fix: mcp route to gateway cross namespace reference (#1489)

**Description**
Previously when MCPRoute being reconciled, the controller assumed that
all the parentRefs are local, which was a bug for cross-namespace use
cases. This fixes the bug which existed in the syncGateawy function of
MCPRoute controller.

**Related Issues / PRs**

Fixes #1483

---------

Signed-off-by: Hritik003 <[email protected]>

Author: Hritik003

internal/controller/mcp_route.go

@@ -432,7 +432,11 @@ func (c *MCPRouteController) newPerBackendRefHTTPRoute(ctx context.Context, dst
 // syncGateways synchronizes the gateways referenced by the MCPRoute by sending events to the gateway controller.
 func (c *MCPRouteController) syncGateways(ctx context.Context, mcpRoute *aigv1a1.MCPRoute) error {
 	for _, p := range mcpRoute.Spec.ParentRefs {
-		c.syncGateway(ctx, mcpRoute.Namespace, string(p.Name))
+		gwNamespace := mcpRoute.Namespace
+		if p.Namespace != nil {
+			gwNamespace = string(*p.Namespace)
+		}
+		c.syncGateway(ctx, gwNamespace, string(p.Name))
 	}
 	return nil
 }

internal/controller/mcp_route_test.go

@@ -372,3 +372,44 @@ func TestMCPRouteController_ensureMCPBackendRefHTTPFilter(t *testing.T) {
 	require.NoError(t, err)
 	require.Nil(t, httpFilter.Spec.CredentialInjection)
 }
+
+func TestMCPRouteController_syncGateways_NamespaceCrossReference(t *testing.T) {
+	c := requireNewFakeClientWithIndexesForMCP(t)
+	eventCh := internaltesting.NewControllerEventChan[*gwapiv1.Gateway]()
+
+	gateway1 := &gwapiv1.Gateway{
+		ObjectMeta: metav1.ObjectMeta{Name: "gateway1", Namespace: "default"},
+	}
+	gateway2 := &gwapiv1.Gateway{
+		ObjectMeta: metav1.ObjectMeta{Name: "gateway2", Namespace: "other-ns"},
+	}
+
+	err := c.Create(t.Context(), gateway1)
+	require.NoError(t, err)
+	err = c.Create(t.Context(), gateway2)
+	require.NoError(t, err)
+
+	ctrlr := NewMCPRouteController(c, fakekube.NewClientset(), logr.Discard(), eventCh.Ch)
+
+	mcpRoute := &aigv1a1.MCPRoute{
+		ObjectMeta: metav1.ObjectMeta{Name: "test-route", Namespace: "default"},
+		Spec: aigv1a1.MCPRouteSpec{
+			ParentRefs: []gwapiv1.ParentReference{
+				{Name: gwapiv1.ObjectName("gateway1"), Namespace: ptr.To(gwapiv1.Namespace("default"))},
+				{Name: gwapiv1.ObjectName("gateway2"), Namespace: ptr.To(gwapiv1.Namespace("other-ns"))},
+			},
+		},
+	}
+	err = ctrlr.syncGateways(t.Context(), mcpRoute)
+	require.NoError(t, err)
+
+	// Verify that events were sent for both gateways.
+	// We should receive 2 events (one for each parent reference).
+	gateways := eventCh.RequireItemsEventually(t, 2)
+	require.Len(t, gateways, 2)
+
+	require.Equal(t, "gateway1", gateways[0].Name)
+	require.Equal(t, "default", gateways[0].Namespace)
+	require.Equal(t, "gateway2", gateways[1].Name)
+	require.Equal(t, "other-ns", gateways[1].Namespace)
+}

tests/e2e/cross_namespace_test.go

@@ -7,9 +7,11 @@ package e2e
 
 import (
 	"context"
+	"fmt"
 	"testing"
 	"time"
 
+	"github.com/modelcontextprotocol/go-sdk/mcp"
 	"github.com/openai/openai-go"
 	"github.com/openai/openai-go/option"
 	"github.com/stretchr/testify/require"
@@ -69,3 +71,37 @@ func TestCrossNamespace(t *testing.T) {
 		}, 40*time.Second, 3*time.Second)
 	})
 }
+
+// TestCrossNamespaceMCPRoute tests MCPRoute with cross-namespace references.
+// This test validates that:
+//  1. A Gateway in one namespace (mcp-gw) can be referenced by an MCPRoute in another namespace (mcp-tenant)
+func TestCrossNamespaceMCPRoute(t *testing.T) {
+	const manifest = "testdata/cross_namespace_mcproute.yaml"
+	require.NoError(t, e2elib.KubectlApplyManifest(t.Context(), manifest))
+	t.Cleanup(func() {
+		_ = e2elib.KubectlDeleteManifest(context.Background(), manifest)
+	})
+
+	const egSelector = "gateway.envoyproxy.io/owning-gateway-name=mcp-gateway"
+	e2elib.RequireWaitForGatewayPodReady(t, egSelector)
+	fwd := e2elib.RequireNewHTTPPortForwarder(t, e2elib.EnvoyGatewayNamespace, egSelector, e2elib.EnvoyGatewayDefaultServicePort)
+	defer fwd.Kill()
+	client := mcp.NewClient(&mcp.Implementation{Name: "demo-http-client", Version: "0.1.0"}, nil)
+
+	require.Eventually(t, func() bool {
+		ctx, cancel := context.WithTimeout(t.Context(), 10*time.Second)
+		defer cancel()
+		var err error
+		sess, err := client.Connect(
+			ctx,
+			&mcp.StreamableClientTransport{
+				Endpoint: fmt.Sprintf("%s/mcp/cross-ns", fwd.Address()),
+			}, nil)
+		if err != nil {
+			t.Logf("failed to connect to MCP server: %v", err)
+			return false
+		}
+		defer sess.Close()
+		return true
+	}, 40*time.Second, 3*time.Second, "failed to connect to MCP server")
+}

tests/e2e/testdata/cross_namespace_mcproute.yaml

@@ -0,0 +1,108 @@
+# Copyright Envoy AI Gateway Authors
+# SPDX-License-Identifier: Apache-2.0
+# The full text of the Apache license is available in the LICENSE file at
+# the root of the repo.
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: mcp-tenant
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: mcp-gw
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+  name: mcp-gateway-class
+spec:
+  controllerName: gateway.envoyproxy.io/gatewayclass-controller
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: mcp-gateway
+  namespace: mcp-gw
+spec:
+  gatewayClassName: mcp-gateway-class
+  listeners:
+    - name: http
+      protocol: HTTP
+      port: 80
+      allowedRoutes:
+        namespaces:
+          from: All
+  infrastructure:
+    parametersRef:
+      group: gateway.envoyproxy.io
+      kind: EnvoyProxy
+      name: mcp-envoyproxy
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: EnvoyProxy
+metadata:
+  name: mcp-envoyproxy
+  namespace: mcp-gw
+spec:
+  provider:
+    type: Kubernetes
+    kubernetes:
+      envoyDeployment:
+        container:
+          resources: {}
+---
+# This is the ONLY MCPRoute in this test to avoid side effects from reconciliation of other routes.
+apiVersion: aigateway.envoyproxy.io/v1alpha1
+kind: MCPRoute
+metadata:
+  name: mcp-tenant-route
+  namespace: mcp-tenant
+spec:
+  path: "/mcp/cross-ns"
+  parentRefs:
+    - name: mcp-gateway
+      kind: Gateway
+      group: gateway.networking.k8s.io
+      namespace: mcp-gw
+  backendRefs:
+    - name: mcp-backend-tenant
+      namespace: mcp-tenant
+      port: 1063
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mcp-backend-tenant
+  namespace: mcp-tenant
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mcp-backend-tenant
+  template:
+    metadata:
+      labels:
+        app: mcp-backend-tenant
+    spec:
+      containers:
+        - name: mcp-backend-tenant
+          image: docker.io/envoyproxy/ai-gateway-testmcpserver:latest
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 1063
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: mcp-backend-tenant
+  namespace: mcp-tenant
+spec:
+  selector:
+    app: mcp-backend-tenant
+  ports:
+    - protocol: TCP
+      port: 1063
+      targetPort: 1063
+  type: ClusterIP