feat: add Gateway API HTTPRoute support to all ingress-capable apps #43

@patrick-hermann-sva

Summary

Standardize all ingress-capable components to support Gateway API HTTPRoute as an option alongside (or replacing) traditional nginx Ingress. Some components already use HTTPRoute, but several still rely exclusively on nginx Ingress.

Current State

Already using standalone httproute.yaml

| Component | Notes |
| --- | --- |
| infra/vault | httproute.yaml in kustomization.yaml |
| infra/prometheus | httproute.yaml in kustomization.yaml |
| apps/uptime-kuma | httproute.yaml in kustomization.yaml |
| apps/claim-machinery-api | httproute.yaml + patches to remove Ingress from OCI base |

Using chart-native HTTPRoute (configured inline in release.yaml values)

| Component | Helm values field |
| --- | --- |
| apps/headlamp | httpRoute.enabled: true |
| apps/homepage | route.main.enabled: true |

Separate optional httproute subdirectory

| Component | Notes |
| --- | --- |
| apps/vault | httproute/ subdirectory with own kustomization.yaml — NOT included in main kustomization.yaml; consumer must reference it separately |

Still using nginx Ingress only (no HTTPRoute option)

| Component | Ingress pattern |
| --- | --- |
| apps/argo-cd | nginx Ingress with force-ssl-redirect + backend-protocol: HTTPS annotations |
| apps/clusterbook | nginx Ingress with backend-protocol: GRPC annotation |
| apps/keycloak | nginx Ingress with TLS |
| apps/minio | Two nginx Ingresses (console + API) with proxy-body-size annotation |
| apps/openldap | No ingress at all (LoadBalancer service) |

Proposed Changes

For each component missing HTTPRoute support, add an httproute.yaml file following the established pattern:

```yaml
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: <app-name>
  namespace: ${<PREFIX>_NAMESPACE:-<default>}
spec:
  parentRefs:
    - name: ${GATEWAY_NAME}
      namespace: ${GATEWAY_NAMESPACE:-default}
  hostnames:
    - "${HOSTNAME}.${DOMAIN}"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: <service-name>
          port: <service-port>
```

Per-component considerations

apps/argo-cd

  • Backend uses HTTPS (gRPC), so the HTTPRoute may need a BackendTLSPolicy or the backend ref should target the HTTPS port
  • Add httproute.yaml and set ingress.enabled: false as default

apps/clusterbook

  • Uses gRPC backend protocol — Gateway API supports gRPC via GRPCRoute (or HTTPRoute with appropriate backend config)
  • May need GRPCRoute instead of HTTPRoute

apps/keycloak

  • Straightforward HTTPRoute to port 8080
  • Add httproute.yaml, set ingress.enabled: ${INGRESS_ENABLED:-false}

apps/minio

  • Needs TWO HTTPRoutes: one for console (port 9001) and one for API (port 9000)
  • Different hostnames for each (${INGRESS_HOSTNAME_CONSOLE} and ${INGRESS_HOSTNAME_API})
  • proxy-body-size annotation has no direct Gateway API equivalent — handled at Gateway level or via policy

apps/vault (apps/ variant)

  • Already has httproute/ subdirectory but it's not wired into the main kustomization.yaml
  • Either integrate it as an optional resource or document the separate reference pattern

apps/openldap

  • Uses LDAP protocol (not HTTP) — HTTPRoute is not applicable
  • Skip this component

Acceptance Criteria

  • apps/argo-cd — add httproute.yaml, default ingress to disabled
  • apps/clusterbook — add httproute.yaml or grpcroute.yaml for gRPC backend
  • apps/keycloak — add httproute.yaml, default ingress to disabled
  • apps/minio — add httproute.yaml with two routes (console + API)
  • apps/vault — integrate existing httproute/ into main kustomization or document pattern
  • All new HTTPRoutes use consistent variables: GATEWAY_NAME, GATEWAY_NAMESPACE, HOSTNAME, DOMAIN
  • Each modified component's README updated with HTTPRoute deployment example
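Editor's added example, not part of the original issue or the repository: the nginx `force-ssl-redirect` annotation listed for apps/argo-cd does not carry over to an HTTPRoute, so the redirect has to be expressed as its own route bound to the Gateway's plain-HTTP listener. The listener names `http` and `https`, the variable `ARGOCD_NAMESPACE`, and the Service `argocd-server` on port 443 are assumptions.

```yaml
# Added example; listener names, ARGOCD_NAMESPACE and the Service name/port
# are assumptions and must match the actual Gateway and chart.
---
# Route 1: bound only to the plain-HTTP listener; it serves no backend and
# answers every request with a redirect to HTTPS (replaces force-ssl-redirect).
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: argo-cd-https-redirect
  namespace: ${ARGOCD_NAMESPACE:-argocd}
spec:
  parentRefs:
    - name: ${GATEWAY_NAME}
      namespace: ${GATEWAY_NAMESPACE:-default}
      sectionName: http          # assumed name of the port-80 listener
  hostnames:
    - "${HOSTNAME}.${DOMAIN}"
  rules:
    - filters:
        - type: RequestRedirect
          requestRedirect:
            scheme: https
            statusCode: 301
---
# Route 2: bound only to the TLS listener, so the application is never
# reachable over plain HTTP through the Gateway.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: argo-cd
  namespace: ${ARGOCD_NAMESPACE:-argocd}
spec:
  parentRefs:
    - name: ${GATEWAY_NAME}
      namespace: ${GATEWAY_NAMESPACE:-default}
      sectionName: https         # assumed name of the port-443 listener
  hostnames:
    - "${HOSTNAME}.${DOMAIN}"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        # The Gateway-to-backend hop is only TLS if a BackendTLSPolicy targets
        # this Service (the nginx backend-protocol: HTTPS equivalent).
        - name: argocd-server    # assumed Service name
          port: 443
```

Omitting `sectionName` attaches a route to every listener on the Gateway, which would expose the application route on the plain-HTTP listener as well.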
