Envoy Gateway
API Gateway and ingress using Envoy Gateway with GKE Gateway API
The Infra Management Cluster runs multiple Envoy Gateway instances to handle ingress traffic for different domains. Each instance operates in namespace mode, watching specific namespaces for Gateway API resources.
ArgoCD Resources
Gateway System (Helm Charts)
These Applications deploy the Envoy Gateway controller and CRDs:
| Application | Namespace | Controller Name |
|---|---|---|
| envoy-infra-titanbay-com | envoy-infra-titanbay-com | gateway.envoyproxy.io/infra-titanbay-com-controller |
| envoy-infra-titanbayapis-com | envoy-infra-titanbayapis-com | gateway.envoyproxy.io/infra-titanbayapis-com-controller |
| envoy-infra-titanbay-internal | envoy-infra-titanbay-internal | gateway.envoyproxy.io/infra-titanbay-internal-controller |
File Path: `apps/envoy-gateway-system.yaml`
Gateway Routes (Kustomize)
These Applications deploy Gateway, HTTPRoute, and related resources:
| Application | Namespace | Source Path |
|---|---|---|
| envoy-gateway-infra-titanbay-com | envoy-infra-titanbayapis-com | k8s/infra-services/envoy-gateway/overlays/infra-titanbay-com |
| envoy-gateway-infra-titanbayapis-com | envoy-infra-titanbayapis-com | k8s/infra-services/envoy-gateway/overlays/infra-titanbayapis-com |
| envoy-gateway-infra-titanbay-internal | envoy-infra-titanbay-internal | k8s/infra-services/envoy-gateway/overlays/infra-titanbay-internal |
File Path: `apps/envoy-gateway.yaml`
Architecture
```mermaid
graph TD
    subgraph "External Traffic"
        A[HTTP Client]
    end
    subgraph "GKE Gateway API L7 LB"
        B[External Load Balancer]
    end
    subgraph "Envoy Gateway"
        C[envoy-infra-titanbay-com]
        D[envoy-infra-titanbayapis-com]
        E[envoy-infra-titanbay-internal]
    end
    subgraph "Workloads"
        F[ArgoCD]
        G[Atlantis]
        H[Grafana]
        I[Other Services]
    end
    A --> B
    B --> C
    B --> D
    B --> E
    C --> F
    C --> G
    D --> H
    E --> I
```

Source Structure
```text
k8s/infra-services/envoy-gateway/
├── base/                        # Shared resources
└── overlays/
    ├── infra-titanbay-com/      # *.infra.titanbay.com routes
    │   ├── gateway.yaml
    │   ├── httproutes/
    │   └── kustomization.yaml
    ├── infra-titanbayapis-com/  # *.infra.titanbayapis.com routes
    │   ├── gateway.yaml
    │   ├── httproutes/
    │   └── kustomization.yaml
    └── infra-titanbay-internal/ # Internal routes
        ├── gateway.yaml
        ├── httproutes/
        └── kustomization.yaml
```
Gateway System Configuration
Each Envoy Gateway instance is deployed via Helm with namespace-scoped watching:
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: envoy-infra-titanbay-com
spec:
  syncPolicy:
    syncOptions:
      - ServerSideApply=true
  destination:
    namespace: envoy-infra-titanbay-com
    server: https://kubernetes.default.svc
  project: infra-services
  source:
    chart: gateway-helm
    repoURL: 'registry-1.docker.io/envoyproxy'
    targetRevision: 1.4.2
    helm:
      valuesObject:
        deployment:
          replicas: 2
        config:
          envoyGateway:
            gateway:
              controllerName: gateway.envoyproxy.io/infra-titanbay-com-controller
            provider:
              type: Kubernetes
              kubernetes:
                watch:
                  type: Namespaces
                  namespaces:
                    - argocd
                    - atlantis
                    - envoy-infra-titanbay-com
                    - infra-docs-portal
                    - monitoring
                    - netbox
                    - tb-ops
                    - grafana-alloy
                    - pam-system
                    - onepassword
```
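The controller name configured in the Helm values above is only half of the wiring: a GatewayClass must carry the same `controllerName`, and a Gateway must reference that class, before any HTTPRoute can attach. The following is an added example of what an overlay's `gateway.yaml` could look like for the infra-titanbay-com instance; it is not copied from the infra-services repository. The GatewayClass and Gateway names, the listener name and port are assumptions, and TLS is left out because the page does not state whether TLS terminates at the GKE L7 load balancer or at Envoy.

```yaml
# Added example, not the repository's own gateway.yaml.
# File (assumed): k8s/infra-services/envoy-gateway/overlays/infra-titanbay-com/gateway.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: infra-titanbay-com                    # assumed name
spec:
  # Must equal config.envoyGateway.gateway.controllerName in the Helm values.
  # If the two differ, the controller never accepts this class, the Gateway
  # stays unprogrammed, and every route attached to it is silently ignored.
  controllerName: gateway.envoyproxy.io/infra-titanbay-com-controller
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: infra-titanbay-com                    # assumed name
  # The Gateway's own namespace is itself in the controller's watch list.
  namespace: envoy-infra-titanbay-com
spec:
  gatewayClassName: infra-titanbay-com
  listeners:
    - name: http                              # assumed listener name (used as sectionName by routes)
      protocol: HTTP
      port: 80
      hostname: "*.infra.titanbay.com"        # wildcard domain served by this instance
      allowedRoutes:
        namespaces:
          # HTTPRoutes live in the workload namespaces (argocd, atlantis, ...),
          # so cross-namespace attachment has to be permitted on the listener.
          # The controller's watch list still bounds which namespaces are read.
          from: All
```

`from: All` is the loosest setting the Gateway API offers; the watch list already acts as an allowlist, but a `from: Selector` with a namespace label would additionally stop a route in a watched namespace from attaching to a listener it was not meant for. Whether that extra restriction is worth the labelling overhead is a choice this page does not make.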
Watched Namespaces
Each controller watches specific namespaces:
| Controller | Watched Namespaces |
|---|---|
| infra-titanbay-com | argocd, atlantis, infra-docs-portal, monitoring, netbox, tb-ops, grafana-alloy, pam-system, onepassword |
| infra-titanbayapis-com | argo, argo-events, argocd, atlantis, dex, monitoring, netbox, grafana-alloy, pam-system, grafana-loki |
| infra-titanbay-internal | monitoring, grafana-alloy |
Note

If you deploy Gateway API resources (HTTPRoute, ReferenceGrant) in a namespace not listed above, the controller will ignore them. Add the namespace to the appropriate controller's watch list.

Gateway Routes Configuration
The route Applications deploy Gateway API resources:
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: envoy-gateway-infra-titanbay-com
spec:
  syncPolicy:
    syncOptions:
      - ServerSideApply=true
  destination:
    namespace: envoy-infra-titanbayapis-com
    server: https://kubernetes.default.svc
  project: infra-services
  source:
    repoURL: https://github.com/Titanbay/infra-services
    path: k8s/infra-services/envoy-gateway/overlays/infra-titanbay-com
    targetRevision: 'main'
```
How to Update
Adding a New Route
- Create an HTTPRoute in the appropriate overlay: `k8s/infra-services/envoy-gateway/overlays/<domain>/httproutes/<service>.yaml`
- Add the file to the overlay's `kustomization.yaml`
- Ensure the service's namespace is in the controller's watch list
- Commit and push to `main`
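As an added example of the steps above (not a file from the infra-services repository), here is a route for ArgoCD on the infra-titanbay-com instance together with the overlay's `kustomization.yaml` entry that makes Kustomize render it. The Gateway name and listener name, the hostname, and the `argocd-server` Service name and port are assumptions; the `argocd` namespace is taken from the watch list on this page.

```yaml
# Added example, not the repository's own file.
# File (assumed): k8s/infra-services/envoy-gateway/overlays/infra-titanbay-com/httproutes/argocd.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: argocd
  # Step 3: this namespace is in the infra-titanbay-com watch list. A route
  # created in an unwatched namespace is never read, so it fails silently.
  namespace: argocd
spec:
  parentRefs:
    - name: infra-titanbay-com                # assumed Gateway name
      namespace: envoy-infra-titanbay-com     # Gateway lives in the controller's namespace
      sectionName: http                       # assumed listener name
  hostnames:
    - argocd.infra.titanbay.com               # assumed host under *.infra.titanbay.com
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        # Same-namespace backend: no ReferenceGrant is needed. A backend in a
        # different namespace would need a ReferenceGrant in that namespace,
        # and that namespace would also have to be on the watch list.
        - name: argocd-server                 # assumed Service name
          port: 80                            # assumed Service port
---
# Step 2: the overlay's kustomization.yaml must list the new file, or ArgoCD
# never sees the route. (Separate file in the repo; shown here for the example.)
# File: k8s/infra-services/envoy-gateway/overlays/infra-titanbay-com/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../base
  - gateway.yaml
  - httproutes/argocd.yaml
```

After the push to `main`, `kubectl get httproute -n argocd argocd -o yaml` should show an `Accepted` condition on the parent; a missing or `False` condition usually means one of the three prerequisites (watched namespace, listed in kustomization, listener permits the route's namespace) is not met.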
Adding a Namespace to Watch List
- Edit `apps/envoy-gateway-system.yaml`
- Find the appropriate controller's `namespaces` list
- Add the new namespace
- Commit and push to `main`
Upgrading Envoy Gateway
- Update `targetRevision` in `apps/envoy-gateway-system.yaml`
- Review the Envoy Gateway changelog
- Commit and push to `main`
Related Resources
| Resource | Purpose |
|---|---|
| apps/envoy-gateway-oci-secret.yaml | OCI registry credentials for Helm chart |
| Gateway API CRDs | Installed by the Helm chart |
| GKE Gateway Controller | Native GKE integration for L7 LB |
Ignored Differences
The Applications ignore certain CRD differences to prevent sync loops:
```yaml
ignoreDifferences:
  - kind: CustomResourceDefinition
    group: apiextensions.k8s.io
    name: gatewayclasses.gateway.networking.k8s.io
    jsonPointers:
      - /metadata/annotations
      - /spec/versions
```
This is necessary because GKE’s Gateway controller may modify CRD annotations.