feat: add gateway handling to sefaria helm chart

[BrendanGalloway]

Description

A brief description of the PR

Code Changes

The following changes were made to the files below

Notes

Any additional notes go here

[mergify]

🧪 CI Insights

Here's what we observed from your CI run for db25cd6.

🟢 All jobs passed!

But CI Insights is watching 👀

[Copilot]

Pull request overview

Adds optional Kubernetes Gateway API resources to the sefaria Helm chart while making the existing Ingress resource configurable via a new ingress.enabled flag.

Changes:

• Add ingress.enabled and a new gateway values block (enable flag, class name, annotations).
• Wrap the existing Ingress template in a conditional so it can be disabled.
• Introduce Gateway API templates (Gateway, HTTPRoute) plus an Envoy Gateway ClientTrafficPolicy when gateway.enabled is true.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
helm-chart/sefaria/values.yaml	Adds configuration flags for enabling/disabling Ingress and enabling/configuring Gateway resources.
helm-chart/sefaria/templates/ingress.yaml	Gates Ingress rendering behind .Values.ingress.enabled.
helm-chart/sefaria/templates/gateway/gateway.yaml	Adds a Gateway API Gateway with HTTP/HTTPS listeners and TLS secret references.
helm-chart/sefaria/templates/gateway/httproute.yaml	Adds a Gateway API HTTPRoute routing hostnames to the nginx service.
helm-chart/sefaria/templates/gateway/clienttrafficpolicy.yaml	Adds Envoy Gateway ClientTrafficPolicy (ALPN protocols) targeting the Gateway.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The {{- $subdomain := printf "%s.%s" ... }} assignment is placed between YAML fields and uses {{- whitespace trimming, which can remove the newline after port: 443 and produce invalid YAML (e.g., port: 443hostname: ...). Compute the FQDN in a template block before emitting the list item fields, or remove left-trimming here so the newline is preserved (and consider using a different variable name like $fqdnSubdomain to avoid shadowing).

Suggested change

	- name: https-{{ $subdomain }}-{{ $code }}
	protocol: HTTPS
	port: 443
	{{- $subdomain := printf "%s.%s" $subdomain $rootDomain }}
	hostname: {{ $subdomain }}
	{{- $fqdnSubdomain := printf "%s.%s" $subdomain $rootDomain }}
	- name: https-{{ $subdomain }}-{{ $code }}
	protocol: HTTPS
	port: 443
	hostname: {{ $fqdnSubdomain }}

[Copilot]

metadata.annotations is rendered via toYaml without guarding for nil/empty values. If a user enables the gateway without setting gateway.annotations (e.g., helm upgrade --reuse-values --set gateway.enabled=true), this can render annotations: null, which is invalid for Kubernetes annotations (must be a map). Wrap this in a with/if block or default to an empty dict so the field is omitted or always a map.

Suggested change

	annotations: {{ .Values.gateway.annotations | toYaml | nindent 4 }}
	{{- with .Values.gateway.annotations }}
	annotations:
	{{- toYaml . | nindent 4 }}
	{{- end }}

[Copilot]

Gating the entire Ingress on .Values.ingress.enabled will disable Ingress when the key is absent. On upgrades that use helm upgrade --reuse-values, the new default from values.yaml won’t be applied, so existing releases could unexpectedly lose the Ingress. Consider defaulting this to true in the condition (e.g., | default true) to preserve legacy behavior unless explicitly disabled.