feat: add separate httproute for each service

[misba7]

closes #13582

Summary by CodeRabbit

• Refactor
  • Reorganized gateway API routing from generic public/secure routes to service-specific dedicated routes (Auth Server, CASA, Config API, FIDO2, SCIM) for improved modularity and configuration clarity.
  • Introduced explicit HTTPS redirect routes for enhanced security enforcement across service endpoints.

[mo-auto]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR refactors the Kubernetes gateway-api HTTPRoute template by splitting monolithic auth-server routes into separate service-specific resources. Each service (Auth Server, CASA, Config API, FIDO2, SCIM) now has dedicated public/secure/redirect routes with explicit section references instead of consolidated bundles.

Changes

Cohort / File(s)	Summary
HTTPRoute Restructuring charts/janssen/charts/gateway-api/templates/route.yaml	Replaced consolidated public/secure HTTPRoute resources with service-specific routes for Auth Server, CASA, Config API, FIDO2, and SCIM. Each service now has distinct public, secure, and redirect routes with explicit parentRefs.sectionName configuration and Helm-provided metadata labels/annotations.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• feat: conditional gateway resource creation and customized section names #13551: Modifies the same charts/janssen/charts/gateway-api/templates/route.yaml file to update HTTPRoute parentRefs with namespace and configurable sectionName values.

Suggested labels

kind-feature, comp-charts-jans

Suggested reviewers

• iromli
• moabu

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description references the linked issue but lacks implementation details, test results, and documentation confirmation as specified in the template.	Expand description with implementation details explaining the HTTPRoute refactoring approach, confirm testing/documentation status, and provide more context about the changes.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: adding separate HTTPRoute resources for each service instead of consolidated routes.
Linked Issues check	✅ Passed	The code changes implement the objective of creating separate HTTPRoute resources for each service (Auth Server, CASA, Config API, FIDO2, SCIM) to enable per-service routing customization.
Out of Scope Changes check	✅ Passed	All changes are focused on the HTTPRoute refactoring in the gateway-api template file, directly addressing the objective of separating routes by service without introducing unrelated modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat-routes-customized

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

charts/janssen/charts/gateway-api/templates/route.yaml (1)

17-150: ⚠️ Potential issue | 🟠 Major

Auth Server public route may render with empty rules: array.

This HTTPRoute is always created (no outer conditional), but every rule inside rules: is wrapped in a separate conditional. If all ingress config flags (openidConfigEnabled, deviceCodeEnabled, firebaseMessagingEnabled, uma2ConfigEnabled, webfingerEnabled, webdiscoveryEnabled, u2fConfigEnabled, lockConfigEnabled, authzenConfigEnabled) are disabled, the resulting resource will have an empty rules: section, which is invalid per the Gateway API spec.

Consider wrapping the entire route in a conditional that checks if at least one public endpoint is enabled, similar to how the FIDO2 public route (line 377) uses an or condition.

🔧 Suggested approach

Add an outer conditional guard before line 17:

+{{- $authPublicEnabled := or (index .Values.global "auth-server" "ingress" "openidConfigEnabled") (index .Values.global "auth-server" "ingress" "deviceCodeEnabled") (index .Values.global "auth-server" "ingress" "firebaseMessagingEnabled") (index .Values.global "auth-server" "ingress" "uma2ConfigEnabled") (index .Values.global "auth-server" "ingress" "webfingerEnabled") (index .Values.global "auth-server" "ingress" "webdiscoveryEnabled") (index .Values.global "auth-server" "ingress" "u2fConfigEnabled") (index .Values.global "auth-server" "ingress" "authzenConfigEnabled") (and (index .Values.global "auth-server" "lockEnabled") (index .Values.global "auth-server" "ingress" "lockConfigEnabled")) -}}
+{{- if $authPublicEnabled }}
 {{- /* Auth Server: Public (HTTP/HTTPS No Redirect) */}}
 ---
 apiVersion: gateway.networking.k8s.io/v1
 ...
+{{- end }}

Alternatively, define a helper variable at the top of the file for cleaner conditionals.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@charts/janssen/charts/gateway-api/templates/route.yaml` around lines 17 -
150, The HTTPRoute resource named {{ $fullName }}-auth-server-public can render
with an empty spec.rules when none of the auth-server ingress flags are true;
wrap the entire HTTPRoute block (the resource that defines kind: HTTPRoute and
spec: rules) in an outer conditional that checks if at least one of the flags
(openidConfigEnabled, deviceCodeEnabled, firebaseMessagingEnabled,
uma2ConfigEnabled, webfingerEnabled, webdiscoveryEnabled, u2fConfigEnabled,
lockConfigEnabled, authzenConfigEnabled) under .Values.global "auth-server"
"ingress" (or compute a helper variable at the top) is true before emitting the
resource so spec.rules is never empty.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@charts/janssen/charts/gateway-api/templates/route.yaml`:
- Around line 17-150: The HTTPRoute resource named {{ $fullName
}}-auth-server-public can render with an empty spec.rules when none of the
auth-server ingress flags are true; wrap the entire HTTPRoute block (the
resource that defines kind: HTTPRoute and spec: rules) in an outer conditional
that checks if at least one of the flags (openidConfigEnabled,
deviceCodeEnabled, firebaseMessagingEnabled, uma2ConfigEnabled,
webfingerEnabled, webdiscoveryEnabled, u2fConfigEnabled, lockConfigEnabled,
authzenConfigEnabled) under .Values.global "auth-server" "ingress" (or compute a
helper variable at the top) is true before emitting the resource so spec.rules
is never empty.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 557a1bb3-7ba9-4e54-8cb3-c76a9b62e40e

📥 Commits

Reviewing files that changed from the base of the PR and between dbfb3b9 and d6d1072.

📒 Files selected for processing (1)

• charts/janssen/charts/gateway-api/templates/route.yaml