
feat!(networking): configurable ingress host address and group networking related config options under common networking key #6699

Open: florianzwagemaker wants to merge 7 commits into loculus-project:main from florianzwagemaker:url_construction


florianzwagemaker commented Jun 17, 2026


This PR modifies how networking and public-facing URLs are constructed for Loculus deployments.

New ingressHosts key in the helm chart

This modification allows changing the hostnames for each service Ingress rule (for each public-facing service).
Every Ingress host rule was computed from .Values.host and .Values.subdomainSeparator with a predefined (hardcoded) prefix, i.e. backend.host.xyz, lapis.host.xyz, or authentication.host.xyz.
The default behavior should be okay for the majority of deployments; however, in some environments there might be a requirement for different hostnames, either due to security policies, predefined hostname standards, or potentially multiple deployments.
This change makes this optionally configurable to allow for compatibility with these potential use cases by introducing a new ingressHosts key with properties for each ingress resource, allowing ingress hostnames to be set independently of the public URLs. An example can be found below.

⚠️ breaking change; introduction of common networking key and moving of several properties to this group

With the introduction of the ingressHosts properties, I figured it would be neater to group together all keys that are involved in URLs and hostnames, including the keys that are used in the automatic construction of URLs. The moved properties are public (here renamed to publicHosts), subdomainSeparator, enforceHTTPS, and traefikVersion.

In case the ingressHosts keys are kept empty, the previously computed default hostnames will be used instead.
The chain is as follows:

networking.publicHosts.backendUrl   ← explicit external URL (highest priority)
        ↓ (if empty)
networking.ingressHosts.backend     ← hostname derived from ingress (with https://)
        ↓ (if empty)
subdomainSeparator + host           ← legacy computed default
        ↓ (if local dev)
localhost:port                      ← development fallback

This means that the ingressHosts keys will only be used if a publicHosts key is set for the same service.
If ingressHosts is kept empty, then the URL template files will fall back to the previously computed default values based on subdomainSeparator + host.

This makes the logic mostly backwards compatible, but I figured it would be better to consider this a breaking change, as the moved keys for public URLs would require existing deployments to change the helm chart.

Full example of proposed structure:

networking:
  publicHosts: # <-- moved and renamed from `public`
    websiteUrl: "https://loculus.host.org"
    backendUrl: "https://backend.loculus.host.org"
    keycloakUrl: "https://auth.loculus.host.org"
    lapisUrlTemplate: "https://lapis.loculus.host.org/%organism%"
  ingressHosts: # <-- newly introduced
    website: "loculus.cluster.local"
    backend: "api.cluster.local"
    keycloak: "authentication.cluster.local"
    lapis: "lapis.cluster.local"
    minio: "s3.cluster.local"
    docs: "docs-preview.cluster.local"
  subdomainSeparator: "." # <-- moved from root property to nested
  enforceHTTPS: true # <-- moved from root property to nested
  traefikVersion: "2" # <-- moved from root property to nested

networking is just a suggestion of course; please feel free to suggest another key name if necessary.

All URL and host references in templates (such as _urls.tpl, ingressroute.yaml, lapis-ingress.yaml, etc.) have been changed to use the new .Values.networking structure.

I figured to not move the keys host and localHost, as I believe these are used too broadly throughout the chart, also outside of networking, or are used only in a development setting.

Please let me know your opinions on this, happy to make adjustments or to explore a different approach if this is not in line with your roadmap :)
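The fallback chain from the PR description above, modelled in Python as an added example; it is not code from the PR or from the Loculus chart, which implements the chain in Helm templates. The function name, the `local_dev` flag, the dev ports and the `https://` scheme on the computed default are assumptions made for illustration; the check on `ingressHosts` values reflects that the chain prepends `https://` to them.

```python
import re

# Assumptions for illustration (not from the chart): the dev ports and the
# https scheme on the computed default. Prefixes are the ones the PR quotes.
LEGACY_PREFIX = {"backend": "backend", "keycloak": "authentication"}
PUBLIC_KEY = {"backend": "backendUrl", "keycloak": "keycloakUrl"}
DEV_PORT = {"backend": 8079, "keycloak": 8083}  # constructed values
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(rf"{LABEL}(?:\.{LABEL})*")


def resolve_url(values, service, local_dev=False):
    """Return (url, source) for a service, following the chain top to bottom."""
    net = values.get("networking", {})
    public = (net.get("publicHosts") or {}).get(PUBLIC_KEY[service], "")
    if public:
        return public, "publicHosts"
    ingress = (net.get("ingressHosts") or {}).get(service, "")
    if ingress:
        # https:// is prepended here, so the value must be a bare hostname:
        # no scheme, port or path.
        if not HOSTNAME.fullmatch(ingress):
            raise ValueError(f"ingressHosts.{service} is not a bare hostname: {ingress!r}")
        return f"https://{ingress}", "ingressHosts"
    if local_dev:
        return f"http://localhost:{DEV_PORT[service]}", "localhost"
    sep = net.get("subdomainSeparator", ".")
    return f"https://{LEGACY_PREFIX[service]}{sep}{values['host']}", "computed"


# Constructed sample values, shaped like the structure proposed in the PR.
VALUES = {
    "host": "loculus.host.org",
    "networking": {
        "publicHosts": {"backendUrl": "https://backend.loculus.host.org"},
        "ingressHosts": {"backend": "api.cluster.local",
                         "keycloak": "authentication.cluster.local"},
        "subdomainSeparator": ".",
    },
}

if __name__ == "__main__":
    for svc in ("backend", "keycloak"):
        print(svc, resolve_url(VALUES, svc))
```

Running the resolver over a values file before `helm upgrade` shows which source each public URL comes from after the keys are moved under `networking`.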


florianzwagemaker and others added 4 commits June 14, 2026 14:31
Copilot AI review requested due to automatic review settings June 17, 2026 10:45

Copilot AI left a comment


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR restructures Helm chart configuration related to networking by moving URL/host/ingress-related values under a new .Values.networking object and updating templates/helpers to consume the new structure.

Changes:

  • Introduces .Values.networking with publicHosts, ingressHosts, subdomainSeparator, enforceHTTPS, and traefikVersion.
  • Updates multiple Helm templates/helpers to compute hosts/URLs from .Values.networking.* and optional ingress host overrides.
  • Updates deployment tooling (deploy.py) to set networking.publicHosts instead of the previous top-level public.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| kubernetes/loculus/values.yaml | Moves enforceHTTPS, traefikVersion, and subdomainSeparator under networking. |
| kubernetes/loculus/values.schema.json | Adds schema for networking (publicHosts/ingressHosts + related fields) and removes old top-level keys. |
| kubernetes/loculus/templates/lapis-ingress.yaml | Uses networking.ingressHosts + networking.subdomainSeparator + networking.traefikVersion + networking.enforceHTTPS. |
| kubernetes/loculus/templates/keycloak-config-map.yaml | Switches Keycloak host/redirect URIs to use networking.ingressHosts overrides. |
| kubernetes/loculus/templates/ingressroute.yaml | Uses networking.* and introduces overridable website/backend/keycloak/minio ingress hosts. |
| kubernetes/loculus/templates/ingest-config.yaml | Uses the shared loculus.backendUrl helper for server backend URL. |
| kubernetes/loculus/templates/ena-submission-config.yaml | Uses the shared loculus.backendUrl helper for server backend URL. |
| kubernetes/loculus/templates/docs-preview.yaml | Uses networking.ingressHosts.docs override for docs hostname. |
| kubernetes/loculus/templates/autoapprove-config.yaml | Uses the shared loculus.backendUrl helper for server backend URL. |
| kubernetes/loculus/templates/_urls.tpl | Updates URL helpers to read from networking.publicHosts and networking.ingressHosts. |
| kubernetes/loculus/templates/_common-metadata.tpl | Updates runtime config generation to use networking.publicHosts and networking.ingressHosts. |
| deploy.py | Updates Helm --set-json path from public to networking.publicHosts. |


Comment thread kubernetes/loculus/templates/ingressroute.yaml Outdated
Comment thread kubernetes/loculus/templates/ingressroute.yaml Outdated
Comment thread kubernetes/loculus/templates/ingressroute.yaml Outdated
Comment thread kubernetes/loculus/templates/_urls.tpl Outdated
Comment thread kubernetes/loculus/values.schema.json Outdated