
Envoy Gateway support#798

Open
theboringstuff wants to merge 14 commits intomainfrom
feature/envoy-gateway-support

Conversation

@theboringstuff
Collaborator

@theboringstuff theboringstuff commented Mar 19, 2026

Description

It is required to support the Envoy Gateway plugin. Also, it should be possible to configure HAProxy to target Envoy instead of Ingress-NGINX. Also, the dashboard Ingress should be migrated to HTTPRoute.

Solution

  • Manually added copies of qubership Envoy Gateway chart version 2.2.0 to KubeMarine
    • There is currently no automation in scripts/thirdparties/sync.py to download Envoy Gateway charts, charts should be downloaded manually. Sync takes downloaded chart and simply updates images versions in compatibility map.
  • Added envoy-gateway plugin
    • It is not installed by default.
    • It allows configuring the installation namespace, chart release name and CR chart release name
    • PSS labels are configured for the namespace
    • Backend and EnvoyPatchPolicy extensions are enabled by default
    • Only external gateway is installed by default, internal one is disabled.
    • Certificates could be specified for External Gateway, in this case HTTPS listener is added
    • External Gateway service uses ClusterIP type.
    • External Gateway is daemonset with envoy-external-gateway name
    • ClientTrafficPolicy allows underscore in headers and adds X-Forwarded-Host header with respective value
    • Images registry could be specified as usual, but there is dedicated kubectlRegistry option for qubership kubectl image from ghcr.io
    • User can overwrite chart values using valuesOverride and crValuesOverride
  • Added services.loadbalancer.target_backend option, which allows to select who should take HAProxy target_ports - either nginx (default) or envoy.
  • Added HTTPRoute for dashboard, which is created if Envoy Gateway is installed. Also Dashboard ingress now has converter ignore annotation.
  • All procedures are impacted by these changes, but following especially:
    • install should now install envoy-gateway and dashboard HTTPRoute (if envoy is enabled)
    • upgrade should support envoy-gateway upgrade, but currently there is no new envoy-gateway version to upgrade to
    • cert_renew should support adding/renewing envoy-gateway certificates
    • migrate_kubemarine should support envoy-gateway patches, but currently there is no patch
    • check_paas checks were extended to also check envoy-gateway
    • scripts/thirdparties/sync.py should support envoy-gateway in compatibility map, but chart should be downloaded manually
  • Build process was updated to include Envoy Gateway resources
  • CI process was updated to install Envoy Gateway
  • Existing tests were adjusted to new changes, but no new tests were added
  • Updated documentation
    • Highlight that Envoy Gateway is recommended and Nginx is not recommended
    • Highlight supported configuration options for Envoy Gateway plugins
    • Highlight new option services.loadbalancer.target_backend

Test Cases

Test case 1

Install KubeMarine cluster as usual, using Ingress-NGINX, without enabling Envoy plugin.

Installation should succeed and the cluster should work normally.

Test case 2

Install KubeMarine cluster with the following additional configuration (do not change anything else)

rbac:
  accounts:
  - name: superadmin
    role: cluster-admin
  admission: pss
  pss:
    pod-security: enabled
    defaults:
      enforce: restricted
      enforce-version: latest
      audit: restricted
      audit-version: latest
      warn: restricted
      warn-version: latest
    exemptions:
      usernames: []
      runtimeClasses: []
      namespaces: ["kube-system"]

plugins:
  envoy-gateway:
    install: true
    externalGateway:
      hostPorts:
        http: 80
        https: 443
      certificate:
        cert: |
          -----BEGIN CERTIFICATE-----
          ..... skipped ....
          -----END CERTIFICATE-----
        key: |-
          -----BEGIN RSA PRIVATE KEY-----
          .... skipped ....
          -----END RSA PRIVATE KEY-----

Cluster should be installed with both Ingress-NGINX and Envoy Gateway. Ingress-NGINX should continue to work as LB backend, Ingresses should work as usual. Envoy Gateway should be accessible on ports 80/443

Test case 3

Install KubeMarine cluster with the following additional configuration (do not change anything else)

rbac:
  accounts:
  - name: superadmin
    role: cluster-admin
  admission: pss
  pss:
    pod-security: enabled
    defaults:
      enforce: restricted
      enforce-version: latest
      audit: restricted
      audit-version: latest
      warn: restricted
      warn-version: latest
    exemptions:
      usernames: []
      runtimeClasses: []
      namespaces: ["kube-system"]

services:
  loadbalancer:
    target_backend: "envoy"

plugins:
  envoy-gateway:
    install: true
    externalGateway:
      certificate:
        cert: |
          -----BEGIN CERTIFICATE-----
          ..... skipped ....
          -----END CERTIFICATE-----
        key: |-
          -----BEGIN RSA PRIVATE KEY-----
          .... skipped ....
          -----END RSA PRIVATE KEY-----

Cluster should be installed with both Ingress-NGINX and Envoy Gateway. Envoy Gateway will be used as LB backend, HTTPRoutes should become accessible (e.g. dashboard) instead of Ingresses. Ingresses should stop working. Ingress-NGINX pods should not use 20080/20443 hostPorts, instead they should be used by Envoy external Gateway pods. Verify check_paas procedure succeeds.

Test case 4

Renew Envoy Gateway certificates using cert_renew procedure.

Checklist

  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • There are no breaking changes, or a migration patch is provided
  • Integration CI passed
  • Unit tests. If Yes list of new/changed tests with brief description
  • There are no merge conflicts
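The PR adds the services.loadbalancer.target_backend option and the envoy-gateway plugin, and test case 3 spells out which pods must own hostPorts 20080/20443. The check below is an added example, not code from the PR or from KubeMarine: it takes a parsed inventory (as a dict), resolves the effective target backend using the default rule quoted in the review thread, and flags the inconsistent combinations (target backend not installed, both backends disabled, half-configured certificate, port collision). The plugin key `nginx-ingress-controller` and its `install` flag, and the default values of both plugins, are assumptions taken from the thread and description.

```python
# Defaults as described in the PR: nginx is installed unless disabled, envoy-gateway is not.
DEFAULT_INSTALL = {"nginx-ingress-controller": True, "envoy-gateway": False}
TARGET_PORTS = {20080, 20443}  # HAProxy target_ports on worker nodes (test case 3)


def plugin_installed(inventory: dict, name: str) -> bool:
    """`install` flag of a plugin, falling back to the documented default (assumed key)."""
    plugin = inventory.get("plugins", {}).get(name) or {}
    return bool(plugin.get("install", DEFAULT_INSTALL[name]))


def effective_target_backend(inventory: dict) -> str:
    """Explicit services.loadbalancer.target_backend wins; otherwise the default rule
    from the reviewed haproxy config: nginx if its plugin is installed, else envoy."""
    explicit = inventory.get("services", {}).get("loadbalancer", {}).get("target_backend")
    if explicit is not None:
        return str(explicit)
    return "nginx" if plugin_installed(inventory, "nginx-ingress-controller") else "envoy"


def validate_target_backend(inventory: dict) -> list[str]:
    """Findings that would leave target_ports unserved, double-bound or half-configured."""
    findings: list[str] = []
    backend = effective_target_backend(inventory)
    nginx_on = plugin_installed(inventory, "nginx-ingress-controller")
    envoy_on = plugin_installed(inventory, "envoy-gateway")
    if backend not in ("nginx", "envoy"):
        return [f"target_backend must be 'nginx' or 'envoy', got {backend!r}"]
    if backend == "envoy" and not envoy_on:
        findings.append("target_backend is 'envoy' but plugins.envoy-gateway.install is not true")
    if backend == "nginx" and not nginx_on:
        findings.append("target_backend is 'nginx' but nginx-ingress-controller is disabled")
    if not nginx_on and not envoy_on:
        findings.append("neither nginx nor envoy is installed: nothing listens on target_ports")
    gateway = (inventory.get("plugins", {}).get("envoy-gateway") or {}).get("externalGateway", {})
    cert = gateway.get("certificate", {})
    if envoy_on and bool(cert.get("cert")) != bool(cert.get("key")):
        findings.append("externalGateway.certificate needs both cert and key for the HTTPS listener")
    # nginx keeps target_ports, so the external gateway must not bind the same host ports.
    if backend == "nginx" and envoy_on and TARGET_PORTS & set(gateway.get("hostPorts", {}).values()):
        findings.append("envoy hostPorts overlap target_ports while nginx is the target backend")
    return findings


# Constructed sample: the inventory fragment of test case 3 (rbac section omitted, PEM bodies stubbed).
TEST_CASE_3 = {
    "services": {"loadbalancer": {"target_backend": "envoy"}},
    "plugins": {"envoy-gateway": {"install": True, "externalGateway": {
        "certificate": {"cert": "<cert PEM>", "key": "<key PEM>"}}}},
}

if __name__ == "__main__":
    print(effective_target_backend(TEST_CASE_3), validate_target_backend(TEST_CASE_3))
```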

@theboringstuff theboringstuff force-pushed the feature/envoy-gateway-support branch from 4042218 to a5816ab on March 19, 2026 09:11
@theboringstuff theboringstuff marked this pull request as ready for review March 27, 2026 08:01
@alexarefev
Collaborator

Are we going to provide any description how to migrate from nginx-ingress-controller to envoy-gateway?

@theboringstuff
Collaborator Author

Are we going to provide any description how to migrate from nginx-ingress-controller to envoy-gateway?

I think we will need to update our Gateway API Migration documentation. I forgot to do it as part of this activity; I suggest doing it in a separate activity, since these changes have become too big.

keep_configs_updated: True
maintenance_mode: False
mntc_config_location: '/etc/haproxy/haproxy_mntc.cfg'
# By default, target backend is "nginx" if nginx plugin is enabled, otherwise it is "envoy"

There is no obligation to install envoy or nginx. They could be both disabled


###### target_backend

This section describes who should lister `target_ports` on worker nodes, either `nginx` or `envoy`. Default is `nginx` for backward compatibility, but it is recommended to use `envoy`.

Some reference to migration from nginx to envoy gateway is needed
