feat(nginx_gateway_fabric): NGF 2.6.5 + HTTP-01/ListenerSet cert flow, wildcard TLS, alias-A base record#44
feat(nginx_gateway_fabric): NGF 2.6.5 + HTTP-01/ListenerSet cert flow, wildcard TLS, alias-A base record#44sanmesh-kakade wants to merge 1 commit into
Conversation
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
WalkthroughNGINX Gateway Fabric is upgraded to v2.6.5. The module now generates ListenerSet resources for HTTPS, routes HTTPS traffic through ListenerSet parentRefs, updates Gateway listener settings, and adjusts bootstrap TLS and Helm values. ChangesNGF v2.6.5 Upgrade and ListenerSet HTTPS Wiring
Possibly related PRs
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@nginx_gateway_fabric/main.tf`:
- Around line 312-319: The HTTPRoute/GRPCRoute parentRef lookup still falls back
to synthesizing Gateway references for missing HTTPS listener names, which can
produce unattached routes after the inline HTTPS listeners are removed. Update
the routing logic in the listener parentRef generation path (the branches using
local.listener_parentref, local.gateway_parentref_base, and the https-* naming)
to use the ListenerSet map as the source of truth, and make the Gateway fallback
only apply when the listener name is actually present on the Gateway. Apply the
same fix consistently in both the HTTPRoute and GRPCRoute branches so naming
drift fails fast instead of silently deploying broken routes.
- Line 1028: The ListenerSet manifests in the any-k8s-resources flow can be
applied before the experimental Gateway API CRDs are present, causing failures
on a fresh cluster. Update the dependency chain around
`local.listenerset_resources` so the release that applies these resources
explicitly waits on the CRD installation path used by the nginx gateway fabric
setup, not just `helm_release.nginx_gateway_fabric` and the TLS secrets. Use the
existing symbols `local.listenerset_resources` and the related
`any-k8s-resources` release wiring to add the missing dependency.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: ab846950-3ee5-4e3a-a633-56112026074d
📒 Files selected for processing (4)
nginx_gateway_fabric/README.mdnginx_gateway_fabric/charts/nginx-gateway-fabric-2.4.1.tgznginx_gateway_fabric/charts/nginx-gateway-fabric-2.6.5.tgznginx_gateway_fabric/main.tf
ea6be5e to
d4df6ae
Compare
5225c0c to
8e45a8d
Compare
e1e6bbc to
dd16602
Compare
…, wildcard TLS, alias-A base record - Bump vendored chart 2.4.1 -> 2.6.5 (org image with #5330 fix); raise control-plane resource/replica defaults; imagePullPolicy Always. - HTTP-01 default via ListenerSet listeners; drop the ACK/dns01 wildcard path. Annotate the ListenerSet for the cert-manager listenerset-shim, which creates each listener's TLS secret itself — no self-signed bootstrap placeholder secrets (the old workaround for the cert-manager HTTP-01 + Gateway API bug, cert-manager/cert-manager#7337, fixed in 1.18.1). - Wildcard TLS mode for private/DNS-01 LBs (apex + *.domain, one shim-issued cert). - Base-domain Route53 record: alias-A on AWS (NLB canonical zone id from a static per-region map in nlb_zone_ids.tf) so cnameStrategy:Follow does not chase into amazonaws.com and break DNS-01; plain A/CNAME otherwise; honor the lb_service_record_type override. - README refresh. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
dd16602 to
cfce7ca
Compare
What
Base
nginx_gateway_fabricmodule: upgrade to NGF 2.6.5, switch the cert flow to HTTP-01 + Gateway API ListenerSet, add wildcard TLS for private/DNS-01 LBs, and fix the base-domain Route53 record on AWS.Changes
imagePullPolicy: Always.tls_*/secret TF resources) are removed. Verified: Gateway/LB program without the secret, the shim issues per-listener certs.*.domainlisteners sharing one shim-issued cert (single DNS-01 challenge).cnameStrategy: Followchase intoamazonaws.comand break DNS-01. The NLB canonical hosted-zone-id comes from a static per-region map (nlb_zone_ids.tf) — an AWS-published constant, so no ELB API call / cross-account lookup (the LB lives in the tenant cloud account, unreachable from the release pod). Non-AWS → plain A;lb_service_record_typeoverride wins.Testing
Private-LB DNS-01 wildcard certs + public HTTP-01 per-subdomain certs verified issuing (real Google Trust Services certs) on AWS + OVH test envs, with no bootstrap placeholders.