silogen · johnl-amd · Apr 22, 2026 · Apr 22, 2026 · Apr 22, 2026 · Apr 22, 2026
@@ -0,0 +1,102 @@
+---
+# Namespace for envoy-gateway-system (created first)
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: envoy-gateway-system
+  labels:
+    app.kubernetes.io/name: envoy-gateway
+    app.kubernetes.io/part-of: cluster-forge
+---
+# ServiceAccount for TLS secret copy
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tls-copy-sa
+  namespace: envoy-gateway-system
+---
+# ClusterRole with permissions to manage secrets across namespaces
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: tls-copy-role
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "list", "create", "update", "patch"]
+- apiGroups: [""]
+  resources: ["namespaces"]
+  verbs: ["get", "list", "create"]
+---
+# ClusterRoleBinding to grant permissions to ServiceAccount
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: tls-copy-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: tls-copy-role
+subjects:
+- kind: ServiceAccount
+  name: tls-copy-sa
+  namespace: envoy-gateway-system
+---
+# Job to copy TLS secret from kgateway-system to envoy-gateway-system (without modification)
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: tls-secret-copy
+  namespace: envoy-gateway-system
+spec:
+  template:
+    spec:
+      serviceAccountName: tls-copy-sa
+      restartPolicy: OnFailure
+      containers:
+      - name: copy-tls
+        image: alpine/k8s:1.28.13
+        command:
+        - /bin/sh
+        - -c
+        - |
+          echo "Starting TLS secret copy from kgateway-system to envoy-gateway-system"
+
+          # Check if source secret exists
+          if ! kubectl get secret cluster-tls -n kgateway-system >/dev/null 2>&1; then
+            echo "Source secret cluster-tls not found in kgateway-system namespace"
+            echo "This is expected during initial deployment - no copy needed"
+            exit 0
+          fi
+
+          # Verify target namespace exists
+          if ! kubectl get namespace envoy-gateway-system >/dev/null 2>&1; then
+            echo "ERROR: envoy-gateway-system namespace not found"
+            echo "This job should be applied after namespace creation"
+            exit 1
+          fi
+
+          # Check if target secret already exists
+          if kubectl get secret cluster-tls -n envoy-gateway-system >/dev/null 2>&1; then
+            echo "Target secret cluster-tls already exists in envoy-gateway-system"
+            echo "Copy completed previously"
+            exit 0
+          fi
+
+          echo "Copying cluster-tls secret with identical key-value pairs"
+
+          # Copy the secret directly using kubectl
+          kubectl get secret cluster-tls -n kgateway-system -o yaml | \
+          sed 's/namespace: kgateway-system/namespace: envoy-gateway-system/' | \
+          sed '/resourceVersion:/d' | \
+          sed '/uid:/d' | \
+          sed '/creationTimestamp:/d' | \
+          kubectl apply -f -
+
+          if [ $? -eq 0 ]; then
+            echo "Successfully copied cluster-tls secret to envoy-gateway-system"
+            echo "Secret contains the same key-value pairs as the original"
+          else
+            echo "Failed to copy cluster-tls secret"
+            exit 1
+          fi
@@ -0,0 +1,158 @@
+---
+# Namespace for envoy-gateway-system (created first)
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: envoy-gateway-system
+  labels:
+    app.kubernetes.io/name: envoy-gateway
+    app.kubernetes.io/part-of: cluster-forge
+---
+# ServiceAccount for TLS secret migration
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tls-migration-sa
+  namespace: envoy-gateway-system
+---
+# ClusterRole with permissions to manage secrets across namespaces
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: tls-migration-role
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "list", "create", "update", "patch"]
+- apiGroups: [""]
+  resources: ["namespaces"]
+  verbs: ["get", "list", "create"]
+---
+# ClusterRoleBinding to grant permissions to ServiceAccount
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: tls-migration-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: tls-migration-role
+subjects:
+- kind: ServiceAccount
+  name: tls-migration-sa
+  namespace: envoy-gateway-system
+---
+# Job to migrate and split TLS secret from kgateway-system to envoy-gateway-system
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: tls-secret-migration
+  namespace: envoy-gateway-system
+spec:
+  template:
+    spec:
+      serviceAccountName: tls-migration-sa
+      restartPolicy: OnFailure
+      containers:
+      - name: migrate-tls
+        image: alpine/k8s:1.28.13
+        command:
+        - /bin/sh
+        - -c
+        - |
+          echo "Starting TLS secret migration from kgateway-system to envoy-gateway-system"
+
+          # Check if source secret exists
+          if ! kubectl get secret cluster-tls -n kgateway-system >/dev/null 2>&1; then
+            echo "Source secret cluster-tls not found in kgateway-system namespace"
+            echo "This is expected during initial deployment - no migration needed"
+            exit 0
+          fi
+
+          # Verify target namespace exists
+          if ! kubectl get namespace envoy-gateway-system >/dev/null 2>&1; then
+            echo "ERROR: envoy-gateway-system namespace not found"
+            echo "This job should be applied after namespace creation"
+            exit 1
+          fi
+
+          # Check if target secret already exists
+          if kubectl get secret cluster-tls -n envoy-gateway-system >/dev/null 2>&1; then
+            echo "Target secret cluster-tls already exists in envoy-gateway-system"
+            echo "Migration completed previously"
+            exit 0
+          fi
+
+          echo "Migrating cluster-tls secret with certificate chain splitting"
+
+          # Extract certificate data from source secret
+          TLS_CRT_DATA=$(kubectl get secret cluster-tls -n kgateway-system -o jsonpath='{.data.tls\.crt}')
+          TLS_KEY_DATA=$(kubectl get secret cluster-tls -n kgateway-system -o jsonpath='{.data.tls\.key}')
+
+          # Decode the certificate chain
+          echo "$TLS_CRT_DATA" | base64 -d > /tmp/full_chain.crt
+
+          # Split certificate chain: first cert is server cert, second cert is CA cert
+          # Count certificates in the chain
+          CERT_COUNT=$(grep -c "BEGIN CERTIFICATE" /tmp/full_chain.crt)
+          echo "Found $CERT_COUNT certificates in chain"
+
+          if [ "$CERT_COUNT" -eq 1 ]; then
+            # Only one certificate (server cert), no CA to split
+            echo "Single certificate found, no CA cert to extract"
+            SERVER_CERT_B64="$TLS_CRT_DATA"
+            CA_CERT_B64=""
+          elif [ "$CERT_COUNT" -ge 2 ]; then
+            # Multiple certificates: split them
+            echo "Splitting certificate chain: server cert + CA cert"
+
+            # Extract first certificate (server certificate)
+            awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/ {print; if(/END CERTIFICATE/) exit}' /tmp/full_chain.crt > /tmp/server.crt
+
+            # Extract remaining certificates (CA certificate chain)
+            awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/ {if(first_cert_done) print} /END CERTIFICATE/ {first_cert_done=1}' /tmp/full_chain.crt > /tmp/ca.crt
+
+            # Base64 encode the split certificates
+            SERVER_CERT_B64=$(cat /tmp/server.crt | base64 -w 0)
+            CA_CERT_B64=$(cat /tmp/ca.crt | base64 -w 0)
+          else
+            echo "No certificates found in tls.crt data"
+            exit 1
+          fi
+
+          # Create the new secret with split certificates
+          cat > /tmp/new_secret.yaml << 'EOF'
+          apiVersion: v1
+          kind: Secret
+          metadata:
+            name: cluster-tls
+            namespace: envoy-gateway-system
+          type: kubernetes.io/tls
+          data:
+          EOF
+
+          echo "  tls.crt: $SERVER_CERT_B64" >> /tmp/new_secret.yaml
+          echo "  tls.key: $TLS_KEY_DATA" >> /tmp/new_secret.yaml
+
+          # Add CA certificate if it exists
+          if [ -n "$CA_CERT_B64" ]; then
+            echo "  ca.crt: $CA_CERT_B64" >> /tmp/new_secret.yaml
+          fi
+
+          # Apply the new secret
+          kubectl apply -f /tmp/new_secret.yaml
+
+          if [ $? -eq 0 ]; then
+            echo "Successfully migrated and split cluster-tls secret to envoy-gateway-system"
+            if [ -n "$CA_CERT_B64" ]; then
+              echo "Certificate chain split: tls.crt (server) + ca.crt (CA)"
+            else
+              echo "Single certificate migrated: tls.crt only"
+            fi
+          else
+            echo "Failed to migrate cluster-tls secret"
+            exit 1
+          fi
+
+          # Clean up temporary files
+          rm -f /tmp/full_chain.crt /tmp/server.crt /tmp/ca.crt /tmp/new_secret.yaml
@@ -28,6 +28,8 @@ apps:
     helmParameters:
       - name: airm-api.airm.appDomain
         value: "{{ .Values.global.domain }}"
+      - name: airm-api.kgateway.namespace
+        value: envoy-gateway-system
       - group: kyverno.io
         jqPathExpressions:
           - ".spec.rules"
@@ -43,6 +45,8 @@ apps:
     helmParameters:
       - name: appDomain
         value: "{{ .Values.global.domain }}"
+      - name: kgateway.namespace
+        value: envoy-gateway-system
     syncWave: 0
   airm-infra-cnpg:
     path: eai-infra/airm-cnpg/0.1.0
@@ -267,10 +271,7 @@ apps:
     namespace: external-secrets
     path: external-secrets-config
     syncWave: -10
-  gateway-api:
-    namespace: default
-    path: gateway-api/v1.3.0
-    syncWave: -50
+
   gitea:
     helmParameters:
       - name: clusterDomain
@@ -525,29 +526,20 @@ apps:
         requests:
           cpu: "250m"
           memory: "512Mi"
-  kgateway:
-    namespace: kgateway-system
-    path: kgateway/v2.1.0-main
-    syncWave: -20
+  envoy-gateway:
+    namespace: envoy-gateway-system
+    path: envoy-gateway/v1.7.1
+    syncWave: -30
     valuesObject:
-      controller:
-        image:
-          registry: "ghcr.io"
-          repository: silogen/kgateway-v2.1.0-main-websocket
-          tag: "0.0.1"
-  kgateway-config:
+      kubernetesClusterDomain: cluster.local
+  envoy-gateway-config:
     helmParameters:
       - name: domain
         value: "{{ .Values.global.domain }}"
-    namespace: kgateway-system
-    path: kgateway-config
+    namespace: envoy-gateway-system
+    path: envoy-gateway-config
     syncWave: -15
     valuesFile: values.yaml
-  kgateway-crds:
-    namespace: kgateway-system
-    path: kgateway-crds/v2.1.0-main
-    syncWave: -30
-    valuesFile: values.yaml
   kserve:
     namespace: kserve-system
     path: kserve/v0.16.0

@@ -20,7 +20,8 @@ enabledApps:
   - cnpg-operator
   - external-secrets
   - external-secrets-config
-  - gateway-api
+  - envoy-gateway
+  - envoy-gateway-config
   - gitea
   - gitea-config
   - kaiwo
@@ -29,9 +30,6 @@ enabledApps:
   - keda
   - kedify-otel
   - keycloak
-  - kgateway
-  - kgateway-config
-  - kgateway-crds
   - kserve
   - kserve-crds
   - kueue