From 03a1e70df32e380c5836e79174f3887e9f46366f Mon Sep 17 00:00:00 2001
From: "s0wlz (Matthias Puchstein)" <matthias@puchstein.lu>
Date: Wed, 29 Apr 2026 21:24:13 +0200
Subject: [PATCH] fix(deploy): correct HTTPRoute parentRefs, cert-manager
 annotation, imagePullSecrets

- httproute.yaml: name=default namespace=nginx-gateway (was: itsh-gateway, no namespace)
- httproute.yaml: add cert-manager.io/cluster-issuer annotation for TLS cert issuance
- httproute.yaml: parameterise sectionNames and parentRefs through values
- deployment.yaml: render imagePullSecrets from values (itsh-registry pull secret)
- values.yaml: add parentRefs, annotations, httpRedirectSectionName, imagePullSecrets
---
 deploy/templates/deployment.yaml |  4 ++++
 deploy/templates/httproute.yaml  | 18 ++++++++++++++----
 deploy/values.yaml               |  9 +++++++++
 3 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/deploy/templates/deployment.yaml b/deploy/templates/deployment.yaml
index 8f9a1b5..1b1ac42 100644
--- a/deploy/templates/deployment.yaml
+++ b/deploy/templates/deployment.yaml
@@ -16,6 +16,10 @@ spec:
         {{- include "tutortool.selectorLabels" . | nindent 8 }}
     spec:
       serviceAccountName: {{ include "tutortool.serviceAccountName" . }}
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       securityContext:
         fsGroup: 1000
       containers:
diff --git a/deploy/templates/httproute.yaml b/deploy/templates/httproute.yaml
index a2c0e53..8c17c99 100644
--- a/deploy/templates/httproute.yaml
+++ b/deploy/templates/httproute.yaml
@@ -5,10 +5,17 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     {{- include "tutortool.labels" . | nindent 4 }}
+  {{- with .Values.httpRoute.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
   parentRefs:
-    - name: itsh-gateway
-      sectionName: {{ .Values.httpRoute.sectionName }}
+    {{- range .Values.httpRoute.parentRefs }}
+    - name: {{ .name }}
+      namespace: {{ .namespace }}
+      sectionName: {{ $.Values.httpRoute.sectionName }}
+    {{- end }}
   hostnames:
     {{- range .Values.httpRoute.hostnames }}
     - {{ . | quote }}
@@ -31,8 +38,11 @@ metadata:
     {{- include "tutortool.labels" . | nindent 4 }}
 spec:
   parentRefs:
-    - name: itsh-gateway
-      sectionName: http-tutor-puchstein-dev
+    {{- range .Values.httpRoute.parentRefs }}
+    - name: {{ .name }}
+      namespace: {{ .namespace }}
+      sectionName: {{ $.Values.httpRoute.httpRedirectSectionName }}
+    {{- end }}
   hostnames:
     {{- range .Values.httpRoute.hostnames }}
     - {{ . | quote }}
diff --git a/deploy/values.yaml b/deploy/values.yaml
index 1f20a10..2a46a84 100644
--- a/deploy/values.yaml
+++ b/deploy/values.yaml
@@ -27,10 +27,19 @@ pvc:
   storageClassName: hcloud-volumes
   storage: 1Gi
 
+imagePullSecrets:
+  - name: itsh-registry
+
 httpRoute:
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+  parentRefs:
+    - name: default
+      namespace: nginx-gateway
   hostnames:
     - tutor.puchstein.dev
   sectionName: https-tutor-puchstein-dev
+  httpRedirectSectionName: http-tutor-puchstein-dev
 
 # JWT_SECRET provisioned as a pre-existing K8s Secret named here.
 # Do not set jwtSecretValue in committed values — provision via kubectl manually.