Skip to content

Eai 5821 evaluate envoy gateway#705

Draft
johnl-amd wants to merge 22 commits intomainfrom
EAI_5821_evaluate_envoy_gateway
Draft

Eai 5821 evaluate envoy gateway#705
johnl-amd wants to merge 22 commits intomainfrom
EAI_5821_evaluate_envoy_gateway

Conversation

@johnl-amd
Copy link
Copy Markdown

@johnl-amd johnl-amd commented May 7, 2026

Validated locally (local Kind cluster, envoy-gateway branch):

  • Login flow via Keycloak completes correctly through envoy-gateway
  • AIRM and AIWB UIs accessible and functional
  • Model deployment via AIWB creates an HTTPRoute in the workbench namespace — aim-engine clusterRuntimeConfig
    is working correctly
  • Gateway accepts the HTTPRoute once the predictor pod becomes ready

Change added in this branch:

  • Enabled clusterRuntimeConfig in aim-engine values (sources/aim-engine/0.2.2/values.yaml) pointing at
    envoy-gateway-system — without this, HTTPRoutes for deployed models were not being created

Still to validate on hosted cluster:

  • HTTPRoute acceptance with real TLS and real DNS
  • Model inference traffic actually reaches the predictor through the gateway
  • Any existing deployed models/InferenceServices pick up routing correctly after the config is applied

woojae-siloai and others added 22 commits April 23, 2026 11:28
@woojae-siloai
Add envoy-gateway v1.7.1 source from helm chart
2a22bba
@woojae-siloai
Add envoy-gateway-config
7e867f1
@woojae-siloai
Add envoy-gateway-config Step 3 files with corrected access logging
15fbf8a
@woojae-siloai
Add chart and values for envoy-gateway-config
03eada2
@woojae-siloai
Fix TLS migration job to properly split certificate chains
6f5cd27
@woojae-siloai
Replace kgateway with envoy-gateway in root values
8b51fdc
@woojae-siloai
Update root values for all cluster sizes (small/medium/large)
3eea2f5
@woojae-siloai
Remove legacy kgateway source directories
42592c7
@woojae-siloai
PHASE 2: Update HTTPRoute namespace references
2e6f986 
- Update all HTTPRoute parentRefs from kgateway-system to envoy-gateway-system
- ArgoCD, Gitea, Openbao, Keycloak, and MinIO HTTPRoutes updated
- Maintains exact functionality while pointing to new envoy-gateway location
- Part of kgateway to envoy-gateway v1.7.1 migration

Files updated:
- sources/argocd-config/http-route.yaml
- sources/gitea-config/templates/gitea-httproute.yaml
- sources/keycloak-config/templates/keycloak-httproute.yaml
- sources/minio-tenant-config/templates/minio-httproute.yaml
- sources/openbao-config/0.1.0/templates/openbao-httproute.yaml
@woojae-siloai
Add kgateway.namespace helmParameter overrides for AIWB and AIRM
c96b417
@woojae-siloai
Migrate cluster-auth from kgateway CRDs to envoy-gateway SecurityPolicy
550ef84
@woojae-siloai
Fix keycloak HTTPRoute namespace reference for envoy-gateway migration
48d9841
@woojae-siloai
Fix aim-engine Gateway examples to use real Gateway
511fe66
@woojae-siloai
Remove conflicting kgateway GatewayExtension file from cluster-auth
c6c8b0f
@woojae-siloai
Rename gateway-extension-kgateway-system.yaml to security-policy-exta…
c003c9f 
…uth.yaml for clarity
@woojae-siloai
Update TLS migration job to create envoy-gateway-system namespace first
dff8a10 
- Add explicit Namespace resource creation before other resources
- Remove redundant namespace creation logic from script
- Add proper error handling for missing namespace
- Ensures namespace exists before ServiceAccount and Job creation
@woojae-siloai
Revert "Update TLS migration job to create envoy-gateway-system names…
b3d0906 
…pace first"

This reverts commit 45cc49b.
@woojae-siloai
Update TLS migration job to create envoy-gateway-system namespace first
bc1c328
@woojae-siloai
Add TLS secret copy job without certificate modification
8e124a6
@woojae-siloai
Update restart job service account for envoy-gateway migration
e3c1f17
@woojae-siloai
remove PreSync hooks from ExternalSecrets to resolve ArgoCD sync bloc…
bc00d21 
…king
@johnl-amd
EAI-5821: Enable aim-engine clusterRuntimeConfig for envoy-gateway
7c824dd
@johnl-amd
Copy link
Copy Markdown
Author

johnl-amd commented May 8, 2026

Validated this branch locally on a Kind cluster with envoy-gateway. Everything works end-to-end. Added one commit to enable clusterRuntimeConfig in aim-engine so HTTPRoutes for deployed models point at envoy-gateway-system instead of the default kgateway-system.

A few questions while reviewing the diff:

1. Duplicate SecurityPolicy for ExtAuth
Both sources/envoy-gateway-config/templates/security-policy-extauth.yaml and sources/cluster-auth/0.5.0/templates/security-policy-extauth.yaml create a SecurityPolicy targeting the same https gateway. One has cluster-auth hardcoded, the other uses the Helm template name. Which one is intentional? Having two competing auth policies on the same gateway could cause unexpected behavior.

2. TLS migration jobs are not in ArgoCD
job-cluster-tls-copy.yaml and job-cluster-tls-migration.yaml are raw manifests at the repo root — not part of any Helm chart or ArgoCD application. They won't run automatically on deployment. Is there a manual step required here that should be documented?

3. TLS jobs assume migration from kgateway
Both jobs check if cluster-tls exists in kgateway-system and exit successfully if it doesn't. On a fresh cluster that never had kgateway, envoy-gateway ends up with no TLS certificate. Is there a separate mechanism for fresh installs, or is this branch only intended for migrating existing clusters?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@johnl-amd @woojae-siloai