feat: multiple gateway support #1637

Open
pawan-bobbili-ntnx wants to merge 2 commits into master from istio_multiple_gateway

pawan-bobbili-ntnx commented Feb 18, 2026

What type of PR is this?
Feature to support multiple gateways in istio-helm.

Problem Statement:
The legacy Istio Operator (IstioOperator CRD) natively supported defining multiple gateways (ingress, egress, east-west) from a single configuration:

# Old IstioOperator CRD approach
istioOperator:
  components:
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        hpaSpec:
          minReplicas: 2
        priorityClassName: "dkp-critical-priority"
    egressGateways:
    - name: istio-egressgateway
      enabled: true
      k8s:
        service:
          type: ClusterIP

When we migrated from the Istio Operator to istio-helm, the upstream Istio gateway Helm subchart (charts/gateway) only supports a single gateway per chart release. This means customers who previously ran multiple gateways (e.g., ingress + egress, or ingress + east-west) lost the ability to define them from a single values override and would need to deploy separate Helm releases for each gateway.

Solution Approach:
This PR introduces gateway.additional_gateways in the istio-helm-gateway wrapper chart that restores multi-gateway parity with the old Istio Operator — all from a single Helm release and a single values override, while keeping the primary gateway completely unchanged.

  • Fully backward compatible: The gateway: block and its default (enabled: true) are preserved exactly as-is. The existing cm.yaml in kommander-applications requires zero changes.
  • Additive, not exclusive: The primary gateway (subchart) and additional gateways (wrapper templates) work together — no need to disable one for the other.
  • Per-gateway resources: Each enabled entry in additional_gateways produces a complete set of Kubernetes resources: Deployment, Service, HPA, ServiceAccount, Role, RoleBinding, and PodDisruptionBudget.
  • Nil-safe: All wrapper templates are guarded so they safely no-op when gateways is empty, null, or undefined.

Operator -> Helm Mapping:

| IstioOperator CRD | New Helm gateway.additional_gateways |
| --- | --- |
| components.ingressGateways[].name | gateway.additional_gateways[].name |
| components.ingressGateways[].enabled | gateway.additional_gateways[].enabled |
| components.ingressGateways[].k8s.hpaSpec.minReplicas | gateway.additional_gateways[].autoscaling.minReplicas |
| components.ingressGateways[].k8s.priorityClassName | gateway.additional_gateways[].priorityClassName |
| components.ingressGateways[].k8s.service.type | gateway.additional_gateways[].service.type |
| components.ingressGateways[].k8s.service.ports | gateway.additional_gateways[].service.ports |
| components.ingressGateways[].k8s.nodeSelector | gateway.additional_gateways[].nodeSelector |
| components.ingressGateways[].k8s.tolerations | gateway.additional_gateways[].tolerations |
| components.ingressGateways[].k8s.resources | gateway.additional_gateways[].resources |
| components.egressGateways[*] | Same fields with service.type: ClusterIP |

How To Use Multiple Gateways:

gateway:
  # Primary gateway — no changes needed, works as before
  revision: "istio-helm"
  name: istio-helm-ingressgateway
  autoscaling:
    enabled: true
    minReplicas: 2
    maxReplicas: 2
  labels:
    istio: istio-helm-ingressgateway
  service:
    ports:
      - port: 15021
        targetPort: 15021
        protocol: TCP
        name: status-port
      - port: 80
        targetPort: 8080
        protocol: TCP
        name: http2
      - port: 443
        targetPort: 8443
        protocol: TCP
        name: https

  # Add additional gateways here
  additional_gateways:
    - name: istio-helm-egressgateway
      enabled: true
      revision: "istio-helm"
      labels:
        istio: istio-helm-egressgateway
      service:
        type: ClusterIP
        ports:
          - port: 80
            targetPort: 8080
            protocol: TCP
            name: http2
          - port: 443
            targetPort: 8443
            protocol: TCP
            name: https
      autoscaling:
        enabled: true
        minReplicas: 1
        maxReplicas: 3
      priorityClassName: "dkp-critical-priority"

Each entry only needs to specify what differs from defaults (charts/gateway/values.yaml) — the rest is inherited automatically (resources, security context, Prometheus pod annotations, RBAC, etc.).

Which issue(s) this PR fixes:
https://jira.nutanix.com/browse/NCN-112392

Special notes for your reviewer:

Does this PR introduce a user-facing change?:


Checklist

  • If a chart is changed, the chart version is correctly incremented.
  • The commit message explains the changes and why they are needed.
  • The code builds and passes lint/style checks locally.
  • The relevant subset of integration tests pass locally.
  • The core changes are covered by tests.
  • The documentation is updated where needed.
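
The Operator -> Helm mapping table in the description above, applied in code as an added example (not part of the PR or the chart): it converts IstioOperator `components` into `gateway.additional_gateways` entries and lists every `k8s` field the table does not cover, so a migration does not drop a setting silently. The function names, the sample input, and defaulting an egress gateway to `ClusterIP` when no service type is set are assumptions.

```python
import copy
# Path under `k8s` in an IstioOperator gateway -> path in the Helm entry (PR table).
K8S_FIELD_MAP = {
    ("hpaSpec", "minReplicas"): ("autoscaling", "minReplicas"),
    ("priorityClassName",): ("priorityClassName",),
    ("service", "type"): ("service", "type"),
    ("service", "ports"): ("service", "ports"),
    ("nodeSelector",): ("nodeSelector",),
    ("tolerations",): ("tolerations",),
    ("resources",): ("resources",),
}

def _leaves(node, prefix=()):
    """Yield (path, value) pairs, treating mapped paths as leaves."""
    for key, value in node.items():
        path = prefix + (key,)
        if path in K8S_FIELD_MAP or not isinstance(value, dict):
            yield path, value
        else:
            yield from _leaves(value, path)

def convert(components):
    """Return (additional_gateways, unmapped_fields) for a components dict."""
    gateways, unmapped = [], []
    for kind in ("ingressGateways", "egressGateways"):
        for entry in components.get(kind) or []:
            out = {k: entry[k] for k in ("name", "enabled") if k in entry}
            for path, value in _leaves(entry.get("k8s") or {}):
                dest = K8S_FIELD_MAP.get(path)
                if dest is None:  # not in the table: report, do not drop
                    unmapped.append(f"{entry['name']}: k8s.{'.'.join(path)}")
                    continue
                target = out
                for key in dest[:-1]:
                    target = target.setdefault(key, {})
                target[dest[-1]] = copy.deepcopy(value)
            if kind == "egressGateways":
                # Assumption: keep egress cluster-internal when type is unset.
                out.setdefault("service", {}).setdefault("type", "ClusterIP")
            gateways.append(out)
    return gateways, unmapped

# Constructed sample modelled on the PR's "old approach" snippet.
SAMPLE = {
    "ingressGateways": [{"name": "istio-ingressgateway", "enabled": True, "k8s": {
        "hpaSpec": {"minReplicas": 2, "maxReplicas": 5},
        "priorityClassName": "dkp-critical-priority",
        "securityContext": {"runAsNonRoot": True}}}],
    "egressGateways": [{"name": "istio-egressgateway", "enabled": True, "k8s": {}}],
}
```

Fields returned in the second list (here `hpaSpec.maxReplicas` and `securityContext.runAsNonRoot`) are absent from the mapping table and need a manual decision before the override is applied.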
