docs(networking): Cilium Gateway API — architecture, security, migration

[lexfrei]

What this PR does

Adds a new networking/gateway-api.md page to the next/ docs trunk describing the Cilium-backed Gateway API feature that lands in cozystack/cozystack#2470 (and its dependency stack on #2464 / #2468).

The page is intentionally detailed because the feature introduces:

• a new platform-level toggle (gateway.enabled) and a new tenant-level toggle (tenant.spec.gateway);
• a migration away from ingress-nginx for every cozystack-native exposed service (dashboard, keycloak via HTTPRoute; kubeapiserver, vm-exportproxy, cdi-uploadproxy via TLSRoute passthrough; harbor and bucket attached to per-tenant Gateways);
• a new per-tenant cert-manager Issuer that gives every tenant an isolated ACME account, so child tenants no longer share HTTP-01 state with the parent;
• a four-layer runtime admission defence against cross-tenant hostname hijacking (cozystack-gateway-hostname-policy, cozystack-tenant-host-policy, cozystack-namespace-host-label-policy, cozystack-gateway-attached-namespaces-policy) plus the listener allowedRoutes namespace whitelist;
• a render-time safety net against misconfiguring publishing.gateway.attachedNamespaces with tenant namespaces.

Sections:

• Overview — one-paragraph summary, opt-in defaults, coexistence with ingress-nginx.
• Architecture — traffic-path mermaid, listener layout per tenant Gateway.
• Enabling Gateway API — platform-level Package example and per-tenant Tenant example, with full attachedNamespaces list.
• Per-service routing — tables for HTTPRoute (termination) and TLSRoute (passthrough), mapping service → namespace → route name → backend → listener.
• Security — mermaid diagram and one paragraph per admission layer, explaining what each one enforces and what is explicitly left to trust boundaries (cluster-admin credentials, DNS control, shared LB IP pool).
• Certificates — per-tenant Issuer, supported ACME servers, Let's Encrypt rate limits and mitigations.
• Migration from ingress-nginx — step-by-step for new and existing clusters.
• Known limitations — shared IP pool, TLSRoute v1alpha2, tenant.spec.host admin responsibility, upstream application gaps.
• Troubleshooting — concrete kubectl commands for the four most likely "stuck" states.
• See also — upstream Gateway API, Cilium docs, KEP-5707, Let's Encrypt rate-limits.

Target branch

next/ — the version-agnostic trunk. When cozystack/cozystack#2470 lands in a minor release, this page ships with that version's docs automatically.

Not included

The legacy v1/networking/gateway-api.md page on the abandoned docs/gateway-api branch (from the Envoy Gateway proposal in cozystack/cozystack#2213) is unrelated to this PR. That PR proposed a different architecture that has since been superseded. This PR ships fresh docs for the new Cilium-based design.

Release note

NONE

Summary by CodeRabbit

• Documentation
  • New Gateway API guide covering the Cilium-based, opt‑in platform + per‑tenant gateway model, per‑tenant HTTPRoute/TLSRoute rendering, SNI passthrough vs HTTPS termination, and per‑tenant LoadBalancer IP publication.
  • Platform package docs: publishing.exposure modes and new gateway enablement and attachedNamespaces configuration.
  • Cert‑manager per‑tenant Issuer/wildcard guidance, Let’s Encrypt prod/stage mapping, rate‑limit mitigations, migration steps, security controls, and operational troubleshooting.

[netlify]

✅ Deploy Preview for cozystack ready!

Name	Link
🔨 Latest commit	6888f84
🔍 Latest deploy log	https://app.netlify.com/projects/cozystack/deploys/69ef55e17c47b40008d161a0
😎 Deploy Preview	https://deploy-preview-509--cozystack.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds documentation and platform configuration for a Cilium-based Gateway API: platform opt-in plus per-tenant Gateways, Envoy DaemonSet for TLS termination and passthrough, tenant-scoped load balancer IPs, cert-manager Issuers, validating admission policies, migration notes, and troubleshooting.

Changes

Cohort / File(s)	Summary
Gateway API Documentation content/en/docs/next/networking/gateway-api.md	New comprehensive guide for the Cilium Gateway API: platform and per-tenant opt-in, Gateway/GatewayClass model, HTTPRoute/TLSRoute behavior (including SNI passthrough and coexisting listeners), Envoy DaemonSet, tenant-scoped CiliumLoadBalancerIPPool, cert-manager Issuer/certificate setup (prod/stage) and rate-limit knobs, four ValidatingAdmissionPolicies plus allowedRoutes namespace whitelist and render-time guard, ingress-nginx coexistence/migration, and troubleshooting steps.
Platform package docs / schema content/en/docs/next/operations/configuration/platform-package.md	Adds publishing.exposure docs and updates platform package reference with new gateway.enabled and gateway.attachedNamespaces fields; documents how publishing modes map to Service types (externalIPs vs LoadBalancer) and cites fail-fast/validation behaviors.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Platform as Platform Helm/Values
    participant Kubernetes
    participant Tenant as Tenant Namespace
    participant CertManager
    participant Envoy as Cilium Envoy DaemonSet
    participant LBPool as CiliumLoadBalancerIPPool

    User->>Platform: enable gateway.enabled
    Platform->>Kubernetes: apply GatewayClass, admission policies, values
    User->>Kubernetes: create tenant with spec.gateway: true
    Kubernetes->>Tenant: render Gateway, HTTPRoute/TLSRoute, Issuer, Certificate
    Tenant->>CertManager: request ACME certificate (prod/stage)
    CertManager-->>Tenant: certificate issued
    Kubernetes->>LBPool: allocate tenant load balancer IP
    Envoy->>Kubernetes: attach/listen (HTTPS + TLS passthrough listeners)
    User->>Envoy: client traffic (terminate or passthrough)
    Envoy->>Tenant: route to services per HTTPRoute/TLSRoute

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped through Gateways, wild and neat,

Per-tenant doors open, certs tidy and sweet,
Envoy hums by each namespace street,
LB IPs lined up, admission checks meet,
I left a nibble of docs — a crunchy treat.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the primary content addition—a comprehensive Gateway API documentation page covering architecture, security model, and migration path from ingress-nginx.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch docs/gateway-api-cilium

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request introduces comprehensive documentation for the Gateway API support in Cozystack, detailing its architecture, security model, and migration path from ingress-nginx. The review feedback identifies opportunities to improve technical accuracy and consistency, specifically by clarifying that namespace whitelisting applies to both HTTPRoute and TLSRoute resources and resolving a naming inconsistency for the Kubernetes API route.

[gemini-code-assist]

The documentation mentions that attachedNamespaces restricts HTTPRoute attachments. However, the architecture also utilizes TLSRoute for services like the Kubernetes API and KubeVirt proxies (as shown in the routing tables). It would be more accurate to state that this list applies to both HTTPRoute and TLSRoute (or Gateway API routes in general).

Suggested change

	The `attachedNamespaces` list restricts which namespaces may attach `HTTPRoute`s to tenant Gateways through the listener `allowedRoutes` whitelist (see [Security](#security)). It is also guarded by a runtime `ValidatingAdmissionPolicy` that rejects any `tenant-*` entry.
	The attachedNamespaces list restricts which namespaces may attach HTTPRoutes and TLSRoutes to tenant Gateways through the listener allowedRoutes whitelist (see [Security](#security)). It is also guarded by a runtime ValidatingAdmissionPolicy that rejects any tenant-* entry.

[lexfrei]

Fixed in 1ea0093: the paragraph now says HTTPRoute or TLSRoute. The allowedRoutes whitelist on the listener is route-kind-agnostic, so in practice it restricts every route type that attaches to the Gateway — including the TLSRoutes used for the Kubernetes API, vm-exportproxy, and cdi-uploadproxy.

[gemini-code-assist]

There is an inconsistency in naming the Kubernetes API route. It is referred to as cozystack-api in the Mermaid diagram (line 27) and the migration section (line 265), but as kubernetes-api in this table. Using a consistent name throughout the document would improve clarity.

Suggested change

	| Kubernetes API | `default` | `kubernetes-api` | `kubernetes:443` | `tls-api` |
	| Kubernetes API | default | cozystack-api | kubernetes:443 | tls-api |

[lexfrei]

Fixed in dcb805c by aligning the Mermaid diagram to the real resource name. The TLSRoute is literally named kubernetes-api (see packages/system/cozystack-api/templates/api-tlsroute.yaml), so the table at line 144 is the source of truth. cozystack-api in the diagram referred to the cozystack package that ships this route, which was misleading. The diagram now says kubernetes-api and the migration prose clarifies the relationship (cozystack-api (Kubernetes API)).

[gemini-code-assist]

Similar to the comment on line 101, this section should clarify that the whitelist applies to both HTTPRoute and TLSRoute, as both are used in the described architecture.

Suggested change

	The whitelist is the publishing tenant's namespace (always, implicit) plus `publishing.gateway.attachedNamespaces`. A namespace outside the list literally cannot attach any `HTTPRoute` to the Gateway.
	The whitelist is the publishing tenant's namespace (always, implicit) plus publishing.gateway.attachedNamespaces. A namespace outside the list literally cannot attach any HTTPRoute or TLSRoute to the Gateway.

[lexfrei]

Fixed in e15d865: the Layer 1 description now explicitly says HTTPRoute or TLSRoute. Same root cause as the line 101 comment — the listener-level whitelist applies to every route kind attaching to that listener.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@content/en/docs/next/networking/gateway-api.md`:
- Line 56: The in-page anchor "#tls-passthrough" in the sentence "Plus one extra
listener per TLS-passthrough service (see [TLS passthrough](`#tls-passthrough`)
below)" doesn't match the actual heading ID; locate the "TLS passthrough"
section heading in this document and either rename that heading (or add an
explicit HTML anchor/id) to produce the ID tls-passthrough, or update the link
fragment to the existing heading ID (for example whatever the generated slug
is); ensure the link target and the heading ID for the TLS passthrough section
are identical so the anchor works.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1a003edc-54d7-4122-a90c-e40d9592e1c7

📥 Commits

Reviewing files that changed from the base of the PR and between 5415111 and 2a68b49.

📒 Files selected for processing (1)

• content/en/docs/next/networking/gateway-api.md

[myasnikovdaniil]

No explanation of publishing.exposure flag in platform package, needs to be added

[lexfrei]

@myasnikovdaniil Added a publishing.exposure subsection to the Migration section in 927ca5f.

It covers what the flag does (ingress-nginx Service shape: ClusterIP+externalIPs vs LoadBalancer), why a Gateway API rollout is the natural moment to flip it (so ingress-nginx and the per-tenant Gateway draw from the same Cilium-managed pool), the KEP-5707 deprecation timeline that forces the move before Kubernetes v1.40, and the loadBalancer-mode caveats lifted from the platform values.yaml: non-empty publishing.externalIPs, externalTrafficPolicy: Local, no built-in Cilium announcement, brief ingress interruption when switching, and the scope limit to ingress-nginx (vpn and similar still need separate migration).

[myasnikovdaniil]

Platform parameters must also land into platform package reference

[lexfrei]

@myasnikovdaniil Done — added the platform parameters to the Platform Package Reference in 6888f84:

• publishing.exposure row in the Publishing table.
• New Gateway section between Authentication and Scheduling with gateway.enabled and gateway.attachedNamespaces, including the default whitelist verbatim.

Schema was verified against packages/core/platform/values.yaml on chore/gateway-api-crds-v1.5.1 (the parent PR is not yet merged). Side note: that verification surfaced one inconsistency in the Gateway API page itself — Layer 1 of the Security section called the whitelist publishing.gateway.attachedNamespaces, while the actual key is the root-level gateway.attachedNamespaces (consumed at packages/core/platform/templates/apps.yaml as .Values.gateway.attachedNamespaces). Fixed in 7db740b. The publishing.gateway path also appears in the upstream PR description and packages/extra/gateway/README.md; might be worth a one-line nit upstream.

The branch was rebased onto main to pick up the latest telemetry fixes, so SHAs from earlier comments shifted (10b1e7c1 → 927ca5f).

[coderabbitai]

🧹 Nitpick comments (2)

content/en/docs/next/operations/configuration/platform-package.md (2)

108-108: Minor: Consider consistent spelling variant.

Line 108 uses "Materialising" (British English). While both variants are correct, using consistent spelling throughout the documentation improves polish. Consider "Materializing" if the project prefers American English, or keep the current form if British English is the standard.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@content/en/docs/next/operations/configuration/platform-package.md` at line
108, The documentation uses the British English spelling "Materialising" in the
description for `gateway.enabled`; update that word to the project's chosen
variant (e.g., change "Materialising" to "Materializing") for consistency with
the rest of the docs—edit the text in the `gateway.enabled` description to the
preferred spelling.

---

66-66: Consider breaking up the dense table description for better scannability.

The publishing.exposure description packs mode definitions, deprecation timeline, validation behavior, and a caveat link into a single paragraph. Users scanning the table may miss the critical deprecation warning or the fail-fast validation note.

♻️ Suggested restructure for improved readability

-| `publishing.exposure` | `"externalIPs"` | Mode for the ingress-nginx Service. `externalIPs` creates a `ClusterIP` Service with `Service.spec.externalIPs` populated from `publishing.externalIPs`. `loadBalancer` creates a `type: LoadBalancer` Service backed by a `CiliumLoadBalancerIPPool` populated with the same addresses. `Service.spec.externalIPs` is deprecated upstream in Kubernetes v1.36 ([KEP-5707][kep-5707]) — switch to `loadBalancer` before upgrading past v1.40. The chart fails fast if `loadBalancer` is set with an empty `publishing.externalIPs`. See [Gateway API → ingress-nginx Service mode]({{% ref "/docs/next/networking/gateway-api#publishingexposure--ingress-nginx-service-mode" %}}) for the full caveat list. |
+| `publishing.exposure` | `"externalIPs"` | Mode for the ingress-nginx Service.<br/><br/>`externalIPs`: Creates a `ClusterIP` Service with `Service.spec.externalIPs` populated from `publishing.externalIPs`.<br/><br/>`loadBalancer`: Creates a `type: LoadBalancer` Service backed by a `CiliumLoadBalancerIPPool` using the same addresses.<br/><br/>**Deprecation notice:** `Service.spec.externalIPs` is deprecated in Kubernetes v1.36 ([KEP-5707][kep-5707]). Switch to `loadBalancer` before upgrading to v1.40.<br/><br/>**Validation:** The chart returns an error if `loadBalancer` is set with an empty `publishing.externalIPs`.<br/><br/>See [Gateway API → ingress-nginx Service mode]({{% ref "/docs/next/networking/gateway-api#publishingexposure--ingress-nginx-service-mode" %}}) for additional caveats. |

This uses <br/> tags (permitted by unsafe: true Goldmark config) to create visual breaks within the table cell, making each concept easier to locate.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@content/en/docs/next/operations/configuration/platform-package.md` at line
66, The table cell for publishing.exposure is too dense; split its single
paragraph into separate sentences or lines (using permitted <br/> tags) that
each cover: the two modes and what they do (externalIPs vs loadBalancer and that
loadBalancer uses CiliumLoadBalancerIPPool), the deprecation of
Service.spec.externalIPs (KEP-5707) with the upgrade advice to switch before
v1.40, the validation/fail-fast behavior when loadBalancer is set but
publishing.externalIPs is empty, and the link to Gateway API → ingress-nginx
Service mode, so readers can scan and find the deprecation and validation notes
quickly.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@content/en/docs/next/operations/configuration/platform-package.md`:
- Line 108: The documentation uses the British English spelling "Materialising"
in the description for `gateway.enabled`; update that word to the project's
chosen variant (e.g., change "Materialising" to "Materializing") for consistency
with the rest of the docs—edit the text in the `gateway.enabled` description to
the preferred spelling.
- Line 66: The table cell for publishing.exposure is too dense; split its single
paragraph into separate sentences or lines (using permitted <br/> tags) that
each cover: the two modes and what they do (externalIPs vs loadBalancer and that
loadBalancer uses CiliumLoadBalancerIPPool), the deprecation of
Service.spec.externalIPs (KEP-5707) with the upgrade advice to switch before
v1.40, the validation/fail-fast behavior when loadBalancer is set but
publishing.externalIPs is empty, and the link to Gateway API → ingress-nginx
Service mode, so readers can scan and find the deprecation and validation notes
quickly.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 144efd7e-3b34-413f-890f-38c874ba5c84

📥 Commits

Reviewing files that changed from the base of the PR and between 10b1e7c and 6888f84.

📒 Files selected for processing (2)

• content/en/docs/next/networking/gateway-api.md
• content/en/docs/next/operations/configuration/platform-package.md

🚧 Files skipped from review as they are similar to previous changes (1)

• content/en/docs/next/networking/gateway-api.md