kbind-dev · mjudeikis · Nov 27, 2025 · Nov 21, 2025 · Nov 26, 2025
diff --git a/backend/http/server.go b/backend/http/server.go
@@ -49,7 +49,7 @@ func (s *Server) Addr() net.Addr {
 }
 
 func (s *Server) Start(ctx context.Context) error {
-	log.Println("Starting HTTP server")
+	log.Println("Starting web server")
 	server := &http.Server{
 		Handler:           s.Router,
 		ReadHeaderTimeout: 1 * time.Minute,

diff --git a/deploy/charts/backend/templates/gateway-api.yaml b/deploy/charts/backend/templates/gateway-api.yaml
@@ -0,0 +1,88 @@
+{{- if .Values.gatewayApi.enabled }}
+{{- if .Values.certManager.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "kube-bind.fullname" . }}-tls
+  labels:
+    {{- include "kube-bind.labels" . | nindent 4 }}
+spec:
+  secretName: {{ include "kube-bind.fullname" . }}-tls
+  issuerRef:
+    name: {{ .Values.certManager.clusterIssuer }}
+    kind: ClusterIssuer
+  {{- if .Values.gatewayApi.route.hostnames }}
+  dnsNames:
+  {{- range .Values.gatewayApi.route.hostnames }}
+  - {{ . }}
+  {{- end }}
+  {{- end }}
+---
+{{- end }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: {{ include "kube-bind.fullname" . }}-gateway
+  labels:
+    {{- include "kube-bind.labels" . | nindent 4 }}
+  {{- with .Values.gatewayApi.gateway.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  gatewayClassName: {{ .Values.gatewayApi.gateway.className }}
+  listeners:
+  - name: https
+    protocol: HTTPS
+    port: {{ .Values.gatewayApi.gateway.httpsPort | default 443 }}
+    tls:
+      mode: Terminate
+      certificateRefs:
+      {{- if .Values.certManager.enabled }}
+      - name: {{ include "kube-bind.fullname" . }}-tls
+      {{- else if .Values.gatewayApi.gateway.tls.certificateRefs }}
+      {{- range .Values.gatewayApi.gateway.tls.certificateRefs }}
+      - name: {{ .name }}
+        {{- if .namespace }}
+        namespace: {{ .namespace }}
+        {{- end }}
+        {{- if .group }}
+        group: {{ .group }}
+        {{- end }}
+        {{- if .kind }}
+        kind: {{ .kind }}
+        {{- end }}
+      {{- end }}
+      {{- end }}
+  - name: http
+    protocol: HTTP
+    port: {{ .Values.gatewayApi.gateway.httpPort | default 80 }}
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: {{ include "kube-bind.fullname" . }}-route
+  labels:
+    {{- include "kube-bind.labels" . | nindent 4 }}
+  {{- with .Values.gatewayApi.route.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  parentRefs:
+  - name: {{ include "kube-bind.fullname" . }}-gateway
+  {{- if .Values.gatewayApi.route.hostnames }}
+  hostnames:
+  {{- range .Values.gatewayApi.route.hostnames }}
+  - {{ . | quote }}
+  {{- end }}
+  {{- end }}
+  rules:
+  - matches:
+    - path:
+        type: {{ .Values.gatewayApi.route.pathType | default "PathPrefix" }}
+        value: {{ .Values.gatewayApi.route.path | default "/" }}
+    backendRefs:
+    - name: {{ include "kube-bind.fullname" . }}
+      port: {{ .Values.service.port }}
+{{- end }}
diff --git a/deploy/charts/backend/values.yaml b/deploy/charts/backend/values.yaml
@@ -37,6 +37,28 @@ certManager:
   enabled: false
   clusterIssuer: ""
 
+# Gateway API configuration
+gatewayApi:
+  enabled: false
+  gateway:
+    className: ""
+    httpPort: 80
+    httpsPort: 443
+    annotations: {}
+    tls:
+      certificateRefs: []
+      # Example:
+      # - name: tls-cert
+      #   namespace: default
+  route:
+    hostnames: []
+    # Example:
+    # - "example.com"
+    # - "api.example.com"
+    path: "/"
+    pathType: "PathPrefix"
+    annotations: {}
+
 examples:
   # Example resources to seed on first start
   enabled: false

diff --git a/docs/content/developers/.pages b/docs/content/developers/.pages
@@ -3,4 +3,5 @@ nav:
   - Development Environment: dev-environments.md
   - Backend: backend
   - Konnector: konnector
-  - Publishing a release: publishing-a-release.md
+  - Publishing a release: publishing-a-release.md
+  - Testing changes: testing-changes.md
diff --git a/docs/content/developers/testing-changes.md b/docs/content/developers/testing-changes.md
@@ -0,0 +1,83 @@
+---
+description: >
+  How to test changes made to kube-bind in your development environment.
+weight: 30
+title: Testing Changes
+---
+
+# Testing code changes
+
+When making changes to kube-bind, it's important to test them in a realistic multi-cluster environment.
+
+Follow [development setup instructions](../developers/development-setup/) to set up your development environment using kcp.
+kcp allows you to simulate multiple clusters using logical clusters.
+
+
+# Testing helm chart changes
+
+By default, in helm chart, the backend component does not have TLS enabled, and the embedded OIDC server is not used.
+To test changes related to TLS or OIDC, you need to enable them explicitly by setting the appropriate Helm values.
+
+To test basic Helm-install flow you will need GatewayAPI enabled kubernetes cluster with cert-manager installed.
+By default it will use TLS termination at the Gateway level.
+
+
+```bash
+# Use a specific development version:
+# VERSION=0.0.0-9fd9281e661c0d9a426a941111d3d8b08019ebc1
+```
+
+And run full helm install command with additional parameters:
+```bash
+helm upgrade \
+      --install \
+      --namespace kube-bind \
+      --create-namespace \
+      --set certManager.enabled=true \
+      --set certManager.clusterIssuer=letsencrypt-prod \
+      --set backend.oidc.issuerUrl=https://auth.genericcontrolplane.io \
+      --set backend.oidc.clientId=platform-mesh \
+      --set backend.oidc.clientSecret=Z2Fyc2lha2FsYmlzdmFuZGVuekWplCg== \
+      --set backend.oidc.callbackUrl=https://kube-bind.genericcontrolplane.io/api/callback \
+      --set gatewayApi.enabled=true \
+      --set gatewayApi.gateway.className=nginx \
+      --set gatewayApi.gateway.httpPort=80 \
+      --set gatewayApi.gateway.httpsPort=443 \
+      --set 'gatewayApi.gateway.tls.certificateRefs[0].name=backend-tls-cert' \
+      --set 'gatewayApi.route.hostnames[0]=kube-bind.genericcontrolplane.io' \
+      --set gatewayApi.route.path=/ \
+      --set gatewayApi.route.pathType=PathPrefix \
+      --set image.tag=${VERSION} \
+      kube-bind \
+      ./deploy/charts/backend
+```
+
+After the deployment at minimum url should be accessible:
+
+```bash
+ curl https://kube-bind.genericcontrolplane.io
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <link rel="icon" type="image/svg+xml" href="/vite.svg" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>Kube Bind</title>
+    <script type="module" crossorigin src="./assets/index.41dda553.js"></script>
+    <link rel="stylesheet" href="./assets/index.952308d6.css">
+  </head>
+  <body>
+    <div id="app"></div>
+
+  </body>
+</html>%                                                           
+```
+
+
+# Local dev environment testing
+
+If you changed helm charts and neet to test them in local development environment you can do the following:
+
+```bash
+ ./bin/kubectl-bind dev create --chart-path ./deploy/charts/backend       
+```
diff --git a/docs/content/setup/helm.md b/docs/content/setup/helm.md
@@ -10,8 +10,6 @@ The backend chart is available as an OCI image for service providers, with konne
 
 ## Quick Start
 
-**Important**: Current version of kube-bind uses application-level redirect (HTTP 302) to CLI. Your ingress controller must support this behavior.
-
 ## Prerequisites & Setup Guides
 
 The following prerequisites are required. Click the links below for detailed setup instructions:
@@ -20,6 +18,7 @@ The following prerequisites are required. Click the links below for detailed set
 - **[Helm 3.x](#helm)** - Package manager for Kubernetes
 - **[cert-manager](#cert-manager-setup)** - For TLS certificate management
 - **[OIDC provider](#oidc-provider-setup)** - For authentication (Dex, Keycloak, etc.)
+- **[Gateway API](#gateway-api-setup)** - (Optional) For advanced ingress management
 
 ### Install kube-bind Backend
 
@@ -31,7 +30,7 @@ The following prerequisites are required. Click the links below for detailed set
    VERSION=$(curl -s https://api.github.com/repos/kube-bind/kube-bind/releases/latest | grep '"tag_name"' | cut -d'"' -f4 | sed 's/v//')
 
    # Or use a specific development version:
-   # VERSION=0.0.0-<git-sha>
+   # VERSION=0.0.0-9fd9281e661c0d9a426a941111d3d8b08019ebc1
    ```
 
 2. **Configure your values:**
@@ -41,21 +40,35 @@ The following prerequisites are required. Click the links below for detailed set
    - Update hostnames to match your setup
 
 3. **Install the backend using OCI chart:**
-   ```bash
+
+  Note !!!
+    To install production configuration, you will need to have OIDC provider. 
+    For more information, just check out the [quickstart guide].(./quickstart.md)
+
+```bash
    # Using latest release version
-   helm upgrade --install \
-       --namespace kube-bind \
-       --create-namespace \
-       --values ./deploy/charts/backend/examples/values-local-development.yaml \
-       kube-bind oci://ghcr.io/kube-bind/charts/backend --version ${VERSION}
-
-   # Or install a specific development version
-   helm upgrade --install \
-       --namespace kube-bind \
-       --create-namespace \
-       --values ./deploy/charts/backend/examples/values-local-development.yaml \
-       kube-bind oci://ghcr.io/kube-bind/charts/backend --version 0.0.0-a50df39d7e4c71f7808f4209ec23f294c5ac8f86
-   ```
+helm upgrade \
+      --install \
+      --namespace kube-bind \
+      --create-namespace \
+      --set certManager.enabled=true \
+      --set certManager.clusterIssuer=letsencrypt-prod \
+      --set backend.oidc.issuerUrl=https://auth.example.com \
+      --set backend.oidc.clientId=platform-mesh \
+      --set backend.oidc.clientSecret=<client-secret-from-oidc-provider> \
+      --set backend.oidc.callbackUrl=https://kube-bind.example.com/api/callback \
+      --set gatewayApi.enabled=true \
+      --set gatewayApi.gateway.className=nginx \
+      --set gatewayApi.gateway.httpsPort=443 \
+      --set 'gatewayApi.gateway.tls.certificateRefs[0].name=backend-tls-cert' \
+      --set 'gatewayApi.route.hostnames[0]=kube-bind.example.com' \
+      --set gatewayApi.route.path=/ \
+      --set gatewayApi.route.pathType=PathPrefix \
+      --set image.tag=${VERSION} \
+      kube-bind \
+      kube-bind oci://ghcr.io/kube-bind/charts/backend --version ${VERSION}
+```
+
 
 4. **Seed with example resources (optional):**
 ```bash
@@ -70,13 +83,6 @@ That's it! Your kube-bind backend is now ready to use.
 
 ---
 
-### Kubernetes Cluster
-You need a running Kubernetes cluster with `kubectl` configured. For testing, you can create a local cluster:
-
-```bash
-kind create cluster --name kube-bind-test
-```
-
 ### Helm
 Install Helm 3.x from [https://helm.sh/docs/intro/install/](https://helm.sh/docs/intro/install/)
 
@@ -85,6 +91,23 @@ Install Helm 3.x from [https://helm.sh/docs/intro/install/](https://helm.sh/docs
 export HELM_EXPERIMENTAL_OCI=1
 ```
 
+### Gateway API Setup
+
+Install gateway API CRDs and controller for advanced ingress management. Kube-bind supports Gateway API for routing traffic to the backend service.
+
+Follow the official Gateway API installation instructions:
+https://gateway-api.sigs.k8s.io/guides/ 
+
+```bash
+kubectl apply --server-side -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/standard-install.yaml
+```
+
+We used NGINX Gateway controller for testing. Install it as follows:
+
+```bash
+helm upgrade --install ngf oci://ghcr.io/nginx/charts/nginx-gateway-fabric --create-namespace -n nginx-gateway 
+```
+
 ### cert-manager Setup
 
 Install cert-manager for automatic TLS certificate management:
@@ -216,7 +239,7 @@ config:
       redirectURIs:
       - https://auth.example.com/callback
       - http://localhost:8000
-      - https://kube-bind.example.com/callback  # Replace with your domain
+      - https://kube-bind.example.com/api/callback  # Replace with your domain
       name: 'KubeBindApp'
       secret: ### REPLACE ME ###
 
@@ -281,20 +304,4 @@ curl -s https://api.github.com/repos/kube-bind/kube-bind/releases | grep '"tag_n
 # Get latest release version
 VERSION=$(curl -s https://api.github.com/repos/kube-bind/kube-bind/releases/latest | grep '"tag_name"' | cut -d'"' -f4 | sed 's/v//')
 echo "Latest version: ${VERSION}"
-```
-
-**Development versions:**
-Development charts are built from every commit to the main branch with the format `0.0.0-<short-git-sha>`.
-
-### Installing Different Versions
-
-```bash
-# Install latest stable release (recommended for production)
-helm upgrade --install kube-bind oci://ghcr.io/kube-bind/charts/backend --version ${VERSION}
-
-# Install specific release version
-helm upgrade --install kube-bind oci://ghcr.io/kube-bind/charts/backend --version 1.0.0
-
-# Install development build (for testing)
-helm upgrade --install kube-bind oci://ghcr.io/kube-bind/charts/backend --version 0.0.0-a1b2c3d
-```
+```
diff --git a/docs/content/setup/kind-setup.md b/docs/content/setup/kind-setup.md
@@ -24,12 +24,14 @@ export KIND_EXPERIMENTAL_DOCKER_NETWORK=kube-bind
 kind create cluster --name provider 
 kubectl cluster-info --context kind-provider
 
-helm upgrade --install \
+helm upgrade \
+    --install \
     --namespace kube-bind \
     --create-namespace \
     kube-bind oci://ghcr.io/kube-bind/charts/backend --version 0.0.0-a50df39d7e4c71f7808f4209ec23f294c5ac8f86
 
-helm upgrade --install \
+helm upgrade \
+    --install \
     --namespace kube-bind \
     --create-namespace \
     --set image.repository=ghcr.io/mjudeikis/kube-bind/backend \