From 300090c7d7d5695cc94e747494d5ade441ab0d20 Mon Sep 17 00:00:00 2001
From: "christian.huth"
Date: Tue, 16 Jun 2026 16:06:51 +0200
Subject: [PATCH] adjust values.yaml to include documentation for cilium setup
---
charts/netbird/values.yaml | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/charts/netbird/values.yaml b/charts/netbird/values.yaml
index c0b61f6..994e1b9 100644
--- a/charts/netbird/values.yaml
+++ b/charts/netbird/values.yaml
@@ -508,6 +508,37 @@ server:
 # gRPC over HTTP/2 — including plaintext h2c — so this works without TLS
 # when the Gateway listener is HTTP. rules pass through to
 # GRPCRoute.spec.rules; backendRefs are auto-filled when omitted.
+ #
+ # CILIUM GATEWAY API — DEDICATED LISTENER REQUIRED:
+ # When a GRPCRoute and an HTTPRoute share the same Gateway listener section
+ # (sectionName), Cilium's translator generates a filter chain without the
+ # grpc_web/grpc_stats HTTP filters and sets the codec to HTTP1, causing all
+ # external gRPC connections to fail. Attach the GRPCRoute to a dedicated
+ # listener section that has no HTTPRoutes:
+ #
+ # parentRefs:
+ # - name: my-gateway
+ # namespace: gateway-system
+ # sectionName: netbird-grpc-https # gRPC-only listener
+ #
+ # Set dashboard.config.mgmtGrpcApiEndpoint to the hostname served by this
+ # dedicated listener. Also enable gatewayAPI.enableAlpn=true in Cilium so
+ # that h2 is advertised in TLS ALPN and gRPC clients negotiate HTTP/2.
+ #
+ # If in-cluster components (e.g. Netbird operator, NetworkRouter) connect to
+ # the original hostname for both REST and gRPC, add a second parentRef for
+ # the shared listener so in-cluster gRPC routing continues to work:
+ #
+ # hostnames:
+ # - netbird.example.com # original, for in-cluster components
+ # - netbird-grpc.example.com # dedicated gRPC listener, for external clients
+ # parentRefs:
+ # - name: my-gateway
+ # namespace: gateway-system
+ # sectionName: netbird-https # shared with HTTPRoutes (in-cluster)
+ # - name: my-gateway
+ # namespace: gateway-system
+ # sectionName: netbird-grpc-https # gRPC-only (external clients)
 grpcRoute:
 enabled: false
 parentRefs: []
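Review bot: The second example re-attaches the GRPCRoute to `netbird-https`, the listener shared with HTTPRoutes, which is the arrangement the first paragraph says makes Cilium drop the gRPC filters and fall back to HTTP1, and the comment does not explain why in-cluster gRPC would still work there. A reader who applies it may still see gRPC failures on the original hostname, so consider a line such as `# NOTE: gRPC on the shared listener is still subject to the limitation above; only <IN-CLUSTER PATH> is expected to work there.` The note names no Cilium version, so nobody can tell when it stops applying; `# Observed with Cilium <VERSION>` would fix that. Because the context lines just above mention plaintext h2c, it would also help to state that the dedicated listener in the example is an HTTPS listener, since the `enableAlpn` advice presumably only matters when TLS is terminated there.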