Merge pull request #1935 from aclerici38/route

feat(chart): add HTTPRoute configuration
2026-03-27 01:45:02 +00:00 · 2026-03-06 09:28:21 -08:00
parent 0f92d0ef4f 3b76df1917
commit f3bb1acd3b
3 changed files with 149 additions and 1 deletions
--- a/chart/README.md
+++ b/chart/README.md
@@ -4,7 +4,7 @@ Versity is an S3-compatible storage gateway that proxies S3 API requests to a va

 ## Overview

-[versitygw](https://github.com/versity/versitygw) is an S3-compatible gateway that fronts POSIX filesystems, ScoutFS, S3, Azure Blob Storage, or custom plugin backends. This chart deploys versitygw on Kubernetes as a Deployment and Service, with optional support for TLS termination, Ingress, certificate provisioning (via `cert-manager` CRDs), IAM, an Admin API, a browser-based WebUI, persistent storage, and NetworkPolicy.
+[versitygw](https://github.com/versity/versitygw) is an S3-compatible gateway that fronts POSIX filesystems, ScoutFS, S3, Azure Blob Storage, or custom plugin backends. This chart deploys versitygw on Kubernetes as a Deployment and Service, with optional support for TLS termination, Ingress, HTTPRoutes, certificate provisioning (via `cert-manager` CRDs), IAM, an Admin API, a browser-based WebUI, persistent storage, and NetworkPolicy.

 ## Prerequisites

@@ -45,6 +45,7 @@ The `gateway.backend.type` value selects the storage backend. Use `gateway.backe
 | **TLS** | `tls.enabled=true` — serve HTTPS; supply a TLS Secret via `certificate.secretName` or let cert-manager provision one |
 | **cert-manager** | `certificate.create=true`, `certificate.issuerRef`, `certificate.dnsNames` |
 | **Ingress** | `ingress.enabled=true`, `ingress.className`, `ingress.hosts`, `ingress.tls` |
+| **HTTPRoute** | `httpRoute.enabled=true` — Gateway API successor to Ingress for S3 API; also `admin.httpRoute.enabled=true` and `webui.httpRoute.enabled=true` to expose the admin API and/or WebUI |
 | **Admin API** | `admin.enabled=true` — exposes a separate management API on `admin.port` (default `7071`) |
 | **WebUI** | `webui.enabled=true` — browser-based management UI on `webui.port` (default `8080`); set `webui.apiGateways` and `webui.adminGateways` to your externally reachable endpoints |
 | **IAM** | `iam.enabled=true` — flat-file identity and access management stored alongside backend data |
--- a/chart/templates/httproute.yaml
+++ b/chart/templates/httproute.yaml
@@ -0,0 +1,83 @@
+{{- if .Values.httpRoute.enabled -}}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: {{ include "versitygw.fullname" . }}
+  labels:
+    {{- include "versitygw.labels" . | nindent 4 }}
+  {{- with .Values.httpRoute.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  parentRefs:
+    {{- toYaml .Values.httpRoute.parentRefs | nindent 4 }}
+  {{- if .Values.httpRoute.hostnames }}
+  hostnames:
+    {{- toYaml .Values.httpRoute.hostnames | nindent 4 }}
+  {{- end }}
+  rules:
+    {{- range .Values.httpRoute.rules }}
+    - matches:
+        {{- toYaml .matches | nindent 8 }}
+      backendRefs:
+        - name: {{ include "versitygw.fullname" $ }}
+          port: {{ .backendPort | default $.Values.gateway.port }}
+    {{- end }}
+{{- end }}
+---
+{{- if and .Values.admin.enabled .Values.admin.httpRoute.enabled -}}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: {{ include "versitygw.fullname" . }}-admin
+  labels:
+    {{- include "versitygw.labels" . | nindent 4 }}
+  {{- with .Values.admin.httpRoute.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  parentRefs:
+    {{- toYaml .Values.admin.httpRoute.parentRefs | nindent 4 }}
+  {{- if .Values.admin.httpRoute.hostnames }}
+  hostnames:
+    {{- toYaml .Values.admin.httpRoute.hostnames | nindent 4 }}
+  {{- end }}
+  rules:
+    {{- range .Values.admin.httpRoute.rules }}
+    - matches:
+        {{- toYaml .matches | nindent 8 }}
+      backendRefs:
+        - name: {{ include "versitygw.fullname" $ }}
+          port: {{ $.Values.admin.port }}
+    {{- end }}
+{{- end }}
+---
+{{- if and .Values.webui.enabled .Values.webui.httpRoute.enabled -}}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: {{ include "versitygw.fullname" . }}-webui
+  labels:
+    {{- include "versitygw.labels" . | nindent 4 }}
+  {{- with .Values.webui.httpRoute.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  parentRefs:
+    {{- toYaml .Values.webui.httpRoute.parentRefs | nindent 4 }}
+  {{- if .Values.webui.httpRoute.hostnames }}
+  hostnames:
+    {{- toYaml .Values.webui.httpRoute.hostnames | nindent 4 }}
+  {{- end }}
+  rules:
+    {{- range .Values.webui.httpRoute.rules }}
+    - matches:
+        {{- toYaml .matches | nindent 8 }}
+      backendRefs:
+        - name: {{ include "versitygw.fullname" $ }}
+          port: {{ $.Values.webui.port }}
+    {{- end }}
+{{- end }}
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -84,6 +84,28 @@ ingress:
  #         - s3.example.com
  tls: []

+# --- HTTPRoute ---
+# Expose the S3 API via a Gateway API HTTPRoute resource.
+# Requires Gateway API CRDs and a Gateway API implementation (Envoy Gateway, Istio, Kgateway, etc.) in the cluster.
+httpRoute:
+  enabled: false
+  annotations: {}
+  # The parent Gateway(s) this route attaches to.
+  parentRefs:
+    - name: my-gateway
+      # namespace: gateway-system
+      # sectionName: https
+  # Hostnames for the route.
+  hostnames:
+    - s3.example.com
+  # Rules that define how requests are matched and routed to the service.
+  # See https://gateway-api.sigs.k8s.io/api-types/httproute/#rules
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /
+
 # --- Root credentials ---
 # The root S3 access credentials. These are required for the gateway to start.
 # IMPORTANT: For production use, set auth.existingSecret instead of storing
@@ -141,6 +163,27 @@ admin:
  maxConnections: 250000
  # Maximum in-flight requests for the admin server.
  maxRequests: 100000
+  # --- HTTPRoute ---
+  # Expose the Admin API via a Gateway API HTTPRoute resource.
+  # Requires Gateway API CRDs and a Gateway API implementation (Envoy Gateway, Istio, Kgateway, etc.) in the cluster.
+  httpRoute:
+    enabled: false
+    annotations: {}
+    # The parent Gateway(s) this route attaches to.
+    parentRefs:
+      - name: my-gateway
+        # namespace: gateway-system
+        # sectionName: https
+    # Hostnames for the route.
+    hostnames:
+      - s3-admin.example.com
+  # Rules that define how requests are matched and routed to the service.
+  # See https://gateway-api.sigs.k8s.io/api-types/httproute/#rules
+    rules:
+      - matches:
+          - path:
+              type: PathPrefix
+              value: /

 # --- WebUI ---
 webui:
@@ -160,6 +203,27 @@ webui:
  # Kubernetes because it uses the internal pod IP addresses.
  adminGateways: []
  # - s3-admin.example.com
+  # --- HTTPRoute ---
+  # Expose the WebUI via a Gateway API HTTPRoute resource.
+  # Requires Gateway API CRDs and a Gateway API implementation (Envoy Gateway, Istio, Kgateway, etc.) in the cluster.
+  httpRoute:
+    enabled: false
+    annotations: {}
+    # The parent Gateway(s) this route attaches to.
+    parentRefs:
+      - name: my-gateway
+        # namespace: gateway-system
+        # sectionName: https
+    # Hostnames for the route.
+    hostnames:
+      - versitygw.example.com
+  # Rules that define how requests are matched and routed to the service.
+  # See https://gateway-api.sigs.k8s.io/api-types/httproute/#rules
+    rules:
+      - matches:
+          - path:
+              type: PathPrefix
+              value: /

 # --- IAM (Identity and Access Management) ---
 iam: