This document explains how to configure Kelos webhook servers using the Gateway API instead of traditional Ingress resources.
- Gateway API CRDs installed in your cluster:

  ```bash
  kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/standard-install.yaml
  ```

- Gateway Controller deployed (choose one):
  - Istio: Follow Istio Gateway API setup
  - Envoy Gateway: Follow Envoy Gateway installation
  - Kong: Follow Kong Gateway API setup
  - Nginx Gateway Fabric: Follow Nginx Gateway setup
```yaml
# values.yaml
webhookServer:
  sources:
    github:
      enabled: true
      secretName: github-webhook-secret
  # Use Gateway API instead of Ingress
  gateway:
    enabled: true
    gatewayClassName: "istio" # Or your gateway class
    gatewayName: "kelos-webhook-gateway"
    host: "webhooks.your-domain.com"
    tls:
      enabled: true
      certificateRefs:
        - name: "webhook-tls-cert"
          kind: "Secret"
```

| Provider | Gateway Class | Notes |
|---|---|---|
| Istio | `istio` | Built-in with Istio installation |
| Envoy Gateway | `eg` | Default class name |
| Kong | `kong` | Configured during Kong installation |
| Nginx Gateway Fabric | `nginx` | Default class name |
```yaml
gateway:
  tls:
    enabled: true
    certificateRefs:
      - name: "my-tls-secret"
        kind: "Secret"
```

```yaml
gateway:
  enabled: true
  host: "webhooks.example.com"
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
  tls:
    enabled: true
    certificateRefs:
      - name: "webhook-tls-cert" # cert-manager will create this
        kind: "Secret"
```

Then create a Certificate resource:

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: webhook-tls-cert
  namespace: kelos-system
spec:
  secretName: webhook-tls-cert
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
    - webhooks.example.com
```

When Gateway API is enabled, webhooks are available at:
- GitHub: `https://webhooks.your-domain.com/webhook/github`
```bash
# Deploy with Gateway API enabled
helm upgrade --install kelos ./internal/manifests/charts/kelos \
  --namespace kelos-system \
  --create-namespace \
  --values webhook-gateway-values.yaml
```

- Check Gateway status:

  ```bash
  kubectl get gateway kelos-webhook-gateway -n kelos-system
  kubectl describe gateway kelos-webhook-gateway -n kelos-system
  ```

- Check HTTPRoute status:

  ```bash
  kubectl get httproute kelos-webhook-routes -n kelos-system
  kubectl describe httproute kelos-webhook-routes -n kelos-system
  ```

- Test webhook endpoint:

  ```bash
  curl -I https://webhooks.your-domain.com/webhook/github
  ```
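A scripted version of the Gateway status check above, as an added example that is not part of the Kelos documentation or chart: it audits `kubectl get gateway kelos-webhook-gateway -n kelos-system -o json` output for plaintext listeners on the webhook host, HTTPS listeners without `certificateRefs`, `allowedRoutes` open to every namespace, and unresolved references. The embedded JSON is a constructed sample, and `audit_gateway` is a hypothetical helper name.

```python
import json

# Constructed sample, trimmed to the fields checked below; real input would be
#   kubectl get gateway kelos-webhook-gateway -n kelos-system -o json
SAMPLE = json.loads("""
{"spec": {"listeners": [
   {"name": "http", "protocol": "HTTP", "port": 80,
    "hostname": "webhooks.your-domain.com",
    "allowedRoutes": {"namespaces": {"from": "All"}}},
   {"name": "https", "protocol": "HTTPS", "port": 443,
    "hostname": "webhooks.your-domain.com",
    "tls": {"mode": "Terminate",
            "certificateRefs": [{"kind": "Secret", "name": "webhook-tls-cert"}]}}]},
 "status": {
   "conditions": [{"type": "Accepted", "status": "True"},
                  {"type": "Programmed", "status": "True"}],
   "listeners": [
     {"name": "http", "conditions": [{"type": "ResolvedRefs", "status": "True"}]},
     {"name": "https", "conditions": [{"type": "ResolvedRefs", "status": "False"}]}]}}
""")

def _conds(obj):
    """Map condition type -> status ("True"/"False"/"Unknown")."""
    return {c["type"]: c["status"] for c in obj.get("conditions", [])}

def audit_gateway(gw, host):
    """Return findings for the Gateway and for each listener serving `host`."""
    status = gw.get("status", {})
    findings = [f"gateway: condition {t} is not True"
                for t in ("Accepted", "Programmed") if _conds(status).get(t) != "True"]
    per_listener = {l["name"]: _conds(l) for l in status.get("listeners", [])}
    for l in gw["spec"]["listeners"]:
        if l.get("hostname") not in (None, host):  # exact or unset hostname only
            continue
        name, tls = l["name"], l.get("tls", {})
        if l["protocol"] != "HTTPS":
            findings.append(f"{name}: webhook host served over {l['protocol']}")
        elif tls.get("mode", "Terminate") == "Terminate" and not tls.get("certificateRefs"):
            findings.append(f"{name}: HTTPS listener has no certificateRefs")
        if l.get("allowedRoutes", {}).get("namespaces", {}).get("from") == "All":
            findings.append(f"{name}: HTTPRoutes from any namespace may attach")
        if per_listener.get(name, {}).get("ResolvedRefs") == "False":
            findings.append(f"{name}: ResolvedRefs is False, check the TLS Secret")
    return findings

if __name__ == "__main__":
    for finding in audit_gateway(SAMPLE, "webhooks.your-domain.com"):
        print("FINDING", finding)
```

A plaintext listener that exists only to redirect to HTTPS will still be reported; review such findings against the attached HTTPRoute rather than suppressing the check.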
| Feature | Ingress | Gateway API |
|---|---|---|
| Maturity | Stable, widely supported | Newer, growing adoption |
| Flexibility | Basic HTTP routing | Advanced routing, protocol support |
| Multi-tenancy | Limited | Built-in namespace isolation |
| Traffic splitting | Extension-specific | Native support |
| Protocol support | HTTP/HTTPS mainly | HTTP, HTTPS, TCP, UDP, gRPC |
| Vendor lock-in | Controller-specific annotations | Standardized API |
```bash
# Check gateway controller logs
kubectl logs -n istio-system deployment/istio-gateway
# Check gateway events
kubectl get events --field-selector involvedObject.name=kelos-webhook-gateway -n kelos-system
```

```bash
# Check HTTPRoute status
kubectl describe httproute kelos-webhook-routes -n kelos-system
# Verify backend services exist
kubectl get svc -l app.kubernetes.io/component=webhook-github -n kelos-system
```

```bash
# Check certificate status (if using cert-manager)
kubectl get certificate webhook-tls-cert -n kelos-system
kubectl describe certificate webhook-tls-cert -n kelos-system
# Check secret exists
kubectl get secret webhook-tls-cert -n kelos-system
```