feat: make API internal-only, expose only Portal externally

- Disable api.gateway and api.ingress by default
- Portal remains externally accessible via Gateway API (default)
- Add helper functions to auto-generate internal Service URLs
- Portal accesses API via cluster Service (http://<release>-api:8000)
- Update values-gateway.yaml and values-ingress.yaml examples
- Update README.md documentation

BREAKING CHANGE: API is no longer exposed externally by default.
The Portal communicates with the API via internal cluster Service.

Author: rafaelrsantosti

tron/README.md

@@ -11,10 +11,10 @@ This Helm chart installs [Tron Platform](https://github.com/grid-labs-tech/tron)
 
 The architecture diagram above illustrates the complete Tron Platform deployment on Kubernetes, including:
 
-- **External Access**: Users and developers accessing the platform
-- **Ingress/Gateway API**: Traffic routing and TLS termination
-- **Frontend**: Portal service (React application)
-- **Backend**: API service (FastAPI)
+- **External Access**: Users and developers accessing the Portal
+- **Ingress/Gateway API**: Traffic routing and TLS termination (Portal only)
+- **Frontend**: Portal service (React application) - externally exposed
+- **Backend**: API service (FastAPI) - internal only, accessed via cluster Service
 - **Data Layer**: PostgreSQL database with persistent storage
 - **Configuration**: ConfigMaps and Secrets for application configuration
 - **Management**: HPA (autoscaling), PDB (high availability), and NetworkPolicy (security)
@@ -76,8 +76,8 @@ helm uninstall tron
 | `api.image.tag` | API image tag | `latest` |
 | `api.service.type` | API service type | `ClusterIP` |
 | `api.service.port` | API service port | `8000` |
-| `api.ingress.enabled` | Enable Ingress for API | `false` |
-| `api.gateway.enabled` | Enable Gateway API for API | `true` |
+| `api.ingress.enabled` | Enable Ingress for API (internal by default) | `false` |
+| `api.gateway.enabled` | Enable Gateway API for API (internal by default) | `false` |
 | `portal.enabled` | Enable Portal deployment | `true` |
 | `portal.replicaCount` | Number of Portal replicas | `2` |
 | `portal.image.repository` | Portal image repository | `grid-labs-tech/tron-portal` |
@@ -126,35 +126,17 @@ api:
 
 ### Gateway API (Default)
 
-By default, the chart uses Kubernetes Gateway API to expose services. To configure:
+By default, only the **Portal is exposed externally** via Gateway API. The API is internal-only and accessed by the Portal via cluster Service.
 
 ```yaml
-api:
-  gateway:
-    enabled: true
-    gatewayRef:
-      name: my-gateway
-      namespace: default  # Optional, uses release namespace if not specified
-    hostnames:
-      - api.tron.example.com
-    rules:
-      - path: /
-        pathType: PathPrefix
-    tls:
-      enabled: true
-      mode: Terminate
-      certificateRefs:
-        - name: tron-api-tls
-          kind: Secret
-
 portal:
   gateway:
     enabled: true
     gatewayRef:
       name: my-gateway
-      namespace: default
+      namespace: default  # Optional, uses release namespace if not specified
     hostnames:
-      - portal.tron.example.com
+      - tron.example.com
     rules:
       - path: /
         pathType: PathPrefix
@@ -168,42 +150,28 @@ portal:
 
 **Note**: To use Gateway API, you need to have Gateway API CRDs installed in your cluster. The chart does not create the Gateway resource, only the HTTPRoutes that reference an existing Gateway.
 
+See `values-gateway.yaml` for a complete example configuration.
+
 ### Ingress Controller (Alternative)
 
-The chart also supports traditional Ingress Controller as an alternative to Gateway API. To use Ingress:
+The chart also supports traditional Ingress Controller as an alternative to Gateway API. To use Ingress for the Portal:
 
 ```yaml
-api:
-  gateway:
-    enabled: false  # Disable Gateway API
-  ingress:
-    enabled: true
-    className: nginx
-    hosts:
-      - host: api.tron.example.com
-        paths:
-          - path: /
-            pathType: Prefix
-    tls:
-      - secretName: tron-api-tls
-        hosts:
-          - api.tron.example.com
-
 portal:
   gateway:
     enabled: false  # Disable Gateway API
   ingress:
     enabled: true
     className: nginx
     hosts:
-      - host: portal.tron.example.com
+      - host: tron.example.com
         paths:
           - path: /
             pathType: Prefix
     tls:
       - secretName: tron-portal-tls
         hosts:
-          - portal.tron.example.com
+          - tron.example.com
 ```
 
 See `values-ingress.yaml` for a complete example configuration using Ingress Controller.
@@ -399,49 +367,32 @@ portal:
     enabled: true
     minReplicas: 3
     maxReplicas: 15
-
-postgresql:
-  primary:
-    persistence:
-      size: 100Gi
-    resources:
-      requests:
-        cpu: 1000m
-        memory: 2Gi
-      limits:
-        cpu: 2000m
-        memory: 4Gi
-
-api:
   gateway:
     enabled: true
     gatewayRef:
       name: production-gateway
       namespace: gateway-system
     hostnames:
-      - api.tron.example.com
-    tls:
-      enabled: true
-      mode: Terminate
-      certificateRefs:
-        - name: tron-api-tls
-          kind: Secret
-
-portal:
-  gateway:
-    enabled: true
-    gatewayRef:
-      name: production-gateway
-      namespace: gateway-system
-    hostnames:
-      - portal.tron.example.com
+      - tron.example.com
     tls:
       enabled: true
       mode: Terminate
       certificateRefs:
         - name: tron-portal-tls
           kind: Secret
 
+postgresql:
+  primary:
+    persistence:
+      size: 100Gi
+    resources:
+      requests:
+        cpu: 1000m
+        memory: 2Gi
+      limits:
+        cpu: 2000m
+        memory: 4Gi
+
 networkPolicy:
   enabled: true
 ```
@@ -482,7 +433,8 @@ This chart is available on [Artifact Hub](https://artifacthub.io/packages/helm/g
 
 ### Chart Features
 
-- ✅ Support for Gateway API (default) and Ingress Controller
+- ✅ Portal exposed via Gateway API (default) or Ingress Controller
+- ✅ API internal-only (accessed via cluster Service)
 - ✅ Horizontal Pod Autoscaler (HPA)
 - ✅ Pod Disruption Budgets
 - ✅ Network Policies

tron/templates/_helpers.tpl

@@ -240,3 +240,17 @@ Generate API token secret if not provided
 {{- end }}
 {{- end }}
 {{- end }}
+
+{{/*
+Internal API URL (for Portal to access API via cluster Service)
+*/}}
+{{- define "tron.api.internalUrl" -}}
+{{- printf "http://%s-api:%d" (include "tron.fullname" .) (.Values.api.service.port | int) }}
+{{- end }}
+
+{{/*
+Internal Portal URL
+*/}}
+{{- define "tron.portal.internalUrl" -}}
+{{- printf "http://%s-portal:%d" (include "tron.fullname" .) (.Values.portal.service.port | int) }}
+{{- end }}

tron/templates/configmap.yaml

@@ -6,8 +6,8 @@ metadata:
   labels:
     {{- include "tron.labels" . | nindent 4 }}
 data:
-  API_URL: {{ .Values.config.apiUrl | quote }}
-  PORTAL_URL: {{ .Values.config.portalUrl | quote }}
+  API_URL: {{ .Values.config.apiUrl | default (include "tron.api.internalUrl" .) | quote }}
+  PORTAL_URL: {{ .Values.config.portalUrl | default (include "tron.portal.internalUrl" .) | quote }}
   DATABASE_HOST: {{ include "tron.database.host" . | quote }}
   DATABASE_PORT: {{ include "tron.database.port" . | quote }}
   DATABASE_NAME: {{ include "tron.database.name" . | quote }}

tron/values-gateway.yaml

@@ -1,33 +1,15 @@
 # Example values for Gateway API with TLS enabled
-# Gateway API is enabled by default, this file shows a production-ready configuration
+# Only Portal is exposed externally, API is internal-only
 # Usage: helm install tron grid-labs-tech/tron -f values-gateway.yaml
 
-api:
-  gateway:
-    enabled: true
-    gatewayRef:
-      name: my-gateway        # Name of your Gateway resource
-      namespace: default      # Namespace where Gateway is deployed
-    hostnames:
-      - api.tron.example.com
-    rules:
-      - path: /
-        pathType: PathPrefix
-    tls:
-      enabled: true
-      mode: Terminate
-      certificateRefs:
-        - name: tron-api-tls
-          kind: Secret
-
 portal:
   gateway:
     enabled: true
     gatewayRef:
       name: my-gateway        # Name of your Gateway resource
       namespace: default      # Namespace where Gateway is deployed
     hostnames:
-      - portal.tron.example.com
+      - tron.example.com
     rules:
       - path: /
         pathType: PathPrefix

tron/values-ingress.yaml

@@ -1,25 +1,7 @@
 # Example values using Ingress Controller instead of Gateway API
+# Only Portal is exposed externally, API is internal-only
 # Usage: helm install tron grid-labs-tech/tron -f values-ingress.yaml
 
-api:
-  gateway:
-    enabled: false  # Disable Gateway API
-  ingress:
-    enabled: true
-    className: nginx  # Change to your ingress class (nginx, traefik, etc.)
-    annotations:
-      # nginx.ingress.kubernetes.io/rewrite-target: /
-      # cert-manager.io/cluster-issuer: letsencrypt-prod
-    hosts:
-      - host: api.tron.example.com
-        paths:
-          - path: /
-            pathType: Prefix
-    tls:
-      - hosts:
-          - api.tron.example.com
-        secretName: tron-api-tls
-
 portal:
   gateway:
     enabled: false  # Disable Gateway API
@@ -30,11 +12,11 @@ portal:
       # nginx.ingress.kubernetes.io/rewrite-target: /
       # cert-manager.io/cluster-issuer: letsencrypt-prod
     hosts:
-      - host: portal.tron.example.com
+      - host: tron.example.com
         paths:
           - path: /
             pathType: Prefix
     tls:
       - hosts:
-          - portal.tron.example.com
+          - tron.example.com
         secretName: tron-portal-tls

tron/values.yaml

@@ -1,9 +1,9 @@
 # Default values for tron
 # This is a YAML-formatted file.
 #
-# Gateway API is enabled by default. To use Ingress Controller instead,
-# disable Gateway API and enable Ingress in the api.ingress and portal.ingress sections.
-# See values-ingress.yaml for an example configuration using Ingress Controller.
+# Only the Portal is exposed externally by default (via Gateway API).
+# The API is internal-only and accessed by the Portal via cluster Service.
+# To use Ingress Controller instead of Gateway API, see values-ingress.yaml.
 
 global:
   imageRegistry: ""
@@ -26,7 +26,10 @@ api:
     port: 8000
     targetPort: 8000
 
-  # Ingress Configuration (alternative to Gateway API)
+  # API is internal-only by default (accessed via cluster Service)
+  # Enable ingress or gateway only if you need external API access
+  
+  # Ingress Configuration (disabled by default)
   ingress:
     enabled: false
     className: ""
@@ -38,9 +41,9 @@ api:
             pathType: Prefix
     tls: []
 
-  # Gateway API Configuration (default)
+  # Gateway API Configuration (disabled by default)
   gateway:
-    enabled: true
+    enabled: false
     gatewayRef:
       name: ""
       namespace: ""
@@ -149,20 +152,20 @@ portal:
     className: ""
     annotations: {}
     hosts:
-      - host: tron-portal.local
+      - host: tron.local
         paths:
           - path: /
             pathType: Prefix
     tls: []
 
-  # Gateway API Configuration (default)
+  # Gateway API Configuration (default for Portal)
   gateway:
     enabled: true
     gatewayRef:
       name: ""
       namespace: ""
     hostnames:
-      - tron-portal.local
+      - tron.local
     rules:
       - path: /
         pathType: PathPrefix
@@ -278,9 +281,10 @@ externalDatabase:
 
 # Application Configuration
 config:
-  # API Configuration
-  apiUrl: "http://tron-api:8000"
-  portalUrl: "http://tron-portal:3000"
+  # Internal URLs are auto-generated based on release name
+  # Override only if using external services
+  apiUrl: ""   # Leave empty to auto-generate: http://<release>-api:<port>
+  portalUrl: "" # Leave empty to auto-generate: http://<release>-portal:<port>
 
   # Database Configuration
   database: