From 25a16b99475f12675be137d25e19e92013f36cc1 Mon Sep 17 00:00:00 2001
From: Christopher Tineo
Date: Sat, 21 Mar 2026 11:07:48 -0400
Subject: [PATCH 1/8] feat: migrate manifests from Ingress to Gateway API (HTTPRoute)
---
 deploy/manifests/balancer/base/httproute.yaml | 18 +++++++++++++++
 deploy/manifests/balancer/base/ingress.yaml | 23 -------------------
 .../balancer/base/kustomization.yaml | 2 +-
 deploy/manifests/balancer/base/service.yaml | 2 +-
 .../balancer/overlays/dev/kustomization.yaml | 10 ++------
 5 files changed, 22 insertions(+), 33 deletions(-)
 create mode 100644 deploy/manifests/balancer/base/httproute.yaml
 delete mode 100644 deploy/manifests/balancer/base/ingress.yaml
diff --git a/deploy/manifests/balancer/base/httproute.yaml b/deploy/manifests/balancer/base/httproute.yaml
new file mode 100644
index 00000000..f9ca0df7
--- /dev/null
+++ b/deploy/manifests/balancer/base/httproute.yaml
@@ -0,0 +1,18 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: balancer
+spec:
+ parentRefs:
+ - name: main-gateway
+ namespace: envoy-gateway-system
+ hostnames:
+ - HOSTNAME_PLACEHOLDER
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /
+ backendRefs:
+ - name: balancer
+ port: 80
diff --git a/deploy/manifests/balancer/base/ingress.yaml b/deploy/manifests/balancer/base/ingress.yaml
deleted file mode 100644
index fc98305b..00000000
--- a/deploy/manifests/balancer/base/ingress.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: balancer
- annotations: {}
-spec:
- ingressClassName: nginx
- tls:
- - hosts:
- - HOSTNAME_PLACEHOLDER
- secretName: balancer-tls
- rules:
- - host: HOSTNAME_PLACEHOLDER
- http:
- paths:
- # All traffic routes to balancer service (which serves both API and frontend)
- - path: /
- pathType: Prefix
- backend:
- service:
- name: balancer
- port:
- number: 8000
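Review bot: The new `parentRefs` entry in httproute.yaml names `main-gateway` without a `sectionName`, so the route attaches to every listener on that Gateway that admits it, plain-HTTP ones included, while the same commit deletes the Ingress `tls:` block and its `balancer-tls` reference. From this revision until patch 7/8 pins `sectionName: https`, whether the app is reachable in cleartext depends entirely on how the shared Gateway is configured, which the diff does not show. If the patches can be deployed individually, pin the listener here as well, e.g. `sectionName: <https-listener-name>` (placeholder for the Gateway's own listener name). The cross-namespace reference also only binds if `main-gateway`'s `allowedRoutes` admits the namespace these manifests are deployed into, which is worth confirming before rollout.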
diff --git a/deploy/manifests/balancer/base/kustomization.yaml b/deploy/manifests/balancer/base/kustomization.yaml index c7d2dcd1..ad95f5b1 100644 --- a/deploy/manifests/balancer/base/kustomization.yaml +++ b/deploy/manifests/balancer/base/kustomization.yaml @@ -5,4 +5,4 @@ resources: - namespace.yaml - deployment.yaml - service.yaml - - ingress.yaml + - httproute.yaml diff --git a/deploy/manifests/balancer/base/service.yaml b/deploy/manifests/balancer/base/service.yaml index 8f294d53..2c839248 100644 --- a/deploy/manifests/balancer/base/service.yaml +++ b/deploy/manifests/balancer/base/service.yaml @@ -7,7 +7,7 @@ metadata: spec: ports: - name: http - port: 8000 + port: 80 targetPort: 8000 selector: app: balancer diff --git a/deploy/manifests/balancer/overlays/dev/kustomization.yaml b/deploy/manifests/balancer/overlays/dev/kustomization.yaml index d3975eb2..f3e287fe 100644 --- a/deploy/manifests/balancer/overlays/dev/kustomization.yaml +++ b/deploy/manifests/balancer/overlays/dev/kustomization.yaml @@ -12,15 +12,9 @@ images: patches: - target: - kind: Ingress + kind: HTTPRoute name: balancer patch: |- - - op: add - path: /metadata/annotations/cert-manager.io~1cluster-issuer - value: letsencrypt-staging - op: replace - path: /spec/tls/0/hosts/0 - value: localhost - - op: replace - path: /spec/rules/0/host + path: /spec/hostnames/0 value: localhost From 1ea88947332a6f9e254ff589e09d083ccf71a788 Mon Sep 17 00:00:00 2001 From: Christopher Tineo Date: Sat, 21 Mar 2026 11:09:09 -0400 Subject: [PATCH 2/8] feat: configure HTTPRoute for sandbox.balancerproject.org --- deploy/manifests/balancer/base/httproute.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/manifests/balancer/base/httproute.yaml b/deploy/manifests/balancer/base/httproute.yaml index f9ca0df7..437d5d37 100644 --- a/deploy/manifests/balancer/base/httproute.yaml +++ b/deploy/manifests/balancer/base/httproute.yaml 
@@ -7,7 +7,7 @@ spec: - name: main-gateway namespace: envoy-gateway-system hostnames: - - HOSTNAME_PLACEHOLDER + - sandbox.balancerproject.org rules: - matches: - path: From 1484428bac3e67a655c1a35e4196da56d1af094b Mon Sep 17 00:00:00 2001 From: Christopher Tineo Date: Sat, 21 Mar 2026 11:38:48 -0400 Subject: [PATCH 3/8] feat: add sandbox and production overlays for HTTPRoute --- deploy/manifests/balancer/base/httproute.yaml | 2 +- .../overlays/production/kustomization.yaml | 20 +++++++++++++++++++ .../overlays/sandbox/kustomization.yaml | 20 +++++++++++++++++++ 3 files changed, 41 insertions(+), 1 deletion(-) create mode 100644 deploy/manifests/balancer/overlays/production/kustomization.yaml create mode 100644 deploy/manifests/balancer/overlays/sandbox/kustomization.yaml diff --git a/deploy/manifests/balancer/base/httproute.yaml b/deploy/manifests/balancer/base/httproute.yaml index 437d5d37..f9ca0df7 100644 --- a/deploy/manifests/balancer/base/httproute.yaml +++ b/deploy/manifests/balancer/base/httproute.yaml @@ -7,7 +7,7 @@ spec: - name: main-gateway namespace: envoy-gateway-system hostnames: - - sandbox.balancerproject.org + - HOSTNAME_PLACEHOLDER rules: - matches: - path: diff --git a/deploy/manifests/balancer/overlays/production/kustomization.yaml b/deploy/manifests/balancer/overlays/production/kustomization.yaml new file mode 100644 index 00000000..859020ae --- /dev/null +++ b/deploy/manifests/balancer/overlays/production/kustomization.yaml @@ -0,0 +1,20 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +namespace: balancer + +resources: + - ../../base + +images: + - name: ghcr.io/codeforphilly/balancer-main/app + newTag: latest + +patches: + - target: + kind: HTTPRoute + name: balancer + patch: |- + - op: replace + path: /spec/hostnames/0 + value: balancerproject.org 
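Review bot: `newTag: latest` in the new production overlay (and identically in the sandbox overlay added by this same patch) deploys a mutable tag, so what runs in the cluster is whatever was last pushed to `ghcr.io/codeforphilly/balancer-main/app` rather than a build that was reviewed, and neither an audit nor a rollback can be expressed in Git. Pin an immutable reference instead, either `newTag: <release-tag>` or `digest: sha256:<image-digest>` (both placeholders; the page shows no release identifier). At minimum the production overlay should carry a comment such as `# pinned by CI on release; do not set to latest` so the intent is explicit.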
diff --git a/deploy/manifests/balancer/overlays/sandbox/kustomization.yaml b/deploy/manifests/balancer/overlays/sandbox/kustomization.yaml
new file mode 100644
index 00000000..c609dc8b
--- /dev/null
+++ b/deploy/manifests/balancer/overlays/sandbox/kustomization.yaml
@@ -0,0 +1,20 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: balancer
+
+resources:
+ - ../../base
+
+images:
+ - name: ghcr.io/codeforphilly/balancer-main/app
+ newTag: latest
+
+patches:
+ - target:
+ kind: HTTPRoute
+ name: balancer
+ patch: |-
+ - op: replace
+ path: /spec/hostnames/0
+ value: sandbox.balancerproject.org
From 6f5088792bcd7bb3826b7b7889b021fe539a27bf Mon Sep 17 00:00:00 2001
From: Christopher Tineo
Date: Sat, 21 Mar 2026 11:41:44 -0400
Subject: [PATCH 4/8] cleanup: remove unused dev overlay
---
 .../balancer/overlays/dev/kustomization.yaml | 20 -------------------
 1 file changed, 20 deletions(-)
 delete mode 100644 deploy/manifests/balancer/overlays/dev/kustomization.yaml
diff --git a/deploy/manifests/balancer/overlays/dev/kustomization.yaml b/deploy/manifests/balancer/overlays/dev/kustomization.yaml
deleted file mode 100644
index f3e287fe..00000000
--- a/deploy/manifests/balancer/overlays/dev/kustomization.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: balancer
-
-resources:
- - ../../base
-
-images:
- - name: ghcr.io/codeforphilly/balancer-main/app
- newTag: latest
-
-patches:
- - target:
- kind: HTTPRoute
- name: balancer
- patch: |-
- - op: replace
- path: /spec/hostnames/0
- value: localhost
From 4cbb38070b68f6fdb8625219ba4d36c7ff1b2d24 Mon Sep 17 00:00:00 2001
From: Christopher Tineo Date: Sat, 18 Apr 2026 18:56:21 -0400 Subject: [PATCH 5/8] feat(gateway): implement self-service TLS via ListenerSet This change migrates the Gateway API configuration to use ListenerSets instead of attaching HTTPRoutes directly to the Gateway. This enables the self-service TLS model where the application manages its own listeners and certificates. --- .../balancer/base/gateway-listeners.yaml | 26 +++++++++++++++++++ deploy/manifests/balancer/base/httproute.yaml | 7 +++-- .../balancer/base/kustomization.yaml | 1 + 3 files changed, 30 insertions(+), 4 deletions(-) create mode 100644 deploy/manifests/balancer/base/gateway-listeners.yaml diff --git a/deploy/manifests/balancer/base/gateway-listeners.yaml b/deploy/manifests/balancer/base/gateway-listeners.yaml new file mode 100644 index 00000000..1572a1dd --- /dev/null +++ b/deploy/manifests/balancer/base/gateway-listeners.yaml @@ -0,0 +1,26 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: ListenerSet +metadata: + name: balancer-listeners + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod +spec: + parentRef: + name: main-gateway + namespace: envoy-gateway-system + group: gateway.networking.k8s.io + kind: Gateway + listeners: + - name: http + protocol: HTTP + port: 80 + hostname: HOSTNAME_PLACEHOLDER + - name: https + protocol: HTTPS + port: 443 + hostname: HOSTNAME_PLACEHOLDER + tls: + mode: Terminate + certificateRefs: + - name: balancer-tls + kind: Secret diff --git a/deploy/manifests/balancer/base/httproute.yaml b/deploy/manifests/balancer/base/httproute.yaml index f9ca0df7..1a16ce66 100644 --- a/deploy/manifests/balancer/base/httproute.yaml +++ b/deploy/manifests/balancer/base/httproute.yaml @@ -4,10 +4,9 @@ metadata: name: balancer spec: parentRefs: - - name: main-gateway - namespace: envoy-gateway-system - hostnames: - - HOSTNAME_PLACEHOLDER + - name: balancer-listeners + kind: ListenerSet + group: gateway.networking.k8s.io rules: - matches: - path: 
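Review bot: The `cert-manager.io/cluster-issuer: letsencrypt-prod` annotation is set on the base ListenerSet in gateway-listeners.yaml, so the sandbox overlay inherits the production issuer, whereas the overlay patch removed in patch 1/8 selected `letsencrypt-staging` for the non-production environment. Consider keeping the issuer per overlay, for example a sandbox patch with `op: replace`, `path: /metadata/annotations/cert-manager.io~1cluster-issuer`, `value: letsencrypt-staging`. Certificate issuance here also rests on three things the diff cannot show: that the cluster's Gateway API CRDs serve `ListenerSet` at `gateway.networking.k8s.io/v1`, that the installed cert-manager acts on this annotation for ListenerSet objects, and that `main-gateway` accepts ListenerSets from this namespace. If any of these is missing, `balancer-tls` is presumably never populated and the `https` listener has no certificate to serve, so the rollout should check the ListenerSet and Certificate status conditions.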
diff --git a/deploy/manifests/balancer/base/kustomization.yaml b/deploy/manifests/balancer/base/kustomization.yaml index ad95f5b1..13658e20 100644 --- a/deploy/manifests/balancer/base/kustomization.yaml +++ b/deploy/manifests/balancer/base/kustomization.yaml @@ -5,4 +5,5 @@ resources: - namespace.yaml - deployment.yaml - service.yaml + - gateway-listeners.yaml - httproute.yaml From cc3fbe9820810cb1e3710f13062b81c2cd3844ae Mon Sep 17 00:00:00 2001 From: Christopher Tineo Date: Sat, 18 Apr 2026 18:56:30 -0400 Subject: [PATCH 6/8] fix(gateway): update overlays to patch ListenerSet hostnames This updates the sandbox and production overlays to correctly patch the hostnames on both the ListenerSet and the HTTPRoute. --- .../overlays/production/kustomization.yaml | 16 +++++++++++++--- .../balancer/overlays/sandbox/kustomization.yaml | 16 +++++++++++++--- 2 files changed, 26 insertions(+), 6 deletions(-) diff --git a/deploy/manifests/balancer/overlays/production/kustomization.yaml b/deploy/manifests/balancer/overlays/production/kustomization.yaml index 859020ae..1a7ce9fa 100644 --- a/deploy/manifests/balancer/overlays/production/kustomization.yaml +++ b/deploy/manifests/balancer/overlays/production/kustomization.yaml @@ -12,9 +12,19 @@ images: patches: - target: - kind: HTTPRoute - name: balancer + kind: ListenerSet + name: balancer-listeners patch: |- - op: replace - path: /spec/hostnames/0 + path: /spec/listeners/0/hostname + value: balancerproject.org + - op: replace + path: /spec/listeners/1/hostname value: balancerproject.org + - target: + kind: HTTPRoute + name: balancer + patch: |- + - op: add + path: /spec/hostnames + value: ["balancerproject.org"] diff --git a/deploy/manifests/balancer/overlays/sandbox/kustomization.yaml b/deploy/manifests/balancer/overlays/sandbox/kustomization.yaml index c609dc8b..bdcf6ae8 100644 --- a/deploy/manifests/balancer/overlays/sandbox/kustomization.yaml +++ b/deploy/manifests/balancer/overlays/sandbox/kustomization.yaml 
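Review bot: The production overlay patch addresses the ListenerSet's listeners by array position (`/spec/listeners/0/hostname`, `/spec/listeners/1/hostname`), so a listener later added to base/gateway-listeners.yaml keeps `HOSTNAME_PLACEHOLDER` unless every overlay is updated in step. The same hostname is also now written three times in this overlay, and a fourth time once patch 8/8 adds the redirect route; a mismatch between listener and route hostnames would leave the route unattached rather than fail the build. The sandbox hunk in this patch and both hunks of patch 8/8 have the same shape. At minimum, add a comment above the ListenerSet patch such as `# listeners/0 = http, listeners/1 = https in base/gateway-listeners.yaml; keep all hostname values in this file identical`.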
@@ -12,9 +12,19 @@ images: patches: - target: - kind: HTTPRoute - name: balancer + kind: ListenerSet + name: balancer-listeners patch: |- - op: replace - path: /spec/hostnames/0 + path: /spec/listeners/0/hostname + value: sandbox.balancerproject.org + - op: replace + path: /spec/listeners/1/hostname value: sandbox.balancerproject.org + - target: + kind: HTTPRoute + name: balancer + patch: |- + - op: add + path: /spec/hostnames + value: ["sandbox.balancerproject.org"] From b9c95913e656b99296d44af4735e3aba68413c48 Mon Sep 17 00:00:00 2001 From: Christopher Tineo Date: Sat, 18 Apr 2026 18:59:05 -0400 Subject: [PATCH 7/8] feat(gateway): implement HTTP to HTTPS redirect via ListenerSet This adds a redirect HTTPRoute targeting the port 80 listener of the ListenerSet, ensuring all HTTP traffic is upgraded to HTTPS. The main HTTPRoute is now pinned to the port 443 listener. --- deploy/manifests/balancer/base/httproute.yaml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/deploy/manifests/balancer/base/httproute.yaml b/deploy/manifests/balancer/base/httproute.yaml index 1a16ce66..c8fef0fe 100644 --- a/deploy/manifests/balancer/base/httproute.yaml +++ b/deploy/manifests/balancer/base/httproute.yaml @@ -1,5 +1,24 @@ apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute +metadata: + name: balancer-redirect +spec: + parentRefs: + - name: balancer-listeners + kind: ListenerSet + group: gateway.networking.k8s.io + sectionName: http + hostnames: + - HOSTNAME_PLACEHOLDER + rules: + - filters: + - type: RequestRedirect + requestRedirect: + scheme: https + statusCode: 301 +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute metadata: name: balancer spec: @@ -7,6 +26,9 @@ spec: - name: balancer-listeners kind: ListenerSet group: gateway.networking.k8s.io + sectionName: https + hostnames: + - HOSTNAME_PLACEHOLDER rules: - matches: - path: From fb7b270c8fde8fcbf9c5dcf529f5b5ef04a26e4e Mon Sep 17 00:00:00 2001 
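Review bot: Nothing in the `balancer` route that the second httproute.yaml hunk pins to `sectionName: https` tells browsers to stay on HTTPS, so the 301 added on the `http` listener only protects clients after their first cleartext request has already been sent. If the application does not already emit `Strict-Transport-Security`, consider a `ResponseHeaderModifier` filter on the `balancer` route's rule, as sketched below; the max-age is an example value to be chosen deliberately, since browsers cache it. The rule's `matches` and `backendRefs` continue past the end of the hunk, so the exact placement needs checking against the full file.

```yaml
  rules:
    - matches:
        # … unchanged: PathPrefix / match …
      filters:
        - type: ResponseHeaderModifier
          responseHeaderModifier:
            set:
              - name: Strict-Transport-Security
                value: max-age=31536000
      # … unchanged: backendRefs to balancer on port 80 …
```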
From: Christopher Tineo Date: Sat, 18 Apr 2026 18:59:11 -0400 Subject: [PATCH 8/8] fix(gateway): patch hostname for redirect HTTPRoute in overlays Updates the sandbox and production overlays to ensure the hostname is also patched on the new balancer-redirect HTTPRoute. --- .../balancer/overlays/production/kustomization.yaml | 7 +++++++ .../manifests/balancer/overlays/sandbox/kustomization.yaml | 7 +++++++ 2 files changed, 14 insertions(+) diff --git a/deploy/manifests/balancer/overlays/production/kustomization.yaml b/deploy/manifests/balancer/overlays/production/kustomization.yaml index 1a7ce9fa..1386e907 100644 --- a/deploy/manifests/balancer/overlays/production/kustomization.yaml +++ b/deploy/manifests/balancer/overlays/production/kustomization.yaml @@ -28,3 +28,10 @@ patches: - op: add path: /spec/hostnames value: ["balancerproject.org"] + - target: + kind: HTTPRoute + name: balancer-redirect + patch: |- + - op: add + path: /spec/hostnames + value: ["balancerproject.org"] diff --git a/deploy/manifests/balancer/overlays/sandbox/kustomization.yaml b/deploy/manifests/balancer/overlays/sandbox/kustomization.yaml index bdcf6ae8..c9e9b4ea 100644 --- a/deploy/manifests/balancer/overlays/sandbox/kustomization.yaml +++ b/deploy/manifests/balancer/overlays/sandbox/kustomization.yaml @@ -28,3 +28,10 @@ patches: - op: add path: /spec/hostnames value: ["sandbox.balancerproject.org"] + - target: + kind: HTTPRoute + name: balancer-redirect + patch: |- + - op: add + path: /spec/hostnames + value: ["sandbox.balancerproject.org"]