feat(charts): support gateway api in janssen-aio

[misba7]

closes #12834

Summary by CodeRabbit

• New Features

  • Gateway API support with configurable HTTP/HTTPS listeners, TLS secret, and enable toggle
  • Conditional HTTPRoute support for path‑prefix routing, URL rewrites and HTTPS redirects across multiple auth-related endpoints driven by chart feature flags
  • Options to set gateway and route labels and annotations

• Chores

  • Minor, non‑functional comment updates in ingress service docs

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds Gateway API support to the janssen-all-in-one Helm chart: a new certManager.gatewayApi values block and a Helm template that renders a Gateway and multiple HTTPRoute resources with conditional listeners, TLS, redirects, rewrites, and backend refs driven by chart values (hosts, feature flags).

Changes

Cohort / File(s)	Summary
Values: Gateway API configuration charts/janssen-all-in-one/values.yaml	Added certManager.gatewayApi block with fields: enabled, gatewayClassName, name, tlsSecretName, gatewayLabels, gatewayAnnotations, routeLabels, routeAnnotations. Small non-functional comment edits in nginx-ingress service section.
Templates: Gateway + HTTPRoute charts/janssen-all-in-one/templates/gateway-api.yaml	New Helm template creating a Gateway (HTTP/HTTPS listeners, TLS) and multiple HTTPRoute resources. Routes are assembled via many conditional blocks to emit path-prefix matches, rewrites, backendRefs, and HTTP->HTTPS redirects based on chart feature flags and values.fqdn.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Pre-merge checks

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description is incomplete. It only contains 'closes #12834' but lacks required sections like Implementation Details, testing confirmation, and documentation checklist from the template.	Fill in all required template sections including Implementation Details, testing/analysis confirmation, and complete the documentation checklist before merging.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'feat(charts): support gateway api in janssen-aio' clearly and concisely describes the main change: adding Gateway API support to the janssen-aio Helm charts.
Linked Issues check	✅ Passed	The linked issue #12834 requests adding Kubernetes Gateway support to the charts, and the PR adds a gateway-api.yaml template with Gateway and HTTPRoute resources that implement this functionality.
Out of Scope Changes check	✅ Passed	The PR introduces gateway API configuration and templates that align with the stated objective. Minor comment updates in values.yaml are related cleanup work within scope.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[mo-auto]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

Actionable comments posted: 4

📜 Review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ec72a0f and 68e46e4.

📒 Files selected for processing (2)

• charts/janssen-all-in-one/gateway-api.yaml
• charts/janssen-all-in-one/values.yaml

🧰 Additional context used

🧠 Learnings (1)

📓 Common learnings

Learnt from: misba7
Repo: JanssenProject/jans PR: 12737
File: automation/mysql.yaml:22-59
Timestamp: 2025-11-26T12:38:52.165Z
Learning: In the Janssen project, Kubernetes manifests in the automation/ directory (such as mysql.yaml and pgsql.yaml) are for demo and testing purposes only. These manifests do not require production-level hardening (security contexts, resource limits, health checks, etc.) as they are intended for local development and demonstration scenarios, not production deployments.

🪛 YAMLlint (1.37.1)

charts/janssen-all-in-one/gateway-api.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

---

[error] 8-8: too many spaces inside braces

(braces)

---

[error] 9-9: too many spaces inside braces

(braces)

---

[error] 9-9: too many spaces inside braces

(braces)

---

[error] 11-11: too many spaces inside braces

(braces)

---

[error] 11-11: too many spaces inside braces

(braces)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: Deploy docs
• GitHub Check: microk8s (true, PGSQL)
• GitHub Check: microk8s (true, MYSQL)
• GitHub Check: microk8s (false, PGSQL)
• GitHub Check: microk8s (false, MYSQL)

🔇 Additional comments (2)

charts/janssen-all-in-one/gateway-api.yaml (2)

55-278: URL rewrite logic is well-structured.

The conditional checks using index for hyphenated keys and direct value access for simple keys are correctly implemented. The dual condition for lock-related endpoints (lockEnabled AND ingress.*Enabled) provides proper feature gating.

---

281-350: Standard prefix routes are correctly implemented.

The PathPrefix matching and conditional feature flag checks are properly structured for the application endpoints.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 48a616f and 7a1c069.

📒 Files selected for processing (1)

• charts/janssen-all-in-one/values.yaml

🧰 Additional context used

🧠 Learnings (2)

📚 Learning: 2025-12-17T13:07:08.750Z

Learnt from: pujavs
Repo: JanssenProject/jans PR: 12847
File: jans-config-api/docs/jans-config-api-swagger.yaml:15497-15498
Timestamp: 2025-12-17T13:07:08.750Z
Learning: When reviewing components like `jans-auth`, `jans-fido2`, `jans-lock` in the JanssenProject/jans repository, raise issues about missing property descriptions in API model classes, as these descriptions will be reflected in the auto-generated Swagger specifications.

Applied to files:

• charts/janssen-all-in-one/values.yaml

📚 Learning: 2025-12-01T00:02:51.580Z

Learnt from: olehbozhok
Repo: JanssenProject/jans PR: 12768
File: jans-cedarling/cedarling/src/common/default_entities_limits.rs:52-119
Timestamp: 2025-12-01T00:02:51.580Z
Learning: In the jans-cedarling Rust codebase, avoid Python/Java-style doc comments with explicit `# Arguments` and `# Errors` sections. The project relies on Rust's type signatures and cargo doc's automatic documentation generation.

Applied to files:

• charts/janssen-all-in-one/values.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: Deploy docs
• GitHub Check: microk8s (true, PGSQL)
• GitHub Check: microk8s (true, MYSQL)
• GitHub Check: microk8s (false, MYSQL)
• GitHub Check: microk8s (false, PGSQL)

🔇 Additional comments (1)

charts/janssen-all-in-one/values.yaml (1)

633-636: LGTM: Improved service documentation.

The updated comments for service.name and service.port improve clarity by explicitly describing these fields. The documentation format is correct with the # -- prefix.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7a1c069 and 8f74592.

📒 Files selected for processing (1)

• charts/janssen-all-in-one/templates/gateway-api.yaml

🧰 Additional context used

🪛 YAMLlint (1.37.1)

charts/janssen-all-in-one/templates/gateway-api.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

---

[error] 8-8: too many spaces inside braces

(braces)

---

[error] 9-9: too many spaces inside braces

(braces)

---

[error] 9-9: too many spaces inside braces

(braces)

---

[error] 11-11: too many spaces inside braces

(braces)

---

[error] 11-11: too many spaces inside braces

(braces)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: microk8s (true, PGSQL)
• GitHub Check: Deploy docs
• GitHub Check: microk8s (false, MYSQL)
• GitHub Check: microk8s (false, PGSQL)
• GitHub Check: microk8s (true, MYSQL)

🔇 Additional comments (4)

charts/janssen-all-in-one/templates/gateway-api.yaml (4)

1-31: Gateway definition looks good.

The Gateway resource is well-structured with:

• Configurable gateway class, name, and TLS secret
• Conditional labels and annotations
• Both HTTP and HTTPS listeners properly defined

The static analysis errors are false positives since this is a Helm template file using Go template syntax ({{- ... -}}), not pure YAML.

---

52-58: Public route design is intentional and well-documented.

The comment on line 55 clearly explains that this route attaches to all listeners (HTTP and HTTPS) intentionally, since these are public discovery endpoints (like .well-known/openid-configuration) that should be accessible without requiring HTTPS redirection.

---

300-306: HTTPS-only route correctly configured.

The sectionName: https ensures this route only handles traffic from the HTTPS listener, properly securing application endpoints like /jans-auth, /jans-casa, etc.

---

393-399: HTTP redirect route correctly configured.

The sectionName: http ensures this route only handles HTTP traffic and redirects it to HTTPS with a 301 status code.

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8f74592 and db155e9.

📒 Files selected for processing (1)

• charts/janssen-all-in-one/templates/gateway-api.yaml

🧰 Additional context used

🪛 YAMLlint (1.37.1)

charts/janssen-all-in-one/templates/gateway-api.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

---

[error] 8-8: too many spaces inside braces

(braces)

---

[error] 9-9: too many spaces inside braces

(braces)

---

[error] 9-9: too many spaces inside braces

(braces)

---

[error] 11-11: too many spaces inside braces

(braces)

---

[error] 11-11: too many spaces inside braces

(braces)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: microk8s (true, PGSQL)
• GitHub Check: microk8s (false, MYSQL)
• GitHub Check: microk8s (false, PGSQL)
• GitHub Check: microk8s (true, MYSQL)

🔇 Additional comments (3)

charts/janssen-all-in-one/templates/gateway-api.yaml (3)

1-4: LGTM!

The variable declarations are correct and efficiently capture reusable values for the template. The past review clarified that .Values.service.name correctly references the Kubernetes Service name.

---

286-378: LGTM!

The secure routes correctly restrict to the HTTPS listener via sectionName: https and properly route application paths to the backend service. The conditional feature flags ensure routes are only created when the corresponding services are enabled.

---

379-491: LGTM! Well-structured redirect implementation.

The HTTP-to-HTTPS redirect route correctly:

• Restricts to HTTP traffic via sectionName: http
• Uses 301 permanent redirects
• Mirrors the secure route paths to ensure comprehensive redirect coverage

The three-route architecture (public + secure + redirect) effectively balances OAuth/OIDC standard compliance with security requirements.