fix(gateway): decouple outbound CA trust store from tls.enabled; add README examples#319
Merged
Conversation
The README only had the auto-generated values table, which does not show how to actually use multi-field values like additionalTrustedCAs. Add a Configuration examples section (rendered from README.md.gotmpl) covering: trusting additional outbound CAs, exposing via LoadBalancer, setting replicas/resources, and injecting extra env vars.
📝 WalkthroughWalkthroughThe gateway chart README and template add a “Configuration examples” section covering additional TLS CAs, LoadBalancer exposure, replicas and resources, and extra environment variables. ChangesGateway configuration documentation
Estimated code review effort: 1 (Trivial) | ~5 minutes Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 6✅ Passed checks (6 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
ct lint runs with --charts (explicit list), which disables version-increment checking, so a docs-only README change does not require a Chart.yaml bump.
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@charts/gateway/README.md.gotmpl`:
- Around line 56-61: Make gateway.tls.enabled explicit in every TLS-related
example: add it to the additionalTrustedCAs example in
charts/gateway/README.md.gotmpl lines 56-61, enable it in the port-443
LoadBalancer example at charts/gateway/README.md.gotmpl lines 76-83, and
regenerate both corresponding examples in charts/gateway/README.md lines 55-60
and 75-82 with the same settings.
- Around line 68-69: Update the restart command in
charts/gateway/README.md.gotmpl to target the rendered Deployment name from
apisix.fullname, or use a label-based lookup instead of deploy/[RELEASE_NAME];
regenerate charts/gateway/README.md so its corresponding command reflects the
same correction.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 492c0ebe-82de-4c61-8485-a22f9968582d
📒 Files selected for processing (2)
charts/gateway/README.mdcharts/gateway/README.md.gotmpl
ssl_trusted_certificate is the gateway's OUTBOUND trust store (used to verify etcd/Control Plane, openid-connect, loggers and other services the gateway dials). It has nothing to do with the inbound HTTPS listener, but existingCASecret and additionalTrustedCAs were gated on gateway.tls.enabled, so with the listener disabled the trust store (and its Secret mounts) silently disappeared even though etcd.auth.tls.verify or an openid-connect ssl_verify still needs it. Gate the config rendering and the Secret mounts on whether a CA is actually configured, not on gateway.tls.enabled. No change for the default (tls.enabled true); only fixes the tls.enabled=false case. Also revert the misleading tls.enabled note added to the README examples.
nic-6443
approved these changes
Jul 14, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fix: outbound CA trust store was gated on the inbound TLS listener
apisix.ssl.ssl_trusted_certificateis the gateway's outbound trust store — it verifies the TLS certificates of services the gateway dials (etcd/Control Plane,openid-connectIdPs, loggers, ...). It has nothing to do with the inbound HTTPS listener (gateway.tls.enabled).But
gateway.tls.existingCASecretandgateway.tls.additionalTrustedCAs(added in #317) were both gated ongateway.tls.enabled. So with the HTTPS listener disabled, the trust store and its Secret mounts silently disappeared — even thoughetcd.auth.tls.verify: trueor anopenid-connectssl_verify: truestill needs them.This gates the
ssl_trusted_certificaterendering and the CA Secret mounts on whether a CA is actually configured, not ongateway.tls.enabled:gateway.tls.enabled: true) — CP-managed deployments render identically.gateway.tls.enabled: falsecase, where a configured CA now takes effect.Docs: configuration examples
Also adds a Configuration examples section to
README.md.gotmpl(regenerated intoREADME.md) — the README previously only had the values table. CoversadditionalTrustedCAs, exposing via LoadBalancer, replicas/resources, and extra env vars.Chart version bumped
3.10.8→3.10.9(functional fix). The values table is unchanged.