googlecloudrobotics · ensonic · May 21, 2026 · May 21, 2026
diff --git a/src/app_charts/base/cloud/domain-redirect.yaml b/src/app_charts/base/cloud/domain-redirect.yaml
@@ -20,4 +20,23 @@ spec:
             name: dummy
             port:
               number: 80
-{{ end }}
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: domain-redirect
+spec:
+  hostnames:
+  - "www.endpoints.{{ .Values.project }}.cloud.goog"
+  parentRefs:
+  - name: crc-gateway
+    namespace: default
+    sectionName: https
+  rules:
+  - filters:
+    - type: RequestRedirect
+      requestRedirect:
+        scheme: https
+        hostname: {{ .Values.domain }}
+        statusCode: 301
+{{- end }}
diff --git a/src/app_charts/base/cloud/kubernetes-api.yaml b/src/app_charts/base/cloud/kubernetes-api.yaml
@@ -1,4 +1,4 @@
-{{ if eq .Values.onprem_federation "true" }}
+{{- if eq .Values.onprem_federation "true" }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -23,4 +23,46 @@ spec:
             name: kubernetes
             port:
               number: 443
-{{ end }}
+---
+{{- range list "" "-auth" }}
+{{- $sectionName := "https" }}{{ if eq . "-auth" }}{{ $sectionName = "http" }}{{ end }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: kubernetes-api{{ . }}
+spec:
+  hostnames:
+  - {{ $.Values.domain }}
+  parentRefs:
+  - name: crc{{ . }}-gateway
+    namespace: default
+    sectionName: {{ $sectionName }}
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /apis/core.kubernetes
+{{- if eq . "-auth" }}
+    filters:
+    - type: URLRewrite
+      urlRewrite:
+        path:
+          type: ReplaceFullPath
+          replaceFullPath: /auth
+    backendRefs:
+    - name: cr-syncer-auth-webhook
+      port: 80
+{{- else }}
+    filters:
+    - type: URLRewrite
+      urlRewrite:
+        path:
+          type: ReplacePrefixMatch
+          replacePrefixMatch: /
+    backendRefs:
+    - name: kubernetes
+      port: 443
+{{- end }}
+---
+{{- end }}
+{{- end }}
diff --git a/src/app_charts/base/cloud/oauth2-proxy.yaml b/src/app_charts/base/cloud/oauth2-proxy.yaml
@@ -99,4 +99,50 @@ spec:
             name: oauth2-proxy
             port:
               name: http
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: oauth2-proxy
+spec:
+  hostnames:
+  - {{ .Values.domain }}
+  parentRefs:
+  - name: crc-gateway
+    namespace: default
+    sectionName: https
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /web-apis
+    filters:
+    - type: URLRewrite
+      urlRewrite:
+        path:
+          type: ReplacePrefixMatch
+          replacePrefixMatch: /apis
+    backendRefs:
+    - name: oauth2-proxy
+      port: 80
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: oauth2-proxy-interactive
+spec:
+  hostnames:
+  - {{ .Values.domain }}
+  parentRefs:
+  - name: crc-gateway
+    namespace: default
+    sectionName: https
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /oauth2
+    backendRefs:
+    - name: oauth2-proxy
+      port: 80
 {{ end }}
diff --git a/src/app_charts/k8s-relay/cloud/http-route.yaml b/src/app_charts/k8s-relay/cloud/http-route.yaml
@@ -0,0 +1,81 @@
+{{- range list "" "-auth" }}
+{{- $sectionName := "https" }}{{ if eq . "-auth" }}{{ $sectionName = "http" }}{{ end }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: kubernetes-relay-client{{ . }}
+spec:
+  hostnames:
+  - {{ $.Values.domain }}
+  parentRefs:
+  - name: crc{{ . }}-gateway
+    namespace: default
+    sectionName: {{ $sectionName }}
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /apis/core.kubernetes-relay/client
+{{- if eq . "-auth" }}
+    filters:
+    - type: URLRewrite
+      urlRewrite:
+        path:
+          type: ReplaceFullPath
+          replaceFullPath: /apis/core.token-vendor/v1/token.verify
+    backendRefs:
+    - name: token-vendor
+      namespace: app-token-vendor
+      port: 80
+{{- else }}
+    filters:
+    - type: URLRewrite
+      urlRewrite:
+        path:
+          type: ReplacePrefixMatch
+          replacePrefixMatch: /client
+    backendRefs:
+    - name: kubernetes-relay-server
+      port: 80
+{{- end }}
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: kubernetes-relay-server{{ . }}
+spec:
+  hostnames:
+  - {{ $.Values.domain }}
+  parentRefs:
+  - name: crc{{ . }}-gateway
+    namespace: default
+    sectionName: {{ $sectionName }}
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /apis/core.kubernetes-relay/server
+{{- if eq . "-auth" }}
+    filters:
+    - type: URLRewrite
+      urlRewrite:
+        path:
+          type: ReplaceFullPath
+          replaceFullPath: /apis/core.token-vendor/v1/token.verify?robots=true
+    backendRefs:
+    - name: token-vendor
+      namespace: app-token-vendor
+      port: 80
+{{- else }}
+    filters:
+    - type: URLRewrite
+      urlRewrite:
+        path:
+          type: ReplacePrefixMatch
+          replacePrefixMatch: /server
+    backendRefs:
+    - name: kubernetes-relay-server
+      port: 80
+{{- end }}
+---
+{{- end }}
diff --git a/src/app_charts/prometheus/cloud/grafana-http-route.yaml b/src/app_charts/prometheus/cloud/grafana-http-route.yaml
@@ -0,0 +1,43 @@
+{{- range list "" "-auth" }}
+{{- $sectionName := "https" }}{{ if eq . "-auth" }}{{ $sectionName = "http" }}{{ end }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: grafana{{ . }}
+  labels:
+    app.kubernetes.io/name: {{ $.Chart.Name }}
+spec:
+  hostnames:
+  - {{ $.Values.domain }}
+  parentRefs:
+  - name: crc{{ . }}-gateway
+    namespace: default
+    sectionName: {{ $sectionName }}
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /grafana
+{{- if eq . "-auth" }}
+    filters:
+    - type: URLRewrite
+      urlRewrite:
+        path:
+          type: ReplaceFullPath
+          replaceFullPath: {{ tpl $.Values.gf_ingress_auth_url $ }}
+    backendRefs:
+    - name: oauth2-proxy
+      port: 80
+{{- else }}
+    filters:
+    - type: URLRewrite
+      urlRewrite:
+        path:
+          type: ReplacePrefixMatch
+          replacePrefixMatch: /
+    backendRefs:
+    - name: prom-grafana
+      port: 80
+{{- end }}
+---
+{{- end }}
diff --git a/src/app_charts/prometheus/cloud/prometheus-http-route.yaml b/src/app_charts/prometheus/cloud/prometheus-http-route.yaml
@@ -0,0 +1,43 @@
+{{- range list "" "-auth" }}
+{{- $sectionName := "https" }}{{ if eq . "-auth" }}{{ $sectionName = "http" }}{{ end }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: prometheus{{ . }}
+  labels:
+    app.kubernetes.io/name: {{ $.Chart.Name }}
+spec:
+  hostnames:
+  - {{ $.Values.domain }}
+  parentRefs:
+  - name: crc{{ . }}-gateway
+    namespace: default
+    sectionName: {{ $sectionName }}
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /prometheus
+{{- if eq . "-auth" }}
+    filters:
+    - type: URLRewrite
+      urlRewrite:
+        path:
+          type: ReplaceFullPath
+          replaceFullPath: {{ tpl $.Values.prom_ingress_auth_url $ }}
+    backendRefs:
+    - name: oauth2-proxy
+      port: 80
+{{- else }}
+    filters:
+    - type: URLRewrite
+      urlRewrite:
+        path:
+          type: ReplacePrefixMatch
+          replacePrefixMatch: /
+    backendRefs:
+    - name: kube-prometheus
+      port: 9090
+{{- end }}
+---
+{{- end }}
diff --git a/src/app_charts/prometheus/cloud/prometheus-relay.yaml b/src/app_charts/prometheus/cloud/prometheus-relay.yaml
@@ -102,3 +102,47 @@ spec:
   selector:
     matchLabels:
       app: prometheus-relay-server
+---
+{{- range list "" "-auth" }}
+{{- $sectionName := "https" }}{{ if eq . "-auth" }}{{ $sectionName = "http" }}{{ end }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: prometheus-relay-server{{ . }}
+  labels:
+    app.kubernetes.io/name: {{ $.Chart.Name }}
+spec:
+  hostnames:
+  - {{ $.Values.domain }}
+  parentRefs:
+  - name: crc{{ . }}-gateway
+    namespace: default
+    sectionName: {{ $sectionName }}
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /apis/core.prometheus-relay/server
+{{- if eq . "-auth" }}
+    filters:
+    - type: URLRewrite
+      urlRewrite:
+        path:
+          type: ReplaceFullPath
+          replaceFullPath: /apis/core.token-vendor/v1/token.verify?robots=true
+    backendRefs:
+    - name: token-vendor
+      port: 80
+{{- else }}
+    filters:
+    - type: URLRewrite
+      urlRewrite:
+        path:
+          type: ReplacePrefixMatch
+          replacePrefixMatch: /server
+    backendRefs:
+    - name: prometheus-relay-server
+      port: 80
+{{- end }}
+---
+{{- end }}
diff --git a/src/app_charts/token-vendor/cloud/http-route.yaml b/src/app_charts/token-vendor/cloud/http-route.yaml
@@ -1,5 +1,5 @@
 {{- range list "" "-auth" }}
-{{- $sectionName := "https" }}{{ if eq . "-auth" }}{{ $sectionName = "http" }}{{ end -}}
+{{- $sectionName := "https" }}{{ if eq . "-auth" }}{{ $sectionName = "http" }}{{ end }}
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:

diff --git a/src/bootstrap/cloud/terraform/.terraform.lock.hcl b/src/bootstrap/cloud/terraform/.terraform.lock.hcl