From 95391908075aae413eef81ed3b96376170ef2dd4 Mon Sep 17 00:00:00 2001
From: Thomas Boerger
Date: Mon, 11 May 2026 00:28:47 +0200
Subject: [PATCH 1/2] feat: add optional name to httproute rules

In order to apply security policies from gateway api implementations like Envoy Gateway to the HTTPRoute I have added an optional name attribute to the rules. These name attributes can be matched by the sectionName of other resources.

Signed-off-by: Thomas Boerger
---
 helm/oauth2-proxy/Chart.yaml               |  8 ++++----
 helm/oauth2-proxy/ci/gateway-api-name.yaml | 16 ++++++++++++++++
 helm/oauth2-proxy/templates/httproute.yaml |  5 ++++-
 helm/oauth2-proxy/values.yaml              |  3 ++-
 4 files changed, 26 insertions(+), 6 deletions(-)
 create mode 100644 helm/oauth2-proxy/ci/gateway-api-name.yaml

diff --git a/helm/oauth2-proxy/Chart.yaml b/helm/oauth2-proxy/Chart.yaml
index 7f65987e..cd414b8f 100644
--- a/helm/oauth2-proxy/Chart.yaml
+++ b/helm/oauth2-proxy/Chart.yaml
@@ -1,5 +1,5 @@
 name: oauth2-proxy
-version: 10.4.3
+version: 10.6.0
 apiVersion: v2
 appVersion: 7.15.2
 home: https://oauth2-proxy.github.io/oauth2-proxy/
@@ -30,8 +30,8 @@ maintainers:
 kubeVersion: ">=1.16.0-0"
 annotations:
   artifacthub.io/changes: |
-    - kind: changed
-      description: Bump OAuth2 Proxy image to v7.15.2
+    - kind: added
+      description: Added name attribute for HTTPRoute rules
       links:
         - name: GitHub PR
-          url: https://github.com/oauth2-proxy/manifests/pull/406
+          url: https://github.com/oauth2-proxy/manifests/pull/407
diff --git a/helm/oauth2-proxy/ci/gateway-api-name.yaml b/helm/oauth2-proxy/ci/gateway-api-name.yaml
new file mode 100644
index 00000000..9d04c05d
--- /dev/null
+++ b/helm/oauth2-proxy/ci/gateway-api-name.yaml
@@ -0,0 +1,16 @@
+# Gateway API configuration with rule name
+gatewayApi:
+  enabled: true
+  gatewayRef:
+    name: test-gateway
+  rules:
+    - name: service
+      matches:
+        - path:
+            type: PathPrefix
+            value: /
+    - name: metrics
+      matches:
+        - path:
+            type: PathPrefix
+            value: /metrics
diff --git a/helm/oauth2-proxy/templates/httproute.yaml b/helm/oauth2-proxy/templates/httproute.yaml
index 001fc208..35f1f875 100644
--- a/helm/oauth2-proxy/templates/httproute.yaml
+++ b/helm/oauth2-proxy/templates/httproute.yaml
@@ -30,7 +30,10 @@ spec:
   rules:
   {{- if .Values.gatewayApi.rules }}
   {{- range .Values.gatewayApi.rules }}
-  - matches:
+  - {{- if .name }}
+    name: {{ .name | quote }}
+    {{- end }}
+    matches:
     {{- if .matches }}
     {{- toYaml .matches | nindent 4 }}
     {{- else }}
diff --git a/helm/oauth2-proxy/values.yaml b/helm/oauth2-proxy/values.yaml
index dd2f6592..ac87524e 100644
--- a/helm/oauth2-proxy/values.yaml
+++ b/helm/oauth2-proxy/values.yaml
@@ -361,7 +361,8 @@ gatewayApi:
   gatewayRef: {}
   # HTTPRoute rule configuration
   # rules:
-  #   - matches:
+  #   - name: service # optional: enables targeting by sectionName in policies
+  #     matches:
   #       - path:
   #           type: PathPrefix
   #           value: /

From 256bde11be0a7587e894023d8a6ac202cb182b28 Mon Sep 17 00:00:00 2001
From: Pierluigi Lenoci
Date: Fri, 22 May 2026 12:01:43 +0200
Subject: [PATCH 2/2] docs: document gatewayApi.rules[].name and sectionName targeting

Update the Helm chart README to:

- include the optional 'name' field in the Advanced Gateway API configuration example
- add a new subsection explaining how rules[].name maps to sectionName on policies (SecurityPolicy, BackendTrafficPolicy, etc.) so that consumers can target individual HTTPRoute rules.

Addresses Copilot review comment on Chart.yaml:37.

Signed-off-by: Pierluigi Lenoci
---
 helm/oauth2-proxy/README.md | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/helm/oauth2-proxy/README.md b/helm/oauth2-proxy/README.md
index d983f8ef..1d023f33 100644
--- a/helm/oauth2-proxy/README.md
+++ b/helm/oauth2-proxy/README.md
@@ -361,7 +361,8 @@ gatewayApi:
   hostnames:
     - oauth.example.com
   rules:
-    - matches:
+    - name: oauth2
+      matches:
         - path:
             type: PathPrefix
             value: /oauth2
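Review bot: The new `name: {{ .name | quote }}` line renders whatever the user put in `gatewayApi.rules[].name` without any check, yet a `SecurityPolicy` that targets the route via `sectionName` only attaches when that name is a valid Gateway API SectionName and unique among the route's rules; an invalid or duplicated name is either rejected by the HTTPRoute CRD (on Gateway API releases that know the `rules[].name` field) or leaves the policy unattached, so the auth rule it carries is never enforced. I would validate before the `- {{- if .name }}` line so a bad value fails `helm template` rather than surfacing later as an unprotected route. Because `rules[].name` is a newer HTTPRoute field, it is also worth a NOTES or README caveat that the installer should confirm the policy's status reports it as accepted against the named rule, since an older CRD may drop or reject the field. The `rules:` mapping and the `range` loop are closed outside this hunk.

```yaml
  {{- if .Values.gatewayApi.rules }}
  {{- $seen := dict }}
  {{- range .Values.gatewayApi.rules }}
  {{- if .name }}
  {{- $n := toString .name }}
  {{- if or (gt (len $n) 253) (not (regexMatch "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" $n)) }}
  {{- fail (printf "gatewayApi.rules[].name %q is not a valid Gateway API sectionName" $n) }}
  {{- end }}
  {{- if hasKey $seen $n }}
  {{- fail (printf "gatewayApi.rules[].name %q is used by more than one rule" $n) }}
  {{- end }}
  {{- $_ := set $seen $n true }}
  {{- end }}
  {{- /* … unchanged: rule entry with name and matches rendering … */}}
```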
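Review bot: The inline comment `# optional: enables targeting by sectionName in policies` on the new `name: service` example omits the two constraints a user needs before relying on the name for a SecurityPolicy: the value must be a valid Gateway API sectionName (lower-case, DNS-style, unique among the route's rules), and a policy scoped to this rule via `sectionName` covers only this rule, so every other rule in the route stays unprotected unless it is targeted too or the policy targets the whole HTTPRoute. I would split it over two comment lines, e.g. `# optional; must be a unique, lower-case DNS-style name` and `# a policy targeting it via sectionName covers only this rule -- others stay uncovered unless the policy targets the whole route`. The commented example block continues outside this hunk.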
@@ -380,6 +381,31 @@ gatewayApi:
 If you don't specify custom rules, the chart will create a default rule that matches all paths with `PathPrefix: /` and routes to the oauth2-proxy service.
 If you don't specify a sectionName, the rules will be applied to all listeners of the referenced Gateway.
 
+### Targeting Rules with Policies via `sectionName`
+
+The optional `name` field on each rule (e.g. `rules[].name: oauth2`) lets policies such as `SecurityPolicy`, `BackendTrafficPolicy`, or any other Gateway API policy that supports `sectionName` target a specific HTTPRoute rule rather than the entire route. Example:
+
+```yaml
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: SecurityPolicy
+metadata:
+  name: oauth2-proxy-policy
+spec:
+  targetRefs:
+  - group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    name: oauth2-proxy
+    sectionName: oauth2 # matches rules[].name above
+  jwt:
+    providers:
+    - name: example
+      issuer: https://issuer.example.com
+      remoteJWKS:
+        uri: https://issuer.example.com/.well-known/jwks.json
+```
+
+Without a rule `name`, policies cannot target individual rules and must apply to the whole HTTPRoute.
+
 ## TLS Configuration
 
 See: [TLS Configuration](https://oauth2-proxy.github.io/oauth2-proxy/configuration/tls/).