fix(ingress): legacy NGF HTTP-01/ListenerSet + wildcard TLS, Gateway API v1.5.1, drop ACK ACM #554

Open
sanmesh-kakade wants to merge 1 commit into develop from fix/ngf-gw-api-1.5.1-legacy

Conversation

@sanmesh-kakade (Contributor) commented Jun 16, 2026

What

Legacy NGF flavors: HTTP-01 + ListenerSet cert flow, wildcard TLS for private LBs, Gateway API v1.5.1, and removal of the ACK ACM controller path.

Changes

  • Gateway API — CRDs default to v1.5.1; raised legacy control-plane resource defaults + min_replicas.
  • Drop ACK ACM — removed the ACK ACM controller + DNS-01 from the legacy NGF flavors (module + output deleted).
  • legacy aws/azure/gcp flavors — DNS-01 (gts-production) cert issuance + wildcard TLS for private LBs (mirrors k8s-native); dropped the unsupported cluster_issuer_override fallback.

@coderabbitai (Bot) commented Jun 16, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

🗂️ Base branches to auto review (1)
  • facets-saas

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5fef44e1-001a-4984-a236-d1fd6433df79

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


sanmesh-kakade force-pushed the fix/ngf-gw-api-1.5.1-legacy branch from 49500bc to 6da8d89 on June 16, 2026 13:36
@sanmesh-kakade (Contributor, Author) commented:

📋 Gateway API CRD changelog v1.4.1 → v1.5.1 — verified against the real manifests, with impact

v1.5.1 is a conformance/docs patch over v1.5.0 (zero CRD schema change) — all API deltas are from v1.5.0.

Legend: ✅ affects us · ⚠️ pre-check · — no impact

  • ReferenceGrant: v1 added; v1beta1 still served + storage safe/additive. Existing v1beta1 ReferenceGrants stay valid, no migration.
  • Gateway / GatewayClass / HTTPRoute / GRPCRoute — schemas grew (CORS GEP-1767, client-cert validation GEP-91/3567, cert selection GEP-3155) — all additive optional fields on the existing v1 storage; existing CRs not rejected.
  • TLSRoute promoted to standard as v1; experimental storage v1alpha3 → v1. ⚠️ only matters if TLSRoutes exist. Pre-check kubectl get tlsroutes -A (expect empty).
  • XListenerSet → ListenerSet (v1); xlistenersets removed. ⚠️ breaking rename, only matters if XListenerSet CRs exist. Pre-check kubectl get xlistenersets -A (expect empty).
  • New safe-upgrades ValidatingAdmissionPolicy (failurePolicy: Fail, action Deny) — ✅ affects rollback: blocks applying CRDs below v1.5.0 and standard↔experimental mixing. Forward upgrade is fine; to roll back to ≤1.4.x first kubectl delete validatingadmissionpolicy safe-upgrades.gateway.networking.k8s.io + its binding.
  • --server-side apply is mandatory — the httproutes CRD alone is ~533 KB (> the 262 KB client-side annotation limit) — ✅ module already uses --server-side; keep it.
  • Min Kubernetes ≥ 1.31 (TLSRoute CEL) — ✅ satisfied (CP v1.33, nodes ≥ v1.31.3).

Pre-flight before apply

kubectl get tlsroutes,xlistenersets -A     # expect empty
kubectl get crd httproutes.gateway.networking.k8s.io \
  -o jsonpath='{range .metadata.managedFields[*]}{.manager}{"\n"}{end}'

If managedFields show kubectl-client-side-apply (or another conflicting manager), the install Job's server-side apply will conflict → needs --force-conflicts (module sets backoff_limit=3, no --force-conflicts today).

Apply these CRDs before the NGF 2.6.3 controller (facets-utility-modules#39).

Net: additive + safe for our Gateway/HTTPRoute/ReferenceGrant usage. Only real watch-items: the rollback VAP and a possible server-side-apply field-manager conflict — both operational, neither a schema break.
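A pre-flight script that turns the checks and watch-items from the comment above into something repeatable: the TLSRoute/XListenerSet listing, the field-manager check on the httproutes CRD (client-side-apply managers conflict with the install Job's server-side apply), the manifest size versus the client-side annotation limit, and whether the safe-upgrades ValidatingAdmissionPolicy is present and would deny a rollback. This is an added example, not code from the PR or the Facets modules. The function names, the `run <crd-manifest.yaml>` entrypoint and the sample inputs are assumptions made for the illustration; the decision logic is kept in functions that take their input as a string so it can be exercised without a cluster, and kubectl is only called when the script is invoked with `run`.

```shell
#!/bin/sh
# Pre-flight checks for bumping the Gateway API CRDs from v1.4.1 to v1.5.1.
# Added example, not the PR's or the modules' own code. Function names and
# the `run <manifest>` entrypoint are assumptions made for this illustration.

# kubectl stores the last-applied configuration in an annotation, and the
# apiserver caps annotations at 262144 bytes; a CRD manifest above that
# size can only be applied with --server-side.
CLIENT_SIDE_LIMIT=262144

# ValidatingAdmissionPolicy shipped with v1.5.x that denies applying CRDs
# below v1.5.0; it must be deleted (with its binding) before rolling back.
ROLLBACK_VAP='safe-upgrades.gateway.networking.k8s.io'

# 0 if the listing contains no objects (blank lines only), 1 otherwise.
# Input: output of `kubectl get tlsroutes,xlistenersets -A -o name`.
no_legacy_objects() {
  [ -z "$(printf '%s\n' "$1" | sed '/^[[:space:]]*$/d')" ]
}

# 0 if no field manager will conflict with the install Job's server-side
# apply, 1 if kubectl-client-side-apply owns fields on the CRD.
# Input: newline-separated manager names from .metadata.managedFields.
managers_are_ssa_safe() {
  if printf '%s\n' "$1" | grep -qxF 'kubectl-client-side-apply'; then
    return 1
  fi
  return 0
}

# 0 if a manifest of this many bytes still fits client-side apply.
fits_client_side() {
  [ "$1" -le "$CLIENT_SIDE_LIMIT" ]
}

# 0 if the rollback-blocking VAP is absent from the given list of policy
# names, 1 if it is present and a rollback to <=1.4.x would be denied.
rollback_unblocked() {
  if printf '%s\n' "$1" | grep -qxF "$ROLLBACK_VAP"; then
    return 1
  fi
  return 0
}

# Live run against the current kube-context. $1 = path to the CRD bundle
# the install Job will apply (assumed argument, e.g. standard-install.yaml).
preflight_live() {
  manifest=$1
  rc=0

  objs=$(kubectl get tlsroutes,xlistenersets -A -o name 2>/dev/null || true)
  if no_legacy_objects "$objs"; then
    echo "ok    no TLSRoute / XListenerSet objects"
  else
    echo "BLOCK TLSRoute/XListenerSet objects exist; migrate them first:"
    printf '      %s\n' $objs
    rc=1
  fi

  mgrs=$(kubectl get crd httproutes.gateway.networking.k8s.io \
    -o jsonpath='{range .metadata.managedFields[*]}{.manager}{"\n"}{end}' 2>/dev/null || true)
  if managers_are_ssa_safe "$mgrs"; then
    echo "ok    httproutes CRD has no client-side-apply field manager"
  else
    echo "WARN  kubectl-client-side-apply owns fields on the httproutes CRD;"
    echo "      the install Job's --server-side apply will conflict (needs --force-conflicts)"
    rc=1
  fi

  size=$(wc -c < "$manifest")
  if fits_client_side "$size"; then
    echo "ok    manifest is $size bytes, under the client-side limit"
  else
    echo "info  manifest is $size bytes (> $CLIENT_SIDE_LIMIT); --server-side is mandatory"
  fi

  vaps=$(kubectl get validatingadmissionpolicy -o name 2>/dev/null | sed 's#^[^/]*/##' || true)
  if rollback_unblocked "$vaps"; then
    echo "info  $ROLLBACK_VAP not present (pre-1.5 cluster or already removed)"
  else
    echo "info  $ROLLBACK_VAP present: delete it and its binding before rolling back to <=1.4.x"
  fi
  return $rc
}

case "${1:-}" in
  run) preflight_live "${2:?usage: $0 run <crd-manifest.yaml>}" ;;
esac
```

The BLOCK/WARN lines map to the two operational watch-items the comment calls out: stray experimental objects stop the upgrade, and a client-side-apply manager means the Job will fail its three retries unless `--force-conflicts` is added; the VAP line is informational for the forward upgrade and only matters when planning a rollback.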

sanmesh-kakade added a commit to Facets-cloud/facets-modules-redesign that referenced this pull request Jun 19, 2026
….5.1

Mirrors Facets-cloud/facets-modules#554 into the redesigned NGF modules:
- common/gateway_api_crd: default Gateway API version v1.4.1 -> v1.5.1
  (enum adds v1.5.1/v1.5.0; sample + main.tf lookup updated).
- nginx_gateway_fabric_{aws,azure,gcp,ovh}: control-plane resource defaults
  bumped — requests 200m/256Mi -> 250m/512Mi, limits 500m/512Mi -> 1/1Gi
  (schema defaults + x-ui-placeholders + sample).

Chart/image change is inherited from the base utility module these modules
delegate to (facets-utility-modules#39 -> facetscloud/nginx-gateway-fabric:2.6.5),
so no image refs change here.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…API v1.5.1, drop ACK ACM

- Gateway API CRDs default to v1.5.1; raise legacy control-plane resource defaults + min_replicas.
- Remove the ACK ACM controller + DNS-01 from the legacy NGF flavors (drop the module + output).
- legacy aws/azure/gcp flavors: DNS-01 (gts-production) cert issuance + wildcard TLS for private
  LBs (mirror k8s-native); drop the unsupported cluster_issuer_override fallback.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
sanmesh-kakade force-pushed the fix/ngf-gw-api-1.5.1-legacy branch from d281f17 to ea29bd8 on July 2, 2026 07:45
sanmesh-kakade changed the title from "fix(ingress): NGF stale-config follow-ups — Gateway API v1.5.1 + legacy CP min_replicas=1" to "fix(ingress): legacy NGF HTTP-01/ListenerSet + wildcard TLS, Gateway API v1.5.1, drop ACK ACM" on Jul 2, 2026