From 68e46e4639af728e4c35e5695b23b80f6b52d75a Mon Sep 17 00:00:00 2001
From: Amro Misbah
Date: Fri, 26 Dec 2025 22:07:32 +0200
Subject: [PATCH 1/5] feat(charts): support gateway api in janssen-aio
Signed-off-by: Amro Misbah
---
charts/janssen-all-in-one/gateway-api.yaml | 351 +++++++++++++++++++++
charts/janssen-all-in-one/values.yaml | 16 +
2 files changed, 367 insertions(+)
create mode 100644 charts/janssen-all-in-one/gateway-api.yaml
diff --git a/charts/janssen-all-in-one/gateway-api.yaml b/charts/janssen-all-in-one/gateway-api.yaml
new file mode 100644
index 00000000000..35172846f86
--- /dev/null
+++ b/charts/janssen-all-in-one/gateway-api.yaml
@@ -0,0 +1,351 @@
+{{- if .Values.gatewayApi.enabled -}}
+{{- $fullName := include "janssen-all-in-one.fullname" . -}}
+{{- $svcName := .Values.service.name -}}
+{{- $svcPort := .Values.service.port -}}
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ name: {{ .Values.gatewayApi.name }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ $fullName }}-gateway
+{{- if .Values.gatewayApi.gatewayLabels }}
+{{- toYaml .Values.gatewayApi.gatewayLabels | nindent 4 }}
+{{- end }}
+{{- if .Values.gatewayApi.gatewayAnnotations }}
+ annotations:
+{{- toYaml .Values.gatewayApi.gatewayAnnotations | nindent 4 }}
+{{- end }}
+spec:
+ gatewayClassName: {{ .Values.gatewayApi.gatewayClassName }}
+ listeners:
+ - name: http
+ port: 80
+ protocol: HTTP
+ - name: https
+ port: 443
+ protocol: HTTPS
+ tls:
+ mode: Terminate
+ certificateRefs:
+ - name: {{ .Values.gatewayApi.tlsSecretName }}
+
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: {{ $fullName }}-routes
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ $fullName }}-routes
+{{- if .Values.gatewayApi.routeLabels }}
+{{- toYaml .Values.gatewayApi.routeLabels | nindent 4 }}
+{{- end }}
+{{- if .Values.gatewayApi.routeAnnotations }}
+ annotations:
+{{- toYaml .Values.gatewayApi.routeAnnotations | nindent 4 }}
+{{- end }}
+spec:
+ parentRefs:
+ - name: {{ .Values.gatewayApi.name }}
+ hostnames:
+ - {{ .Values.fqdn | quote }}
+ rules:
+
+ {{- /* ======================================================== */}}
+ {{- /* SECTION 1: URL REWRITES */}}
+ {{- /* ======================================================== */}}
+
+ {{- /* 1.
OpenID Configuration */}}
+ {{- if index .Values "auth-server" "ingress" "openidConfigEnabled" }}
+ - matches:
+ - path:
+ type: Exact
+ value: /.well-known/openid-configuration
+ filters:
+ - type: URLRewrite
+ urlRewrite:
+ path:
+ type: ReplaceFullPath
+ replaceFullPath: /jans-auth/.well-known/openid-configuration
+ backendRefs:
+ - name: {{ $svcName }}
+ port: {{ $svcPort }}
+ {{- end }}
+
+ {{- /* 2. Device Code */}}
+ {{- if index .Values "auth-server" "ingress" "deviceCodeEnabled" }}
+ - matches:
+ - path:
+ type: Exact
+ value: /device-code
+ filters:
+ - type: URLRewrite
+ urlRewrite:
+ path:
+ type: ReplaceFullPath
+ replaceFullPath: /jans-auth/device_authorization.htm
+ backendRefs:
+ - name: {{ $svcName }}
+ port: {{ $svcPort }}
+ {{- end }}
+
+ {{- /* 3. Firebase Messaging */}}
+ {{- if index .Values "auth-server" "ingress" "firebaseMessagingEnabled" }}
+ - matches:
+ - path:
+ type: Exact
+ value: /firebase-messaging-sw.js
+ filters:
+ - type: URLRewrite
+ urlRewrite:
+ path:
+ type: ReplaceFullPath
+ replaceFullPath: /jans-auth/firebase-messaging-sw.js
+ backendRefs:
+ - name: {{ $svcName }}
+ port: {{ $svcPort }}
+ {{- end }}
+
+ {{- /* 4. UMA2 Config */}}
+ {{- if index .Values "auth-server" "ingress" "uma2ConfigEnabled" }}
+ - matches:
+ - path:
+ type: Exact
+ value: /.well-known/uma2-configuration
+ filters:
+ - type: URLRewrite
+ urlRewrite:
+ path:
+ type: ReplaceFullPath
+ replaceFullPath: /jans-auth/restv1/uma2-configuration
+ backendRefs:
+ - name: {{ $svcName }}
+ port: {{ $svcPort }}
+ {{- end }}
+
+ {{- /* 5. Webfinger */}}
+ {{- if index .Values "auth-server" "ingress" "webfingerEnabled" }}
+ - matches:
+ - path:
+ type: Exact
+ value: /.well-known/webfinger
+ filters:
+ - type: URLRewrite
+ urlRewrite:
+ path:
+ type: ReplaceFullPath
+ replaceFullPath: /jans-auth/.well-known/webfinger
+ backendRefs:
+ - name: {{ $svcName }}
+ port: {{ $svcPort }}
+ {{- end }}
+
+ {{- /* 6.
Simple Web Discovery */}}
+ {{- if index .Values "auth-server" "ingress" "webdiscoveryEnabled" }}
+ - matches:
+ - path:
+ type: Exact
+ value: /.well-known/simple-web-discovery
+ filters:
+ - type: URLRewrite
+ urlRewrite:
+ path:
+ type: ReplaceFullPath
+ replaceFullPath: /jans-auth/.well-known/simple-web-discovery
+ backendRefs:
+ - name: {{ $svcName }}
+ port: {{ $svcPort }}
+ {{- end }}
+
+ {{- /* 7. FIDO Configuration (U2F) */}}
+ {{- if index .Values "auth-server" "ingress" "u2fConfigEnabled" }}
+ - matches:
+ - path:
+ type: Exact
+ value: /.well-known/fido-configuration
+ filters:
+ - type: URLRewrite
+ urlRewrite:
+ path:
+ type: ReplaceFullPath
+ replaceFullPath: /jans-auth/restv1/fido-configuration
+ backendRefs:
+ - name: {{ $svcName }}
+ port: {{ $svcPort }}
+ {{- end }}
+
+ {{- /* 8. FIDO2 Configuration */}}
+ {{- if .Values.fido2.ingress.fido2ConfigEnabled }}
+ - matches:
+ - path:
+ type: Exact
+ value: /.well-known/fido2-configuration
+ filters:
+ - type: URLRewrite
+ urlRewrite:
+ path:
+ type: ReplaceFullPath
+ replaceFullPath: /jans-fido2/restv1/configuration
+ backendRefs:
+ - name: {{ $svcName }}
+ port: {{ $svcPort }}
+ {{- end }}
+
+ {{- /* 9. WebAuthn */}}
+ {{- if .Values.fido2.ingress.fido2WebauthnEnabled }}
+ - matches:
+ - path:
+ type: Exact
+ value: /.well-known/webauthn
+ filters:
+ - type: URLRewrite
+ urlRewrite:
+ path:
+ type: ReplaceFullPath
+ replaceFullPath: /jans-fido2/restv1/webauthn/configuration
+ backendRefs:
+ - name: {{ $svcName }}
+ port: {{ $svcPort }}
+ {{- end }}
+
+ {{- /* 10. SCIM Configuration */}}
+ {{- if .Values.scim.ingress.scimConfigEnabled }}
+ - matches:
+ - path:
+ type: Exact
+ value: /.well-known/scim-configuration
+ filters:
+ - type: URLRewrite
+ urlRewrite:
+ path:
+ type: ReplaceFullPath
+ replaceFullPath: /jans-scim/restv1/scim-configuration
+ backendRefs:
+ - name: {{ $svcName }}
+ port: {{ $svcPort }}
+ {{- end }}
+
+ {{- /* 11.
Lock Config */}}
+ {{- if and (index .Values "auth-server" "lockEnabled") (index .Values "auth-server" "ingress" "lockConfigEnabled") }}
+ - matches:
+ - path:
+ type: Exact
+ value: /.well-known/lock-server-configuration
+ filters:
+ - type: URLRewrite
+ urlRewrite:
+ path:
+ type: ReplaceFullPath
+ replaceFullPath: /jans-auth/api/v1/configuration
+ backendRefs:
+ - name: {{ $svcName }}
+ port: {{ $svcPort }}
+ {{- end }}
+
+ {{- /* 12. Authzen Config */}}
+ {{- if index .Values "auth-server" "ingress" "authzenConfigEnabled" }}
+ - matches:
+ - path:
+ type: Exact
+ value: /.well-known/authzen-configuration
+ filters:
+ - type: URLRewrite
+ urlRewrite:
+ path:
+ type: ReplaceFullPath
+ replaceFullPath: /jans-auth/restv1/authzen-configuration
+ backendRefs:
+ - name: {{ $svcName }}
+ port: {{ $svcPort }}
+ {{- end }}
+
+ {{- /* 13. Jans Lock */}}
+ {{- if and (index .Values "auth-server" "lockEnabled") (index .Values "auth-server" "ingress" "lockEnabled") }}
+ - matches:
+ - path:
+ type: Exact
+ value: /jans-lock
+ filters:
+ - type: URLRewrite
+ urlRewrite:
+ path:
+ type: ReplaceFullPath
+ replaceFullPath: /jans-auth
+ backendRefs:
+ - name: {{ $svcName }}
+ port: {{ $svcPort }}
+ {{- end }}
+
+
+ {{- /* ======================================================== */}}
+ {{- /* SECTION 2: STANDARD PREFIXES (No Rewrites) */}}
+ {{- /* ======================================================== */}}
+
+ {{- /* 14. Auth Server (/jans-auth) */}}
+ {{- if index .Values "auth-server" "ingress" "authServerEnabled" }}
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /jans-auth
+ backendRefs:
+ - name: {{ $svcName }}
+ port: {{ $svcPort }}
+ {{- end }}
+
+ {{- /* 15. Casa (/jans-casa) */}}
+ {{- if .Values.casa.ingress.casaEnabled }}
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /jans-casa
+ backendRefs:
+ - name: {{ $svcName }}
+ port: {{ $svcPort }}
+ {{- end }}
+
+ {{- /* 16.
Config API (/jans-config-api) */}}
+ {{- if index .Values "config-api" "ingress" "configApiEnabled" }}
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /jans-config-api
+ backendRefs:
+ - name: {{ $svcName }}
+ port: {{ $svcPort }}
+ {{- end }}
+
+ {{- /* 17. FIDO2 (/jans-fido2) */}}
+ {{- if .Values.fido2.ingress.fido2Enabled }}
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /jans-fido2
+ backendRefs:
+ - name: {{ $svcName }}
+ port: {{ $svcPort }}
+ {{- end }}
+
+ {{- /* 18. SCIM (/jans-scim) */}}
+ {{- if .Values.scim.ingress.scimEnabled }}
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /jans-scim
+ backendRefs:
+ - name: {{ $svcName }}
+ port: {{ $svcPort }}
+ {{- end }}
+
+ {{- /* 19. SAML (/kc) */}}
+ {{- if .Values.saml.ingress.samlEnabled }}
+ - matches:
+ - path:
+ type: PathPrefix
+ value: /kc
+ backendRefs:
+ - name: {{ $svcName }}
+ port: {{ $svcPort }}
+ {{- end }}
+
+{{- end }}
\ No newline at end of file
diff --git a/charts/janssen-all-in-one/values.yaml b/charts/janssen-all-in-one/values.yaml
index fc881de71f5..b4417e0b902 100644
--- a/charts/janssen-all-in-one/values.yaml
+++ b/charts/janssen-all-in-one/values.yaml
@@ -591,6 +591,22 @@ certManager: issuerName: "" issuerGroup: cert-manager.io tlsSecretName: tls-certificate
+gatewayApi:
+ # -- Boolean flag to enable/disable the Gateway and HTTPRoute resources.
+ enabled: false
+ gatewayClassName: nginx
+ # The name of the Gateway resource to create
+ name: jans-gateway
+ # Secret containing the TLS certificate for the Gateway
+ tlsSecretName: tls-certificate
+ # Specific labels for the Gateway resource
+ gatewayLabels: {}
+ # Specific annotations for the Gateway resource
+ gatewayAnnotations: {}
+ # Specific labels for the HTTPRoute resource
+ routeLabels: {}
+ # Specific annotations for the HTTPRoute resource
+ routeAnnotations: {}
nginx-ingress: # -- Boolean flag to enable/disable the nginx-ingress definitions chart. enabled: true
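Review bot: The templated scalars in the Gateway and HTTPRoute metadata are emitted unquoted — `name: {{ .Values.gatewayApi.name }}`, `gatewayClassName: {{ .Values.gatewayApi.gatewayClassName }}`, `- name: {{ .Values.gatewayApi.tlsSecretName }}` — while `hostnames` correctly applies `| quote`; an empty or number-looking value would render as null or be retyped, so add `| quote` to those three as well. Rule 13 matches `/jans-lock` with `type: Exact` and rewrites it with `ReplaceFullPath: /jans-auth`, which routes only the bare path and lets `/jans-lock/<subpath>` fall through to the gateway's default response; if the ingress rule it mirrors is a prefix rewrite, `type: PathPrefix` with `type: ReplacePrefixMatch` and `replacePrefixMatch: /jans-auth` is the Gateway API equivalent. Because `parentRefs` names no `sectionName`, every rule here attaches to the port-80 listener too, so as of this commit the application prefixes in section 2 are served over plain HTTP with no redirect; a later patch in this series moves them to the https listener, but the file should at least say so in the `rules:` comment until then.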
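Review bot: `name: jans-gateway` is a fixed object name rather than one derived from the release, unlike every other resource in this chart that is prefixed with the fullname, so two releases in one namespace would contend for the same Gateway; the `# The name of the Gateway resource to create` comment should state that it must be unique per namespace, or the default should be left empty and derived in the template. `gatewayClassName: nginx` has no comment at all, and the remaining new keys use a plain `#` where this file documents values with the helm-docs `# --` marker (see `enabled` just above and `nginx-ingress.enabled` below), so they will be missing from generated docs; propose `# -- Name of the GatewayClass the Gateway binds to; it must already exist in the cluster.` and the `# --` prefix on the others.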
From 48a616f094ad5cbc48e24a5dfb494542885a1ff5 Mon Sep 17 00:00:00 2001
From: Amro Misbah
Date: Fri, 26 Dec 2025 22:50:33 +0200
Subject: [PATCH 2/5] fix: move gateway-api under templates directory
Signed-off-by: Amro Misbah
---
charts/janssen-all-in-one/{ => templates}/gateway-api.yaml | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename charts/janssen-all-in-one/{ => templates}/gateway-api.yaml (100%)
diff --git a/charts/janssen-all-in-one/gateway-api.yaml b/charts/janssen-all-in-one/templates/gateway-api.yaml
similarity index 100%
rename from charts/janssen-all-in-one/gateway-api.yaml
rename to charts/janssen-all-in-one/templates/gateway-api.yaml
From 7a1c0696bb23f0a08ad5196ecd98f72e810cd1a3 Mon Sep 17 00:00:00 2001
From: Amro Misbah
Date: Sat, 27 Dec 2025 09:30:46 +0200
Subject: [PATCH 3/5] docs: fix misleading comments
Signed-off-by: Amro Misbah
---
charts/janssen-all-in-one/values.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/charts/janssen-all-in-one/values.yaml b/charts/janssen-all-in-one/values.yaml
index b4417e0b902..89340cddb0c 100644
--- a/charts/janssen-all-in-one/values.yaml
+++ b/charts/janssen-all-in-one/values.yaml
@@ -630,9 +630,9 @@ nginx-ingress: tlsSecretName: tls-certificate # Service manifest properties service:
- # -- The name of the aio port within the aio service. Please keep it as default.
+ # -- The name of the Kubernetes Service resource. name: http-aio
- # -- Port of the fido2 service. Please keep it as default.
+ # -- The port number exposed by the All-in-One service. port: 8080 # -- Default set to None If you want to make sure that connections from a particular client are passed to the same Pod each time, you can select the session affinity based on the client's IP addresses by setting this to ClientIP sessionAffinity: None
From 8f74592d7ae91ebdcf36fb981d35820a23facc82 Mon Sep 17 00:00:00 2001
From: Amro Misbah Date: Sat, 27 Dec 2025 20:58:07 +0200 Subject: [PATCH 4/5] feat: add support for https redirection for 6 endpints Signed-off-by: Amro Misbah --- .../templates/gateway-api.yaml | 170 ++++++++++++++++-- 1 file changed, 153 insertions(+), 17 deletions(-) diff --git a/charts/janssen-all-in-one/templates/gateway-api.yaml b/charts/janssen-all-in-one/templates/gateway-api.yaml index 35172846f86..e572ddbac62 100644 --- a/charts/janssen-all-in-one/templates/gateway-api.yaml +++ b/charts/janssen-all-in-one/templates/gateway-api.yaml @@ -31,10 +31,14 @@ spec: - name: {{ .Values.gatewayApi.tlsSecretName }} --- +{{- /* ======================================================== */}} +{{- /* ROUTE 1: PUBLIC CONFIGURATION (HTTP & HTTPS) */}} +{{- /* These endpoints can be accessible via HTTP (No Redirect) */}} +{{- /* ======================================================== */}} apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: - name: {{ $fullName }}-routes + name: {{ $fullName }}-routes-public namespace: {{ .Release.Namespace }} labels: app: {{ $fullName }}-routes @@ -48,14 +52,11 @@ metadata: spec: parentRefs: - name: {{ .Values.gatewayApi.name }} + # No sectionName: Attaches to ALL listeners (HTTP and HTTPS) hostnames: - {{ .Values.fqdn | quote }} rules: - - {{- /* ======================================================== */}} - {{- /* SECTION 1: URL REWRITES */}} - {{- /* ======================================================== */}} - + {{- /* 1. OpenID Configuration */}} {{- if index .Values "auth-server" "ingress" "openidConfigEnabled" }} - matches: @@ -259,7 +260,7 @@ spec: - name: {{ $svcName }} port: {{ $svcPort }} {{- end }} - + {{- /* 13. Jans Lock */}} {{- if and (index .Values "auth-server" "lockEnabled") (index .Values "auth-server" "ingress" "lockEnabled") }} - matches: 
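Review bot: Renaming this route to `-routes-public` and leaving `parentRefs` without a `sectionName` keeps the OpenID discovery document, the UMA2/FIDO/SCIM/lock configuration documents, webfinger and the `/device-code` page reachable on the plain-HTTP listener with no redirect, which appears to be the one place in this series where cleartext is retained on purpose. Those documents carry the endpoint URLs and `jwks_uri` that every relying party trusts, and OpenID Connect Discovery expects them to be fetched over TLS, so a response an intermediary can alter deserves more justification than the `# No sectionName:` comment gives. If plain-HTTP access is needed for a specific client, gate it behind a values flag; otherwise add `sectionName: https` here and cover these paths in the redirect route as well, and at minimum extend the comment to `# No sectionName: attaches to BOTH listeners, so these discovery documents are also served unencrypted on port 80`. The `rules:` list of this route continues past the end of the hunk.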
@@ -277,12 +278,34 @@ spec: port: {{ $svcPort }} {{- end }} +--- +{{- /* ======================================================== */}} +{{- /* ROUTE 2: SECURE APPS (HTTPS TRAFFIC) */}} +{{- /* These endpoints serve the app when reached on HTTPS */}} +{{- /* ======================================================== */}} +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: {{ $fullName }}-routes-secure + namespace: {{ .Release.Namespace }} + labels: + app: {{ $fullName }}-routes +{{- if .Values.gatewayApi.routeLabels }} +{{- toYaml .Values.gatewayApi.routeLabels | nindent 4 }} +{{- end }} +{{- if .Values.gatewayApi.routeAnnotations }} + annotations: +{{- toYaml .Values.gatewayApi.routeAnnotations | nindent 4 }} +{{- end }} +spec: + parentRefs: + - name: {{ .Values.gatewayApi.name }} + sectionName: https # ONLY LISTEN ON HTTPS + hostnames: + - {{ .Values.fqdn | quote }} + rules: - {{- /* ======================================================== */}} - {{- /* SECTION 2: STANDARD PREFIXES (No Rewrites) */}} - {{- /* ======================================================== */}} - - {{- /* 14. Auth Server (/jans-auth) */}} + {{- /* 1. Auth Server (/jans-auth) */}} {{- if index .Values "auth-server" "ingress" "authServerEnabled" }} - matches: - path: @@ -293,7 +316,7 @@ spec: port: {{ $svcPort }} {{- end }} - {{- /* 15. Casa (/jans-casa) */}} + {{- /* 2. Casa (/jans-casa) */}} {{- if .Values.casa.ingress.casaEnabled }} - matches: - path: @@ -304,7 +327,7 @@ spec: port: {{ $svcPort }} {{- end }} - {{- /* 16. Config API (/jans-config-api) */}} + {{- /* 3. Config API (/jans-config-api) */}} {{- if index .Values "config-api" "ingress" "configApiEnabled" }} - matches: - path: @@ -315,7 +338,7 @@ spec: port: {{ $svcPort }} {{- end }} - {{- /* 17. FIDO2 (/jans-fido2) */}} + {{- /* 4. FIDO2 (/jans-fido2) */}} {{- if .Values.fido2.ingress.fido2Enabled }} - matches: - path: 
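Review bot: The new `-routes-secure` HTTPRoute repeats the metadata, label/annotation conditionals, `parentRefs` and `hostnames` of the first route verbatim, and the same copy appears a third time in the redirect route added later in this commit, so any change to the route header now has to be made in three places; a `{{- define }}` helper for the header taking the name suffix and an optional `sectionName` would keep them aligned. All three routes also carry the identical `app: {{ $fullName }}-routes` label, so the label no longer distinguishes the objects the way their names do — either suffix it like the name or note in a comment that the shared label is intentional. The rule list of this route continues beyond the hunk.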
@@ -326,7 +349,7 @@ spec: port: {{ $svcPort }} {{- end }} - {{- /* 18. SCIM (/jans-scim) */}} + {{- /* 5. SCIM (/jans-scim) */}} {{- if .Values.scim.ingress.scimEnabled }} - matches: - path: @@ -337,7 +360,7 @@ spec: port: {{ $svcPort }} {{- end }} - {{- /* 19. SAML (/kc) */}} + {{- /* 6. SAML (/kc) */}} {{- if .Values.saml.ingress.samlEnabled }} - matches: - path: 
@@ -348,4 +371,117 @@ spec: port: {{ $svcPort }} {{- end }} +--- +{{- /* ======================================================== */}} +{{- /* ROUTE 3: SECURE APPS (HTTP REDIRECT) */}} +{{- /* These endpoints REDIRECT to HTTPS when reached on HTTP */}} +{{- /* ======================================================== */}} +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: {{ $fullName }}-routes-redirect + namespace: {{ .Release.Namespace }} + labels: + app: {{ $fullName }}-routes +{{- if .Values.gatewayApi.routeLabels }} +{{- toYaml .Values.gatewayApi.routeLabels | nindent 4 }} +{{- end }} +{{- if .Values.gatewayApi.routeAnnotations }} + annotations: +{{- toYaml .Values.gatewayApi.routeAnnotations | nindent 4 }} +{{- end }} +spec: + parentRefs: + - name: {{ .Values.gatewayApi.name }} + sectionName: http # ONLY LISTEN ON HTTP + hostnames: + - {{ .Values.fqdn | quote }} + rules: + + {{- /* Same 6 Rules, but with Redirect Filter instead of BackendRef */}} + + {{- /* 1. Auth Server Redirect */}} + {{- if index .Values "auth-server" "ingress" "authServerEnabled" }} + - matches: + - path: + type: PathPrefix + value: /jans-auth + filters: + - type: RequestRedirect + requestRedirect: + scheme: https + port: 443 + statusCode: 301 + {{- end }} + + {{- /* 2. Casa Redirect */}} + {{- if .Values.casa.ingress.casaEnabled }} + - matches: + - path: + type: PathPrefix + value: /jans-casa + filters: + - type: RequestRedirect + requestRedirect: + scheme: https + port: 443 + statusCode: 301 + {{- end }} + + {{- /* 3. Config API Redirect */}} + {{- if index .Values "config-api" "ingress" "configApiEnabled" }} + - matches: + - path: + type: PathPrefix + value: /jans-config-api + filters: + - type: RequestRedirect + requestRedirect: + scheme: https + port: 443 + statusCode: 301 + {{- end }} + + {{- /* 4. 
FIDO2 Redirect */}} + {{- if .Values.fido2.ingress.fido2Enabled }} + - matches: + - path: + type: PathPrefix + value: /jans-fido2 + filters: + - type: RequestRedirect + requestRedirect: + scheme: https + port: 443 + statusCode: 301 + {{- end }} + + {{- /* 5. SCIM Redirect */}} + {{- if .Values.scim.ingress.scimEnabled }} + - matches: + - path: + type: PathPrefix + value: /jans-scim + filters: + - type: RequestRedirect + requestRedirect: + scheme: https + port: 443 + statusCode: 301 + {{- end }} + + {{- /* 6. SAML Redirect */}} + {{- if .Values.saml.ingress.samlEnabled }} + - matches: + - path: + type: PathPrefix + value: /kc + filters: + - type: RequestRedirect + requestRedirect: + scheme: https + port: 443 + statusCode: 301 + {{- end }} + {{- end }} \ No newline at end of file From c79089eb44de5546979d27fa736981a2334c35dd Mon Sep 17 00:00:00 2001 From: Amro Misbah Date: Mon, 29 Dec 2025 20:05:18 +0200 Subject: [PATCH 5/5] feat: allow passing static ip to gateway Signed-off-by: Amro Misbah --- charts/janssen-all-in-one/templates/gateway-api.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/charts/janssen-all-in-one/templates/gateway-api.yaml b/charts/janssen-all-in-one/templates/gateway-api.yaml index e572ddbac62..d8faff62fba 100644 --- a/charts/janssen-all-in-one/templates/gateway-api.yaml +++ b/charts/janssen-all-in-one/templates/gateway-api.yaml @@ -18,6 +18,11 @@ metadata: {{- end }} spec: gatewayClassName: {{ .Values.gatewayApi.gatewayClassName }} + {{- if .Values.lbIp }} + addresses: + - type: IPAddress + value: {{ .Values.lbIp }} + {{- end }} listeners: - name: http port: 80
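Review bot: The six rules in `-routes-redirect` differ only in their `value:` and the values flag that gates each one, and an HTTP request to any path outside those prefixes still gets the gateway's default 404 instead of a redirect. Under Gateway API match precedence an `Exact` match outranks a `PathPrefix` match, so a single `PathPrefix` `/` redirect rule on the `http` listener covers the same six prefixes, redirects everything else, and leaves the exact-path endpoints of `-routes-public` unaffected — provided the GatewayClass implementation honours precedence across routes, which is worth confirming for the nginx class this chart defaults to. The `port: 443` in each `requestRedirect` only restates what `scheme: https` already implies under the filter's documented defaulting, so it can be dropped. This route closes the `{{- if .Values.gatewayApi.enabled }}` block that opens at the top of the file, outside the hunk.
```yaml
  rules:
    # … unchanged: route metadata, parentRefs with sectionName: http, hostnames …
    # one catch-all rule replaces the six per-app redirect rules; Exact matches
    # in the public route take precedence over this prefix
    - matches:
        - path:
            type: PathPrefix
            value: /
      filters:
        - type: RequestRedirect
          requestRedirect:
            scheme: https
            statusCode: 301
```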
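Review bot: `value: {{ .Values.lbIp }}` reads a top-level `lbIp` value that this series never adds to `values.yaml`, so either it already exists for another ingress path (then a comment here should say the value is shared) or it is undefined and the `if` silently never renders; in both cases quote it, `value: {{ .Values.lbIp | quote }}`, so the rendered address is always a string. `spec.addresses` is a request rather than a guarantee — the GatewayClass implementation may be unable to bind the address and reports the outcome in the Gateway's status — so the documentation for `lbIp` should tell users to verify `status.addresses` after install. The `listeners` block and the rest of `spec` continue past the end of the hunk.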