feat: add Gateway resource template for cluster-level Traefik

- Add templates/gateway.yaml to create a dedicated Gateway resource
- Add gateway configuration section to values.yaml with HTTP listeners
- Disable Traefik subchart's gateway creation (traefik.gateway.enabled: false)

Background:
With Traefik being deployed at the cluster level for dev/staging/production
environments, the LFX platform applications can no longer rely on the
Traefik Helm subchart to create the Gateway resource. This change ensures
the chart creates its own Gateway resource that applications can reference,
maintaining independence from cluster-level infrastructure components.

The new Gateway template provides:
- Configurable listeners (HTTP on ports 8000 and 8080 by default)
- Support for annotations and labels
- Flexible namespace targeting with allowedRoutes configuration
- Foundation for future HTTPS/TLS certificate integration

This architectural change supports better separation of concerns between
infrastructure (cluster-level Traefik) and application-level routing
configurations.

Signed-off-by: Alan Sherman <[email protected]>

Author: AlanSherman

charts/lfx-platform/Chart.lock

@@ -4,7 +4,7 @@ dependencies:
   version: 36.2.0
 - name: openfga
   repository: https://openfga.github.io/helm-charts
-  version: 0.2.39
+  version: 0.2.41
 - name: heimdall
   repository: oci://ghcr.io/dadrus/heimdall/chart
   version: 0.15.8
@@ -19,7 +19,7 @@ dependencies:
   version: 0.25.2
 - name: authelia
   repository: https://charts.authelia.com
-  version: 0.10.41
+  version: 0.10.42
 - name: nack
   repository: https://nats-io.github.io/k8s/helm/charts/
   version: 0.29.1
@@ -32,5 +32,5 @@ dependencies:
 - name: trust-manager
   repository: https://charts.jetstack.io
   version: v0.18.0
-digest: sha256:62f9779ba2521042d18193fcaa7010ed905045c61579997d6551b2e9c23437fc
-generated: "2025-08-06T13:14:49.133573-07:00"
+digest: sha256:749e5824417f2149f41a3a67874c6134bd105d2fc384fb85dd2e9cb45f52d8e8
+generated: "2025-08-13T15:54:36.945865-07:00"

charts/lfx-platform/templates/_traefik.tpl

@@ -8,8 +8,8 @@ Determine if HTTPS is enabled and get the HTTPS listener name in a single loop
 */}}
 {{- define "lfx-platform.https-enabled" -}}
 {{- $httpsEnabled := false -}}
-{{- if .Values.traefik.gateway.listeners -}}
-  {{- range $name, $listener := .Values.traefik.gateway.listeners -}}
+{{- if .Values.gateway.listeners -}}
+  {{- range $name, $listener := .Values.gateway.listeners -}}
     {{- if eq $listener.protocol "HTTPS" -}}
       {{- $httpsEnabled = true -}}
       {{- break -}}
@@ -24,8 +24,8 @@ Get the HTTPS listener name (sectionName) from gateway listeners
 */}}
 {{- define "lfx-platform.https-listener" -}}
 {{- $httpsListener := "websecure" -}}
-{{- if .Values.traefik.gateway.listeners -}}
-  {{- range $name, $listener := .Values.traefik.gateway.listeners -}}
+{{- if .Values.gateway.listeners -}}
+  {{- range $name, $listener := .Values.gateway.listeners -}}
     {{- if eq $listener.protocol "HTTPS" -}}
       {{- $httpsListener = $name -}}
       {{- break -}}
@@ -41,11 +41,11 @@ Prioritize "web" listener if it exists, otherwise use the first HTTP listener fo
 */}}
 {{- define "lfx-platform.http-listener" -}}
 {{- $httpListener := "web" -}}
-{{- if .Values.traefik.gateway.listeners -}}
-  {{- if index .Values.traefik.gateway.listeners "web" -}}
+{{- if .Values.gateway.listeners -}}
+  {{- if index .Values.gateway.listeners "web" -}}
     {{- $httpListener = "web" -}}
   {{- else -}}
-    {{- range $name, $listener := .Values.traefik.gateway.listeners -}}
+    {{- range $name, $listener := .Values.gateway.listeners -}}
       {{- if eq $listener.protocol "HTTP" -}}
         {{- $httpListener = $name -}}
         {{- break -}}

charts/lfx-platform/templates/gateway.yaml

@@ -0,0 +1,67 @@
+{{/*
+Copyright The Linux Foundation and each contributor to LFX.
+SPDX-License-Identifier: MIT
+*/}}
+{{- if .Values.gateway.enabled }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: {{ .Values.gateway.name | default "lfx-platform-gateway" }}
+  namespace: {{ .Values.gateway.namespace | default .Release.Namespace }}
+  {{- with .Values.gateway.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    {{- include "lfx-platform.labels" . | nindent 4 }}
+    {{- with .Values.gateway.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  gatewayClassName: {{ .Values.gateway.gatewayClassName | default "traefik" }}
+  listeners:
+    {{- range $name, $listener := .Values.gateway.listeners }}
+    - name: {{ $name }}
+      port: {{ $listener.port }}
+      protocol: {{ $listener.protocol }}
+      {{- if $listener.hostname }}
+      hostname: {{ $listener.hostname }}
+      {{- end }}
+      {{- if $listener.allowedRoutes }}
+      allowedRoutes:
+        {{- if $listener.allowedRoutes.namespaces }}
+        namespaces:
+          {{- if $listener.allowedRoutes.namespaces.from }}
+          from: {{ $listener.allowedRoutes.namespaces.from }}
+          {{- end }}
+          {{- if $listener.allowedRoutes.namespaces.selector }}
+          selector:
+            {{- toYaml $listener.allowedRoutes.namespaces.selector | nindent 12 }}
+          {{- end }}
+        {{- end }}
+        {{- if $listener.allowedRoutes.kinds }}
+        kinds:
+          {{- toYaml $listener.allowedRoutes.kinds | nindent 10 }}
+        {{- end }}
+      {{- end }}
+      {{- if and (eq $listener.protocol "HTTPS") $listener.tls }}
+      tls:
+        mode: {{ $listener.tls.mode | default "Terminate" }}
+        {{- if $listener.tls.certificateRefs }}
+        certificateRefs:
+          {{- range $listener.tls.certificateRefs }}
+          - group: {{ .group | default "" | quote }}
+            kind: {{ .kind | default "Secret" }}
+            name: {{ .name }}
+            {{- if .namespace }}
+            namespace: {{ .namespace }}
+            {{- end }}
+          {{- end }}
+        {{- end }}
+        {{- if $listener.tls.options }}
+        options:
+          {{- toYaml $listener.tls.options | nindent 10 }}
+        {{- end }}
+      {{- end }}
+    {{- end }}
+{{- end }}

charts/lfx-platform/templates/heimdall/middleware.yaml

@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: MIT
 ---
 {{ if and .Values.heimdall.enabled (or
-  .Values.traefik.enabled .Values.lfx.parentGateway.enabled) -}}
+  .Values.gateway.enabled .Values.lfx.parentGateway.enabled) -}}
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:

charts/lfx-platform/templates/mailpit/httproute.yaml

@@ -2,16 +2,16 @@
 # SPDX-License-Identifier: MIT
 ---
 {{ if and .Values.mailpit.enabled (or
-  .Values.traefik.enabled .Values.lfx.parentGateway.enabled) -}}
+  .Values.gateway.enabled .Values.lfx.parentGateway.enabled) -}}
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
   name: {{ include "common.names.fullname" .Subcharts.mailpit }}
   namespace: {{ .Release.Namespace }}
 spec:
   parentRefs:
-{{- if .Values.traefik.enabled }}
-    - name: {{ .Values.traefik.gateway.name }}
+{{- if .Values.gateway.enabled }}
+    - name: {{ .Values.gateway.name | default "lfx-platform-gateway" }}
       sectionName: {{ include "lfx-platform.default-listener" . }}
       namespace: {{ .Release.Namespace }}
 {{- else }}

charts/lfx-platform/templates/mailpit/https-redirect-httproute.yaml

@@ -2,16 +2,16 @@
 # SPDX-License-Identifier: MIT
 ---
 {{ if and .Values.mailpit.enabled (include "lfx-platform.https-enabled" .) (or
-  .Values.traefik.enabled .Values.lfx.parentGateway.enabled) -}}
+  .Values.gateway.enabled .Values.lfx.parentGateway.enabled) -}}
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
   name: mailpit-https-redirect
   namespace: {{ .Release.Namespace }}
 spec:
   parentRefs:
-{{- if .Values.traefik.enabled }}
-    - name: {{ .Values.traefik.gateway.name }}
+{{- if .Values.gateway.enabled }}
+    - name: {{ .Values.gateway.name | default "lfx-platform-gateway" }}
       sectionName: {{ include "lfx-platform.http-listener" . }}
       namespace: {{ .Release.Namespace }}
 {{- else }}

charts/lfx-platform/templates/whoami/httproute.yaml

@@ -2,16 +2,16 @@
 # SPDX-License-Identifier: MIT
 ---
 {{- if and .Values.lfx.whoami.enabled (or
-  .Values.traefik.enabled .Values.lfx.parentGateway.enabled) }}
+  .Values.gateway.enabled .Values.lfx.parentGateway.enabled) }}
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
   name: whoami
   namespace: {{ .Release.Namespace }}
 spec:
   parentRefs:
-{{- if .Values.traefik.enabled }}
-    - name: {{ .Values.traefik.gateway.name }}
+{{- if .Values.gateway.enabled }}
+    - name: {{ .Values.gateway.name | default "lfx-platform-gateway" }}
       sectionName: {{ include "lfx-platform.default-listener" . }}
       namespace: {{ .Release.Namespace }}
 {{- else }}

charts/lfx-platform/values.yaml

@@ -55,21 +55,33 @@ traefik:
     kubernetesCRD:
       enabled: true
   gateway:
-    # Create a default gateway
-    enabled: true
-    name: "lfx-platform-gateway"
-    listeners:
-      web:
-        port: 8000
-        protocol: HTTP
-      traefik:
-        port: 8080
-        protocol: HTTP
+    # Disable Traefik's default gateway since we manage it explicitly
+    enabled: false
   logs:
     # Enable access logs
     access:
       enabled: true
 
+# Gateway configuration
+gateway:
+  enabled: true
+
+  # Gateway listeners
+  listeners:
+    traefik:
+      port: 8080
+      protocol: HTTP
+      allowedRoutes:
+        namespaces:
+          from: Same
+    web:
+      port: 8000
+      protocol: HTTP
+      allowedRoutes:
+        namespaces:
+          from: Same
+
+
 # OpenFGA configuration
 openfga:
   enabled: true