Use the gateway as the loadbalancer for all types of services

deployments/charts/quick-start/Chart.yaml

@@ -22,9 +22,6 @@ type: application
 version: 1.2.1
 
 dependencies:
-- name: ingress-nginx
-  version: 4.13.2
-  repository: https://kubernetes.github.io/ingress-nginx
 - name: service
   version: 1.2.1
   repository: file://../service

deployments/charts/quick-start/templates/NOTES.txt

@@ -21,11 +21,14 @@
 1. Add an entry to /etc/hosts:
    echo "127.0.0.1 quick-start.osmo" | sudo tee -a /etc/hosts
 
-2. Download and install the OSMO CLI:
+2. Access OSMO locally:
+   kubectl port-forward svc/osmo-gateway 80:80 -n osmo
+
+3. Download and install the OSMO CLI:
    curl -fsSL https://raw.githubusercontent.com/NVIDIA/OSMO/refs/heads/main/install.sh | bash
 
-3. Log in to OSMO:
+4. Log in to OSMO:
    osmo login http://quick-start.osmo --method=dev --username=testuser
 
-4. Explore next steps:
+5. Explore next steps:
    https://nvidia.github.io/OSMO/main/user_guide/getting_started/next_steps.html

deployments/charts/quick-start/values.yaml

@@ -70,56 +70,25 @@ global:
     ##
     region: "us-east-1"
 
-## Ingress NGINX Controller configuration
+## OSMO main service configuration
 ##
-ingress-nginx:
-  ## Override the full name of the ingress-nginx resources
-  ##
-  fullnameOverride: quick-start
-  ## Controller configuration for traffic routing
+service:
+  ## Gateway configuration — routes all external traffic through Envoy
   ##
-  controller:
-    ## Set controller name to empty string to remove the -controller suffix
-    ##
-    name: ""
-    ## Node selector constraints for ingress controller pod scheduling
-    ##
-    nodeSelector:
-      ## Schedule ingress controller on service nodes
+  gateway:
+    envoy:
+      ## Scale to 1 replica for local development
       ##
-      node_group: ingress
-    ## Service configuration for ingress controller
+      scaling:
+        minReplicas: 1
+        maxReplicas: 1
+    ## Disable auth components for local development
     ##
-    service:
-      ## Service type for ingress controller (NodePort for local access)
-      ##
-      type: NodePort
-      ## NodePort configuration for external access
-      ##
-      nodePorts:
-        ## HTTP port for external access to ingress controller
-        ##
-        http: 30080
-    ## Init containers for ingress controller
-    ##
-    ## Wait for the web UI to be up before starting ingress controller
-    ##
-    extraInitContainers:
-    - name: wait-for-web-ui
-      image: busybox:1.37.0
-      command:
-      - sh
-      - -c
-      - |
-        until nc -z osmo-ui 80; do
-          echo "Waiting for web-ui..."
-          sleep 2
-        done
-        echo "Web UI is ready"
+    oauth2Proxy:
+      enabled: false
+    authz:
+      enabled: false
 
-## OSMO main service configuration
-##
-service:
   ## Configuration for individual OSMO services
   ##
   services:
@@ -204,7 +173,7 @@ service:
     ## Main API service configuration
     ##
     service:
-      ## Hostname for the OSMO service ingress
+      ## Hostname for the OSMO service
       ##
       hostname: quick-start.osmo
       ## Kubernetes image pull policy for the API service
@@ -219,12 +188,6 @@ service:
         ## Maximum number of API service replicas
         ##
         maxReplicas: 1
-      ## Ingress configuration for external access to the API service
-      ##
-      ingress:
-        ## Enable SSL/TLS encryption for the ingress
-        ##
-        sslEnabled: false
       ## Init containers for API service
       ##
       ## Wait for data infra to be up before starting service
@@ -540,15 +503,12 @@ web-ui:
       ## Skip authentication for UI service
       ##
       skipAuth: true
-      ## Hostname for the UI service ingress
+      ## Hostname for the UI service
       ##
       hostname: quick-start.osmo
-      ## Ingress configuration for external access to the UI service
+      ## API hostname — point at the gateway for server-side rendering
       ##
-      ingress:
-        ## Enable SSL/TLS encryption for the ingress
-        ##
-        sslEnabled: false
+      apiHostname: osmo-gateway.osmo.svc.cluster.local:80
 
 ## Router service configuration
 ##
@@ -569,7 +529,7 @@ router:
     ## Main router service configuration
     ##
     service:
-      ## Hostname for the router service ingress
+      ## Hostname for the router service
       ##
       hostname: quick-start.osmo
       ## Kubernetes image pull policy for the router service
@@ -584,12 +544,6 @@ router:
         ## Maximum number of router service replicas
         ##
         maxReplicas: 1
-      ## Ingress configuration for external access to the router service
-      ##
-      ingress:
-        ## Enable SSL/TLS encryption for the ingress
-        ##
-        sslEnabled: false
       ## Init containers for router service
       ##
       ## Wait for data infra to be up before starting service
@@ -633,7 +587,7 @@ backend-operator:
   global:
     ## OSMO service URL for backend operator communication
     ##
-    serviceUrl: http://quick-start.osmo
+    serviceUrl: http://osmo-gateway.osmo.svc.cluster.local
     ## Kubernetes namespace for backend operator
     ##
     agentNamespace: osmo
@@ -664,20 +618,20 @@ backend-operator:
       imagePullPolicy: IfNotPresent
       ## Init containers for backend listener service
       ##
-      ## Wait for the agent service to be up before starting backend listener
+      ## Wait for the gateway to be up before starting backend listener
       ##
       initContainers:
-      - name: wait-for-ingress
+      - name: wait-for-gateway
         image: busybox:1.37.0
         command:
         - sh
         - -c
         - |
-          until nc -z quick-start 80; do
-            echo "Waiting for quick-start..."
+          until nc -z osmo-gateway 80; do
+            echo "Waiting for osmo-gateway..."
             sleep 2
           done
-          echo "OSMO quick start ingress is ready"
+          echo "OSMO gateway is ready"
       - name: wait-for-token
         image: alpine:3.18
         command:
@@ -689,7 +643,7 @@ backend-operator:
           set -e
           apk add --no-cache curl jq
           echo "Waiting for backend-operator-token to be created..."
-          until curl -s http://quick-start.osmo/api/auth/user/backend-operator/access_token | jq -e '.[] | select(.token_name == "backend-operator-token")' >/dev/null 2>&1; do
+          until curl -s http://osmo-gateway/api/auth/user/backend-operator/access_token | jq -e '.[] | select(.token_name == "backend-operator-token")' >/dev/null 2>&1; do
             echo "Token backend-operator-token not found, waiting..."
             sleep 2
           done
@@ -715,20 +669,20 @@ backend-operator:
       imagePullPolicy: IfNotPresent
       ## Init containers for backend worker service
       ##
-      ## Wait for the agent service to be up before starting backend worker
+      ## Wait for the gateway to be up before starting backend worker
       ##
       initContainers:
-      - name: wait-for-ingress
+      - name: wait-for-gateway
         image: busybox:1.37.0
         command:
         - sh
         - -c
         - |
-          until nc -z quick-start 80; do
-            echo "Waiting for quick-start..."
+          until nc -z osmo-gateway 80; do
+            echo "Waiting for osmo-gateway..."
             sleep 2
           done
-          echo "OSMO quick start ingress is ready"
+          echo "OSMO gateway is ready"
       - name: wait-for-token
         image: alpine:3.18
         command:
@@ -740,7 +694,7 @@ backend-operator:
           set -e
           apk add --no-cache curl jq
           echo "Waiting for backend-operator-token to be created..."
-          until curl -s http://quick-start.osmo/api/auth/user/backend-operator/access_token | jq -e '.[] | select(.token_name == "backend-operator-token")' >/dev/null 2>&1; do
+          until curl -s http://osmo-gateway/api/auth/user/backend-operator/access_token | jq -e '.[] | select(.token_name == "backend-operator-token")' >/dev/null 2>&1; do
             echo "Token backend-operator-token not found, waiting..."
             sleep 2
           done
@@ -770,4 +724,3 @@ backend-operator:
     ## Enable backend test runner
     ##
     enabled: false
-

deployments/charts/router/templates/NOTES.txt

@@ -1,19 +1,5 @@
-1. Get the application URL by running these commands:
-{{- if .Values.services.service.ingress.sslEnabled }}
-  https://{{ .Values.services.service.hostname }}{{ .Values.services.service.ingress.prefix }}api/router
-{{- else }}
-  http://{{ .Values.services.service.hostname }}{{ .Values.services.service.ingress.prefix }}api/router
-{{- end }}
-
-2. The router service is available at:
+1. The router service is available at:
   kubectl get service {{ .Values.services.service.serviceName }}
 
-3. Check the deployment status:
+2. Check the deployment status:
   kubectl get deployment {{ .Values.services.service.serviceName }}
-
-{{- if .Values.services.service.ingress.sslEnabled }}
-
-4. Create a TLS secret for OSMO if not using ALB annotations:
-  kubectl create secret tls {{ .Values.services.service.ingress.sslSecret }} --key ${KEY_FILE} --cert ${CERT_FILE}
-
-{{- end }}

deployments/charts/router/templates/router-service.yaml

@@ -255,61 +255,6 @@ spec:
   selector:
     app: {{ .Values.services.service.serviceName }}
 
-{{- if .Values.services.service.ingress.enabled }}
----
-
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: {{ .Values.services.service.serviceName }}
-  annotations:
-    {{- if .Values.services.service.ingress.albAnnotations.enabled}}
-    alb.ingress.kubernetes.io/group.name: osmo
-    alb.ingress.kubernetes.io/group.order: "50"
-    alb.ingress.kubernetes.io/target-type: ip
-    alb.ingress.kubernetes.io/certificate-arn: {{ .Values.services.service.ingress.albAnnotations.sslCertArn }}
-    {{- if .Values.services.service.webserverEnabled }}
-    alb.ingress.kubernetes.io/hostnames: '["*.{{ .Values.services.service.hostname }}", "{{ .Values.services.service.hostname }}"]'
-    {{- end }}
-    {{- end }}
-    {{- range $k, $v := .Values.services.service.ingress.annotations }}
-    {{$k}}: {{ $v | quote }}
-    {{- end }}
-spec:
-  ingressClassName: {{ .Values.services.service.ingress.ingressClass }}
-  rules:
-  {{- if .Values.services.service.webserverEnabled }}
-  - host: "*.{{ .Values.services.service.hostname }}"
-    http:
-      paths:
-      - path: {{ .Values.services.service.ingress.prefix }}
-        pathType: Prefix
-        backend:
-          service:
-            name: {{ .Values.services.service.serviceName }}
-            port:
-              number: 80
-  {{- end }}
-  - host: {{ .Values.services.service.hostname }}
-    http:
-      paths:
-      - path: {{ .Values.services.service.ingress.prefix }}api/router
-        pathType: Prefix
-        backend:
-          service:
-            name: {{ .Values.services.service.serviceName }}
-            port:
-              number: 80
-  {{- if .Values.services.service.ingress.sslEnabled }}
-  tls:
-  - hosts:
-    - {{ .Values.services.service.hostname }}
-    {{- if .Values.services.service.webserverEnabled }}
-    - "*.{{ .Values.services.service.hostname }}"
-    {{- end }}
-    secretName: {{.Values.services.service.ingress.sslSecret }}
-  {{- end }}
-{{- end }}
 ---
 
 apiVersion: autoscaling/v2

deployments/charts/router/values.yaml

@@ -154,46 +154,6 @@ services:
     #   - "example.local"
 
 
-    ## Ingress configuration for external access to the router service
-    ##
-    ingress:
-      ## Enable ingress for external access
-      ##
-      enabled: true
-
-      ## URL path prefix for all ingress rules
-      ##
-      prefix: /
-
-      ## Ingress controller class to use for routing traffic
-      ##
-      ingressClass: nginx
-
-      ## AWS Application Load Balancer (ALB) specific annotations
-      ##
-      albAnnotations:
-        ## Enable ALB-specific annotations in the ingress
-        ##
-        enabled: false
-
-        ## ARN of the SSL certificate for HTTPS traffic
-        ##
-        sslCertArn: arn:aws:acm:us-west-2:XXXXXXXXX:certificate/YYYYYYYY
-
-      ## Enable SSL/TLS encryption for the ingress
-      ##
-      sslEnabled: true
-
-      ## Name of the Kubernetes secret containing SSL/TLS certificates
-      ##
-      sslSecret: osmo-tls
-
-      ## Additional custom annotations for the ingress resource
-      ##
-      annotations: {}
-      # nginx.ingress.kubernetes.io/proxy-body-size: "100m"
-      # alb.ingress.kubernetes.io/target-type: ip
-
     ## Node selector constraints for router pod scheduling
     ## Leave empty to allow scheduling on any node
     ##

deployments/charts/service/templates/_gateway-envoy-config.tpl

@@ -29,7 +29,7 @@ setting detects this rotation and triggers Envoy to reload.
 {{- $gw := .Values.gateway }}
 {{- $envoy := $gw.envoy }}
 {{- $gwName := include "osmo.gateway-name" . }}
-{{- if and $gw.enabled $envoy.enabled }}
+{{- if $envoy.enabled }}
 apiVersion: v1
 kind: ConfigMap
 metadata: