayClassName: cilium
        listeners:
          - name: zitadel-ui
            protocol: HTTPS
            port: 443
            hostname: "zitadel.{{ cluster_name }}.{{ default_domain }}"
            tls:
              certificateRefs:
                - kind: Secret
                  name: "zitadel.{{ cluster_name }}.{{ default_domain }}"

- name: Add Zitadel GRPCRoute
  kubernetes.core.k8s:
    wait: true
    state: present
    definition:
      apiVersion: gateway.networking.k8s.io/v1
      kind: GRPCRoute
      metadata:
        name: zitadel-grpcroute
        namespace: zitadel
        annotations:
          external-dns.alpha.kubernetes.io/target: "zitadel.{{ cluster_name }}.{{ default_domain }}"
      spec:
        parentRefs:
          - name: zitadel-gateway
            namespace: zitadel
        hostnames:
          - "zitadel.{{ cluster_name }}.{{ default_domain }}"
        rules:
          - matches:
            - path:
                type: PathPrefix
                value: /
            backendRefs:
              - name: zitadel
                namespace: zitadel
                port: 8080

@eliobischof
Copy link
Member

FYI #207 to add extraManifests is released: https://github.com/zitadel/zitadel-charts/releases/tag/zitadel-8.7.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
devops
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@danielloader @gecube @amalic @svilcu @eliobischof @bdalpe @hifabienne