Merged
17 changes: 17 additions & 0 deletions helm-chart/sefaria/templates/gateway/clienttrafficpolicy.yaml
@@ -0,0 +1,17 @@
{{- if .Values.gateway.enabled }}
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
name: {{ .Values.deployEnv }}
labels:
{{- include "sefaria.labels" . | nindent 4 }}
spec:
targetRef:
group: gateway.networking.k8s.io
kind: Gateway
name: {{ .Values.deployEnv }}
alpn:
protocols:
- h2
- http/1.1
{{- end }}
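Review bot: a one-line comment explaining why this policy exists would help the next reader, since the file only states that the Gateway named `{{ .Values.deployEnv }}` should negotiate `h2` and `http/1.1`, and ALPN applies solely to the TLS listeners defined in gateway.yaml. The `targetRef` name is the same literal as the Gateway's `metadata.name`; if that name is ever derived differently in one of the two templates the policy silently stops matching, so check the policy's `status` conditions after the first rollout to confirm it attached.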
60 changes: 60 additions & 0 deletions helm-chart/sefaria/templates/gateway/gateway.yaml
@@ -0,0 +1,60 @@
{{- if .Values.gateway.enabled }}
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: {{ .Values.deployEnv }}
labels:
{{- include "sefaria.labels" . | nindent 4 }}
annotations: {{ .Values.gateway.annotations | toYaml | nindent 4 }}
Copilot AI Feb 10, 2026
metadata.annotations is rendered via toYaml without guarding for nil/empty values. If a user enables the gateway without setting gateway.annotations (e.g., helm upgrade --reuse-values --set gateway.enabled=true), this can render annotations: null, which is invalid for Kubernetes annotations (must be a map). Wrap this in a with/if block or default to an empty dict so the field is omitted or always a map.

Suggested change
annotations: {{ .Values.gateway.annotations | toYaml | nindent 4 }}
{{- with .Values.gateway.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
gatewayClassName: {{ .Values.gateway.className }}
listeners:
- name: http
protocol: HTTP
port: 80
{{- range .Values.domains.root }}
{{- $code := .code }}
{{- if kindIs "slice" $code }}
{{- $code = index $code 0 }}
{{- end }}
{{- $rootDomain := tpl .url $ | quote | trimAll "\"" }}
{{- $wwwDomain := printf "www.%s" $rootDomain }}
{{- $secretName := tpl .cert $ | default ( printf "origin-%s-%s-tls" $.Values.deployEnv $code ) }}
- name: https-{{ $code }}
protocol: HTTPS
port: 443
hostname: {{ $rootDomain }}
tls:
mode: Terminate
certificateRefs:
- kind: Secret
group: ""
name: {{ $secretName }}
- name: https-www-{{ $code }}
protocol: HTTPS
port: 443
hostname: {{ $wwwDomain }}
tls:
mode: Terminate
certificateRefs:
- kind: Secret
group: ""
name: {{ $secretName }}
{{- range $.Values.domains.modules }}
{{- $subdomain := index .subdomains $code }}
{{- if $subdomain }}
- name: https-{{ $subdomain }}-{{ $code }}
protocol: HTTPS
port: 443
{{- $subdomain := printf "%s.%s" $subdomain $rootDomain }}
hostname: {{ $subdomain }}
Comment on lines +46 to +50
Copilot AI Feb 10, 2026
The {{- $subdomain := printf "%s.%s" ... }} assignment is placed between YAML fields and uses {{- whitespace trimming, which can remove the newline after port: 443 and produce invalid YAML (e.g., port: 443hostname: ...). Compute the FQDN in a template block before emitting the list item fields, or remove left-trimming here so the newline is preserved (and consider using a different variable name like $fqdnSubdomain to avoid shadowing).

Suggested change
- name: https-{{ $subdomain }}-{{ $code }}
protocol: HTTPS
port: 443
{{- $subdomain := printf "%s.%s" $subdomain $rootDomain }}
hostname: {{ $subdomain }}
{{- $fqdnSubdomain := printf "%s.%s" $subdomain $rootDomain }}
- name: https-{{ $subdomain }}-{{ $code }}
protocol: HTTPS
port: 443
hostname: {{ $fqdnSubdomain }}
tls:
mode: Terminate
certificateRefs:
- kind: Secret
group: ""
name: {{ $secretName }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
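Review bot: the module subdomain listeners inside `{{- range $.Values.domains.modules }}` reuse `$secretName`, which is the root domain's certificate Secret (`tpl .cert $ | default (printf "origin-%s-%s-tls" ...)`), so that single certificate must also cover every `<subdomain>.<rootDomain>` name via a wildcard or SAN entries; otherwise those HTTPS listeners present a certificate that does not match the hostname. Either document that requirement next to `domains.modules` in values.yaml or allow a per-module `cert` override here. On the two Copilot comments above: the unguarded `annotations:` line is a real risk and the `with` block is the right fix, whereas the `{{- $subdomain := ... }}` trim only removes whitespace before the action and keeps the newline after `}}`, so `port: 443` and `hostname:` still render on separate lines exactly as the `{{- $code := .code }}` lines earlier in this hunk do; the rename to avoid shadowing `$subdomain` is still worth taking for readability. A `helm template` run with `gateway.enabled=true` and `gateway.annotations` unset would confirm both points before merge.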
37 changes: 37 additions & 0 deletions helm-chart/sefaria/templates/gateway/httproute.yaml
@@ -0,0 +1,37 @@
{{- if .Values.gateway.enabled }}
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: {{ .Values.deployEnv }}
labels:
{{- include "sefaria.labels" . | nindent 4 }}
spec:
parentRefs:
- name: {{ .Values.deployEnv }}
hostnames:
{{- range .Values.domains.root }}
{{- $code := .code }}
{{- if kindIs "slice" $code }}
{{- $code = index $code 0 }}
{{- end }}
{{- $rootDomain := tpl .url $ | quote | trimAll "\"" }}
{{- $wwwDomain := printf "www.%s" $rootDomain }}
- {{ $rootDomain }}
- {{ $wwwDomain }}
{{- range $.Values.domains.modules }}
{{- $subdomain := index .subdomains $code }}
{{- if $subdomain }}
{{- $subdomain := printf "%s.%s" $subdomain $rootDomain }}
- {{ $subdomain }}
{{- end }}
{{- end }}
{{- end }}
rules:
- backendRefs:
- name: nginx-{{ $.Values.deployEnv }}
port: 80
matches:
- path:
type: PathPrefix
value: /
{{- end }}
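Review bot: `parentRefs` names the Gateway without a `sectionName`, so this route attaches to every listener, including the plain `http` listener on port 80 declared in gateway.yaml, and the nginx backend is then reachable over cleartext as well as TLS with nothing redirecting to HTTPS. If the intent is TLS-only, add a second HTTPRoute bound with `sectionName: http` carrying a `RequestRedirect` filter (`scheme: https`, `statusCode: 301`) and restrict this route to the HTTPS listeners; the Ingress template's annotations (not shown in this diff) should be checked for an equivalent redirect so the behaviour does not silently regress when `gateway.enabled` replaces it. The `$code` / `$rootDomain` / `$wwwDomain` / module-subdomain loop is also now copied verbatim in gateway.yaml, httproute.yaml and ingress.yaml; a named template (`define`) that emits the hostname list would keep the three from drifting.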
4 changes: 3 additions & 1 deletion helm-chart/sefaria/templates/ingress.yaml
@@ -1,3 +1,4 @@
{{- if .Values.ingress.enabled }}
Copilot AI Feb 10, 2026
Gating the entire Ingress on .Values.ingress.enabled will disable Ingress when the key is absent. On upgrades that use helm upgrade --reuse-values, the new default from values.yaml won’t be applied, so existing releases could unexpectedly lose the Ingress. Consider defaulting this to true in the condition (e.g., | default true) to preserve legacy behavior unless explicitly disabled.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
@@ -21,7 +22,7 @@ spec:
{{- end }}
{{- $rootDomain := tpl .url $ | quote | trimAll "\"" }}
{{- $wwwDomain := printf "www.%s" $rootDomain }}
- secretName: {{ tpl .cert $ | default ( printf "origin-%s-$s-tls" $.Values.deployEnv $code ) }}
- secretName: {{ tpl .cert $ | default ( printf "origin-%s-%s-tls" $.Values.deployEnv $code ) }}
hosts:
- {{ $rootDomain }}
- {{ $wwwDomain }}
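Review bot: the `$s` to `%s` fix is the one behavioural change in this file and deserves a line in the PR description: Go's `printf` leaves an unused argument visible in the output when the format string has fewer verbs than arguments, so the old default `secretName` did not render as `origin-<env>-<code>-tls`, and any domain relying on the default pointed the Ingress at a Secret under a different name. After upgrade the Ingress references the corrected name, so verify that the issued TLS Secret actually exists under it. The same `printf "origin-%s-%s-tls"` expression now appears in gateway.yaml as well; a small named template for the default secret name would keep the two from diverging again.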
@@ -75,3 +76,4 @@ spec:
{{- end }}
{{- end }}
{{- end }}
{{- end }}
9 changes: 9 additions & 0 deletions helm-chart/sefaria/values.yaml
@@ -266,6 +266,15 @@ domains:
- collections
- profile

ingress:
enabled: true

gateway:
enabled: false
className: envoy
annotations:
cert-manager.io/cluster-issuer: ingress-ca

nginx:
containerImage:
# Full path of the image registry inclusive of the image name
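Review bot: `ingress.enabled` and `gateway.enabled` are independent booleans with no template-side check, so a values file with both set to true renders an Ingress and a Gateway for the same hostnames, both referencing the same `origin-<env>-<code>-tls` Secrets; either document them here as mutually exclusive or add a `{{ fail ... }}` in the templates when both are set. The `cert-manager.io/cluster-issuer: ingress-ca` default is also the only thing that provisions the certificate Secrets the Gateway listeners reference, so a comment noting that cert-manager must be configured to watch Gateway resources for this annotation to take effect would save the next operator a debugging session when `gateway.enabled` is first flipped on.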