Envoy Gateway
Kubernetes Gateway API implementation backed by Envoy Proxy.
Envoy Gateway is an open-source project that implements the Kubernetes Gateway API using Envoy Proxy as the data plane. It translates Gateway, HTTPRoute, GRPCRoute, and other Gateway API resources into Envoy xDS configuration. It is used in this cluster as the primary ingress/egress gateway, replacing traditional Ingress controllers with the standardized Gateway API.
Alternatives considered
Self Hosted
| Tool | Open Source | Full Features | Notes |
|---|---|---|---|
| ingress-nginx | Yes | Yes | Mature; uses Nginx; Ingress API only |
| Traefik | Yes | Yes | Supports both Ingress and Gateway API |
| Contour | Yes | Yes | Envoy-based; predates Gateway API |
| Istio | Yes | Yes | Full service mesh + Gateway API; more complex |
Installation
Architecture
HelmRelease envoy-gateway in namespace envoy-gateway-system, chart gateway-helm version 1.7.1 from the OCI registry oci://docker.io/envoyproxy. CRDs are skipped on install and upgrade and are managed separately. extensionApis.enableBackend: true turns on the Backend extension API, which lets routes target Envoy Gateway Backend resources directly instead of only Kubernetes Services.
Security
No securityContext is set at the HelmRelease level, so the chart defaults apply; check what actually runs with `kubectl get deploy envoy-gateway -n envoy-gateway-system -o yaml` rather than assuming hardened settings. RBAC is cluster-wide: the controller must watch Gateways and Routes in every namespace, so its ClusterRole cannot be scoped to a single namespace. The Envoy proxy data-plane pods are created dynamically, one set per Gateway object, and run with the chart's proxy defaults unless overridden.
Updates
Managed by Renovate. Chart version is semver-pinned (1.7.1).
Administration
Usage
Operators define GatewayClass and Gateway resources to provision Envoy proxy instances, then attach HTTPRoute or GRPCRoute resources to route traffic to backend services. EnvoyPatchPolicy and BackendTLSPolicy resources allow fine-grained Envoy configuration; note that EnvoyPatchPolicy is disabled by default and only works when extensionApis.enableEnvoyPatchPolicy is set in the EnvoyGateway config (the values rendered below enable only the Backend API). All public-facing and cluster-internal HTTP/HTTPS routing goes through Envoy Gateway.
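The resource chain described above, as an added example that is not from this page or the Envoy Gateway project. The GatewayClass and Gateway names (`eg`), the wildcard TLS Secret (`wildcard-tls`), the app namespace (`immich`), the Service name and port (`immich-server:2283`), the `gateway-access=true` namespace label and the hostnames are all assumptions for illustration. The controllerName is the one Envoy Gateway registers.

```yaml
# Added example; names, hostnames and the Service are assumed, not taken from the cluster.
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: eg
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: eg
  namespace: envoy-gateway-system
spec:
  gatewayClassName: eg
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      hostname: "*.example.internal"
      tls:
        mode: Terminate
        certificateRefs:
          - kind: Secret
            name: wildcard-tls   # assumed; must live in the Gateway's namespace unless a ReferenceGrant allows otherwise
      allowedRoutes:
        namespaces:
          from: Selector         # only labelled namespaces may attach routes; "All" would let any namespace claim a hostname
          selector:
            matchLabels:
              gateway-access: "true"
    - name: http
      protocol: HTTP
      port: 80
      hostname: "*.example.internal"
      allowedRoutes:
        namespaces:
          from: Selector
          selector:
            matchLabels:
              gateway-access: "true"
---
# Plain-HTTP listener only ever redirects; attaches by sectionName so it cannot serve traffic over the https listener.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: immich-https-redirect
  namespace: immich
spec:
  parentRefs:
    - name: eg
      namespace: envoy-gateway-system
      sectionName: http
  hostnames:
    - immich.example.internal
  rules:
    - filters:
        - type: RequestRedirect
          requestRedirect:
            scheme: https
            statusCode: 301
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: immich
  namespace: immich
spec:
  parentRefs:
    - name: eg
      namespace: envoy-gateway-system
      sectionName: https
  hostnames:
    - immich.example.internal
  rules:
    - backendRefs:
        - name: immich-server   # assumed Service in the same namespace as the route
          port: 2283
```

The app namespace has to carry the label the listener selects on (`kubectl label ns immich gateway-access=true`) before its routes are accepted; with `from: All` instead, any namespace that can create an HTTPRoute could attach a route for any hostname the listener matches, which is why the selector is the safer default in a multi-tenant cluster. A backendRef into a different namespace additionally requires a ReferenceGrant in the target namespace.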
Cluster-specific deviations from the above live in the per-cluster README — see k8s/infrastructure/talos/controllers/envoy-gateway/README.md.
Cluster Deployment
- Talos
- Edge
- audiobookshelf
- baserow
- bichon
- defectdojo
- filebrowser
- fileflows
- gatus
- gitea
- homepage
- immich
- it-tools
- jellyfin
- keycloak
- kiwix
- komga
- lldap
- memos
- miniflux
- monitoring
- n8n
- navidrome
- nextcloud
- ntfy
- outline
- paperless
- pocketid
- policy-reporter
- privatebin
- romm
- selenium
- spotify
- tachiyomi
- tandoor
- tube-archivist
- vaultwarden
- vikunja
Envoy Gateway — Talos cluster
Cluster-specific notes only. General product info, "why we use it", and alternatives live in docusaurus/docs/platform/envoy-gateway.mdx.
Deviations from defaults
Defaults live in docusaurus/docs/platform/envoy-gateway.mdx — document anything this cluster does differently here, with a one-line reason.
- HelmRelease: gateway-helm@1.8.1
- HelmRepo: envoy-gateway (oci://docker.io/envoyproxy)
Rendered manifests (kustomize build)

```yaml
apiVersion: v1
data:
  values.yaml: |
    kubernetesClusterDomain: cluster.local
    config:
      envoyGateway:
        extensionApis:
          enableBackend: true
kind: ConfigMap
metadata:
  name: envoy-gateway-values-m226g8bb5t
  namespace: envoy-gateway-system
```
- HelmRelease: gateway-helm@1.8.1
- HelmRepo: envoy-gateway (oci://docker.io/envoyproxy)
Rendered manifests (kustomize build)

```yaml
apiVersion: v1
data:
  values.yaml: 'kubernetesClusterDomain: cluster.local'
kind: ConfigMap
metadata:
  name: envoy-gateway-values-h2ht5gck87
  namespace: envoy-gateway-system
```