Skip to content

fix(gateway): decouple outbound CA trust store from tls.enabled; add README examples#319

Merged
nic-6443 merged 4 commits into
mainfrom
docs/gateway-readme-examples
Jul 14, 2026
Merged

fix(gateway): decouple outbound CA trust store from tls.enabled; add README examples#319
nic-6443 merged 4 commits into
mainfrom
docs/gateway-readme-examples

Conversation

@jarvis9443

@jarvis9443 jarvis9443 commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Fix: outbound CA trust store was gated on the inbound TLS listener

apisix.ssl.ssl_trusted_certificate is the gateway's outbound trust store — it verifies the TLS certificates of services the gateway dials (etcd/Control Plane, openid-connect IdPs, loggers, ...). It has nothing to do with the inbound HTTPS listener (gateway.tls.enabled).

But gateway.tls.existingCASecret and gateway.tls.additionalTrustedCAs (added in #317) were both gated on gateway.tls.enabled. So with the HTTPS listener disabled, the trust store and its Secret mounts silently disappeared — even though etcd.auth.tls.verify: true or an openid-connect ssl_verify: true still needs them.

This gates the ssl_trusted_certificate rendering and the CA Secret mounts on whether a CA is actually configured, not on gateway.tls.enabled:

  • No change for the default (gateway.tls.enabled: true) — CP-managed deployments render identically.
  • Only fixes the gateway.tls.enabled: false case, where a configured CA now takes effect.

Docs: configuration examples

Also adds a Configuration examples section to README.md.gotmpl (regenerated into README.md) — the README previously only had the values table. Covers additionalTrustedCAs, exposing via LoadBalancer, replicas/resources, and extra env vars.

Chart version bumped 3.10.83.10.9 (functional fix). The values table is unchanged.

The README only had the auto-generated values table, which does not show how
to actually use multi-field values like additionalTrustedCAs. Add a
Configuration examples section (rendered from README.md.gotmpl) covering:
trusting additional outbound CAs, exposing via LoadBalancer, setting
replicas/resources, and injecting extra env vars.
@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

The gateway chart README and template add a “Configuration examples” section covering additional TLS CAs, LoadBalancer exposure, replicas and resources, and extra environment variables.

Changes

Gateway configuration documentation

Layer / File(s) Summary
Configuration examples
charts/gateway/README.md.gotmpl, charts/gateway/README.md
Adds matching Helm examples for outbound TLS trust, LoadBalancer settings, replica and resource configuration, and secret-backed environment variables before the Parameters section.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Possibly related PRs

  • api7/api7-helm-chart#317: Adds related gateway chart implementation and documentation for additional trusted CA configuration.

Suggested reviewers: guoqqqi, nic-chen

🚥 Pre-merge checks | ✅ 6
✅ Passed checks (6 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
E2e Test Quality Review ✅ Passed Docs-only README updates; no E2E flow, test code, or runtime logic changed, so the E2E test review is not applicable.
Security Check ✅ Passed PR is docs-only: the full diff touches only charts/gateway/README.md(.gotmpl), with no security-sensitive code changes or insecure flag handling introduced.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title matches the README examples change and mentions the outbound CA trust topic covered in the docs.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch docs/gateway-readme-examples

Comment @coderabbitai help to get the list of available commands.

ct lint runs with --charts (explicit list), which disables version-increment
checking, so a docs-only README change does not require a Chart.yaml bump.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@charts/gateway/README.md.gotmpl`:
- Around line 56-61: Make gateway.tls.enabled explicit in every TLS-related
example: add it to the additionalTrustedCAs example in
charts/gateway/README.md.gotmpl lines 56-61, enable it in the port-443
LoadBalancer example at charts/gateway/README.md.gotmpl lines 76-83, and
regenerate both corresponding examples in charts/gateway/README.md lines 55-60
and 75-82 with the same settings.
- Around line 68-69: Update the restart command in
charts/gateway/README.md.gotmpl to target the rendered Deployment name from
apisix.fullname, or use a label-based lookup instead of deploy/[RELEASE_NAME];
regenerate charts/gateway/README.md so its corresponding command reflects the
same correction.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 492c0ebe-82de-4c61-8485-a22f9968582d

📥 Commits

Reviewing files that changed from the base of the PR and between 1c5a395 and 12ccf02.

📒 Files selected for processing (2)
  • charts/gateway/README.md
  • charts/gateway/README.md.gotmpl

Comment thread charts/gateway/README.md.gotmpl
Comment thread charts/gateway/README.md.gotmpl
ssl_trusted_certificate is the gateway's OUTBOUND trust store (used to verify
etcd/Control Plane, openid-connect, loggers and other services the gateway
dials). It has nothing to do with the inbound HTTPS listener, but existingCASecret
and additionalTrustedCAs were gated on gateway.tls.enabled, so with the listener
disabled the trust store (and its Secret mounts) silently disappeared even though
etcd.auth.tls.verify or an openid-connect ssl_verify still needs it.

Gate the config rendering and the Secret mounts on whether a CA is actually
configured, not on gateway.tls.enabled. No change for the default (tls.enabled
true); only fixes the tls.enabled=false case. Also revert the misleading
tls.enabled note added to the README examples.
@jarvis9443 jarvis9443 changed the title docs(gateway): add configuration examples to chart README fix(gateway): decouple outbound CA trust store from tls.enabled; add README examples Jul 14, 2026
@nic-6443 nic-6443 merged commit 19d2da2 into main Jul 14, 2026
3 checks passed
@nic-6443 nic-6443 deleted the docs/gateway-readme-examples branch July 14, 2026 14:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants