Skip to content

Update Gateway API to v1.3.0, target Envoy Gateway v1.5.0, expose new APIs#62

Merged
joshlreese merged 43 commits into
mainfrom
integration/proxy-updates
Oct 3, 2025
Merged

Update Gateway API to v1.3.0, target Envoy Gateway v1.5.0, expose new APIs#62
joshlreese merged 43 commits into
mainfrom
integration/proxy-updates

Conversation

@joshlreese

@joshlreese joshlreese commented Oct 3, 2025

Copy link
Copy Markdown
Contributor

Summary

The following CRDs will be installed into project control planes and available to users to tweak gateway resource configuration:

Note

The HTTPProxy resource has not been directly updated to support features provided by the above API types. However, users can apply policies that target the underlying Gateway and HTTPRoute resources managed by an HTTPProxy if they wish.

Default Gateway hostnames

From #49

Before these changes, downstream gateways were being provisioned with listeners which are considered to have overlapping hostnames. This is a result of configuring the <uuid>.<targetDomain> hostname on a listener, along with the [v4|v6].<uuid>.<targetDomain> hostnames on listeners. When this occurs, Envoy Gateway will disable HTTP2 on the listeners, requiring explicit ALPN configuration via a ClientTrafficPolicy.

To make sure we provide users with gateways which support HTTP2 out of the box, the decision was made to no longer configure the gateway with the v4 or v6 prefixed hostnames. These addresses will remain in DNS, responding only with A or AAAA records.

In an effort to make it more clear to users which hostnames a gateway will accept, the system now injects default HTTP and HTTPS listeners into gateways created by the user which have the <uuid>.<targetDomain> hostname. The user may remove these listeners if they wish. All three DNS addresses will remain in the Status.Addresses field of the Gateway, which now makes this field more aligned with the intent defined in the spec.

The default listener names are now default-http and default-https, which will result in the reconfiguration of some gateway resources upon deployment - particularly those maintained via HTTPProxy resources.

See: https://gateway-api.sigs.k8s.io/geps/gep-3567/

Conformance suite and e2e tests

The Gateway API conformance suite and Envoy Gateway e2e tests have been incorporated into the project, providing significant test coverage for both control plane and data plane concerns.

Syncing ConfigMaps and Secrets

APIs introduced in these changes may need to reference ConfigMaps or Secrets to be useful. Users must add the networking.datumapis.com/gateway-sync label to these resources in order for them to be synced to edge clusters. This requirement is in place to prevent replication of unrelated secrets (metric exports, future services), and to avoid what would be a significant amount of code to support replicating only resources which are referenced by configurations.

References

PRs that went into this integration branch:

Closes:

joshlreese and others added 30 commits September 17, 2025 11:06
Updated e2e test to avoid assertion failure on the
`OverlappingTLSConfig` condition. Future work will
be done to remove the v4 and v6 hostnames from being
programmed on Gateways, which will remove this condition.
Before these changes, downstream gateways were being provisioned with listeners
which are considered to have overlapping hostnames. This is a result of
configuring the `<uuid>.<targetDomain>` hostname on a listener, along with the
`[v4|v6].<uuid>.<targetDomain>` hostnames on listeners. When this occurs, Envoy
Gateway will disable HTTP2 on the listeners, requiring explicit ALPN
configuration via a ClientTrafficPolicy.

To make sure we provide users with gateways which support HTTP2 out of the box,
the decision was made to no longer configure the gateway with the v4 or v6
prefixed hostnames. These addresses will remain in DNS, responding only with
A or AAAA records.

In an effort to make it more clear to users which hostnames a gateway will
accept, the system now injects default HTTP and HTTPS listeners into gateways
created by the user which have the `<uuid>.<targetDomain>` hostname. The user
may remove these listeners if they wish. All three DNS addresses will remain in
the `Status.Addresses` field of the Gateway, which now makes this field more
aligned with the intent defined in the spec.

The default listener names are now `default-http` and `default-https`,
which will result in the reconfiguration of some gateway resources upon
deployment - particularly those maintained via HTTPProxy resources.

See: https://gateway-api.sigs.k8s.io/geps/gep-3567/
…in the HTTPProxy reconciler, move the HTTPProxy reconciler to accumulate hostnames based on listeners and their status, instead of addresses.
Due to limitations in how Envoy Gateway programs listeners,
a ClientTrafficPolicy cannot be applied to non-TLS listeners
with overlapping ports. Application to TLS listeners works
without issue, however the inconsistency is undesirable.

Future TLS settings can be provided via the Gateway Listener's
TLS configuration.

Header manipulation, while not "early", can be accomplished
today via `RequestHeaderModifier` filters. Timeouts can
also be defined in existing route rules.

Remaining features are mostly around tuning, where there can
be generous defaults set on the platform.
Update Gateway API to v1.3.0, target Envoy Gateway v1.5.0.
Default Gateway hostname changes to avoid issues outlined in GEP-3567.
… HTTPRouteFilters, SecurityPolicies.

Validation for BackendTrafficPolicies is complete.

Validation for Backends, HTTPRouteFilters, and SecurityPolicies will come next,
along with test coverage.

A generic resource replicator has been created to replicate resources from
upstream control planes into the downstream control plane, while transforming
namespace names. In addition to the Envoy Gateway types now supported, there's
default support to replicate ConfigMaps and Secrets which are labeled
appropriately.

Additional work is required to replicate downstream resource status into
upstream resources. This will come in after validation and validation test
suites are complete.
Add support for Envoy Gateway APIs: Backends, BackendTrafficPolicies, HTTPRouteFilters, SecurityPolicies.
…d SecurityPolicies.

The next set of changes will add validation options to BackendTrafficPolicies,
and wire validation options in from the service configuration.

In the future, many of these limits may be influenced by quotas.
…JSON marshaling implementation, leverage defaulter-gen instead of direct defaulting functions.
…urce replicator.

Each GVK can have a status transformer to rewrite fields such as namespaces
or controller names. In addition, a handler can be registered to rewrite
condition messages for specific condition types and reasons.

This code was largely written with support by the gpt-5-codex model. I
have reviewed both the reconciler and test suite to ensure it meets
expectations.
Validation for Backends, BackendTrafficPolicies, HTTPRouteFilters, and SecurityPolicies.
Sync downstream resource status to upstream resources in gateway resource replicator.
…pdate downstream RBAC with necessary access for the operator.
Add new ProtectedResource entries for Envoy Gateway API Extensions
Move the webhook kustomization to be a Component so it can be included via Flux Kustomizations.
…nd not via a helm chart, required for use in Flux Kustomization.
…lease-artifact

Install Gateway API and Envoy Gateway API CRDs via direct manifests
…gement

Allow management of secrets in the downstream control plane.
Prefix cluster names obtained from UserInfo.Extra with a slash.
This suite expects to run against two control planes,
which can be the same ones used for e2e tests.

Run with:

make test-conformance GATEWAY_CONFORMANCE_CLASS=network-services-operator-datum-external-global-proxy

Other changes include:

- Configuration option to allow Service backends for conformance testing.
- Changing the label selector used by the Gateway resource replicator to "networking.datumapis.com/gateway-sync" for both ConfigMaps and Secrets.
- Upgraded controller-runtime dep to align with otel dep upgrade from Envoy Gateway dep.
- Allow HTTPRouteFilter to be used as ExtensionRef filters in rules.
Joshua Reese and others added 8 commits October 2, 2025 10:26
Gateway API conformance suite implementation.
…way API.

Considering BackendTLSPolicy is moving from v1alpha3 to v1 in the v1.4.0
release of the Gateway API, we'll expose that version for users to
integrate with. The v1alpha3 version is also available to use, and
will auto upgrade to v1. There are currently no structural changes between
the v1alpha3 and v1 versions of the CRD.

The operator will configure downstream BackendTLSPolicies with v1alpha3,
until Envoy Gateway is updated to support v1.

The only restriction added to BackendTLSPolicies is that they must target
Backend resources only.

The generic resource replication controller has been configured to replicate
BackendTLSPolicies between the upstream and downstream clusters, with a
tweak to update the upstream resource's status using the v1 version of
the CRD.
Support v1 BackendTLSPolicies from the v1.4.0-rc2 release of the Gateway API.
Add ProtectedResource for BackendTLSPolicies, update gateway admin and viewer roles with necessary permissions.
Forgot to add the BackendTLSPolicy ProtectedResource to the kustomization.
scotwells
scotwells previously approved these changes Oct 3, 2025
…way APIs are installed. The Makefile was changed to not deploy envoy-gateway to the standard cluster during prepare-e2e, which results in this need.
…eady before GatewayClass resource is created.
@joshlreese
joshlreese merged commit f434906 into main Oct 3, 2025
10 checks passed
@joshlreese
joshlreese deleted the integration/proxy-updates branch October 3, 2025 19:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants