bda02f3 to
cdac874
jacob-ward
previously approved these changes
Mar 25, 2026
Contributor
jacob-ward
left a comment
Approved but definitely requires a second reviewer
General comment that this should definitely have been split into multiple commits, a lot of the changes are quite simple but still.
If each item in your changelog in your commit message had been its own commit this would have worked a bit better in my view.
azahmd
reviewed
Mar 25, 2026
cdac874 to
7d07ce4
7d07ce4 to
b0fc534
azahmd
approved these changes
Mar 26, 2026
contingent on this PR being merged: stfc/cloud-helm-charts#188
This deploys envoy gateway onto our staging clusters. Using the charts that will be released from the above PR.
changelog:
setup envoy gateways service - which will deploy envoyproxy and setup 2 gateways for internal and user-facing services on clusters. Deprecate ingress nginx
argocd to use envoy gateway and backendtlspolicy for full encryption for external traffic. ArgoCD to use an internal TLS certificate generated by cert-manager for encrypting east-west traffic
use cert-manager chart to setup clusterissuers on staging clusters. For worker, this will setup a letsencrypt issuer that can make http01 requests using gateway api. This cert-manager will also setup an internal TLS CA to sign internal certs for encrypting east-west traffic
setup a separate monitoring stack and setup httproute with basicauth securitypolicy to match ingress annotations, deprecate addon method of installation
setup httproute for longhorn
Setup httproute for Harbor, setup internal TLS certs and backendTLSPolicy for encrypting east-west traffic gateway->pod and pod->pod
Setup httproute for docker registry, use internal TLS and backendTLSPolicy for encrypting east-west traffic gateway->pod
Setup httproute, securitypolicies and internalTLS for opensearch - managed via cert-manager and signed with internal CA
Deprecate materials-galaxy and victoria metrics and remove those services from staging as we don't use them
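
The gateway->pod TLS pattern named in the ArgoCD changelog item, as an added example that is not taken from this PR or from the referenced charts. Every resource name, namespace and hostname is hypothetical, and the BackendTLSPolicy apiVersion depends on which Gateway API CRDs are installed.

```yaml
# Added illustration; all names below are hypothetical.
# 1. Internal CA issuer. The CA key pair secret is assumed to already exist
#    in cert-manager's cluster resource namespace.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: internal-ca
spec:
  ca:
    secretName: internal-ca-keypair
---
# 2. Serving certificate for the backend, signed by the internal CA.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: argocd-server-internal-tls
  namespace: argocd
spec:
  secretName: argocd-server-internal-tls
  dnsNames:
    - argocd-server.argocd.svc
    - argocd-server.argocd.svc.cluster.local
  issuerRef:
    kind: ClusterIssuer
    name: internal-ca
---
# 3. Tells the gateway to speak TLS to the Service and to verify the
#    backend certificate against the internal CA.
apiVersion: gateway.networking.k8s.io/v1alpha3  # v1 on newer Gateway API CRDs
kind: BackendTLSPolicy
metadata:
  name: argocd-server-backend-tls
  namespace: argocd
spec:
  targetRefs:
    - group: ""
      kind: Service
      name: argocd-server
  validation:
    caCertificateRefs:
      # Assumed to exist: ConfigMap holding the internal CA certificate
      # under the key ca.crt.
      - group: ""
        kind: ConfigMap
        name: internal-ca-bundle
    # Sent as SNI and checked against the backend certificate's SANs.
    hostname: argocd-server.argocd.svc
```

The `hostname` in the policy has to match one of the certificate's `dnsNames`; a mismatch makes the gateway reject the upstream handshake rather than fall back to plaintext.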