
feat(charts): gateway api support in helm charts#2588

Merged
moabu merged 12 commits into main from feat-gateway-support
Jan 22, 2026

@misba7 misba7 commented Jan 16, 2026

closes #2587

Summary by CodeRabbit

  • New Features

    • Added Gateway API support with configurable gateway and route options and templates to expose public, secure and redirect routes.
  • Documentation

    • Changed Casa endpoint references from /casa to /jans-casa across docs, values, and example templates.
    • Added Gateway API and certificate configuration documentation.
    • Removed autogenerated footer metadata from multiple chart READMEs and updated the system requirements table.


Signed-off-by: Amro Misbah <amromisba7@gmail.com>
Signed-off-by: Amro Misbah <amromisba7@gmail.com>
@misba7 misba7 requested review from iromli and moabu as code owners January 16, 2026 20:02
coderabbitai bot commented Jan 16, 2026

Walkthrough

Adds Kubernetes Gateway API support with new Gateway and HTTPRoute Helm templates, introduces gatewayApi configuration in chart values, updates Casa ingress path references to /jans-casa, and removes autogenerated footer lines from many subchart README files.

Changes

| Cohort / File(s) | Summary |
|---|---|
| **Gateway API Templates**: `charts/gluu/templates/gateway-api.yaml`, `charts/gluu-all-in-one/templates/gateway-api.yaml` | New Helm templates that render a Gateway and three HTTPRoute sets (public, secure, redirect). Routes, listeners, TLS, rewrites and redirects are conditionally generated from many feature flags and values. |
| **Gateway API Configuration**: `charts/gluu/values.yaml`, `charts/gluu-all-in-one/values.yaml` | Added gatewayApi blocks (enabled, gatewayClassName, name, httpPort, httpsPort, tlsSecretName, gatewayLabels, gatewayAnnotations, routeLabels, routeAnnotations). Casa ingress comment updated to reference /jans-casa. |
| **Chart Documentation Updates**: `charts/gluu/README.md`, `charts/gluu-all-in-one/README.md` | Documented new gatewayApi parameters; added cert-manager certificate fields in one README; updated Casa endpoint description from /casa to /jans-casa. |
| **Subchart README Cleanups**: `charts/gluu/charts/*/README.md` (e.g., admin-ui, auth-server*, casa, cleanup, cn-istio-ingress, config*, fido2, kc-scheduler, nginx-ingress, persistence, saml, scim) | Removed autogenerated footer/separator lines from many subchart README files (documentation-only cleanup). |
| **Automation & Examples**: `automation/rancher-partner-charts/questions.yaml`, `charts/gluu/openbanking-values.yaml`, `charts/example-third-party-templates/alb/ingress.yaml` | Updated Casa ingress descriptive text and ingress path matching from /casa to /jans-casa. |
| **System Requirements**: `docs/includes/cn-system-requirements.md` | Reordered rows (cleanup, fido2, scim, nginx) and changed nginx Required value from "Yes if ALB/Istio not used" to "No". |

Sequence Diagram(s)

sequenceDiagram
    participant Client as Client
    participant Gateway as Gateway (Gateway API)
    participant Route as HTTPRoute
    participant Backend as Service Backend

    Client->>Gateway: Send HTTP/HTTPS request
    Gateway->>Route: Evaluate host/path rules
    Route->>Route: Apply matches, rewrites, filters
    alt Request requires redirect
        Route-->>Client: 301 Redirect to HTTPS
    else Forward to backend
        Route->>Backend: Proxy to service:port
        Backend-->>Client: Response (via Gateway)
    end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Suggested reviewers

  • iromli
  • moabu

Poem

🐰 A gateway sprouts where paths entwine,
Routes hop and shuffle, patterns align,
Casa beams at /jans-casa's door,
Services hum, the traffic soars,
Hop, I nibble a log—celebrate more!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title 'feat(charts): gateway api support in helm charts' directly and clearly summarizes the main change of adding Kubernetes Gateway API support to helm charts. |
| Linked Issues check | ✅ Passed | The PR successfully implements Gateway API support by adding gateway-api.yaml templates [#2587], new gatewayApi configuration values [#2587], and updated documentation for the new feature [#2587]. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to adding Gateway API support. Documentation updates (path references from /casa to /jans-casa) and autogenerated footer removals are minor supporting changes aligned with the feature scope. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@mo-auto mo-auto added the area-CI, area-documentation, comp-charts-flex, comp-casa and comp-admin-ui labels Jan 16, 2026
Signed-off-by: Amro Misbah <amromisba7@gmail.com>
@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 7

🤖 Fix all issues with AI agents
In `@automation/rancher-partner-charts/questions.yaml`:
- Around line 642-643: The description and label for the question are
inconsistent: the description value ("Enable endpoint /jans-casa. Enable this!")
includes a period before "Enable this!" while the label ("Enable endpoint
/jans-casa Enable this!") does not; update the label or description so they
match punctuation (e.g., add the missing period in the label or remove the
period in the description) by editing the "description" and "label" entries for
this question to use the same phrasing and punctuation.

In `@charts/gluu-all-in-one/README.md`:
- Line 315: The table row for gatewayApi.gatewayClassName contains an unescaped
pipe and a bare URL which breaks Markdown; update the values/comment for
gatewayApi.gatewayClassName to make the description table-safe by either
escaping the internal pipe (e.g., '\|') or listing implementations in inline
code/backticks (e.g., '`nginx`, `istio`, `cilium`, `traefik`') and replace the
bare URL with a markdown link (e.g., '[Gateway API
implementations](https://gateway-api.sigs.k8s.io/implementations/#conformant)');
then re-run your docs generation so the README table is regenerated with the
fixed description.

In `@charts/gluu-all-in-one/templates/gateway-api.yaml`:
- Around line 287-295: Update the ingress template to use consistent
left-trimming by changing the opening tag for the Admin UI conditional from "{{
if index .Values \"admin-ui\" \"ingress\" \"adminUiEnabled\" }}" to the
left-trimmed form ("{{- if ... }}"), remove the Admin UI block from the public
routes block (the block referencing $svcName and $svcPort under the PathPrefix
/admin), and add a new redirect-only route for Admin UI in the redirect routes
section (wrap in the same conditional index .Values "admin-ui" "ingress"
"adminUiEnabled") that matches path /admin and applies a RequestRedirect to
scheme https with statusCode 301 so admin traffic is always redirected to HTTPS.
- Around line 269-284: The URLRewrite filter in the gateway-api template is
incorrectly replacing /jans-lock with /jans-auth and must be removed so Lock
endpoints remain under /jans-lock; inside the conditional block that checks
(index .Values "auth-server" "lockEnabled") and (index .Values "auth-server"
"ingress" "lockEnabled"), delete the URLRewrite filter block (the filter with
type: URLRewrite and urlRewrite.path.ReplaceFullPath) and leave the backendRefs
pointing to {{ $svcName }}:{{ $svcPort }} so requests are routed to the
auth-server without changing the incoming path.

In `@charts/gluu/README.md`:
- Line 347: The table cell for gatewayApi.gatewayClassName in the generated
README is broken by an unescaped pipe and a bare URL; open the corresponding
comment in values.yaml where gatewayApi.gatewayClassName is documented and
replace the pipe-containing text with a table-safe phrase (e.g., "supports
GA-conformant implementations such as nginx, istio, cilium, traefik") and
convert the bare URL into an inline markdown link (e.g., "see gateway
implementations") or remove the raw '|' characters/escape them; after updating
the comment regenerate the charts docs so the README table no longer triggers
MD034/MD056.

In `@charts/gluu/templates/gateway-api.yaml`:
- Around line 5-7: The Gateway routes currently hard-code port 8080 for
FIDO2/SCIM (and CASA) backends; update the route definitions that reference
$fido2Svc, $scimSvc and $casaSvc to use the chart's configurable service port
values instead of 8080 (for example use the corresponding values under
.Values.global.fido2, .Values.global.scim and .Values.global.casa such as
.Values.global.fido2.servicePort and .Values.global.scim.servicePort /
.Values.global.casa.servicePort), and apply the same replacement for all
occurrences noted (the current block and the ranges called out: 191-239 and
365-384) so the Gateway will route to overridden ports.

In `@docs/includes/cn-system-requirements.md`:
- Around line 15-18: Update the nginx row in the system requirements table to
reflect that nginx is the default ingress: change the "Required" value for
"nginx" (row with symbol 'nginx') to clarify that nginx is used by default
(because nginx-ingress.enabled: true) and only optional when an alternative
ingress is explicitly enabled (gatewayApi.enabled, istio.ingress, or
alb.ingress). Use wording like "No (if ALB, Istio, or Gateway API is
configured)" or "Yes by default; No if ALB/ Istio/ Gateway API enabled" to make
the default configuration semantics clear.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@charts/gluu/templates/gateway-api.yaml`:
- Around line 84-85: gateway-api.yaml currently hard-codes service ports (e.g.,
"port: 8080" next to "name: {{ $authSvc }}") which must be parameterized; add
servicePort entries for each subchart under the parent values.yaml global
section (e.g., global.auth-server.servicePort, global.config-api.servicePort,
global.admin-ui.servicePort, global.saml.servicePort) and then replace the
hard-coded literals in gateway-api.yaml with references to those values (use
.Values.global.<service>.servicePort where the template currently emits
8080/8074/8083). Ensure you update every occurrence of the hard-coded ports in
gateway-api.yaml to use the new .Values.global keys so the parent chart can
control the subchart service ports.

Signed-off-by: Amro Misbah <amromisba7@gmail.com>
Signed-off-by: Amro Misbah <amromisba7@gmail.com>
@misba7 misba7 changed the title Feat gateway support feat(charts): gateway api support in helm charts Jan 16, 2026
@mo-auto mo-auto added the kind-feature Issue or PR is a new feature request label Jan 16, 2026
@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

🤖 Fix all issues with AI agents
In `@charts/gluu/README.md`:
- Line 439: The ALB example ingress template still references the old Casa path
'/casa*'—update the ingress paths in the example ALB template to '/jans-casa*'
so they match the main templates and README; specifically replace any
occurrences of the path pattern '/casa*' with '/jans-casa*' and verify that any
related config tied to global.casa.ingress.casaEnabled (or similar Casa ingress
path entries) are consistent with the new '/jans-casa' route.

In `@charts/gluu/templates/gateway-api.yaml`:
- Around line 292-301: The /admin ingress entry is currently only in the public
routes and allows HTTP; update the template so the admin UI route (guarded by
.Values.global "admin-ui" "ingress" "adminUiEnabled" and referencing service
name {{ $adminSvc }} port 8080) is placed in the secure/HTTPS-only routes
section and removed from the public HTTP backend list, and add a corresponding
HTTP→HTTPS redirect entry in the public/redirect block that matches path /admin
(PathPrefix) to redirect clients to the HTTPS host/path; ensure the same path
value (/admin) and service reference ($adminSvc port 8080) are used for the
secure entry and that the public entry is only a redirect rule.

In `@charts/gluu/values.yaml`:
- Around line 1303-1306: The gatewayApi config is split between
global.gatewayApi.enabled and root-level gatewayApi.* causing template
mismatches; choose one consistent location—prefer moving enabled into the root
gatewayApi block and update the template check accordingly: add enabled under
the existing gatewayApi: block in values.yaml (mirror other fields) and change
the conditional in charts/gluu/templates/gateway-api.yaml from checking
global.gatewayApi.enabled to .Values.gatewayApi.enabled so all gatewayApi
settings are consumed from .Values.gatewayApi.* (alternatively, move all other
gatewayApi keys under global.gatewayApi and update template references to
.Values.global.gatewayApi.* if you prefer global scoping).
♻️ Duplicate comments (3)
charts/gluu-all-in-one/templates/gateway-api.yaml (1)

286-295: Force Admin UI to HTTPS-only (currently reachable over HTTP).

Admin UI is only in the public routes (HTTP+HTTPS) and is missing from the redirect/secure route blocks, so it remains available via plain HTTP. Move it to secure routes and add an HTTP→HTTPS redirect.

🔧 Suggested fix
@@
-  {{- /* 14. Admin UI */}}
-  {{- if index .Values "admin-ui" "ingress" "adminUiEnabled" -}}
-  - matches:
-    - path:
-        type: PathPrefix
-        value: /admin
-    backendRefs:
-    - name: {{ $svcName }}
-      port: {{ $svcPort }}
-  {{- end }}
+  {{- /* (moved to secure + redirect routes) */}}
@@
   {{- /* ROUTE 2: SECURE APPS (HTTPS TRAFFIC) */}}
+  {{- /* Admin UI (/admin) */}}
+  {{- if index .Values "admin-ui" "ingress" "adminUiEnabled" }}
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /admin
+    backendRefs:
+    - name: {{ $svcName }}
+      port: {{ $svcPort }}
+  {{- end }}
@@
   {{- /* ROUTE 3: SECURE APPS (HTTP REDIRECT) */}}
+  {{- /* Admin UI Redirect */}}
+  {{- if index .Values "admin-ui" "ingress" "adminUiEnabled" }}
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /admin
+    filters:
+    - type: RequestRedirect
+      requestRedirect:
+        scheme: https
+        statusCode: 301
+  {{- end }}
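Review bot: The /admin rules added under ROUTE 2 and ROUTE 3 only make the Admin UI HTTPS-only if those two HTTPRoutes attach to different listeners, and the hunk does not show their parentRefs. Confirm that the route carrying the new /admin backendRefs rule attaches only to the HTTPS listener and that the route carrying the RequestRedirect rule attaches only to the HTTP listener; if either route attaches to both listeners, the backend rule and the redirect rule compete for the same PathPrefix match and plain HTTP can still reach the backend. The added conditionals also switch from the removed `{{- if ... -}}` to `{{- if ... }}`; keep the form without right-trim so the `- matches:` item stays on its own indented line.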
charts/gluu/templates/gateway-api.yaml (1)

84-86: Avoid hard‑coding backend ports; use configurable service ports.

Ports are fixed to 8080/8074/8083 across auth/config/admin/fido2/scim/saml routes, which will break if users override subchart service ports. Expose ports in values (e.g., global.<svc>.servicePort) and use them here.

🔧 Suggested pattern (apply to all occurrences)
 {{- $authSvc := index .Values.global "auth-server" "authServerServiceName" -}}
 {{- $configSvc := index .Values.global "config-api" "configApiServerServiceName" -}}
 {{- $fido2Svc := .Values.global.fido2.fido2ServiceName -}}
 {{- $scimSvc := .Values.global.scim.scimServiceName -}}
 {{- $casaSvc := .Values.global.casa.casaServiceName -}}
 {{- $samlSvc := .Values.global.saml.samlServiceName -}}
 {{- $adminSvc := index .Values.global "admin-ui" "adminUiServiceName" -}}
+{{- $authPort := .Values.global.auth-server.servicePort | default 8080 -}}
+{{- $configPort := .Values.global.config-api.servicePort | default 8074 -}}
+{{- $fido2Port := .Values.global.fido2.servicePort | default 8080 -}}
+{{- $scimPort := .Values.global.scim.servicePort | default 8080 -}}
+{{- $casaPort := .Values.global.casa.servicePort | default 8080 -}}
+{{- $samlPort := .Values.global.saml.servicePort | default 8083 -}}
+{{- $adminPort := .Values.global.admin-ui.servicePort | default 8080 -}}
-    - name: {{ $authSvc }}
-      port: 8080
+    - name: {{ $authSvc }}
+      port: {{ $authPort }}
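Review bot: The added `$authPort`, `$configPort` and `$adminPort` lines use dot access on hyphenated keys (`.Values.global.auth-server.servicePort`, `.Values.global.config-api.servicePort`, `.Values.global.admin-ui.servicePort`), which Go templates cannot parse; the unchanged lines directly above already use `index` for the same maps. Write these three with `index`, for example `{{- $authPort := index .Values.global "auth-server" "servicePort" | default 8080 -}}`, and leave the dot form only for fido2, scim, casa and saml. The suggestion also assumes `servicePort` keys that are not defined in the values shown here, so add them to values.yaml and the README table in the same change.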

Also applies to: 203-205, 237-239, 299-300, 360-362, 393-395

charts/gluu-all-in-one/README.md (1)

313-322: Fix markdown table formatting issue in gatewayClassName description.

Line 315 contains a bare URL and unescaped pipe that breaks the markdown table rendering. This is the same issue that was already addressed in charts/gluu/README.md.

Since this README is auto-generated from Helm chart values, update the comment for gatewayApi.gatewayClassName in charts/gluu-all-in-one/values.yaml to use a markdown link instead of a bare URL, then regenerate the documentation.

✍️ Suggested fix for values.yaml comment
-# Set the gatewayClassName corresponding to your installed controller. We support all GA-conformant implementations(e.g., 'nginx', 'istio', 'cilium', 'traefik') | https://gateway-api.sigs.k8s.io/implementations/#conformant
+# Set the gatewayClassName corresponding to your installed controller (e.g., "nginx", "istio", "cilium", "traefik"). See [Gateway API conformant implementations](https://gateway-api.sigs.k8s.io/implementations/#conformant).

Then regenerate the README using helm-docs or your documentation generation tool.

Signed-off-by: Amro Misbah <amromisba7@gmail.com>
@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
charts/example-third-party-templates/alb/ingress.yaml (1)

1-1: Consider updating deprecated Ingress API version.

This file uses networking.k8s.io/v1beta1, which was deprecated in Kubernetes 1.19 and removed in 1.22. While this is a pre-existing issue not introduced by this PR, consider updating to networking.k8s.io/v1 in a future change to ensure compatibility with newer Kubernetes versions. Note that v1 uses a different spec structure (pathType field and nested service block).

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@charts/gluu-all-in-one/templates/gateway-api.yaml`:
- Around line 269-283: The Jans Lock route currently uses Exact match and
ReplaceFullPath which drops subpaths; update the HTTPRoute block for the Jans
Lock section (the stanza guarded by the checks on (index .Values "auth-server"
"lockEnabled") and (index .Values "auth-server" "ingress" "lockEnabled")) to use
a PathPrefix match with value "/jans-lock" and change the URL rewrite in the
filter from ReplaceFullPath to ReplacePrefixMatch so subpaths like
"/jans-lock/login" are preserved while rewriting the prefix to "/jans-auth";
keep the same backendRefs using {{ $svcName }} and {{ $svcPort }}.

In `@charts/gluu/templates/gateway-api.yaml`:
- Around line 275-289: The Jans Lock route currently uses an Exact path match
with a ReplaceFullPath rewrite so subpaths like /jans-lock/* are dropped; update
the Gateway API stanza for the Jans Lock block (the matches/path/type and
filters/urlRewrite settings) to use a PathPrefix match and change the URLRewrite
from ReplaceFullPath to ReplacePrefixMatch so requests under /jans-lock preserve
their subpaths and are forwarded to the backendRef (name: {{ $authSvc }}, port:
8080) with the prefix rewritten to /jans-auth.

Comment on lines +269 to +283
{{- /* 13. Jans Lock */}}
{{- if and (index .Values "auth-server" "lockEnabled") (index .Values "auth-server" "ingress" "lockEnabled") }}
- matches:
- path:
type: Exact
value: /jans-lock
filters:
- type: URLRewrite
urlRewrite:
path:
type: ReplaceFullPath
replaceFullPath: /jans-auth
backendRefs:
- name: {{ $svcName }}
port: {{ $svcPort }}

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's find and examine the gateway-api.yaml file
find . -name "gateway-api.yaml" -type f | head -20

Repository: GluuFederation/flex

Length of output: 155


🏁 Script executed:

# Examine the full file structure and surrounding context
cat -n ./charts/gluu-all-in-one/templates/gateway-api.yaml | sed -n '250,310p'

Repository: GluuFederation/flex

Length of output: 2205


🏁 Script executed:

# Get more context about other routes in the file
cat -n ./charts/gluu-all-in-one/templates/gateway-api.yaml | sed -n '1,100p'

Repository: GluuFederation/flex

Length of output: 3706


🏁 Script executed:

# Check for other routes and their path matching strategies
rg -n "type: (Exact|PathPrefix)" ./charts/gluu-all-in-one/templates/gateway-api.yaml -B 2 -A 2

Repository: GluuFederation/flex

Length of output: 3143


🏁 Script executed:

# Check for ReplaceFullPath vs ReplacePrefixMatch usage
rg -n "(ReplaceFullPath|ReplacePrefixMatch)" ./charts/gluu-all-in-one/templates/gateway-api.yaml -B 2 -A 2

Repository: GluuFederation/flex

Length of output: 2214


🌐 Web query:

Kubernetes Gateway API HTTPRoute path matching Exact vs PathPrefix behavior specification

💡 Result:

Summary — Exact vs PathPrefix (Gateway API HTTPRoute)

  • Exact

    • Matches the URL path exactly, case-sensitive.
    • /abc matches only /abc (does NOT match /abc/, /Abc, /abcd). [1][2]
  • PathPrefix

    • Matches on path elements (split by “/”), case-sensitive.
    • A trailing “/” on the prefix is ignored. Example: prefix "/abc" matches "/abc", "/abc/", and "/abc/def" but NOT "/abcd". Matching is element-wise (full path segments). [1][2]
    • ReplacePrefixMatch (rewrite behavior) follows the same element semantics (e.g., replacing "/foo" in "/foo/bar" → "/xyz/bar"). [1]
  • Precedence when multiple matches apply

    • Exact matches take priority.
    • Then PathPrefix matches with the longest number of characters.
    • Then method match, then number of header matches, then number of query-param matches. (RegularExpression precedence is implementation-specific.) [1][2]

Sources:
[1] Kubernetes Gateway API — HTTPRoute / PathMatchType and precedence.
[2] Gateway API HTTPRoute reference (Kubernetes docs).


🌐 Web query:

Kubernetes Gateway API URLRewrite ReplaceFullPath vs ReplacePrefixMatch documentation

💡 Result:

Short answer: ReplaceFullPath replaces the entire request path with the provided value; ReplacePrefixMatch replaces only the matched PathPrefix portion and preserves the remainder of the path. ReplacePrefixMatch requires the match to be PathPrefix (it operates on path elements and ignores a trailing “/”). Implementations may vary—some providers (e.g., older GKE docs) didn’t support ReplaceFullPath. [1][2][3]

Examples:

  • ReplaceFullPath -> request /foo/bar with replaceFullPath: /x => upstream path = /x. [1]
  • ReplacePrefixMatch -> request /foo/bar with PathPrefix /foo and replacePrefixMatch: /xyz => upstream path = /xyz/bar. (Only valid when match.type = PathPrefix.) [1][2][3]

Sources:
[1] Kubernetes Gateway API — HTTP redirects and rewrites guide.
[2] GKE “Deploying Gateways” URLRewrite example.
[3] Traefik / Gateway API spec excerpts and validations.


Jans Lock route should preserve subpaths.

Using Exact path matching only routes /jans-lock itself (not subpaths like /jans-lock/login). Combined with ReplaceFullPath, any matched requests would also lose their subpath on rewrite. To handle multi-endpoint services correctly (and match the pattern used for Admin UI and other services in this file), use PathPrefix with ReplacePrefixMatch instead.

🔧 Suggested fix (prefix match + prefix rewrite)
-  - matches:
-    - path:
-        type: Exact
-        value: /jans-lock
-    filters:
-    - type: URLRewrite
-      urlRewrite:
-        path:
-          type: ReplaceFullPath
-          replaceFullPath: /jans-auth
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /jans-lock
+    filters:
+    - type: URLRewrite
+      urlRewrite:
+        path:
+          type: ReplacePrefixMatch
+          replacePrefixMatch: /jans-auth
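Review bot: Switching to `type: PathPrefix` together with `replacePrefixMatch: /jans-auth` makes every path under /jans-auth reachable through the /jans-lock alias, not only the Lock endpoints, because any suffix after /jans-lock is carried over to the auth-server unchanged. This rule sits in the route set that the chart otherwise gates per endpoint with feature flags, so the alias can bypass a flag that disables the corresponding /jans-auth path. If only specific Lock endpoints are meant to be exposed, list them as separate matches, or narrow the rewrite target to the sub-path the Lock endpoints actually live under rather than the whole /jans-auth prefix.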
🤖 Prompt for AI Agents
In `@charts/gluu-all-in-one/templates/gateway-api.yaml` around lines 269 - 283,
The Jans Lock route currently uses Exact match and ReplaceFullPath which drops
subpaths; update the HTTPRoute block for the Jans Lock section (the stanza
guarded by the checks on (index .Values "auth-server" "lockEnabled") and (index
.Values "auth-server" "ingress" "lockEnabled")) to use a PathPrefix match with
value "/jans-lock" and change the URL rewrite in the filter from ReplaceFullPath
to ReplacePrefixMatch so subpaths like "/jans-lock/login" are preserved while
rewriting the prefix to "/jans-auth"; keep the same backendRefs using {{
$svcName }} and {{ $svcPort }}.

Comment on lines +275 to +289
{{- /* 13. Jans Lock */}}
{{- if and (index .Values.global "auth-server" "lockEnabled") (index .Values.global "auth-server" "ingress" "lockEnabled") }}
- matches:
- path:
type: Exact
value: /jans-lock
filters:
- type: URLRewrite
urlRewrite:
path:
type: ReplaceFullPath
replaceFullPath: /jans-auth
backendRefs:
- name: {{ $authSvc }}
port: 8080

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's examine the gateway-api.yaml file to understand the context
find . -name "gateway-api.yaml" -type f

Repository: GluuFederation/flex

Length of output: 155


🏁 Script executed:

# Search for the Jans Lock route and surrounding context
rg -A 20 "Jans Lock" charts/

Repository: GluuFederation/flex

Length of output: 3049


🏁 Script executed:

# Look for ingress configuration to understand expected behavior
find . -name "*ingress*" -type f | head -20

Repository: GluuFederation/flex

Length of output: 582


🏁 Script executed:

# Check if there are other URL rewrite examples in gateway-api.yaml
rg "URLRewrite|ReplaceFullPath|ReplacePrefixMatch" charts/gluu/templates/gateway-api.yaml -A 5 -B 2

Repository: GluuFederation/flex

Length of output: 3736


🏁 Script executed:

# Check ingress configuration for Jans Lock to understand expected behavior
rg -i "jans-lock" charts/gluu/charts/nginx-ingress/templates/ingress.yaml -B 5 -A 5

Repository: GluuFederation/flex

Length of output: 370


🏁 Script executed:

# Also check the other ingress templates
rg -i "jans-lock" charts/gluu/charts/nginx-ingress/templates/ -B 3 -A 3

Repository: GluuFederation/flex

Length of output: 614


🏁 Script executed:

# Search for any documentation or comments about Jans Lock paths
rg -i "jans-lock" . --type yaml --type md -B 2 -A 2

Repository: GluuFederation/flex

Length of output: 10675


🏁 Script executed:

# Check if there's a Jans Lock values or configuration file
find . -name "*.yaml" -o -name "*.yml" | xargs grep -l "jans-lock" | head -20

Repository: GluuFederation/flex

Length of output: 420


🏁 Script executed:

# Look at auth-server-protected-ingress to see how other paths are configured
cat charts/gluu/charts/nginx-ingress/templates/auth-server-protected-ingress.yaml | head -100

Repository: GluuFederation/flex

Length of output: 4359


🏁 Script executed:

# Let's examine the Istio VirtualService config more closely
cat charts/gluu/charts/auth-server/templates/auth-server-virtual-services.yaml | grep -A 10 -B 5 "jans-lock"

Repository: GluuFederation/flex

Length of output: 583


🏁 Script executed:

# Search for any references to /jans-lock with subpaths in the codebase
rg "/jans-lock/" . --type yaml --type md --type json

Repository: GluuFederation/flex

Length of output: 143


🏁 Script executed:

# Check if there are integration tests or examples showing Jans Lock API usage
find . -name "*.md" -o -name "*.txt" | xargs grep -l "jans-lock" 2>/dev/null | head -10

Repository: GluuFederation/flex

Length of output: 257


🏁 Script executed:

# Let's look at the complete auth-server-virtual-services.yaml to understand the pattern
cat charts/gluu/charts/auth-server/templates/auth-server-virtual-services.yaml

Repository: GluuFederation/flex

Length of output: 6344


🏁 Script executed:

# Check if there are any known issues or TODOs related to Jans Lock routing
rg -i "jans-lock|pathprefix|prefix match" charts/gluu/templates/gateway-api.yaml -B 5 -A 5

Repository: GluuFederation/flex

Length of output: 3696


🏁 Script executed:

# Search for issue references in git history related to jans-lock ingress
git log --oneline --all | grep -i "jans-lock" 2>/dev/null | head -20

Repository: GluuFederation/flex

Length of output: 45


Jans Lock route should preserve subpaths.

Exact + ReplaceFullPath only matches /jans-lock itself; subpaths won't be routed. This is inconsistent with all other service routes in the same Gateway API file (admin, jans-auth, jans-casa, jans-config-api, jans-fido2, jans-scim, kc) which use PathPrefix. The Istio VirtualService already uses prefix: "/jans-lock", confirming this is the intended behavior. Use PathPrefix with ReplacePrefixMatch to match /jans-lock/* and preserve request paths.

🔧 Suggested fix (prefix match + prefix rewrite)
-  - matches:
-    - path:
-        type: Exact
-        value: /jans-lock
-    filters:
-    - type: URLRewrite
-      urlRewrite:
-        path:
-          type: ReplaceFullPath
-          replaceFullPath: /jans-auth
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /jans-lock
+    filters:
+    - type: URLRewrite
+      urlRewrite:
+        path:
+          type: ReplacePrefixMatch
+          replacePrefixMatch: /jans-auth
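Review bot: The rewrite to /jans-auth kept by `replacePrefixMatch: /jans-auth` contradicts the earlier comment in this same review, which asked for the URLRewrite filter to be removed so that Lock endpoints stay under /jans-lock; both suggestions cannot be applied. Decide which upstream path the auth-server serves Lock on and state it in the template comment next to this rule. The Istio VirtualService is cited only for its `prefix: "/jans-lock"` match, so check its rewrite target as well before treating it as the reference behaviour, and apply the same decision to charts/gluu-all-in-one/templates/gateway-api.yaml so the two charts do not diverge.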
🤖 Prompt for AI Agents
In `@charts/gluu/templates/gateway-api.yaml` around lines 275 - 289, The Jans Lock
route currently uses an Exact path match with a ReplaceFullPath rewrite so
subpaths like /jans-lock/* are dropped; update the Gateway API stanza for the
Jans Lock block (the matches/path/type and filters/urlRewrite settings) to use a
PathPrefix match and change the URLRewrite from ReplaceFullPath to
ReplacePrefixMatch so requests under /jans-lock preserve their subpaths and are
forwarded to the backendRef (name: {{ $authSvc }}, port: 8080) with the prefix
rewritten to /jans-auth.
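The Exact/PathPrefix and ReplaceFullPath/ReplacePrefixMatch semantics quoted in the two review comments above, modelled as an added example that is not part of the PR, the chart or CodeRabbit's output. The `Rule` class, `select`, `compare` and the sample path `/jans-lockx` are constructed for illustration; trailing-slash handling is simplified to the cases shown.

```python
# Added illustration (not code from the PR or the chart): a simplified model of
# Gateway API HTTPRoute path matching and URLRewrite, following the semantics
# quoted in the review comments. Methods, headers and query strings are ignored.
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    match_type: str                      # "Exact" or "PathPrefix"
    value: str                           # path value of the match
    rewrite_type: Optional[str] = None   # "ReplaceFullPath" or "ReplacePrefixMatch"
    rewrite_value: Optional[str] = None

    def _prefix(self) -> str:
        # A trailing "/" on the configured prefix is ignored.
        return self.value.rstrip("/")

    def matches(self, path: str) -> bool:
        if self.match_type == "Exact":
            # Case-sensitive whole-path comparison: "/jans-lock/" != "/jans-lock".
            return path == self.value
        if self.match_type == "PathPrefix":
            # Element-wise: the prefix must end on a "/" boundary.
            prefix = self._prefix()
            return path == prefix or path.startswith(prefix + "/")
        raise ValueError(f"unsupported match type: {self.match_type}")

    def upstream_path(self, path: str) -> Optional[str]:
        """Path the backend receives, or None when the rule does not match."""
        if not self.matches(path):
            return None
        if self.rewrite_type is None:
            return path
        if self.rewrite_type == "ReplaceFullPath":
            return self.rewrite_value
        if self.rewrite_type == "ReplacePrefixMatch":
            if self.match_type != "PathPrefix":
                raise ValueError("ReplacePrefixMatch requires a PathPrefix match")
            rest = path[len(self._prefix()):]
            return (self.rewrite_value.rstrip("/") + rest) or "/"
        raise ValueError(f"unsupported rewrite type: {self.rewrite_type}")


def select(rules: list[Rule], path: str) -> Optional[Rule]:
    """Precedence from the review: Exact first, then the longest PathPrefix."""
    hits = [r for r in rules if r.matches(path)]
    if not hits:
        return None
    return max(hits, key=lambda r: (r.match_type == "Exact", len(r.value)))


# The Jans Lock rule as submitted and as suggested in the review.
BEFORE = Rule("Exact", "/jans-lock", "ReplaceFullPath", "/jans-auth")
AFTER = Rule("PathPrefix", "/jans-lock", "ReplacePrefixMatch", "/jans-auth")


def compare(paths: list[str]) -> dict[str, tuple[Optional[str], Optional[str]]]:
    """Upstream path per request path under the submitted and suggested rule."""
    return {p: (BEFORE.upstream_path(p), AFTER.upstream_path(p)) for p in paths}


if __name__ == "__main__":
    # Constructed request paths; "/jans-lockx" checks the element boundary.
    for path, (before, after) in compare(
        ["/jans-lock", "/jans-lock/", "/jans-lock/login", "/jans-lockx"]
    ).items():
        print(f"{path:20} before={before!s:12} after={after}")
```

Every suffix after `/jans-lock` is forwarded under `/jans-auth` by the suggested rule, which is what preserves `/jans-lock/login` and also what makes the whole auth-server path tree reachable through the alias.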

@sonarqubecloud

@moabu moabu merged commit 54ee763 into main Jan 22, 2026
9 checks passed
@moabu moabu deleted the feat-gateway-support branch January 22, 2026 09:00

Development

Successfully merging this pull request may close these issues.

feat(charts): add support for Kubernetes Gateway API in our helm charts

3 participants