fix(DMVP-9224): support templates in hostname(and not only) variables of gateway api common htproute/istio-envoyfilter/istio-authorizationpolicy configs

charts/gateway-api/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.5
+version: 0.1.6
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/gateway-api/README.md

@@ -28,7 +28,7 @@ You can either set `gateways[].infrastructure.parametersRef` to reference an exi
 | `httpRoutes` | List of HTTPRoute resources | `[]`; see suboptions below |
 | `httpRoutes[].name`, `nameSuffix` | Route name and optional suffix for the resource name | e.g. name: main, nameSuffix: -route |
 | `httpRoutes[].parentRefs` | Gateway parent refs (name, sectionName, kind, group); optional if defaultParentRefs set | name: main, sectionName: http |
-| `httpRoutes[].hostnames` | Hostnames this route matches | e.g. example.com |
+| `httpRoutes[].hostnames` | Hostnames this route matches. Supports templated expressions via Helm `tpl`. | e.g. `{{ .Values.global.environment }}.example.com` |
 | `httpRoutes[].rules` | Route rules: `matches` (path, headers), `backendRefs`, `filters` (e.g. RequestRedirect), `directResponse` | PathPrefix /, backendRefs to service |
 | `httpRoutes[].rules[].directResponse.status` | Direct response status. `403` keeps AuthorizationPolicy flow; non-`403` statuses are rendered via Istio EnvoyFilter | `403` or `200-599` |
 | `httpRoutes[].rules[].directResponse.body` | Optional response body for non-`403` direct responses | `""` (empty string) |
@@ -39,7 +39,13 @@ You can either set `gateways[].infrastructure.parametersRef` to reference an exi
 | `istio` | Istio-specific CRDs (when using Istio as Gateway implementation) | see suboptions below |
 | `istio.defaultTargetRefs` | Default targetRefs for AuthorizationPolicy | `[]` |
 | `istio.gateways` | List of Istio Gateway resources (networking.istio.io; for VirtualService) | selector, servers |
-| `istio.authorizationPolicies` | List of AuthorizationPolicy (allow/deny by path, host, IP) | action DENY/ALLOW, rules |
+| `istio.authorizationPolicies` | List of AuthorizationPolicy (allow/deny by path, host, IP). `rules` supports templated expressions via Helm `tpl`. | action DENY/ALLOW, rules |
 | `istio.peerAuthentications` | List of PeerAuthentication (mTLS) | mode STRICT/PERMISSIVE |
 | `istio.virtualServices` | List of VirtualService resources | hosts, http match/route |
 | `istio.sidecars` | List of Sidecar resources | `[]` |
+
+### Templating support notes
+
+- `httpRoutes[].hostnames` values are rendered with Helm `tpl`.
+- `istio.authorizationPolicies[].rules` values are rendered with Helm `tpl`.
+- Generated EnvoyFilter `configPatches` are rendered with Helm `tpl`, so templates that resolve through route hostnames and related values propagate correctly.

charts/gateway-api/templates/httproute.yaml

@@ -48,7 +48,7 @@ spec:
     {{- end }}
   {{- end }}
   {{- if $hostnames }}
-  hostnames: {{- toYaml $hostnames | nindent 2 }}
+  hostnames: {{- tpl (toYaml $hostnames) $outer | nindent 2 }}
   {{- end }}
   {{- if $allRules }}
   rules:

charts/gateway-api/templates/istio/authorizationpolicy.yaml

@@ -104,7 +104,7 @@ spec:
     {{- end }}
   {{- end }}
   {{- with $policy.rules }}
-  rules: {{- toYaml . | nindent 2 }}
+  rules: {{- tpl (toYaml .) $outer | nindent 2 }}
   {{- end }}
 {{- end }}
 {{- end }}

charts/gateway-api/templates/istio/envoyfilter.yaml

@@ -99,6 +99,6 @@ spec:
     {{- end }}
   {{- end }}
   configPatches:
-    {{- toYaml $filter.configPatches | nindent 4 }}
+    {{- tpl (toYaml $filter.configPatches) $outer | nindent 4 }}
 {{- end }}
 {{- end }}

examples/gateway-api/with-istio-envoyfilter-direct-response.yaml

@@ -32,3 +32,10 @@ httpRoutes:
               value: /custom-502
         directResponse:
           status: 502
+      - matches:
+          - path:
+              type: PathPrefix
+              value: /
+        backendRefs:
+          - name: api-v1
+            port: 80

examples/gateway-api/with-template-hostname.yaml

@@ -0,0 +1,43 @@
+# helm diff upgrade --install -n istio-system with-template-hostname ./charts/gateway-api -f ./examples/gateway-api/with-template-hostname.yaml
+global:
+  environment: dev
+httpRoutes:
+  - parentRefs:
+      - name: main
+        sectionName: http-echo-gw-http
+    hostnames:
+      - "{{ .Values.global.environment }}.http-echo-gw.localhost"
+      # - "http-echo-gw.localhost"
+    rules:
+      - matches:
+          - path:
+              type: PathPrefix
+              value: /restricted
+        directResponse:
+          status: 403
+      - matches:
+          - path:
+              type: PathPrefix
+              value: /my-path
+        directResponse:
+          status: 200
+          body: "Hello, World!"
+      - matches:
+          - path:
+              type: PathPrefix
+              value: /empty
+        directResponse:
+          status: 429
+      - matches:
+          - path:
+              type: PathPrefix
+              value: /custom-502
+        directResponse:
+          status: 502
+      - matches:
+          - path:
+              type: PathPrefix
+              value: /
+        backendRefs:
+          - name: api-v1
+            port: 80

specs/011-gateway-tpl-support/checklists/requirements.md

@@ -0,0 +1,34 @@
+# Specification Quality Checklist: Gateway API tpl Support
+
+**Purpose**: Validate specification completeness and quality before proceeding to planning  
+**Created**: 2026-04-14  
+**Feature**: [spec.md](../spec.md)
+
+## Content Quality
+
+- [x] No implementation details (languages, frameworks, APIs)
+- [x] Focused on user value and business needs
+- [x] Written for non-technical stakeholders
+- [x] All mandatory sections completed
+
+## Requirement Completeness
+
+- [x] No [NEEDS CLARIFICATION] markers remain
+- [x] Requirements are testable and unambiguous
+- [x] Success criteria are measurable
+- [x] Success criteria are technology-agnostic (no implementation details)
+- [x] All acceptance scenarios are defined
+- [x] Edge cases are identified
+- [x] Scope is clearly bounded
+- [x] Dependencies and assumptions identified
+
+## Feature Readiness
+
+- [x] All functional requirements have clear acceptance criteria
+- [x] User scenarios cover primary flows
+- [x] Feature meets measurable outcomes defined in Success Criteria
+- [x] No implementation details leak into specification
+
+## Notes
+
+- Validation pass 1: all checklist items passed; no additional revisions required.

specs/011-gateway-tpl-support/contracts/render-contract.md

@@ -0,0 +1,37 @@
+# Render Contract: Gateway API tpl Support
+
+## Contract Type
+
+Helm chart render contract (values input to manifest output).
+
+## Inputs
+
+- Chart: `./charts/gateway-api`
+- Values files (including examples) providing:
+  - HTTPRoute `hostnames`
+  - AuthorizationPolicy `rules`
+  - EnvoyFilter `configPatches`
+- Template context values referenced by expressions.
+
+## Output Guarantees
+
+When input templates resolve successfully:
+
+1. HTTPRoute manifests include resolved `hostnames`.
+2. AuthorizationPolicy manifests include resolved `rules`.
+3. EnvoyFilter manifests include resolved `configPatches`.
+4. Rendered manifests remain valid YAML and structurally valid for their target fields.
+5. Static-value behavior remains unchanged.
+
+## Failure Semantics
+
+When template expressions reference missing or invalid context:
+
+- Rendering fails during `helm template`.
+- Failure is explicit and blocks successful output generation.
+
+## Verification Signals
+
+- `helm lint ./charts/gateway-api` passes.
+- `helm template` passes for updated tpl example.
+- `helm template` passes for at least one existing related example to confirm no regression.

specs/011-gateway-tpl-support/data-model.md

@@ -0,0 +1,43 @@
+# Data Model: Gateway API tpl Support
+
+## Entity: Route Hostname Configuration
+
+- **Source**: Chart values under HTTPRoute configuration.
+- **Type**: Ordered list of hostname entries.
+- **Allowed content**:
+  - Static hostnames.
+  - Template expressions resolving to hostnames.
+- **Validation rules**:
+  - Must resolve into YAML list format accepted by HTTPRoute hostnames.
+  - Rendered output must remain valid YAML.
+
+## Entity: Authorization Rule Configuration
+
+- **Source**: Chart values under Istio AuthorizationPolicy configuration.
+- **Type**: List/object structure matching policy rules schema.
+- **Allowed content**:
+  - Static rule objects.
+  - Template expressions resolving to rule objects or lists.
+- **Validation rules**:
+  - Must resolve into valid policy rules structure.
+  - Missing referenced template values cause render-time failure.
+
+## Entity: Envoy Filter Patch Configuration
+
+- **Source**: Chart values under Istio EnvoyFilter configuration.
+- **Type**: List of filter patch objects.
+- **Allowed content**:
+  - Static patch objects.
+  - Template expressions resolving to one or more patch objects.
+- **Validation rules**:
+  - Must resolve into valid `configPatches` array content.
+  - Rendered output must preserve indentation and structure.
+
+## Entity: Rendered Manifest Output
+
+- **Produced by**: `helm template` over chart + values.
+- **Consumers**: Operators applying manifests to Kubernetes.
+- **Quality constraints**:
+  - Valid YAML document structure.
+  - Correct field placement in HTTPRoute, AuthorizationPolicy, EnvoyFilter objects.
+  - No behavior regression for static-only values.

specs/011-gateway-tpl-support/plan.md

@@ -0,0 +1,96 @@
+# Implementation Plan: Gateway API tpl Support
+
+**Branch**: `011-gateway-tpl-support` | **Date**: 2026-04-14 | **Spec**: `/specs/011-gateway-tpl-support/spec.md`  
+**Input**: Feature specification from `/specs/011-gateway-tpl-support/spec.md`
+
+## Summary
+
+Add templating support parity for Gateway API and Istio sections by allowing resolved template expressions in HTTPRoute hostnames, AuthorizationPolicy rules, and EnvoyFilter config patches. Deliver the change with chart/example validation, no regression to static values, and updated examples/documentation that show end-user usage.
+
+## Technical Context
+
+**Language/Version**: Helm template DSL (Go templates via `tpl`), YAML manifests  
+**Primary Dependencies**: Helm 3 CLI, Gateway API resources, Istio resources, chart values schema  
+**Storage**: N/A (render-time configuration only)  
+**Testing**: `helm lint`, `helm template` for changed/new examples, regression templates for existing examples  
+**Target Platform**: Kubernetes clusters consuming rendered Helm manifests  
+**Project Type**: Helm chart repository  
+**Performance Goals**: Render succeeds for all affected examples in a single run without manual post-processing  
+**Constraints**: Preserve existing static behavior; maintain valid YAML indentation and object structure; keep chart consumer-facing values contract stable  
+**Scale/Scope**: One chart (`gateway-api`) with related base chart dependency and examples/docs updates
+
+## Constitution Check
+
+*GATE: Must pass before Phase 0 research. Re-check after Phase 1 design.*
+
+- [x] **Chart-First**: Work remains within existing Helm charts under `charts/`.
+- [x] **Values Contract**: New behavior is template evaluation of user-provided values; no environment hardcoding introduced.
+- [x] **Lint & Template**: Plan includes mandatory `helm lint` and `helm template` validation for changed chart and examples.
+- [x] **Examples for new abilities**: Plan includes updates to `examples/gateway-api/` and regression checks for existing examples.
+- [x] **Example testing and regression**: Plan includes rendering updated example and additional existing examples.
+- [x] **Official documentation before implementation**: Plan includes validation against Gateway API and Istio field expectations for target sections.
+- [x] **Versioning & compatibility**: Plan includes chart version bump for modified charts before completion.
+
+## Project Structure
+
+### Documentation (this feature)
+
+```text
+specs/011-gateway-tpl-support/
+├── plan.md
+├── research.md
+├── data-model.md
+├── quickstart.md
+├── contracts/
+│   └── render-contract.md
+└── tasks.md
+```
+
+### Source Code (repository root)
+
+```text
+charts/
+├── gateway-api/
+│   ├── Chart.yaml
+│   └── templates/
+│       ├── httproute.yaml
+│       └── istio/
+│           ├── authorizationpolicy.yaml
+│           └── envoyfilter.yaml
+└── base/
+    └── Chart.yaml
+
+examples/
+├── gateway-api/
+│   └── with-istio-envoyfilter-direct-response.yaml
+└── base/
+    └── with-istio-gateway-api-http-route-only.yaml
+```
+
+**Structure Decision**: Keep all changes inside existing chart templates, chart metadata versions, and example values files. No new runtime components are introduced.
+
+## Phase 0: Research Plan
+
+- Confirm render behavior and indentation guarantees when using `tpl (toYaml ...)` in list/object fields.
+- Confirm expected field shapes for:
+  - HTTPRoute `hostnames`
+  - AuthorizationPolicy `rules`
+  - EnvoyFilter `configPatches`
+- Confirm validation commands and representative examples for non-regression coverage.
+
+## Phase 1: Design & Contracts Plan
+
+- Document value entities and render transformations in `data-model.md`.
+- Define render-time contract (inputs, outputs, and failure semantics) in `contracts/render-contract.md`.
+- Provide operator execution and verification flow in `quickstart.md`.
+- Re-check constitution compliance after artifact generation.
+
+## Post-Design Constitution Check
+
+- [x] No constitution violations introduced by planned approach.
+- [x] Plan explicitly includes example updates and regression rendering.
+- [x] Plan explicitly includes chart version bump expectations.
+
+## Complexity Tracking
+
+No constitution violations requiring justification.

specs/011-gateway-tpl-support/quickstart.md

@@ -0,0 +1,46 @@
+# Quickstart: Gateway API tpl Support
+
+## 1) Validate chart syntax
+
+Run from repository root:
+
+`helm lint ./charts/gateway-api`
+
+## 2) Render updated tpl example
+
+Run from repository root:
+
+`helm template gateway ./charts/gateway-api -f ./examples/gateway-api/with-istio-envoyfilter-direct-response.yaml`
+
+Expected:
+
+- Render succeeds without template errors.
+- HTTPRoute hostnames are resolved in output.
+- AuthorizationPolicy rules are resolved in output (including user-provided templated `istio.authorizationPolicies[].rules`).
+- EnvoyFilter config patches are resolved in output (generated from route rules and resolved hostnames).
+- Output contains the resolved hostname string (for example, `dev.http-echo-gw.localhost` when `global.environment=dev`).
+
+## 3) Run regression example renders
+
+Run from repository root:
+
+`helm template base ./charts/base -f ./examples/base/with-istio-gateway-api-http-route-only.yaml`
+
+Expected:
+
+- Existing static-value example still renders successfully.
+- No regressions in unaffected resources.
+
+## 4) Verify docs/examples updates
+
+- Ensure updated examples include runnable command comment at the top.
+- Ensure chart documentation describes tpl support for target fields.
+- Confirm README guidance explicitly calls out:
+  - `httpRoutes[].hostnames`
+  - `istio.authorizationPolicies[].rules`
+  - generated EnvoyFilter `configPatches`
+
+## 5) Final release hygiene
+
+- Bump chart version(s) for modified chart(s) in `Chart.yaml`.
+- Re-run lint and template commands after version bump.