From 499c71b31c9e1e41699dca935fd4f23f90a4f7a7 Mon Sep 17 00:00:00 2001
From: duynguyen <huonghaiduynhim@gmail.com>
Date: Sun, 12 Apr 2026 17:38:48 +0700
Subject: [PATCH] Remove deprecated httproute.yaml and implement
 server-httproute.yaml template for Vault HTTPRoute configuration in Helm
 chart.

---
 manifest/vault/httproute.yaml                 | 35 ----------------
 .../vault/templates/server-httproute.yaml     | 40 +++++++++++++++++++
 manifest/vault/values.yaml                    |  4 +-
 3 files changed, 42 insertions(+), 37 deletions(-)
 delete mode 100644 manifest/vault/httproute.yaml
 create mode 100644 manifest/vault/templates/server-httproute.yaml

diff --git a/manifest/vault/httproute.yaml b/manifest/vault/httproute.yaml
deleted file mode 100644
index 3cd6927..0000000
--- a/manifest/vault/httproute.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-# HTTPRoute for HashiCorp Vault behind Envoy Gateway (Gateway API).
-# Matches the intent of server.httpRoute in values.yaml (chart may not render it yet).
-#
-# Before applying:
-#   kubectl get svc -n vault
-# If the Vault Service is not named "vault" (e.g. release "foo" -> Service "foo-vault"),
-# change spec.rules[].backendRefs[].name below.
-#
-# Ensure your Gateway allows routes from namespace "vault" (listener allowedRoutes / infrastructure).
-#
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: vault-httproute
-  namespace: vault
-spec:
-  parentRefs:
-    - group: gateway.networking.k8s.io
-      kind: Gateway
-      name: envoy-gateway
-      namespace: envoy-gateway-system
-      sectionName: http
-  hostnames:
-    - vault.fireflylab.local
-  rules:
-    - matches:
-        - path:
-            type: PathPrefix
-            value: /
-      backendRefs:
-        - group: ""
-          kind: Service
-          name: vault
-          port: 8200
-          weight: 1
diff --git a/manifest/vault/templates/server-httproute.yaml b/manifest/vault/templates/server-httproute.yaml
new file mode 100644
index 0000000..e080393
--- /dev/null
+++ b/manifest/vault/templates/server-httproute.yaml
@@ -0,0 +1,40 @@
+{{/*
+HTTPRoute for Vault behind Gateway API (e.g. Envoy Gateway).
+Only Helm files under templates/ are rendered; a sibling httproute.yaml at chart root is ignored by Argo CD Helm.
+*/}}
+{{- if .Values.server.httpRoute.enabled }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: {{ template "vault.fullname" . }}-httproute
+  namespace: {{ include "vault.namespace" . }}
+  labels:
+    helm.sh/chart: {{ include "vault.chart" . }}
+    app.kubernetes.io/name: {{ include "vault.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  parentRefs:
+{{- range .Values.server.httpRoute.parentRefs }}
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: {{ .name }}
+      namespace: {{ .namespace }}
+{{- if .sectionName }}
+      sectionName: {{ .sectionName }}
+{{- end }}
+{{- end }}
+  hostnames:
+{{- range .Values.server.httpRoute.hostnames }}
+    - {{ . | quote }}
+{{- end }}
+  rules:
+    - matches:
+{{ toYaml .Values.server.httpRoute.matches | nindent 8 }}
+      backendRefs:
+        - group: ""
+          kind: Service
+          name: {{ template "vault.fullname" . }}
+          port: {{ .Values.server.service.port }}
+          weight: 1
+{{- end }}
diff --git a/manifest/vault/values.yaml b/manifest/vault/values.yaml
index f53184b..167c956 100644
--- a/manifest/vault/values.yaml
+++ b/manifest/vault/values.yaml
@@ -504,8 +504,8 @@ server:
         sectionName: http
     matches:
       - path:
-        type: PathPrefix
-        value: /
+          type: PathPrefix
+          value: /
     filters:
     additionalRules: []
     httpsRedirect: false