feat(gateway): configure DNS records for Gateway API resources

Add Gateway reconciler, route DNS sub-reconcilers, GC, and Gateway API
scheme registration. Include controller-runtime and Gateway status mocks,
gateway-related golangci config, and shared controller metrics constants.

Author: wenyingd

cmd/main.go

@@ -23,10 +23,12 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
+	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
 
 	"github.com/vmware-tanzu/nsx-operator/pkg/apis/legacy/v1alpha1"
 	crdv1alpha1 "github.com/vmware-tanzu/nsx-operator/pkg/apis/vpc/v1alpha1"
 	"github.com/vmware-tanzu/nsx-operator/pkg/config"
+	"github.com/vmware-tanzu/nsx-operator/pkg/controllers/gateway"
 	"github.com/vmware-tanzu/nsx-operator/pkg/controllers/inventory"
 	"github.com/vmware-tanzu/nsx-operator/pkg/controllers/ipaddressallocation"
 	namespacecontroller "github.com/vmware-tanzu/nsx-operator/pkg/controllers/namespace"
@@ -83,6 +85,7 @@ func init() {
 	utilruntime.Must(crdv1alpha1.AddToScheme(scheme))
 	utilruntime.Must(v1alpha1.AddToScheme(scheme))
 	utilruntime.Must(vmv1alpha1.AddToScheme(scheme))
+	utilruntime.Must(gatewayv1.Install(scheme))
 	config.AddFlags()
 
 	cf, err = config.NewNSXOperatorConfigFromFile()
@@ -248,6 +251,7 @@ func startServiceController(mgr manager.Manager, nsxClient *nsx.Client) {
 			pod.NewPodReconciler(mgr, subnetPortService, subnetService, vpcService, nodeService),
 			networkpolicycontroller.NewNetworkPolicyReconciler(mgr, commonService, vpcService),
 			service.NewServiceLbReconciler(mgr, commonService, dnsRecordService),
+			gateway.NewGatewayReconciler(mgr, dnsRecordService),
 			subnetbindingcontroller.NewReconciler(mgr, subnetService, subnetBindingService),
 			subnetipreservationcontroller.NewReconciler(mgr, subnetIPReservationService, subnetService),
 		)

pkg/controllers/common/types.go

@@ -25,6 +25,7 @@ const (
 	MetricResTypeNode                       = "node"
 	MetricResTypeServiceLb                  = "servicelb"
 	MetricResTypeStatefulSet                = "statefulset"
+	MetricResTypeGateway                    = "gateway"
 	MaxConcurrentReconciles                 = 8
 	NSXOperatorError                        = "nsx-op/error"
 	//sync the error with NCP side
@@ -35,6 +36,9 @@ const (
 
 	LabelK8sMasterRole  = "node-role.kubernetes.io/master"
 	LabelK8sControlRole = "node-role.kubernetes.io/control-plane"
+
+	ManagedK8sGatewayClassIstio = "istio"
+	ManagedK8sGatewayClassAviLB = "avi-lb"
 )
 
 var (

pkg/controllers/gateway/dns_owner_endpoints.go

@@ -0,0 +1,104 @@
+/* Copyright © 2026 Broadcom, Inc. All Rights Reserved.
+   SPDX-License-Identifier: Apache-2.0 */
+
+package gateway
+
+import (
+	"strings"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
+
+	servicecommon "github.com/vmware-tanzu/nsx-operator/pkg/nsx/services/common"
+	"github.com/vmware-tanzu/nsx-operator/pkg/nsx/services/dns"
+	extdns "github.com/vmware-tanzu/nsx-operator/pkg/third_party/externaldns/endpoint"
+	extdnssrc "github.com/vmware-tanzu/nsx-operator/pkg/third_party/externaldns/source"
+)
+
+// Route DNS: hostnames + ipCache → extdns.Endpoint; Gateway annotation DNS → owner-scoped batches (no ListenerSet annotation DNS).
+func (r *GatewayReconciler) buildEndpointsFromAnnotations(obj client.Object, targets extdns.Targets, owner *dns.ResourceRef, gwNN types.NamespacedName) (*dns.AggregatedDNSEndpoints, map[string]string, error) {
+	parseHostnamesFromAnnotation := func(rawAnno map[string]string) []string {
+		if rawAnno == nil {
+			return nil
+		}
+		hostnames := rawAnno[servicecommon.AnnotationDNSHostnameKey]
+		if strings.TrimSpace(hostnames) == "" {
+			return nil
+		}
+		anno := map[string]string{
+			servicecommon.AnnotationDNSHostnameSourceKey: extdnssrc.GatewayHostnameSourceAnnotationOnly,
+			servicecommon.AnnotationDNSHostnameKey:       hostnames,
+		}
+		hosts := extdnssrc.RouteHostnames(&metav1.ObjectMeta{Annotations: anno}, nil,
+			servicecommon.AnnotationDNSHostnameSourceKey, servicecommon.AnnotationDNSHostnameKey, false)
+		return hosts
+	}
+
+	hosts := parseHostnamesFromAnnotation(obj.GetAnnotations())
+	if len(hosts) == 0 {
+		return nil, nil, nil
+	}
+	var eps []*extdns.Endpoint
+	buildEndpoints(&eps, hosts, targets, gwNN.String())
+	if len(eps) == 0 {
+		return nil, nil, nil
+	}
+	endpointRows, allowed, err := r.DNS.ValidateEndpointsByZone(obj.GetNamespace(), owner, eps)
+	if err != nil {
+		return nil, allowed, err
+	}
+	return dns.NewOwnerScopedAggregatedRouteDNS(owner, endpointRows), allowed, nil
+}
+
+type parentGatewayMatch struct {
+	nn     types.NamespacedName
+	filter string
+	ips    extdns.Targets
+}
+
+func mergeTargetsUnion(a, b extdns.Targets) extdns.Targets {
+	return extdns.NewTargets(append(append([]string(nil), a...), b...)...)
+}
+
+// buildRouteDNSMergedEndpoints builds owner-scoped Route DNS rows (Gateway or ListenerSet→root Gateway, same rules as aggregation).
+func (a routeReconcilerAdapter[PT, T]) buildRouteDNSMergedEndpoints(route PT) (*dns.AggregatedDNSEndpoints, map[string]string, error) {
+	owner := route.GetResourceRef()
+	eps, allowed, err := a.reconciler.buildRouteDNSEndpointsForAggregation(route.GetNamespace(), owner, route.GetParentRefs(), route.GetRouteParentStatus(), route.GetObjectMeta(), route.GetSpecHostnames())
+	if err != nil || len(eps) == 0 {
+		return nil, allowed, err
+	}
+	return dns.NewOwnerScopedAggregatedRouteDNS(owner, eps), allowed, nil
+}
+
+// buildEndpoints appends extdns endpoints per hostname; sets EndpointLabelParentGateway to gatewayLabel (comma-separated if merged).
+func buildEndpoints(out *[]*extdns.Endpoint, hostnames []string, targets extdns.Targets, parentGatewayLabel string) {
+	ttl := extdns.TTL(0)
+	for _, h := range hostnames {
+		if h == "" {
+			continue
+		}
+		for _, ep := range extdns.EndpointsForHostname(h, targets, ttl) {
+			if ep == nil {
+				continue
+			}
+			if parentGatewayLabel != "" {
+				ep.WithLabel(dns.EndpointLabelParentGateway, parentGatewayLabel)
+			}
+			*out = append(*out, ep)
+		}
+	}
+}
+
+// collectGatewayEndpointsByAnnotation builds Gateway owner DNS from hostname annotation + targets.
+func (r *GatewayReconciler) collectGatewayEndpointsByAnnotation(gw *gatewayv1.Gateway, targets extdns.Targets) (*dns.AggregatedDNSEndpoints, map[string]string, error) {
+	owner := &dns.ResourceRef{Kind: dns.ResourceKindGateway, Object: gw.GetObjectMeta()}
+	gwNN := types.NamespacedName{Namespace: gw.Namespace, Name: gw.Name}
+	out, allowed, err := r.buildEndpointsFromAnnotations(gw, targets, owner, gwNN)
+	if err != nil {
+		log.Error(err, "Failed to build DNS Endpoints for Gateway annotations", "Gateway", gwNN.String())
+		return nil, allowed, err
+	}
+	return out, allowed, nil
+}