Ingress Changes (#263)

* feat: implement Gateway API with HTTPRoute for ACME challenge and web traffic routing

* refactor: restructure HTTPRoutes and ReferenceGrants for improved namespace management

* bug: yaml error

* refactor: update HTTPRoute to use internal-gateway for improved routing

* feat: migrate from Istio VirtualServices to Gateway API HTTPRoutes with dual gateway access

* bug: configmap script syntax

* bug: configmap script syntax

* bug: configmap script syntax

* bug: virtual service

* bug: virtual service

* add: ingressclass

* add: ingressclass

* fix: update public IP retrieval in post-provision script to prefer DNS name

Author: danielscholl

charts/istio-certs/README.md

@@ -1,6 +1,6 @@
 # Istio Certs Helm Chart
 
-This chart configures DNS labels for Azure Kubernetes Service (AKS) LoadBalancer IPs, enabling automatic FQDN assignment for OSDU services.
+This chart configures DNS labels for Azure Kubernetes Service (AKS) LoadBalancer IPs associated with Gateway API gateways, enabling automatic FQDN assignment for OSDU services with Let's Encrypt certificate provisioning.
 
 --------------------------------------------------------------------------------
 
@@ -20,8 +20,8 @@ Modify the `values.yaml` for the chart or create a `custom_values.yaml` with the
 azure:
   region: <your_azure_region>          # Azure region, e.g. eastus
   dnsName: <your_dns_label>            # Unique DNS label for the cluster
-istioServiceName: istio-ingressgateway # Name of the Istio service
-istioNamespace: istio-system           # Namespace of the Istio service
+gatewayServiceName: external-gateway-istio # Name of the Gateway API service (LoadBalancer)
+gatewayNamespace: istio-system           # Namespace of the Gateway API service
 maxRetries: 30                         # Max retries for waiting on LoadBalancer IP
 retryInterval: 10                      # Seconds between retries
 ```

charts/istio-certs/templates/access_control.yaml

@@ -16,6 +16,10 @@ rules:
   - apiGroups: ["cert-manager.io"]
     resources: ["certificates"]
     verbs: ["get", "create", "update", "patch", "apply"]
+  # Gateway API permissions for Gateway and HTTPRoute management
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["gateways", "httproutes"]
+    verbs: ["get", "list", "watch", "create", "update", "patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

charts/istio-certs/templates/configmap.yaml

@@ -9,7 +9,6 @@ data:
   configure-dns.sh: |
     #!/usr/bin/env bash
     set -euo pipefail
-
     echo "================================================================="
     echo "  Starting DNS + Cert Configuration for AKS LoadBalancer"
     echo "================================================================="
@@ -22,13 +21,13 @@ data:
     }
 
     wait_for_loadbalancer_ip() {
-      echo "Waiting for LoadBalancer IP on service istio-ingress-external in istio-system..."
+      echo "Waiting for LoadBalancer IP on service external-gateway-istio in istio-system..."
       for ((i=0; i<60; i++)); do
-        EXTERNAL_IP=$(kubectl get svc istio-ingress-external -n istio-system -o jsonpath='{.status.loadBalancer.ingress[0].ip}' 2>/dev/null || :)
+        EXTERNAL_IP=$(kubectl get svc external-gateway-istio -n istio-system -o jsonpath='{.status.loadBalancer.ingress[0].ip}' 2>/dev/null || :)
         if [[ -n "$EXTERNAL_IP" ]]; then
           echo "Found IP: $EXTERNAL_IP"
           return 0
-        fi
+        fi        
         echo "…retry $((i+1))/60"
         sleep 5
       done
@@ -38,7 +37,7 @@ data:
 
     annotate_service_with_dns() {
       echo "Annotating service with DNS label ${DNS_NAME}..."
-      kubectl annotate svc istio-ingress-external -n istio-system \
+      kubectl annotate svc external-gateway-istio -n istio-system \
         service.beta.kubernetes.io/azure-dns-label-name="${DNS_NAME}" --overwrite
     }
 
@@ -58,7 +57,6 @@ data:
     }
 
     main "$@"
-
   istio-certificate.yaml: |
     apiVersion: cert-manager.io/v1
     kind: Certificate
@@ -71,10 +69,18 @@ data:
       renewBefore: 360h # 15 days
       subject:
         organizations:
-          - Example Organization
+          - OSDU Developer
       commonName: __FQDN__
       dnsNames:
         - __FQDN__
       issuerRef:
         name: letsencrypt-staging
         kind: ClusterIssuer
+      # Use HTTP-01 challenge which will work with Gateway API HTTPRoute
+      # The ACME challenge solver will create temporary pods that need routing
+      privateKey:
+        algorithm: RSA
+        size: 2048
+      usages:
+      - digital signature
+      - key encipherment

charts/istio-certs/values.yaml

@@ -16,9 +16,9 @@ azure:
   dnsName: ""                          # DNS name to be used for the LoadBalancer IP
 
 ################################################################################
-# Istio configuration values
+# Gateway API configuration values
 #
-istioServiceName: "istio-ingressgateway" # Name of the Istio service
-istioNamespace: "istio-system"           # Namespace of the Istio service
-maxRetries: 30                          # Max retries for waiting on LoadBalancer IP
-retryInterval: 10                       # Seconds between retries
+gatewayServiceName: "external-gateway-istio" # Name of the Gateway API service (LoadBalancer)
+gatewayNamespace: "istio-system"             # Namespace of the Gateway API service  
+maxRetries: 30                              # Max retries for waiting on LoadBalancer IP
+retryInterval: 10                           # Seconds between retries

charts/istio-ingress/templates/certificate.yaml

@@ -0,0 +1,7 @@
+# Certificate will be created by the istio-certs chart after DNS configuration
+# This ensures proper FQDN is available for Let's Encrypt validation
+# The istio-certs Job handles:
+# 1. Waiting for LoadBalancer IP
+# 2. Setting DNS label annotation 
+# 3. Creating Certificate with correct FQDN
+# 4. HTTP-01 challenge routing via Gateway API

charts/istio-ingress/templates/gateways.yaml

@@ -1,60 +1,95 @@
 {{- define "gateway" -}}
-apiVersion: networking.istio.io/v1alpha3
+apiVersion: gateway.networking.k8s.io/v1
 kind: Gateway
 metadata:
   name: {{ .name | default (printf "%s-gateway" .gatewayType) }}
   namespace: istio-system
 spec:
-  selector:
-    {{- .selector | default (dict "istio" (printf "ingress-%s" .gatewayType)) | toYaml | nindent 4 }}
-  servers:
-    - port:
-        name: http2
-        number: 80
-        protocol: HTTP2
-      hosts:
-        {{- if .hosts }}
-        {{- range .hosts }}
-        - {{ . | quote }}
-        {{- end }}
-        {{- else }}
-        - "*"
-        {{- end }}
-    - port:
-        name: https
-        number: 443
-        protocol: HTTPS
-      hosts:
-        {{- if .hosts }}
-        {{- range .hosts }}
-        - {{ . | quote }}
-        {{- end }}
-        {{- else }}
-        - "*"
-        {{- end }}
+  gatewayClassName: istio
+  listeners:
+    - name: http
+      protocol: HTTP
+      port: 80
+      allowedRoutes:
+        namespaces:
+          from: All
+    - name: https
+      protocol: HTTPS
+      port: 443
+      hostname: {{ printf "%s.%s.cloudapp.azure.com" .azure.dnsName .azure.region | quote }}
       tls:
-        {{- if .requireSSL }}
-        httpsRedirect: true # sends 301 redirect for http requests
-        {{- end }}
-        {{- with .tls }}
-        {{- toYaml . | nindent 8 }}  
-      {{- end }}
+        mode: Terminate
+        certificateRefs:
+        - kind: Secret
+          name: {{ .tls.credentialName | quote }}
+          namespace: istio-system
+      allowedRoutes:
+        namespaces:
+          from: All
 {{- end }}
 
-{{- if .Values.ingress }}
-  {{- if hasKey .Values.ingress "internalGateway" }}
-    {{- if .Values.ingress.internalGateway.enabled }}
+{{- if .Values.ingress.externalGateway.enabled }}
 ---
-{{- $internalGateway := merge (dict "gatewayType" "internal" "requireSSL" .Values.ingress.internalGateway.requireSSL) .Values.ingress.internalGateway -}}
-{{ include "gateway" $internalGateway }}
-    {{- end }}
-  {{- end }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: external-gateway
+  namespace: istio-system
+  labels:
+    {{- include "istio-ingress.labels" . | nindent 4 }}
+    istio.io/gateway-name: external-gateway
+spec:
+  gatewayClassName: istio
+  listeners:
+    - name: http
+      protocol: HTTP
+      port: 80
+      allowedRoutes:
+        namespaces:
+          from: All
+    - name: https
+      protocol: HTTPS
+      port: 443
+      tls:
+        mode: Terminate
+        certificateRefs:
+        - kind: Secret
+          name: {{ .Values.ingress.externalGateway.tls.credentialName | quote }}
+          namespace: istio-system
+      allowedRoutes:
+        namespaces:
+          from: All
+{{- end }}
 
-  {{- if hasKey .Values.ingress "externalGateway" }}
-    {{- if .Values.ingress.externalGateway.enabled }}
+{{- if .Values.ingress.internalGateway.enabled }}
 ---
-{{- $externalGateway := merge (dict "gatewayType" "external" "requireSSL" .Values.ingress.externalGateway.requireSSL) .Values.ingress.externalGateway -}}
-{{ include "gateway" $externalGateway }}
-    {{- end }}
-  {{- end }}
-{{- end }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: internal-gateway
+  namespace: istio-system
+  labels:
+    {{- include "istio-ingress.labels" . | nindent 4 }}
+    istio.io/gateway-name: internal-gateway
+spec:
+  gatewayClassName: istio
+  listeners:
+    - name: http
+      protocol: HTTP
+      port: 80
+      allowedRoutes:
+        namespaces:
+          from: All
+    - name: https
+      protocol: HTTPS
+      port: 443
+      tls:
+        mode: Terminate
+        certificateRefs:
+        - kind: Secret
+          name: {{ .Values.ingress.internalGateway.tls.credentialName | quote }}
+          namespace: istio-system
+      allowedRoutes:
+        namespaces:
+          from: All
+{{- end }}

charts/istio-ingress/templates/httproutes.yaml

@@ -0,0 +1,12 @@
+# HTTPRoutes for ACME challenge handling with Gateway API
+# 
+# Note: For Gateway API, cert-manager typically uses one of these approaches:
+# 1. Creates temporary Ingress resources that get converted to HTTPRoutes
+# 2. Uses Gateway API native challenge solvers (experimental)
+# 3. Relies on application HTTPRoutes to handle challenge paths
+#
+# Since this is infrastructure-level routing, we'll let individual applications
+# handle ACME challenge routing in their own HTTPRoutes, or cert-manager
+# will create temporary resources as needed.
+#
+# This avoids namespace dependency issues during deployment.

charts/istio-ingress/templates/referencegrants.yaml

@@ -0,0 +1,9 @@
+# ReferenceGrants are now managed by individual application charts
+# to avoid namespace dependency issues during deployment:
+# - web-site ReferenceGrant is in software/applications/web-site/
+# - cert-manager ReferenceGrant is managed by cert-manager operator
+#
+# This approach ensures that:
+# 1. istio-ingress can deploy without waiting for application namespaces
+# 2. Each application manages its own cross-namespace access permissions
+# 3. No circular dependencies between infrastructure and applications

charts/istio-ingress/values.yaml

@@ -9,11 +9,9 @@ ingress:
       - "*"
     tls:
       mode: SIMPLE
-      credentialName: wild-card-tls
+      credentialName: istio-ingressgateway-certs  # Match the secret created by istio-certs chart
   externalGateway:
     enabled: true
-    hosts:
-      - "*"
     tls:
       mode: SIMPLE
-      credentialName: wild-card-tls
+      credentialName: istio-ingressgateway-certs  # Match the secret created by istio-certs chart

charts/osdu-developer-auth/templates/http-route.yaml

@@ -0,0 +1,43 @@
+{{- $namespace := .Release.Namespace }}
+{{- if and .Values.hosts .Values.gateways }} 
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: osdu-auth-route
+  namespace: {{ $namespace }}
+spec:  parentRefs:
+  {{- range .Values.gateways }}
+  {{- $parts := split "/" . }}
+  {{- if eq (len $parts) 2 }}
+  - name: {{ index $parts 1 }}
+    namespace: {{ index $parts 0 }}
+    group: gateway.networking.k8s.io
+    kind: Gateway
+  {{- else }}
+  - name: {{ . }}
+    namespace: istio-system
+    group: gateway.networking.k8s.io
+    kind: Gateway
+  {{- end }}
+  {{- end }}
+  rules:
+  # Auth SPA route
+  - matches:
+    - path:
+        type: PathPrefix
+        value: {{ .Values.path }}spa/
+    backendRefs:
+    - name: osdu-auth-spa
+      port: 80
+      weight: 100
+  # Main auth route
+  - matches:
+    - path:
+        type: PathPrefix
+        value: {{ .Values.path }}
+    backendRefs:
+    - name: osdu-auth
+      port: 80
+      weight: 100
+{{- end }}