Skip to content

feat(connect): add Gateway API HTTPRoute support as alternative to Ingress#286

Open
BenjaminBanwart wants to merge 1 commit into
1Password:mainfrom
BenjaminBanwart:feat/httproute-support
Open

feat(connect): add Gateway API HTTPRoute support as alternative to Ingress#286
BenjaminBanwart wants to merge 1 commit into
1Password:mainfrom
BenjaminBanwart:feat/httproute-support

Conversation

@BenjaminBanwart

Copy link
Copy Markdown

✨ Summary

Add support for creating a Gateway API HTTPRoute resource as an alternative to the existing Ingress for exposing the Connect API server.

Gateway API is the successor to the Ingress API, GA since Kubernetes 1.26, and is increasingly the standard for traffic routing in modern clusters. This change introduces a new connect.httpRoute values section that generates a gateway.networking.k8s.io/v1 HTTPRoute resource when enabled.

What's included:

  • New template (templates/httproute.yaml) — renders an HTTPRoute with:
    • Shared chart labels via onepassword-connect.labels helper
    • Optional custom labels, annotations, and hostnames
    • Configurable routing rules with auto-injected backendRefs (service name and port derived from connect.applicationName and connect.api.httpPort/connect.api.httpsPort based on TLS config)
    • User-supplied backendRefs override per rule when needed
  • New values (values.yaml) — connect.httpRoute section with a sensible default rule (PathPrefix: /)
  • Validation guards:
    • fail if both connect.ingress.enabled and connect.httpRoute.enabled are true (mutually exclusive)
    • fail if connect.httpRoute.enabled is true but parentRefs is empty
  • CI test values (ci/with-httproute-values.yaml) for chart-testing
  • README regenerated via helm-docs

🔗 Resolves

Closes #285

✅ Checklist

  • 🖊️ Commits are signed
  • 🧪 Tests added/updated
  • 📚 Docs updated (if behavior changed)

🕵️ Review Notes & ⚠️ Risks

Design decisions:

  • Default routing rule (PathPrefix: /) is declared directly in values.yaml rather than generated inside the template, following the pattern used by argo-cd's Helm chart. This makes the default behavior transparent and overridable.
  • backendRefs are auto-injected per rule only when the user does not specify them, so the template is zero-config by default but fully customizable.
  • Mutual exclusivity with Ingress is enforced at render time via fail — users get a clear error message instead of silently creating both resources.

No breaking changes — all new values default to disabled/empty, so existing deployments are unaffected.

Validated scenarios:

Scenario Result
Default rule (auto backendRefs, port 8080)
TLS enabled (auto-selects port 8443)
Custom backendRefs override
Ingress + HTTPRoute both enabled ✅ Fails with clear message
HTTPRoute enabled without parentRefs ✅ Fails with clear message
CI values file (with-httproute-values.yaml)
connect.create: false suppresses HTTPRoute

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Feature request: Add Gateway API HTTPRoute support as alternative to Ingress

1 participant