EAI 5821 evaluate envoy gateway as unified gateway platform cluster forge

.github/workflows/README.md

@@ -0,0 +1,52 @@
+# GitHub Actions Workflows
+
+This directory contains CI/CD workflows for cluster-forge.
+
+## Workflow files
+
+| Workflow | Trigger | Purpose |
+|---|---|---|
+| `helm-chart-checks.yaml` | `pull_request` | Validates Helm charts and Kyverno policy test coverage. |
+| `pr-component-validation.yaml` | `pull_request` (path-filtered), `workflow_dispatch` | Validates SBOM/component sync when key files change. |
+| `release-pipeline.yaml` | `workflow_dispatch` | Calculates release version, creates prerelease artifact, and publishes SBOM. |
+
+## Workflow details
+
+### `helm-chart-checks.yaml`
+
+- Runs on PR events (`opened`, `synchronize`, `reopened`, `ready_for_review`, `converted_to_draft`).
+- Validates `root` chart with all sizing values files (`values`, `values_small`, `values_medium`, `values_large`).
+- Lints and templates Kyverno policy charts.
+- Enforces Kyverno test coverage (test folder, `kyverno-test.yaml`, resource files, and policy mapping).
+- Runs `kyverno test` against generated policy manifests.
+- Includes a comprehensive coverage job to ensure all charts under `sources/kyverno-policies` are included in CI.
+
+### `pr-component-validation.yaml`
+
+- Runs on manual dispatch and PRs to `main` when these files change:
+  - `sbom/components.yaml`
+  - `root/values.yaml`
+  - `sbom/*.sh`
+- Installs `yq` and executes `sbom/validate-sync.sh`.
+- Acts as a gate to keep SBOM/component definitions consistent.
+
+### `release-pipeline.yaml`
+
+- Manual workflow with optional input: `version_override`.
+- Job `release`:
+  - Checks out full history.
+  - Computes next semantic version (`ietf-tools/semver-action`) unless overridden.
+  - Warns when `scripts/bootstrap.sh` `LATEST_RELEASE` base version does not match release base version.
+  - Packages `root/`, `scripts/`, and `sources/` into `release-enterprise-ai-<version>.tar.gz`.
+  - Creates a GitHub prerelease with generated notes.
+- Job `sbom` (depends on `release`):
+  - Generates SBOM via `sbom/generate-sbom.sh`.
+  - Renames output to `sbom-<version>-<short-sha>.md`.
+  - Uploads SBOM asset to the GitHub release with `--clobber`.
+
+## Operating notes
+
+- PR workflows perform validation only and do not publish releases.
+- Use **Actions -> Release Pipeline -> Run workflow** to cut a release.
+- Set `version_override` when you need a specific tag.
+- Keep `LATEST_RELEASE` in `scripts/bootstrap.sh` aligned with the release stream to avoid warnings.

README.md

@@ -189,6 +189,7 @@ Comprehensive documentation is available in the `/docs` folder:
 | **Policy System** | [Kyverno Modular Design](docs/kyverno_modular_design.md) |
 | **Storage Policies** | [Kyverno Access Mode Policy](docs/kyverno_access_mode_policy.md) |
 | **Operations** | [Backup and Restore](docs/backup_and_restore.md) |
+| **CI/CD** | [Workflow Documentation](.github/workflows/README.md) |
 
 Additional documentation:
 - **SBOM**: See `/sbom` folder for software bill of materials generation and validation

root/templates/cluster-apps.yaml

@@ -24,14 +24,12 @@ spec:
   sources:
     # Primary source: OCI/external chart
     - repoURL: {{ $renderedRepoURL }}
-      {{- if hasPrefix "oci://" $renderedRepoURL }}
-      {{- if eq .path "." }}
-      chart: {{ trimPrefix "oci://" $renderedRepoURL | base }}
-      {{- else }}
-      chart: {{ .path }}
-      {{- end }}
-      {{- else }}
+      {{- if and .path (not (hasPrefix "oci://" $renderedRepoURL)) }}
       path: {{ .path }}
+      {{- else if .chart }}
+      chart: {{ .chart }}
+      {{- else if hasPrefix "oci://" $renderedRepoURL }}
+      path: {{ .path | default "." }}
       {{- end }}
       targetRevision: {{ .repoVersion | default $clusterForgeTargetRevision | quote }}
       helm:
@@ -72,16 +70,18 @@ spec:
   source:
     repoURL: {{ $renderedRepoURL | default $clusterForgeRepoUrl }}
     targetRevision: {{ .repoVersion | default $clusterForgeTargetRevision | quote }}
-    {{- if .chart }}
+    {{- if and .path (not (hasPrefix "oci://" $renderedRepoURL)) }}
+    {{- if .repoURL }}
+    path: {{ .path }}
+    {{- else }}
+    path: sources/{{ .path }}
+    {{- end }}
+    {{- else if .chart }}
     chart: {{ .chart }}
     {{- else if .repoURL }}
     {{- if hasPrefix "oci://" $renderedRepoURL }}
     path: {{ .path | default "." }}
-    {{- else }}
-    path: {{ .path }}
     {{- end }}
-    {{- else }}
-    path: sources/{{ .path }}
     {{- end }}
     {{- if or .valuesFile .valuesObject .helmParameters }}
     helm:

root/values.yaml

@@ -582,6 +582,53 @@ apps:
     syncWave: -30
     valuesObject:
       kubernetesClusterDomain: cluster.local
+      config:
+        envoyGateway:
+          extensionApis:
+            enableBackend: true
+          extensionManager:
+            # Tolerate the AI extension erroring on the tls-passthrough gateway's L4
+            # listener (it tries to splice an HTTP filter into a TCP chain with no
+            # HTTPConnectionManager). With mergeGateways:false each gateway is its own
+            # translation pass, so the https proxy still gets the EPP ext_proc filter
+            # while the passthrough proxy keeps its original (correct) xDS instead of
+            # failing translation and getting stuck in init.
+            failOpen: true
+            resources:
+              - group: aigateway.envoyproxy.io
+                version: v1beta1
+                kind: AIGatewayRoute
+              - group: aigateway.envoyproxy.io
+                version: v1beta1
+                kind: AIServiceBackend
+            backendResources:
+              - group: inference.networking.k8s.io
+                version: v1
+                kind: InferencePool
+            hooks:
+              xdsTranslator:
+                translation:
+                  listener:
+                    # Hand the AI extension every listener so the EPP ext_proc filter
+                    # gets injected into the shared https :443 listener (owned by the
+                    # Gateway, not by AIGatewayRoute) — required for InferencePool routes,
+                    # which otherwise 503 because nothing sets x-gateway-destination-endpoint.
+                    # The L4 tls-passthrough listener also reaches the extension and errors,
+                    # but failOpen:true (above) keeps that proxy's xDS intact.
+                    includeAll: true
+                  route:
+                    includeAll: true
+                  cluster:
+                    includeAll: true
+                  secret:
+                    includeAll: true
+                post:
+                  - Translation
+                  - Cluster
+                  - Route
+            service:
+              host: ai-gateway-controller.envoy-ai-gateway-system.svc.cluster.local
+              port: 1063
   envoy-gateway-config:
     helmParameters:
       - name: domain
@@ -590,6 +637,23 @@ apps:
     path: envoy-gateway-config
     syncWave: -15
     valuesFile: values.yaml
+  envoy-ai-gateway-crds:
+    namespace: envoy-ai-gateway-system
+    path: envoy-ai-gateway-crds/v0.6.0
+    syncWave: -10
+  envoy-ai-gateway:
+    namespace: envoy-ai-gateway-system
+    path: envoy-ai-gateway/v0.6.0
+    syncWave: -5
+    valuesObject:
+      controller:
+        mcp:
+          sessionEncryption:
+            seed: "cluster-forge-default-seed-override-in-production"
+  inference-extension-crds:
+    namespace: envoy-ai-gateway-system
+    path: inference-extension-crds/v1.5.0
+    syncWave: -10
   kserve:
     namespace: kserve-system
     path: kserve/v0.16.0

root/values_large.yaml

@@ -20,8 +20,11 @@ enabledApps:
   - cnpg-operator
   - external-secrets
   - external-secrets-config
+  - inference-extension-crds
   - envoy-gateway
   - envoy-gateway-config
+  - envoy-ai-gateway-crds
+  - envoy-ai-gateway
   - gitea
   - gitea-config
   - kaiwo

root/values_medium.yaml

@@ -22,8 +22,11 @@ enabledApps:
   - cnpg-operator
   - external-secrets
   - external-secrets-config
+  - inference-extension-crds
   - envoy-gateway
   - envoy-gateway-config
+  - envoy-ai-gateway-crds
+  - envoy-ai-gateway
   - gitea
   - gitea-config
   - kaiwo

root/values_small.yaml

@@ -27,8 +27,11 @@ enabledApps:
   - cnpg-operator
   - external-secrets
   - external-secrets-config
+  - inference-extension-crds
   - envoy-gateway
   - envoy-gateway-config
+  - envoy-ai-gateway-crds
+  - envoy-ai-gateway
   - gitea
   - gitea-config
   - kaiwo

sbom/components.yaml

@@ -119,6 +119,18 @@ components:
     projectUrl: https://github.com/cloudnative-pg/cloudnative-pg
     license: Apache License 2.0
     licenseUrl: https://github.com/cloudnative-pg/cloudnative-pg/blob/main/LICENSE
+  envoy-ai-gateway:
+    path: envoy-ai-gateway/v0.6.0
+    sourceUrl: oci://docker.io/envoyproxy/ai-gateway-helm
+    projectUrl: https://github.com/envoyproxy/ai-gateway
+    license: Apache License 2.0
+    licenseUrl: https://github.com/envoyproxy/ai-gateway/blob/main/LICENSE
+  envoy-ai-gateway-crds:
+    path: envoy-ai-gateway-crds/v0.6.0
+    sourceUrl: oci://docker.io/envoyproxy/ai-gateway-crds-helm
+    projectUrl: https://github.com/envoyproxy/ai-gateway
+    license: Apache License 2.0
+    licenseUrl: https://github.com/envoyproxy/ai-gateway/blob/main/LICENSE
   envoy-gateway:
     path: envoy-gateway/v1.7.1
     sourceUrl: oci://docker.io/envoyproxy/gateway-helm
@@ -138,6 +150,12 @@ components:
     projectUrl: https://github.com/go-gitea/gitea
     license: MIT License
     licenseUrl: https://github.com/go-gitea/gitea/blob/main/LICENSE
+  inference-extension-crds:
+    path: inference-extension-crds/v1.5.0
+    sourceUrl: https://github.com/kubernetes-sigs/gateway-api-inference-extension
+    projectUrl: https://github.com/kubernetes-sigs/gateway-api-inference-extension
+    license: Apache License 2.0
+    licenseUrl: https://github.com/kubernetes-sigs/gateway-api-inference-extension/blob/main/LICENSE
   kaiwo:
     path: null
     repoVersion: v0.2.1

sources/cluster-auth/0.5.9/values.yaml

@@ -3,7 +3,7 @@ replicaCount: 1
 image:
   repository: ghcr.io/silogen/cluster-auth
   pullPolicy: Always
-  tag: "0.5.9"
+  tag: "0.6.0-rc8"
 
 imagePullSecrets: []
 nameOverride: ""

sources/envoy-ai-gateway-crds/v0.6.0/Chart.yaml

@@ -0,0 +1,20 @@
+apiVersion: v2
+appVersion: v0.6.0
+description: The Helm chart for Envoy AI Gateway CRD
+home: https://aigateway.envoyproxy.io/
+icon: https://raw.githubusercontent.com/envoyproxy/ai-gateway/refs/heads/main/site/static/img/logo.svg
+keywords:
+- gateway-api
+- envoyproxy
+- envoy-gateway
+- eg
+- ai-gateway
+- ai
+maintainers:
+- name: envoy-ai-gateway-maintainers
+  url: https://github.com/envoyproxy/ai-gateway/blob/main/CODEOWNERS
+name: ai-gateway-crds-helm
+sources:
+- https://github.com/envoyproxy/ai-gateway
+type: application
+version: v0.6.0