
Commit b315cfb

authored
Merge pull request #33 from linuxfoundation/asherman/gateway
feat: Gateway resource template for cluster-level Traefik
2 parents dfd48a8 + 82915c7 commit b315cfb


8 files changed

+110
-31
lines changed


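--- a/charts/lfx-platform/Chart.lock
+++ b/charts/lfx-platform/Chart.lock
@@ -4,7 +4,7 @@ dependencies:
 version: 36.2.0
 - name: openfga
 repository: https://openfga.github.io/helm-charts
-version: 0.2.39
+version: 0.2.41
 - name: heimdall
 repository: oci://ghcr.io/dadrus/heimdall/chart
 version: 0.15.8
@@ -19,7 +19,7 @@ dependencies:
 version: 0.25.2
 - name: authelia
 repository: https://charts.authelia.com
-version: 0.10.41
+version: 0.10.42
 - name: nack
 repository: https://nats-io.github.io/k8s/helm/charts/
 version: 0.29.1
@@ -32,5 +32,5 @@ dependencies:
 - name: trust-manager
 repository: https://charts.jetstack.io
 version: v0.18.0
-digest: sha256:62f9779ba2521042d18193fcaa7010ed905045c61579997d6551b2e9c23437fc
-generated: "2025-08-06T13:14:49.133573-07:00"
+digest: sha256:749e5824417f2149f41a3a67874c6134bd105d2fc384fb85dd2e9cb45f52d8e8
+generated: "2025-08-13T15:54:36.945865-07:00"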

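--- a/charts/lfx-platform/templates/_traefik.tpl
+++ b/charts/lfx-platform/templates/_traefik.tpl
@@ -8,8 +8,8 @@ Determine if HTTPS is enabled and get the HTTPS listener name in a single loop
 */}}
 {{- define "lfx-platform.https-enabled" -}}
 {{- $httpsEnabled := false -}}
-{{- if .Values.traefik.gateway.listeners -}}
-{{- range $name, $listener := .Values.traefik.gateway.listeners -}}
+{{- if .Values.gateway.listeners -}}
+{{- range $name, $listener := .Values.gateway.listeners -}}
 {{- if eq $listener.protocol "HTTPS" -}}
 {{- $httpsEnabled = true -}}
 {{- break -}}
@@ -24,8 +24,8 @@ Get the HTTPS listener name (sectionName) from gateway listeners
 */}}
 {{- define "lfx-platform.https-listener" -}}
 {{- $httpsListener := "websecure" -}}
-{{- if .Values.traefik.gateway.listeners -}}
-{{- range $name, $listener := .Values.traefik.gateway.listeners -}}
+{{- if .Values.gateway.listeners -}}
+{{- range $name, $listener := .Values.gateway.listeners -}}
 {{- if eq $listener.protocol "HTTPS" -}}
 {{- $httpsListener = $name -}}
 {{- break -}}
@@ -41,11 +41,11 @@ Prioritize "web" listener if it exists, otherwise use the first HTTP listener fo
 */}}
 {{- define "lfx-platform.http-listener" -}}
 {{- $httpListener := "web" -}}
-{{- if .Values.traefik.gateway.listeners -}}
-{{- if index .Values.traefik.gateway.listeners "web" -}}
+{{- if .Values.gateway.listeners -}}
+{{- if index .Values.gateway.listeners "web" -}}
 {{- $httpListener = "web" -}}
 {{- else -}}
-{{- range $name, $listener := .Values.traefik.gateway.listeners -}}
+{{- range $name, $listener := .Values.gateway.listeners -}}
 {{- if eq $listener.protocol "HTTP" -}}
 {{- $httpListener = $name -}}
 {{- break -}}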
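Review bot: Values overrides that still define listeners under `traefik.gateway.listeners` are no longer read by any of the three helpers (new lines 11-12, 27-28 and 44-48), and nothing reports that. An HTTPS listener left at the old path would presumably make `lfx-platform.https-enabled` stop detecting HTTPS, so the mailpit HTTPS-redirect route that is gated on it would no longer render and traffic would stay on plain HTTP without any error. The doc comments above each define should name the source, for example `Listeners are read from .Values.gateway.listeners (moved from .Values.traefik.gateway.listeners)`, and the move belongs in the chart's upgrade notes. All three defines end outside their hunks.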
Lines changed: 67 additions & 0 deletions
@@ -0,0 +1,67 @@
1+
{{/*
2+
Copyright The Linux Foundation and each contributor to LFX.
3+
SPDX-License-Identifier: MIT
4+
*/}}
5+
{{- if .Values.gateway.enabled }}
6+
apiVersion: gateway.networking.k8s.io/v1
7+
kind: Gateway
8+
metadata:
9+
name: {{ .Values.gateway.name | default "lfx-platform-gateway" }}
10+
namespace: {{ .Values.gateway.namespace | default .Release.Namespace }}
11+
{{- with .Values.gateway.annotations }}
12+
annotations:
13+
{{- toYaml . | nindent 4 }}
14+
{{- end }}
15+
labels:
16+
{{- include "lfx-platform.labels" . | nindent 4 }}
17+
{{- with .Values.gateway.labels }}
18+
{{- toYaml . | nindent 4 }}
19+
{{- end }}
20+
spec:
21+
gatewayClassName: {{ .Values.gateway.gatewayClassName | default "traefik" }}
22+
listeners:
23+
{{- range $name, $listener := .Values.gateway.listeners }}
24+
- name: {{ $name }}
25+
port: {{ $listener.port }}
26+
protocol: {{ $listener.protocol }}
27+
{{- if $listener.hostname }}
28+
hostname: {{ $listener.hostname }}
29+
{{- end }}
30+
{{- if $listener.allowedRoutes }}
31+
allowedRoutes:
32+
{{- if $listener.allowedRoutes.namespaces }}
33+
namespaces:
34+
{{- if $listener.allowedRoutes.namespaces.from }}
35+
from: {{ $listener.allowedRoutes.namespaces.from }}
36+
{{- end }}
37+
{{- if $listener.allowedRoutes.namespaces.selector }}
38+
selector:
39+
{{- toYaml $listener.allowedRoutes.namespaces.selector | nindent 12 }}
40+
{{- end }}
41+
{{- end }}
42+
{{- if $listener.allowedRoutes.kinds }}
43+
kinds:
44+
{{- toYaml $listener.allowedRoutes.kinds | nindent 10 }}
45+
{{- end }}
46+
{{- end }}
47+
{{- if and (eq $listener.protocol "HTTPS") $listener.tls }}
48+
tls:
49+
mode: {{ $listener.tls.mode | default "Terminate" }}
50+
{{- if $listener.tls.certificateRefs }}
51+
certificateRefs:
52+
{{- range $listener.tls.certificateRefs }}
53+
- group: {{ .group | default "" | quote }}
54+
kind: {{ .kind | default "Secret" }}
55+
name: {{ .name }}
56+
{{- if .namespace }}
57+
namespace: {{ .namespace }}
58+
{{- end }}
59+
{{- end }}
60+
{{- end }}
61+
{{- if $listener.tls.options }}
62+
options:
63+
{{- toYaml $listener.tls.options | nindent 10 }}
64+
{{- end }}
65+
{{- end }}
66+
{{- end }}
67+
{{- end }}
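Review bot: The scalars at new lines 24 and 28 are emitted unquoted (`- name: {{ $name }}`, `hostname: {{ $listener.hostname }}`), so a wildcard hostname such as `*.example.com` renders as a YAML alias and the manifest fails to parse; use `hostname: {{ $listener.hostname | quote }}` and `- name: {{ $name | quote }}`. The `tls:` block at line 47 is emitted only when the protocol is exactly `HTTPS` and `tls` is set, so an HTTPS listener with no `tls` value renders without certificates and a `TLS`-protocol listener's `tls` settings are dropped silently. A `required` call on `$listener.tls` for HTTPS listeners would turn that into a render-time error instead of a Gateway that is rejected or never becomes ready. A `certificateRefs` entry whose `namespace` differs from the Gateway's also needs a ReferenceGrant in that namespace, which this template does not create and the values comments should mention.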

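--- a/charts/lfx-platform/templates/heimdall/middleware.yaml
+++ b/charts/lfx-platform/templates/heimdall/middleware.yaml
@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: MIT
 ---
 {{ if and .Values.heimdall.enabled (or
-.Values.traefik.enabled .Values.lfx.parentGateway.enabled) -}}
+.Values.gateway.enabled .Values.lfx.parentGateway.enabled) -}}
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata: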

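--- a/charts/lfx-platform/templates/mailpit/httproute.yaml
+++ b/charts/lfx-platform/templates/mailpit/httproute.yaml
@@ -2,16 +2,16 @@
 # SPDX-License-Identifier: MIT
 ---
 {{ if and .Values.mailpit.enabled (or
-.Values.traefik.enabled .Values.lfx.parentGateway.enabled) -}}
+.Values.gateway.enabled .Values.lfx.parentGateway.enabled) -}}
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
 name: {{ include "common.names.fullname" .Subcharts.mailpit }}
 namespace: {{ .Release.Namespace }}
 spec:
 parentRefs:
-{{- if .Values.traefik.enabled }}
-- name: {{ .Values.traefik.gateway.name }}
+{{- if .Values.gateway.enabled }}
+- name: {{ .Values.gateway.name | default "lfx-platform-gateway" }}
 sectionName: {{ include "lfx-platform.default-listener" . }}
 namespace: {{ .Release.Namespace }}
 {{- else }}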
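Review bot: The parentRef at line 16 still pins `namespace: {{ .Release.Namespace }}`, while the new Gateway template creates the Gateway in `.Values.gateway.namespace | default .Release.Namespace`, so once `gateway.namespace` is set the route would reference a Gateway that is not in the release namespace and never attach. Use `namespace: {{ .Values.gateway.namespace | default .Release.Namespace }}` here, and the same at line 16 of mailpit/https-redirect-httproute.yaml and whoami/httproute.yaml. With the default `allowedRoutes.namespaces.from: Same` the listeners would then also refuse routes from the release namespace, so `gateway.namespace` should either be documented as requiring a matching `allowedRoutes` setting or be dropped. The `"lfx-platform-gateway"` default is now repeated across four templates and would be safer as one named helper. The `parentRefs` block continues past the end of the hunk.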

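--- a/charts/lfx-platform/templates/mailpit/https-redirect-httproute.yaml
+++ b/charts/lfx-platform/templates/mailpit/https-redirect-httproute.yaml
@@ -2,16 +2,16 @@
 # SPDX-License-Identifier: MIT
 ---
 {{ if and .Values.mailpit.enabled (include "lfx-platform.https-enabled" .) (or
-.Values.traefik.enabled .Values.lfx.parentGateway.enabled) -}}
+.Values.gateway.enabled .Values.lfx.parentGateway.enabled) -}}
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
 name: mailpit-https-redirect
 namespace: {{ .Release.Namespace }}
 spec:
 parentRefs:
-{{- if .Values.traefik.enabled }}
-- name: {{ .Values.traefik.gateway.name }}
+{{- if .Values.gateway.enabled }}
+- name: {{ .Values.gateway.name | default "lfx-platform-gateway" }}
 sectionName: {{ include "lfx-platform.http-listener" . }}
 namespace: {{ .Release.Namespace }}
 {{- else }}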

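--- a/charts/lfx-platform/templates/whoami/httproute.yaml
+++ b/charts/lfx-platform/templates/whoami/httproute.yaml
@@ -2,16 +2,16 @@
 # SPDX-License-Identifier: MIT
 ---
 {{- if and .Values.lfx.whoami.enabled (or
-.Values.traefik.enabled .Values.lfx.parentGateway.enabled) }}
+.Values.gateway.enabled .Values.lfx.parentGateway.enabled) }}
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
 name: whoami
 namespace: {{ .Release.Namespace }}
 spec:
 parentRefs:
-{{- if .Values.traefik.enabled }}
-- name: {{ .Values.traefik.gateway.name }}
+{{- if .Values.gateway.enabled }}
+- name: {{ .Values.gateway.name | default "lfx-platform-gateway" }}
 sectionName: {{ include "lfx-platform.default-listener" . }}
 namespace: {{ .Release.Namespace }}
 {{- else }}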

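--- a/charts/lfx-platform/values.yaml
+++ b/charts/lfx-platform/values.yaml
@@ -55,21 +55,33 @@ traefik:
 kubernetesCRD:
 enabled: true
 gateway:
-# Create a default gateway
-enabled: true
-name: "lfx-platform-gateway"
-listeners:
-web:
-port: 8000
-protocol: HTTP
-traefik:
-port: 8080
-protocol: HTTP
+# Disable Traefik's default gateway since we manage it explicitly
+enabled: false
 logs:
 # Enable access logs
 access:
 enabled: true
 
+# Gateway configuration
+gateway:
+enabled: true
+
+# Gateway listeners
+listeners:
+traefik:
+port: 8080
+protocol: HTTP
+allowedRoutes:
+namespaces:
+from: Same
+web:
+port: 8000
+protocol: HTTP
+allowedRoutes:
+namespaces:
+from: Same
+
+
 # OpenFGA configuration
 openfga:
 enabled: true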
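Review bot: The new top-level `gateway:` block documents only `enabled` and `listeners`, but the Gateway template also reads `gateway.name`, `gateway.namespace`, `gateway.gatewayClassName`, `gateway.annotations` and `gateway.labels`, plus per-listener `hostname` and `tls`; these should appear here as commented defaults so operators can find them. I would also add a comment above the listeners such as `# from: Same limits attachment to routes in the Gateway's own namespace; widen deliberately`. Both default listeners are plain HTTP, so a comment should say that TLS has to be added as an HTTPS listener with `tls.certificateRefs`. The `traefik:` and `openfga:` mappings start and end outside the hunk.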
