feat: Add ReferenceGrant support for HTTPRoute #149
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit introduces functionality to handle the ReferenceGrant resource in the Gateway API. It updates the Gateway controller logic, adds necessary permissions in RBAC manifests, and integrates condition handling for cross-namespace references. Additionally, skipped conformance tests related to ReferenceGrants are reinstated.
This commit introduces support for Gateway API ReferenceGrant CRD, enabling cross-namespace references for HTTPRoutes. It refactors backend reference handling to validate Service references and check ReferenceGrants. Also includes minor code cleanups, added cluster role permissions for ReferenceGrants, and adjustments to e2e manifests.
…nce-grant-for-route
…reference-grant-for-route # Conflicts: # test/conformance/conformance_test.go
Reorganized and simplified the predicate logic for ReferenceGrant handling across gateway and HTTPRoute controllers. Consolidated duplicate code into reusable functions, reducing redundancy and improving maintainability. This centralization ensures consistent behavior and clearer code structure.
…nce-grant-for-route # Conflicts: # internal/controller/gateway_controller.go # internal/controller/utils.go # test/conformance/conformance_test.go
… cross-namespace checks
Contributor
conformance test reportapiVersion: gateway.networking.k8s.io/v1
date: "2025-05-21T10:49:13Z"
gatewayAPIChannel: standard
gatewayAPIVersion: v1.2.0
implementation:
contact: null
organization: APISIX
project: apisix-ingress-controller
url: https://github.com/apache/apisix-ingress-controller.git
version: v2.0.0
kind: ConformanceReport
mode: default
profiles:
- core:
result: partial
skippedTests:
- HTTPRouteHTTPSListener
statistics:
Failed: 0
Passed: 32
Skipped: 1
name: GATEWAY-HTTP
summary: Core tests partially succeeded with 1 test skips. |
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR adds a feature to detect and enable cross-namespace ReferenceGrant support, refactors reference grant checks and condition handling, and updates controllers to watch ReferenceGrant events.
- Introduce a global
enableReferenceGrantflag and detect theReferenceGrantCRD inmanager/run.go - Refactor utilities to unify reference grant logic (
checkReferenceGrant, predicates) and simplify condition construction - Update both HTTPRoute and Gateway controllers to watch and reconcile based on
ReferenceGrantchanges - Remove skipped conformance tests for traditional routes, replacing the skip list with a TODO
Reviewed Changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| test/conformance/conformance_test.go | Cleared out skipped tests list for traditional routes |
| internal/manager/run.go | Added ReferenceGrant CRD detection and SetEnableReferenceGrant |
| internal/controller/utils.go | Refactored SetRouteConditionResolvedRefs, added grant predicates |
| internal/controller/httproute_controller.go | Wired in cross-namespace grant checks and new predicates |
| internal/controller/gateway_controller.go | Replaced custom predicates with shared grant predicate logic |
Comments suppressed due to low confidence (5)
test/conformance/conformance_test.go:27
- With all traditional route skips removed, add or update test cases to cover the new cross-namespace
ReferenceGrantbehaviors or adjust the skip list to reflect expected conformance changes.
var skippedTestsForTraditionalRoutes []string // TODO: HTTPRoute hostname intersection and listener hostname matching
internal/controller/utils.go:16
- The import
"cmp"has no path and will fail to compile. Please replace it with the correct module path (e.g.,"github.com/google/go-cmp/cmp"or appropriate Go 1.21 import).
"cmp"
internal/controller/utils.go:961
- The code uses
slices.Containsbut theslicespackage is not imported. Addimport "slices"(Go 1.21) or the appropriate module path.
return slices.Contains(reasons, Reason(re.Reason))
internal/controller/utils.go:273
- When
erris not aReasonError, the condition’s Reason remains the defaultResolvedRefs, which may misrepresent the actual failure. Consider setting a generic reason or mapping other error types to an appropriate Reason.
if errors.As(err, &re) {
internal/manager/run.go:187
- [nitpick] Mixing
setupLogandloggerfor logging here may be confusing. UsesetupLog.Errorconsistently for controller startup logs.
logger.Error(err, "CRD ReferenceGrants is not installed")
12 tasks
dspo
changed the title
ronething
reviewed
May 21, 2025
test/conformance/conformance_test.go
Outdated
|
|
||
| // TODO: HTTPRoute hostname intersection and listener hostname matching | ||
| } | ||
| var skippedTestsForTraditionalRoutes []string // TODO: HTTPRoute hostname intersection and listener hostname matching |
Contributor
There was a problem hiding this comment.
we can remove this line?
ronething
reviewed
May 21, 2025
internal/manager/run.go
Outdated
| Resource: "referencegrants", | ||
| }) | ||
| if err != nil { | ||
| logger.Error(err, "CRD ReferenceGrants is not installed") |
Contributor
There was a problem hiding this comment.
Not need to print logs, or should it not be error-level logs?
AlinsRan
reviewed
May 21, 2025
| Watches(&v1alpha1.GatewayProxy{}, | ||
| handler.EnqueueRequestsFromMapFunc(r.listHTTPRoutesForGatewayProxy), | ||
| ). | ||
| Watches(&v1beta1.ReferenceGrant{}, |
Contributor
There was a problem hiding this comment.
Do we allow not installing RefereGrant?
If not installed, an error will occur here.
Contributor
Author
There was a problem hiding this comment.
Yes, it is allowed to not install ReferenceGrant and an error will occur here if not installed ReferenceGrant.
Let me fix it.
AlinsRan
approved these changes
May 21, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Type of change:
What this PR does / why we need it:
feat: Add ReferenceGrant support for HTTPRoute
Pre-submission checklist: