Use the gateway as the loadbalancer for all types of services

[RyaliNvidia]

Issue #None

Checklist

• I am familiar with the Contributing Guidelines.
• New or existing tests cover these changes.
• The documentation is up to date with these changes.

Summary by CodeRabbit

• New Features

  • Gateway/Envoy-first deployment with internal gateway and optional external service (LoadBalancer); configurable grouping, ports, and external service options.

• Chores

  • Removed legacy ingress-nginx dependency and removed per-service Ingress resources; routing now flows through the gateway.
  • Default internal endpoints updated to target the gateway for service-to-service and SSR API calls; gateway service exposure options added.

• Documentation

  • Quick-start and charts notes simplified: local access now uses gateway port-forwarding and steps renumbered; deployment docs updated to reflect gateway-based setup.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This PR removes ingress-nginx and ingress manifests, shifts exposure to an Envoy-based osmo-gateway, updates Helm values and runtime configs to reference osmo-gateway, and adjusts NOTES/docs to recommend port-forwarding to the gateway.

Changes

Cohort / File(s)	Summary
Quick-Start Chart deployments/charts/quick-start/Chart.yaml, deployments/charts/quick-start/values.yaml, deployments/charts/quick-start/templates/NOTES.txt	Removed ingress-nginx dependency; replaced top-level ingress config with service.gateway.envoy; removed per-service ingress entries; updated backend URLs to osmo-gateway.*; added port-forward NOTES.
Service Ingress Templates deployments/charts/service/templates/agent-service.yaml, deployments/charts/service/templates/api-service.yaml, deployments/charts/service/templates/logger-service.yaml	Deleted conditional networking.k8s.io/v1 Ingress resources for agent, api, and logger templates.
Web UI Chart deployments/charts/web-ui/templates/ui.yaml, deployments/charts/web-ui/values.yaml, deployments/charts/web-ui/templates/NOTES.txt	Removed UI Ingress and services.ui.ingress values; set services.ui.apiHostname to gateway address; simplified NOTES to service port-forward instructions.
Router Chart deployments/charts/router/templates/router-service.yaml, deployments/charts/router/values.yaml, deployments/charts/router/templates/NOTES.txt	Removed router Ingress and services.service.ingress values; simplified NOTES and removed TLS/URL construction logic.
Gateway / Envoy deployments/charts/service/templates/gateway.yaml, deployments/charts/service/templates/_gateway-envoy-config.tpl, deployments/charts/service/values.yaml	Gateway template now renders regardless of former gateway.enabled; internal Envoy Service is ClusterIP; conditional external -external Service added (configurable type/httpsPort/annotations); ALB group annotations made configurable; ConfigMap gate changed to if $envoy.enabled; new gateway.envoy.service/ingress settings introduced.
Service Values deployments/charts/service/values.yaml	Removed legacy services.service.ingress; removed gateway.enabled; added gateway.envoy.service and expanded gateway.envoy.ingress settings.
Quick-start & Minimal runtime values run/minimal/backend_operator_values.yaml, run/minimal/osmo_values.yaml, run/minimal/router_values.yaml, run/minimal/ui_values.yaml	Repointed serviceUrl/hostname entries from ingress-nginx-controller.ingress-nginx.svc.cluster.local → osmo-gateway.osmo.svc.cluster.local; removed ingress.sslEnabled flags; replaced sidecars with gateway/envoy scaling and disabled oauth2Proxy/authz where applicable.
KIND Startup Script run/start_service_kind.py	Removed ingress-nginx Helm add/install/wait helper functions and their call sites — no ingress-nginx install during KIND startup.
Docs (deployment & networking) docs/.../deploy_local.rst, docs/.../deploy_minimal.rst, docs/.../deploy_service.rst, docs/.../infrastructure_setup.rst, docs/.../requirements/networking.rst	Replaced ingress-focused docs with gateway-focused guidance: KIND configs, removed ingress install/setup steps, updated port-forward examples to target osmo-gateway, DNS and troubleshooting references updated to gateway.
Router NOTES deployments/charts/router/templates/NOTES.txt	Removed conditional URL/TLS construction and TLS-secret guidance; renumbered and simplified NOTES steps.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant K8s as Kubernetes
    participant Envoy as osmo-gateway (Envoy)
    participant App as Application Services

    User->>K8s: port-forward svc/osmo-gateway or access LoadBalancer
    K8s->>Envoy: request delivered to osmo-gateway service
    Envoy->>App: route request to API/UI/backend services
    App-->>Envoy: response
    Envoy-->>K8s: response returned via Service
    K8s-->>User: response delivered

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐇 I hopped through charts and nudged nginx away,
I planted Envoy where the traffic now plays,
No Ingress to tend, just a gateway to mind,
I port-forward a tunnel and watch routes unwind,
A carrot for reviewers — sleek, small, and spry!

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main architectural change: replacing ingress-nginx with an internal gateway (Envoy) as the primary load balancer and traffic router for all service types.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ryali/loadbalancer

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 42.65%. Comparing base (f6535b9) to head (b5ae73d).
⚠️ Report is 9 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #817      +/-   ##
==========================================
- Coverage   42.82%   42.65%   -0.18%     
==========================================
  Files         203      203              
  Lines       27123    27123              
  Branches     7759     7759              
==========================================
- Hits        11616    11568      -48     
- Misses      15398    15443      +45     
- Partials      109      112       +3     

Flag	Coverage Δ
backend	44.70% <ø> (-0.20%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 16 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (3)

deployments/charts/quick-start/templates/NOTES.txt (1)

24-25: Use release namespace in the port-forward command.

Hardcoding -n osmo makes NOTES inaccurate when installed into another namespace. Prefer -n {{ .Release.Namespace }}.

Proposed tweak

-   kubectl port-forward svc/osmo-gateway 80:80 -n osmo
+   kubectl port-forward svc/osmo-gateway 80:80 -n {{ .Release.Namespace }}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@deployments/charts/quick-start/templates/NOTES.txt` around lines 24 - 25,
Update the NOTES text that hardcodes the namespace in the port-forward command:
replace the literal "-n osmo" instance in the line containing "kubectl
port-forward svc/osmo-gateway 80:80 -n osmo" with the Helm release namespace
template "-n {{ .Release.Namespace }}" so the NOTES.txt uses the actual release
namespace at install time.

deployments/charts/quick-start/values.yaml (2)

621-634: Consider using FQDN for gateway hostname in init containers.

The init container uses the short hostname osmo-gateway (line 630). While this should work when pods are in the same namespace, using the FQDN osmo-gateway.osmo.svc.cluster.local would be more robust and consistent with other references in this file (e.g., line 590).

Proposed change for consistency

          until nc -z osmo-gateway 80; do
+         until nc -z osmo-gateway.osmo.svc.cluster.local 80; do
            echo "Waiting for osmo-gateway..."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@deployments/charts/quick-start/values.yaml` around lines 621 - 634, The init
container "wait-for-gateway" under initContainers uses the short hostname
"osmo-gateway" in its command; update that hostname to the cluster FQDN
"osmo-gateway.osmo.svc.cluster.local" so the nc check is robust across
namespaces and consistent with other references — modify the command sequence in
the wait-for-gateway init container to use the FQDN instead of the short name.

---

672-685: Same consideration as backend listener: use FQDN for consistency.

See previous comment about using FQDN in init containers.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@deployments/charts/quick-start/values.yaml` around lines 672 - 685, The init
container wait-for-gateway uses a short service name ("osmo-gateway") in the nc
check which should be replaced with the cluster FQDN for consistency with the
backend listener; update the command in initContainers -> name: wait-for-gateway
(the lines invoking nc -z osmo-gateway 80) to use the service FQDN (e.g.,
osmo-gateway.<namespace>.svc.cluster.local) or the Helm-templated full service
name (.Release.Namespace or your chart's fullname helper) so DNS resolution is
reliable across namespaces and matches the other init containers.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@deployments/charts/service/values.yaml`:
- Line 1234: This change flips the defaults for oauth2Proxy.enabled and
authz.enabled to false which silently disables authentication/authorization for
existing deployments; either revert these default values back to true in
values.yaml or, if you intend the breaking change, update the PR/CHANGELOG and
upgrade docs to add a clear migration note instructing users to set
gateway.oauth2Proxy.enabled: true and gateway.authz.enabled: true, and mention
the conditional rendering points in templates/gateway.yaml (blocks around lines
referencing the gateway oauth2Proxy and authz conditionals) so operators know
where to re-enable these features during upgrade.

In `@deployments/charts/web-ui/templates/NOTES.txt`:
- Line 5: The NOTES.txt contains a hardcoded kubectl target "svc/osmo-gateway"
which can be wrong when the gateway/service name is overridden; update the
kubectl port-forward line to use the chart's templated UI service name (the same
template/metadata used on Line 2) instead of the literal "svc/osmo-gateway" so
the NOTES always matches deployed resources—replace the hardcoded
"svc/osmo-gateway" reference in NOTES.txt with the chart template helper or
value used to render the UI Service name (the same helper/template that
generates the service metadata).

In `@deployments/charts/web-ui/values.yaml`:
- Line 85: The default apiHostname value "osmo-gateway:80" in values.yaml forces
NEXT_PUBLIC_OSMO_API_HOSTNAME and makes getApiHostname() always use an internal
Kubernetes DNS name; change the chart default to an empty string or remove the
apiHostname default so NEXT_PUBLIC_OSMO_API_HOSTNAME is unset by default
(allowing getApiHostname() to fall back to window.location.host), and document
in values.yaml that operators should set apiHostname only for
internal/browser-resolvable hostnames; refer to the apiHostname key and the use
of NEXT_PUBLIC_OSMO_API_HOSTNAME / getApiHostname() when making this change.

---

Nitpick comments:
In `@deployments/charts/quick-start/templates/NOTES.txt`:
- Around line 24-25: Update the NOTES text that hardcodes the namespace in the
port-forward command: replace the literal "-n osmo" instance in the line
containing "kubectl port-forward svc/osmo-gateway 80:80 -n osmo" with the Helm
release namespace template "-n {{ .Release.Namespace }}" so the NOTES.txt uses
the actual release namespace at install time.

In `@deployments/charts/quick-start/values.yaml`:
- Around line 621-634: The init container "wait-for-gateway" under
initContainers uses the short hostname "osmo-gateway" in its command; update
that hostname to the cluster FQDN "osmo-gateway.osmo.svc.cluster.local" so the
nc check is robust across namespaces and consistent with other references —
modify the command sequence in the wait-for-gateway init container to use the
FQDN instead of the short name.
- Around line 672-685: The init container wait-for-gateway uses a short service
name ("osmo-gateway") in the nc check which should be replaced with the cluster
FQDN for consistency with the backend listener; update the command in
initContainers -> name: wait-for-gateway (the lines invoking nc -z osmo-gateway
80) to use the service FQDN (e.g., osmo-gateway.<namespace>.svc.cluster.local)
or the Helm-templated full service name (.Release.Namespace or your chart's
fullname helper) so DNS resolution is reliable across namespaces and matches the
other init containers.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 192bc8a6-7d79-43a0-8952-fcc38be3d11f

📥 Commits

Reviewing files that changed from the base of the PR and between fd7f454 and 4296359.

📒 Files selected for processing (20)

• deployments/charts/quick-start/Chart.yaml
• deployments/charts/quick-start/templates/NOTES.txt
• deployments/charts/quick-start/values.yaml
• deployments/charts/router/templates/NOTES.txt
• deployments/charts/router/templates/router-service.yaml
• deployments/charts/router/values.yaml
• deployments/charts/service/templates/_gateway-envoy-config.tpl
• deployments/charts/service/templates/agent-service.yaml
• deployments/charts/service/templates/api-service.yaml
• deployments/charts/service/templates/gateway.yaml
• deployments/charts/service/templates/logger-service.yaml
• deployments/charts/service/values.yaml
• deployments/charts/web-ui/templates/NOTES.txt
• deployments/charts/web-ui/templates/ui.yaml
• deployments/charts/web-ui/values.yaml
• run/minimal/backend_operator_values.yaml
• run/minimal/osmo_values.yaml
• run/minimal/router_values.yaml
• run/minimal/ui_values.yaml
• run/start_service_kind.py

💤 Files with no reviewable changes (8)

• deployments/charts/quick-start/Chart.yaml
• run/start_service_kind.py
• deployments/charts/router/values.yaml
• deployments/charts/router/templates/router-service.yaml
• deployments/charts/service/templates/logger-service.yaml
• deployments/charts/service/templates/agent-service.yaml
• deployments/charts/service/templates/api-service.yaml
• deployments/charts/web-ui/templates/ui.yaml

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

deployments/charts/service/templates/gateway.yaml (1)

21-23: ⚠️ Potential issue | 🟡 Minor

Default values have inconsistent configuration: oauth2Proxy.enabled: true but envoy.hostname is empty.

The validation logic at lines 21-23 is correct—it enforces that gateway.envoy.hostname must be provided when gateway.oauth2Proxy.enabled is true (required for OAuth2 redirect URL). The helm-lint pipeline failure occurs because the default values.yaml enables oauth2Proxy but leaves the hostname empty.

Fix by either:

1. Setting a default gateway.envoy.hostname value in values.yaml, or
2. Setting gateway.oauth2Proxy.enabled: false by default, or
3. Creating a custom values file for the helm-lint CI test that provides a hostname when testing with oauth2Proxy enabled

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@deployments/charts/service/templates/gateway.yaml` around lines 21 - 23, The
default Helm values enable oauth2Proxy but leave gateway.envoy.hostname empty,
which triggers the validation in the template (check using
gateway.oauth2Proxy.enabled and gateway.envoy.hostname). Fix by updating the
defaults so they are consistent: either set a sensible default for
gateway.envoy.hostname in values.yaml, or change gateway.oauth2Proxy.enabled to
false in values.yaml, or add a CI/test values file that sets
gateway.envoy.hostname when running helm-lint; update the values.yaml or CI test
configuration accordingly and ensure the Helm template condition
(gateway.oauth2Proxy.enabled / gateway.envoy.hostname) no longer fails.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@deployments/charts/service/templates/gateway.yaml`:
- Around line 21-23: The default Helm values enable oauth2Proxy but leave
gateway.envoy.hostname empty, which triggers the validation in the template
(check using gateway.oauth2Proxy.enabled and gateway.envoy.hostname). Fix by
updating the defaults so they are consistent: either set a sensible default for
gateway.envoy.hostname in values.yaml, or change gateway.oauth2Proxy.enabled to
false in values.yaml, or add a CI/test values file that sets
gateway.envoy.hostname when running helm-lint; update the values.yaml or CI test
configuration accordingly and ensure the Helm template condition
(gateway.oauth2Proxy.enabled / gateway.envoy.hostname) no longer fails.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: fe163d35-f5ad-474a-b947-c6fbbf5494fd

📥 Commits

Reviewing files that changed from the base of the PR and between 4296359 and 0b1e06f.

📒 Files selected for processing (4)

• deployments/charts/service/templates/gateway.yaml
• deployments/charts/service/values.yaml
• deployments/charts/web-ui/templates/NOTES.txt
• deployments/charts/web-ui/values.yaml

✅ Files skipped from review due to trivial changes (1)

• deployments/charts/web-ui/templates/NOTES.txt

🚧 Files skipped from review as they are similar to previous changes (2)

• deployments/charts/web-ui/values.yaml
• deployments/charts/service/values.yaml

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

docs/deployment_guide/getting_started/deploy_service.rst (1)

552-558: 🛠️ Refactor suggestion | 🟠 Major

Document TLS/HTTPS configuration requirements.

The post-deployment instructions reference accessing the UI at https://osmo.example.com (Line 558), and the service verification shows port 443/TCP. However, the deployment guide's osmo_values.yaml example does not include any TLS/SSL certificate configuration for the gateway.

Users will need guidance on:

1. How to configure TLS certificates for the gateway
2. Whether the gateway supports automatic HTTPS redirect
3. How to configure gateway.envoy.service.httpsPort and related TLS settings

Consider adding a subsection or note explaining TLS configuration, or updating the example to show HTTP access (port 80) if TLS is optional for initial deployment.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/deployment_guide/getting_started/deploy_service.rst` around lines 552 -
558, Add a TLS/HTTPS subsection to the deployment guide clarifying how to
configure certificates for the gateway: document where to add TLS certs/keys in
the example osmo_values.yaml (or reference secret creation), show how to set
gateway.envoy.service.httpsPort and related TLS settings (e.g., cert secret
name, key paths, tls mode), state whether the osmo-gateway-external supports
automatic HTTP→HTTPS redirect and how to enable it, and alternatively show the
example using HTTP (port 80) if TLS is optional for initial verification; update
the post-deployment note that verifies UI access to reference these
configuration options so readers know how to reach https://osmo.example.com
securely or via HTTP for testing.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/deployment_guide/appendix/deploy_local.rst`:
- Around line 285-297: The docs currently instruct users to run "kubectl
port-forward svc/osmo-gateway 8080:80" and visit "http://quick-start.osmo:8080",
which conflicts with the quick-start chart NOTES.txt that recommends "kubectl
port-forward svc/osmo-gateway 80:80" and using "osmo login
http://quick-start.osmo"; update the text to either (A) align with the chart by
changing the port-forward command to "kubectl port-forward svc/osmo-gateway
80:80", update the /etc/hosts example and final URL to "http://quick-start.osmo"
(no :8080), and mention the recommended "osmo login http://quick-start.osmo", or
(B) if you intentionally prefer local port 8080, add a brief justification
sentence explaining why 8080 is used and keep the current command and URL;
ensure the commands referenced in the doc (kubectl port-forward svc/osmo-gateway
8080:80 / 80:80 and the URL examples) are updated consistently.

In `@docs/deployment_guide/getting_started/deploy_service.rst`:
- Around line 532-539: The documented service list shows osmo-gateway-external
as 443/TCP but the example osmo_values.yaml does not set
gateway.envoy.service.httpsPort, so update the docs to match the actual default:
either add gateway.envoy.service.httpsPort: 443 to the osmo_values.yaml example
(so the external service is 443/TCP) or change the osmo-gateway-external line in
the service list to 80/TCP to reflect the default when
gateway.envoy.service.httpsPort is unset; reference the gateway template
behavior (gateway.envoy.service.httpsPort) and the osmo-gateway-external entry
when applying the change.

---

Outside diff comments:
In `@docs/deployment_guide/getting_started/deploy_service.rst`:
- Around line 552-558: Add a TLS/HTTPS subsection to the deployment guide
clarifying how to configure certificates for the gateway: document where to add
TLS certs/keys in the example osmo_values.yaml (or reference secret creation),
show how to set gateway.envoy.service.httpsPort and related TLS settings (e.g.,
cert secret name, key paths, tls mode), state whether the osmo-gateway-external
supports automatic HTTP→HTTPS redirect and how to enable it, and alternatively
show the example using HTTP (port 80) if TLS is optional for initial
verification; update the post-deployment note that verifies UI access to
reference these configuration options so readers know how to reach
https://osmo.example.com securely or via HTTP for testing.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 658d2804-12bb-4e43-958a-e5599c4bd7eb

📥 Commits

Reviewing files that changed from the base of the PR and between 71b29a1 and 3da595a.

📒 Files selected for processing (5)

• docs/deployment_guide/appendix/deploy_local.rst
• docs/deployment_guide/appendix/deploy_minimal.rst
• docs/deployment_guide/getting_started/deploy_service.rst
• docs/deployment_guide/getting_started/infrastructure_setup.rst
• docs/deployment_guide/requirements/networking.rst

✅ Files skipped from review due to trivial changes (3)

• docs/deployment_guide/getting_started/infrastructure_setup.rst
• docs/deployment_guide/requirements/networking.rst
• docs/deployment_guide/appendix/deploy_minimal.rst

[github-actions]

📖 Docs preview: https://d3in15bfzp49i0.cloudfront.net/817/index.html