feat: add Gateway API HTTPRoute support & existing secret for DB credentials #70

Open
aagarwal-apexanalytix wants to merge 3 commits into gravitl:master from aagarwal-apexanalytix:feature/gateway-api-httproute

aagarwal-apexanalytix commented Feb 19, 2026

Summary

  • Adds native Kubernetes Gateway API HTTPRoute support as an alternative (or complement) to traditional Ingress resources
  • Adds db.existingSecret support to pull DB credentials from an existing Kubernetes secret (e.g. CrunchyData pguser secret) instead of hardcoding them in the ConfigMap
  • Reverts db.sslmode default to disable to match upstream

Changes

1. Gateway API HTTPRoute support

| File | Change |
|------|--------|
| values.yaml | Added gateway section (disabled by default) with enabled, annotations, and parentRefs fields |
| templates/httproute.yaml | New template — generates 3 gateway.networking.k8s.io/v1 HTTPRoute resources |

New values:

gateway:
  enabled: false
  annotations: {}
  parentRefs:
    - name: ""
      namespace: ""
      sectionName: https

  • Independent of Ingress: ingress.enabled and gateway.enabled are fully independent — both can be true for migration scenarios
  • Reuses existing hostname values: Hostnames come from ingress.hostPrefix.{broker,rest,ui} + baseDomain
  • No breaking changes: Default gateway.enabled: false means existing deployments are unaffected

2. Existing Kubernetes secret for DB credentials

| File | Change |
|------|--------|
| values.yaml | Added db.existingSecret block with enabled, name, and keys sub-fields; reverted db.sslmode default to disable |
| templates/configmap.yml | Conditionally omit SQL_HOST/SQL_PORT/SQL_DB/SQL_USER/SQL_PASS when existingSecret.enabled is true (SQL_SSL_MODE always stays) |
| templates/netmaker-statefulset.yaml | Add conditional env entries with secretKeyRef that override ConfigMap values |
| templates/mq.yaml | Same conditional env block for the MQ deployment |

New values:

db:
  existingSecret:
    enabled: false
    name: ""
    keys:
      host: "pgbouncer-host"
      port: "pgbouncer-port"
      username: "user"
      password: "password"
      database: "dbname"

  • Default key mappings match CrunchyData's pguser secret format — users with different secrets can override individual key names
  • Backward compatible: When existingSecret.enabled is false (default), behavior is identical to before
  • env overrides envFrom: Kubernetes merges envFrom first, then env entries override, so the secret values take precedence over any ConfigMap values

Test plan

  • helm template test . with defaults — ConfigMap has all SQL_* keys, no secretKeyRef, no HTTPRoutes
  • helm template test . --set gateway.enabled=true --set 'gateway.parentRefs[0].name=my-gw' — verify 3 HTTPRoute resources
  • helm template test . --set db.existingSecret.enabled=true --set db.existingSecret.name=postgres-pguser-usrnetmaker — ConfigMap omits SQL creds, both StatefulSet and MQ Deployment have secretKeyRef entries
  • helm template test . --set db.existingSecret.enabled=true --set db.existingSecret.name=my-secret --set db.existingSecret.keys.host=my-host-key — verify custom key mappings work
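
An added example (not part of the PR or the chart): a Python check for the third test-plan case, run over manifests already parsed into dictionaries. It flags SQL_* credentials left in a ConfigMap and target workloads that do not read them from the named Secret, and models the envFrom-then-env precedence the description relies on; the resource names, sample values and helper names are assumptions.

```python
# Added example, not chart code. Resource names and sample values are constructed;
# DEFAULT_KEYS mirrors the db.existingSecret.keys defaults listed in the PR.
SQL_KEYS = ("SQL_HOST", "SQL_PORT", "SQL_DB", "SQL_USER", "SQL_PASS")
DEFAULT_KEYS = {"SQL_HOST": "pgbouncer-host", "SQL_PORT": "pgbouncer-port",
                "SQL_DB": "dbname", "SQL_USER": "user", "SQL_PASS": "password"}

def secret_env(secret_name, keys=DEFAULT_KEYS):
    """Build the env list the PR describes: one secretKeyRef entry per SQL_* variable."""
    return [{"name": var, "valueFrom": {"secretKeyRef": {"name": secret_name, "key": key}}}
            for var, key in keys.items()]

def audit(docs, secret_name, workloads):
    """Return findings for parsed manifests; an empty list means the render is clean."""
    findings, seen = [], set()
    for doc in docs:
        kind, name = doc["kind"], doc["metadata"]["name"]
        if kind == "ConfigMap":
            findings += [f"ConfigMap/{name} still holds {k}"
                         for k in SQL_KEYS if k in (doc.get("data") or {})]
        elif (kind, name) in workloads:
            seen.add((kind, name))
            for c in doc["spec"]["template"]["spec"]["containers"]:
                refs = {e["name"]: (e.get("valueFrom") or {}).get("secretKeyRef") or {}
                        for e in c.get("env") or []}
                findings += [f"{kind}/{name}: {k} not read from Secret {secret_name}"
                             for k in SQL_KEYS if refs.get(k, {}).get("name") != secret_name]
    findings += [f"{k}/{n} not found in render" for k, n in sorted(workloads - seen)]
    return findings

def effective_env(configmap_data, env_entries, secret_data):
    """envFrom values are applied first; explicit env entries then override them."""
    merged = dict(configmap_data)
    for e in env_entries:
        ref = (e.get("valueFrom") or {}).get("secretKeyRef")
        merged[e["name"]] = secret_data[ref["key"]] if ref else e.get("value", "")
    return merged

def render(cm_data, sts_env, mq_env):
    """Constructed stand-in for parsed `helm template` output."""
    pod = lambda env: {"template": {"spec": {"containers": [{"name": "main", "env": env}]}}}
    return [{"kind": "ConfigMap", "metadata": {"name": "netmaker-config"}, "data": cm_data},
            {"kind": "StatefulSet", "metadata": {"name": "netmaker"}, "spec": pod(sts_env)},
            {"kind": "Deployment", "metadata": {"name": "mq"}, "spec": pod(mq_env)}]

SECRET = "postgres-pguser-usrnetmaker"  # secret name taken from the PR's test plan
TARGETS = {("StatefulSet", "netmaker"), ("Deployment", "mq")}
GOOD = render({"SQL_SSL_MODE": "disable"}, secret_env(SECRET), secret_env(SECRET))
BAD = render({"SQL_SSL_MODE": "disable", "SQL_PASS": "example-only"}, secret_env(SECRET), [])
```

`audit(GOOD, SECRET, TARGETS)` returns an empty list, while `audit(BAD, SECRET, TARGETS)` reports the leftover `SQL_PASS` in the ConfigMap and the five variables the MQ Deployment does not source from the Secret.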

Add native support for Kubernetes Gateway API HTTPRoutes as an
alternative (or complement) to traditional Ingress resources.

New values:
- gateway.enabled: toggle HTTPRoute generation (default: false)
- gateway.annotations: optional annotations for HTTPRoute resources
- gateway.parentRefs: list of parent Gateway references

Creates three HTTPRoute resources (broker, api, dashboard) that derive
hostnames from the existing ingress.hostPrefix.* + baseDomain values.
Both ingress.enabled and gateway.enabled are independent flags and can
coexist, allowing gradual migration from Ingress to Gateway API.

Most production PostgreSQL deployments enforce SSL. Changing the default
from disable to require ensures secure connections out of the box.

Allow the chart to pull SQL_HOST, SQL_PORT, SQL_USER, SQL_PASS, and
SQL_DB from an existing Kubernetes secret (e.g. CrunchyData pguser
secret) instead of hardcoding them in the ConfigMap. This avoids
duplicating credentials that are already managed by a PostgreSQL
operator.

When db.existingSecret.enabled is true, the five SQL_* keys are omitted
from the ConfigMap and injected as env vars with secretKeyRef on both
the netmaker StatefulSet and the MQ Deployment. Key mappings default to
CrunchyData's pguser secret format but are fully configurable.

Also reverts db.sslmode default to "disable" to match upstream.

aagarwal-apexanalytix changed the title from "feat: add Gateway API HTTPRoute support" to "feat: add Gateway API HTTPRoute support & existing secret for DB credentials" on Feb 19, 2026