feat: Add ReferenceGrant support for HTTPRoute#147
Closed
dspo wants to merge 10 commits into
Closed
Conversation
This commit introduces functionality to handle the ReferenceGrant resource in the Gateway API. It updates the Gateway controller logic, adds necessary permissions in RBAC manifests, and integrates condition handling for cross-namespace references. Additionally, skipped conformance tests related to ReferenceGrants are reinstated.
This commit introduces support for Gateway API ReferenceGrant CRD, enabling cross-namespace references for HTTPRoutes. It refactors backend reference handling to validate Service references and check ReferenceGrants. Also includes minor code cleanups, added cluster role permissions for ReferenceGrants, and adjustments to e2e manifests.
Contributor
conformance test reportapiVersion: gateway.networking.k8s.io/v1
date: "2025-05-21T09:44:51Z"
gatewayAPIChannel: standard
gatewayAPIVersion: v1.2.0
implementation:
contact: null
organization: APISIX
project: apisix-ingress-controller
url: https://github.com/apache/apisix-ingress-controller.git
version: v2.0.0
kind: ConformanceReport
mode: default
profiles:
- core:
result: partial
skippedTests:
- HTTPRouteHTTPSListener
statistics:
Failed: 0
Passed: 32
Skipped: 1
name: GATEWAY-HTTP
summary: Core tests partially succeeded with 1 test skips. |
…nce-grant-for-route
…reference-grant-for-route # Conflicts: # test/conformance/conformance_test.go
Reorganized and simplified the predicate logic for ReferenceGrant handling across gateway and HTTPRoute controllers. Consolidated duplicate code into reusable functions, reducing redundancy and improving maintainability. This centralization ensures consistent behavior and clearer code structure.
…nce-grant-for-route # Conflicts: # internal/controller/gateway_controller.go # internal/controller/utils.go # test/conformance/conformance_test.go
… cross-namespace checks
12 tasks
Contributor
There was a problem hiding this comment.
Pull Request Overview
Adds support for Gateway API ReferenceGrant CRDs in HTTPRoute handling to enable cross-namespace backend references.
- Refactors resolvedRefs condition logic and introduces
ReasonErrorand shared ReferenceGrant utilities. - Enhances HTTPRoute controller to watch ReferenceGrant changes and validate cross-namespace Service refs.
- Simplifies Gateway controller predicates for ReferenceGrant and cleans up event handling.
Reviewed Changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| test/conformance/conformance_test.go | Removed skips for HTTPRoute cross-namespace tests, leaving a TODO. |
| internal/controller/utils.go | Introduced ReasonError, predicate builders, and consolidated helpers. |
| internal/controller/httproute_controller.go | Updated backend ref logic, added ReferenceGrant watching and checking. |
| internal/controller/gateway_controller.go | Swapped custom predicates for generic referenceGrantPredicates. |
Comments suppressed due to low confidence (5)
internal/controller/httproute_controller.go:641
- [nitpick] The method name
lisHTTPRoutesForReferenceGrantseems to have a typo; change it tolistHTTPRoutesForReferenceGrantfor consistency.
func (r *HTTPRouteReconciler) lisHTTPRoutesForReferenceGrant(ctx context.Context, obj client.Object) (requests []reconcile.Request) {
internal/controller/utils.go:956
- The
fmt.Sprintfcall innewInvalidKindErrorrequires importing thefmtpackage; please add"fmt"to the imports.
Message: fmt.Sprintf("Invalid kind %s, only Service is supported", kind),
internal/controller/utils.go:950
- The
slices.Containscall requires importing theslicespackage (Go 1.21+); please add"slices"to the imports or adjust accordingly.
return slices.Contains(reasons, Reason(re.Reason))
internal/controller/gateway_controller.go:179
- The logged
NamespacedNameomits theNamefield, so the gateway name will be empty; includeName: gateway.GetName()for complete context.
r.Log.Error(err, "failed to get listener status", "gateway", types.NamespacedName{Namespace: gateway.GetNamespace()})
internal/controller/httproute_controller.go:482
- Double-check that
v1beta1.RouteReasonRefNotPermittedis the correct constant for HTTPRoute resolvedRefs; if this constant belongs to the v1 package, switch togatewayv1.RouteReasonRefNotPermitted.
Reason: string(v1beta1.RouteReasonRefNotPermitted),
Contributor
Author
|
This is closed, please view #149 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This commit introduces support for Gateway API ReferenceGrant CRD, enabling cross-namespace references for HTTPRoutes. It refactors backend reference handling to validate Service references and check ReferenceGrants. Also includes minor code cleanups, added cluster role permissions for ReferenceGrants, and adjustments to e2e manifests.
Type of change:
What this PR does / why we need it:
Pre-submission checklist: