feat(netbird): add Gateway API support and reject ingressGrpc without TLS (#74) (#80)

* feat(netbird): add Gateway API support and reject ingressGrpc without TLS

Adds HTTPRoute/GRPCRoute/TCPRoute as mutually-exclusive alternatives to
each existing Ingress block (server.httpRoute, server.grpcRoute,
server.relayHttpRoute, server.relayTcpRoute, dashboard.httpRoute). The
chart renders routes only and attaches them via parentRefs to a
user-managed Gateway. Omitted backendRefs auto-fill to the netbird
Service on port 80.

Fail-fast helm-template validation covers:
  * Ingress + Gateway route both enabled for the same traffic class
  * relayHttpRoute and relayTcpRoute both enabled
  * Route enabled with empty parentRefs
  * ingressGrpc enabled with empty tls — gRPC over nginx-ingress cannot
    negotiate h2c, and the default ssl-redirect annotation redirects
    plaintext gRPC to HTTPS, so this silently failed before

Fixes #74 by giving users a plaintext-h2c path (grpcRoute) for gRPC and
rejecting the silent-failure Ingress configuration.

Includes 36 new helm-unittest cases and an Envoy-Gateway-based e2e test
harness (ci/scripts/netbird/e2e-gateway.sh + CI job) that verifies routes
reach Accepted=True on the gateway and that backendRefs auto-fill.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* style(netbird): dprint-format README and values.yaml

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci(netbird): let Envoy Gateway install Gateway API CRDs

Installing standard-install.yaml with kubectl then running the
envoy-gateway Helm chart caused server-side-apply conflicts: EG owns
the same CRDs via its packaged manifests but our prior kubectl-apply
set "kubectl-client-side-apply" as the field manager. The EG chart
bundles both standard and experimental channel CRDs (including
TCPRoute), so a single install is enough.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci(netbird): wait for Gateway Accepted, preserve state for debug on fail

Gateway Programmed condition requires Envoy's data-plane pod to be
Ready, which is too slow on kind within the 3m timeout. Route
attachment only needs the Gateway to be Accepted (admission by the
controller), so wait on that instead — routes progress independently
of proxy readiness.

Also skip the cleanup trap on non-zero exit so CI's "Show debug info
on failure" step can actually see pod status / events / logs —
previously the namespace was deleted before debug ran.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: mikkeldamsgaard

.github/workflows/ci.yaml

@@ -210,6 +210,44 @@ jobs:
           echo "=== Events ==="
           kubectl -n netbird-e2e get events --sort-by='.lastTimestamp' || true
 
+  e2e-gateway:
+    name: "E2E — NetBird: Gateway API (Envoy Gateway)"
+    runs-on: ubuntu-latest
+    needs: [detect-changes, lint-and-unit-test]
+    if: needs.detect-changes.outputs.netbird == 'true' || needs.detect-changes.outputs.ci == 'true'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v4.0.2
+
+      - name: Create kind cluster
+        uses: helm/kind-action@v1
+        with:
+          cluster_name: helms-e2e
+
+      - name: Run e2e test (gateway)
+        run: ci/scripts/netbird/e2e-gateway.sh
+
+      - name: Show debug info on failure
+        if: failure()
+        run: |
+          echo "=== Pod status ==="
+          kubectl -n netbird-gateway-e2e get pods -o wide || true
+          echo "=== Gateway status ==="
+          kubectl -n netbird-gateway-e2e get gateway netbird-gateway -o yaml || true
+          echo "=== Route statuses ==="
+          kubectl -n netbird-gateway-e2e get httproute,grpcroute -o yaml || true
+          echo "=== Envoy Gateway logs ==="
+          kubectl -n envoy-gateway-system logs deployment/envoy-gateway --tail=100 || true
+          echo "=== Server logs ==="
+          kubectl -n netbird-gateway-e2e logs deployment/netbird-gateway-e2e-server --all-containers --tail=100 || true
+          echo "=== Events ==="
+          kubectl -n netbird-gateway-e2e get events --sort-by='.lastTimestamp' || true
+
   e2e-oidc-embedded:
     name: "E2E — NetBird: OIDC (Embedded IdP)"
     runs-on: ubuntu-latest

CHANGELOG.md

@@ -16,6 +16,29 @@ and this project adheres to [Semantic Versioning](https://semver.org/).
   `https://netbird.example.com`). NetBird clients require the port — without
   it the daemon fails with `missing port in address`. Use
   `https://netbird.example.com:443` instead. Fixes #75.
+- **netbird**: Gateway API support as a mutually-exclusive alternative to
+  Kubernetes Ingress for every traffic class. New values:
+  `server.httpRoute` (`HTTPRoute`), `server.grpcRoute` (`GRPCRoute`),
+  `server.relayHttpRoute` (`HTTPRoute`), `server.relayTcpRoute`
+  (`TCPRoute`, v1alpha2), and `dashboard.httpRoute` (`HTTPRoute`). The
+  chart renders routes only; users provide `parentRefs` to a Gateway they
+  already manage. Omitted `backendRefs` auto-fill to the netbird
+  server / dashboard Service on port 80. Fixes #74 — controllers that
+  support plaintext h2c (Envoy Gateway, Traefik Gateway, …) can now expose
+  gRPC without TLS via `GRPCRoute`, sidestepping the nginx-ingress h2c
+  limitation that made `server.ingressGrpc` fail silently without a cert.
+- **netbird**: Fail-fast validation that rejects enabling both an Ingress
+  and its Gateway-API counterpart for the same traffic class (and between
+  `server.relayHttpRoute` / `server.relayTcpRoute`), or enabling a route
+  with an empty `parentRefs` list.
+- **netbird**: Fail-fast validation that rejects
+  `server.ingressGrpc.enabled=true` with an empty `server.ingressGrpc.tls`
+  list. gRPC over Kubernetes Ingress requires TLS (nginx-ingress cannot
+  negotiate plaintext h2c, and the default `ssl-redirect: "true"`
+  annotation redirects plaintext gRPC to HTTPS) — previously this
+  misconfiguration failed silently. Fixes #74. Users who want plaintext
+  gRPC should use `server.grpcRoute` with a Gateway API controller that
+  supports h2c.
 
 ### Changed
 
@@ -24,6 +47,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/).
 - **netbird**: README and `values.yaml` examples now show
   `exposedAddress` with an explicit `:443` port and document that the
   port is required even when it matches the scheme default.
+- **netbird**: README gains a "Gateway API as an alternative to Ingress"
+  section with copy-pasteable examples, parameter tables for the new
+  route blocks, and an updated architecture diagram.
 
 ## [0.4.1] — 2026-04-14
 

Makefile

@@ -1,4 +1,4 @@
-.PHONY: lint unittest e2e e2e-netbird e2e-sqlite e2e-postgres e2e-mysql e2e-oidc-keycloak e2e-oidc-zitadel e2e-keycloak e2e-keycloak-dev e2e-keycloak-postgres e2e-keycloak-replicas e2e-setup e2e-teardown test compat-matrix
+.PHONY: lint unittest e2e e2e-netbird e2e-sqlite e2e-postgres e2e-mysql e2e-gateway e2e-oidc-keycloak e2e-oidc-zitadel e2e-keycloak e2e-keycloak-dev e2e-keycloak-postgres e2e-keycloak-replicas e2e-setup e2e-teardown test compat-matrix
 
 CHARTS := $(wildcard charts/*)
 
@@ -36,6 +36,9 @@ e2e-postgres: e2e-setup
 e2e-mysql: e2e-setup
 	ci/scripts/netbird/e2e.sh mysql
 
+e2e-gateway: e2e-setup
+	ci/scripts/netbird/e2e-gateway.sh
+
 e2e-oidc-keycloak: e2e-setup
 	ci/scripts/netbird/e2e-oidc.sh keycloak
 
@@ -46,6 +49,7 @@ e2e-netbird: e2e-setup
 	ci/scripts/netbird/e2e.sh sqlite
 	ci/scripts/netbird/e2e.sh postgres
 	ci/scripts/netbird/e2e.sh mysql
+	ci/scripts/netbird/e2e-gateway.sh
 	ci/scripts/netbird/e2e-oidc.sh keycloak
 	ci/scripts/netbird/e2e-oidc.sh zitadel