Add support for GatewayAPI's TLSRoute (#2118)

* Add support for GatewayAPI's TLSRoute

Signed-off-by: Andre Aguas <andre.aguas@protonmail.com>

* Local setup for TLSRoute + docs

Signed-off-by: Yury Tsarev <yury@upbound.io>

* Make resource as headers so table of contents picks it up

Signed-off-by: Yury Tsarev <yury@upbound.io>

* Prettify headers

Signed-off-by: Yury Tsarev <yury@upbound.io>

---------

Signed-off-by: Andre Aguas <andre.aguas@protonmail.com>
Signed-off-by: Yury Tsarev <yury@upbound.io>
Co-authored-by: Yury Tsarev <yury@upbound.io>

Author: abaguas

Makefile

@@ -286,6 +286,9 @@ deploy-test-apps: ## Deploy Podinfo (example app) and Apply Gslb Custom Resource
 	@echo -e "\n$(YELLOW)Deploy GSLB CR for Gateway API UDPRoute $(NC)"
 	$(call apply-cr,deploy/gslb/k8gb.absa.oss_v1beta1_gslb_cr_failover_gatewayapi_udproute.yaml)
 
+	@echo -e "\n$(YELLOW)Deploy GSLB CR for Gateway API TLSRoute $(NC)"
+	$(call apply-cr,deploy/gslb/k8gb.absa.oss_v1beta1_gslb_cr_failover_gatewayapi_tlsroute.yaml)
+
 	@echo -e "\n$(YELLOW)Deploy podinfo $(NC)"
 	kubectl apply -f deploy/test-apps
 	helm repo add podinfo https://stefanprodan.github.io/podinfo

controllers/refresolver/gatewayapitlsroute/adapter.go

@@ -0,0 +1,69 @@
+package gatewayapitlsroute
+
+/*
+Copyright 2021-2025 The k8gb Contributors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Generated by GoLic, for more details see: https://github.com/AbsaOSS/golic
+*/
+
+import (
+	"github.com/k8gb-io/k8gb/controllers/refresolver/gatewayapi"
+	gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+	gatewayapiv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+	gatewayapiv1alpha3 "sigs.k8s.io/gateway-api/apis/v1alpha3"
+)
+
+// TLSRouteAdapter adapts TLSRoute to the RouteAdapter interface
+type TLSRouteAdapter struct {
+	tlsRoute *gatewayapiv1alpha3.TLSRoute
+}
+
+// NewTLSRouteAdapter creates a new TLSRoute adapter
+func NewTLSRouteAdapter(tlsRoute *gatewayapiv1alpha3.TLSRoute) *TLSRouteAdapter {
+	return &TLSRouteAdapter{tlsRoute: tlsRoute}
+}
+
+func (a *TLSRouteAdapter) GetHostnames() ([]gatewayapiv1alpha3.Hostname, error) {
+	return a.tlsRoute.Spec.Hostnames, nil
+}
+
+func (a *TLSRouteAdapter) GetParentRefs() []gatewayapiv1.ParentReference {
+	return a.tlsRoute.Spec.ParentRefs
+}
+
+func (a *TLSRouteAdapter) GetRules() []gatewayapi.RouteRule {
+	rules := make([]gatewayapi.RouteRule, len(a.tlsRoute.Spec.Rules))
+	for i := range a.tlsRoute.Spec.Rules {
+		rules[i] = &TLSRouteRuleAdapter{rule: &a.tlsRoute.Spec.Rules[i]}
+	}
+	return rules
+}
+
+func (a *TLSRouteAdapter) GetName() string {
+	return a.tlsRoute.Name
+}
+
+func (a *TLSRouteAdapter) GetNamespace() string {
+	return a.tlsRoute.Namespace
+}
+
+// TLSRouteRuleAdapter adapts TLSRouteRule to the RouteRule interface
+type TLSRouteRuleAdapter struct {
+	rule *gatewayapiv1alpha2.TLSRouteRule
+}
+
+func (a *TLSRouteRuleAdapter) GetBackendRefs() []gatewayapiv1.BackendRef {
+	return a.rule.BackendRefs
+}

controllers/refresolver/gatewayapitlsroute/gatewayapitlsroute.go

@@ -0,0 +1,115 @@
+package gatewayapitlsroute
+
+/*
+Copyright 2021-2025 The k8gb Contributors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Generated by GoLic, for more details see: https://github.com/AbsaOSS/golic
+*/
+
+import (
+	"fmt"
+
+	context "context"
+
+	k8gbv1beta1 "github.com/k8gb-io/k8gb/api/v1beta1"
+	"github.com/k8gb-io/k8gb/controllers/logging"
+	"github.com/k8gb-io/k8gb/controllers/refresolver/gatewayapi"
+	"github.com/k8gb-io/k8gb/controllers/refresolver/queryopts"
+	"github.com/k8gb-io/k8gb/controllers/utils"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+	gatewayapiv1alpha3 "sigs.k8s.io/gateway-api/apis/v1alpha3"
+)
+
+var log = logging.Logger()
+
+type ReferenceResolver struct {
+	tlsRoute *TLSRouteAdapter
+	gateway  *gatewayapiv1.Gateway
+}
+
+// NewReferenceResolver creates a new reference resolver capable of understanding `networking.gateway.api/v1` resources
+func NewReferenceResolver(gslb *k8gbv1beta1.Gslb, k8sClient client.Client) (*ReferenceResolver, error) {
+	tlsRouteList, err := getGslbTLSRouteRef(gslb, k8sClient)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(tlsRouteList) != 1 {
+		return nil, fmt.Errorf("exactly 1 TLSRoute resource expected but %d were found", len(tlsRouteList))
+	}
+	tlsRoute := tlsRouteList[0]
+
+	tlsRouteAdapter := NewTLSRouteAdapter(&tlsRoute)
+	gateway, err := gatewayapi.GetGateway(tlsRouteAdapter, k8sClient)
+	if err != nil {
+		return nil, err
+	}
+
+	return &ReferenceResolver{
+		tlsRoute: tlsRouteAdapter,
+		gateway:  gateway,
+	}, nil
+}
+
+// getGslbTLSRouteRef resolves a Gateway API TLSRoute resource referenced by the Gslb spec
+func getGslbTLSRouteRef(gslb *k8gbv1beta1.Gslb, k8sClient client.Client) ([]gatewayapiv1alpha3.TLSRoute, error) {
+	query, err := queryopts.Get(gslb.Spec.ResourceRef, gslb.Namespace)
+	if err != nil {
+		return nil, err
+	}
+
+	switch query.Mode {
+	case queryopts.QueryModeGet:
+		var tlsRoute = gatewayapiv1alpha3.TLSRoute{}
+		err = k8sClient.Get(context.TODO(), *query.GetKey, &tlsRoute)
+		if err != nil {
+			if errors.IsNotFound(err) {
+				log.Info().
+					Str("gslb", gslb.Name).
+					Str("namespace", gslb.Namespace).
+					Msg("Can't find referenced TLSRoute resource")
+			}
+			return nil, err
+		}
+		return []gatewayapiv1alpha3.TLSRoute{tlsRoute}, nil
+
+	case queryopts.QueryModeList:
+		tlsrouteList := &gatewayapiv1alpha3.TLSRouteList{}
+		err = k8sClient.List(context.TODO(), tlsrouteList, query.ListOpts...)
+		if err != nil {
+			if errors.IsNotFound(err) {
+				log.Info().
+					Str("gslb", gslb.Name).
+					Str("namespace", gslb.Namespace).
+					Msg("Can't find referenced TLSRoute resource")
+			}
+			return nil, err
+		}
+		return tlsrouteList.Items, nil
+	}
+	return nil, fmt.Errorf("unknown query mode %v", query.Mode)
+}
+
+// GetServers retrieves the GSLB server configuration from the TLSRoute resource
+func (rr *ReferenceResolver) GetServers() ([]*k8gbv1beta1.Server, error) {
+	return gatewayapi.GetServersFromRoute(rr.tlsRoute)
+}
+
+// GetGslbExposedIPs retrieves the load balancer IP address of the GSLB
+func (rr *ReferenceResolver) GetGslbExposedIPs(gslbAnnotations map[string]string, parentZoneDNSServers utils.DNSList) ([]string, error) {
+	return gatewayapi.GetGslbExposedIPs(rr.gateway, gslbAnnotations, parentZoneDNSServers)
+}

controllers/refresolver/gatewayapitlsroute/gatewayapitlsroute_test.go

@@ -0,0 +1,125 @@
+package gatewayapitlsroute
+
+/*
+Copyright 2021-2025 The k8gb Contributors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Generated by GoLic, for more details see: https://github.com/AbsaOSS/golic
+*/
+
+import (
+	"testing"
+
+	k8gbv1beta1 "github.com/k8gb-io/k8gb/api/v1beta1"
+	"github.com/k8gb-io/k8gb/controllers/utils"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetServers(t *testing.T) {
+	var tests = []struct {
+		name            string
+		tlsRouteFile    string
+		expectedServers []*k8gbv1beta1.Server
+	}{
+		{
+			name:         "single hostname and backend; backend without namespace specified",
+			tlsRouteFile: "../testdata/gatewayapi_tlsroute.yaml",
+			expectedServers: []*k8gbv1beta1.Server{
+				{
+					Host: "gatewayapi-tlsroute.cloud.example.com",
+					Services: []*k8gbv1beta1.NamespacedName{
+						{
+							Name:      "gatewayapi-tlsroute-service",
+							Namespace: "test-gslb",
+						},
+					},
+				},
+			},
+		},
+		{
+			name:         "single hostname and backend; backend with namespace specified",
+			tlsRouteFile: "./testdata/gatewayapi_tlsroute_backend_with_namespace.yaml",
+			expectedServers: []*k8gbv1beta1.Server{
+				{
+					Host: "gatewayapi-tlsroute.cloud.example.com",
+					Services: []*k8gbv1beta1.NamespacedName{
+						{
+							Name:      "gatewayapi-tlsroute-service",
+							Namespace: "test-backend",
+						},
+					},
+				},
+			},
+		},
+		{
+			name:         "multiple hostnames",
+			tlsRouteFile: "./testdata/gatewayapi_tlsroute_multiple_hostnames.yaml",
+			expectedServers: []*k8gbv1beta1.Server{
+				{
+					Host: "gatewayapi-tlsroute1.cloud.example.com",
+					Services: []*k8gbv1beta1.NamespacedName{
+						{
+							Name:      "gatewayapi-tlsroute-service",
+							Namespace: "test-gslb",
+						},
+					},
+				},
+				{
+					Host: "gatewayapi-tlsroute2.cloud.example.com",
+					Services: []*k8gbv1beta1.NamespacedName{
+						{
+							Name:      "gatewayapi-tlsroute-service",
+							Namespace: "test-gslb",
+						},
+					},
+				},
+			},
+		},
+		{
+			name:         "multiple backendRefs",
+			tlsRouteFile: "./testdata/gatewayapi_tlsroute_multiple_backendrefs.yaml",
+			expectedServers: []*k8gbv1beta1.Server{
+				{
+					Host: "gatewayapi-tlsroute.cloud.example.com",
+					Services: []*k8gbv1beta1.NamespacedName{
+						{
+							Name:      "gatewayapi-tlsroute-service1",
+							Namespace: "test-gslb",
+						},
+						{
+							Name:      "gatewayapi-tlsroute-service2",
+							Namespace: "test-gslb",
+						},
+					},
+				},
+			},
+		},
+	}
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			// arrange
+			tlsRoute := utils.FileToGatewayApiTlsRoute(test.tlsRouteFile)
+			resolver := ReferenceResolver{
+				tlsRoute: NewTLSRouteAdapter(tlsRoute),
+			}
+
+			// act
+			servers, err := resolver.GetServers()
+			assert.NoError(t, err)
+
+			// assert
+			assert.Equal(t, test.expectedServers, servers)
+		})
+	}
+}

controllers/refresolver/gatewayapitlsroute/testdata/gatewayapi_tlsroute_backend_with_namespace.yaml

@@ -0,0 +1,15 @@
+apiVersion: gateway.networking.k8s.io/v1alpha3
+kind: TLSRoute
+metadata:
+  name: gatewayapi-tlsroute
+  namespace: test-gslb
+spec:
+  parentRefs:
+  - name: gatewayapi-gateway
+  hostnames:
+  - gatewayapi-tlsroute.cloud.example.com
+  rules:
+  - backendRefs:
+    - name: gatewayapi-tlsroute-service
+      namespace: test-backend
+      port: 8080

controllers/refresolver/gatewayapitlsroute/testdata/gatewayapi_tlsroute_multiple_backendrefs.yaml

@@ -0,0 +1,21 @@
+apiVersion: gateway.networking.k8s.io/v1alpha3
+kind: TLSRoute
+metadata:
+  name: gatewayapi-tlsroute
+  namespace: test-gslb
+spec:
+  parentRefs:
+  - name: gatewayapi-gateway
+  hostnames:
+  - gatewayapi-tlsroute.cloud.example.com
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        prefix: /debug
+    backendRefs:
+    - name: gatewayapi-tlsroute-service1
+      port: 8080
+  - backendRefs:
+    - name: gatewayapi-tlsroute-service2
+      port: 8080

controllers/refresolver/gatewayapitlsroute/testdata/gatewayapi_tlsroute_multiple_hostnames.yaml

@@ -0,0 +1,15 @@
+apiVersion: gateway.networking.k8s.io/v1alpha3
+kind: TLSRoute
+metadata:
+  name: gatewayapi-tlsroute
+  namespace: test-gslb
+spec:
+  parentRefs:
+  - name: gatewayapi-gateway
+  hostnames:
+  - gatewayapi-tlsroute1.cloud.example.com
+  - gatewayapi-tlsroute2.cloud.example.com
+  rules:
+  - backendRefs:
+    - name: gatewayapi-tlsroute-service
+      port: 8080

controllers/refresolver/refresolver.go

@@ -26,6 +26,7 @@ import (
 	"github.com/k8gb-io/k8gb/controllers/refresolver/gatewayapigrpcroute"
 	"github.com/k8gb-io/k8gb/controllers/refresolver/gatewayapihttproute"
 	"github.com/k8gb-io/k8gb/controllers/refresolver/gatewayapitcproute"
+	"github.com/k8gb-io/k8gb/controllers/refresolver/gatewayapitlsroute"
 	"github.com/k8gb-io/k8gb/controllers/refresolver/gatewayapiudproute"
 	"github.com/k8gb-io/k8gb/controllers/refresolver/ingress"
 	"github.com/k8gb-io/k8gb/controllers/refresolver/istiovirtualservice"
@@ -71,5 +72,8 @@ func New(gslb *k8gbv1beta1.Gslb, k8sClient client.Client) (GslbReferenceResolver
 	if gslb.Spec.ResourceRef.Kind == "UDPRoute" && gslb.Spec.ResourceRef.APIVersion == "gateway.networking.k8s.io/v1alpha2" {
 		return gatewayapiudproute.NewReferenceResolver(gslb, k8sClient)
 	}
+	if gslb.Spec.ResourceRef.Kind == "TLSRoute" && gslb.Spec.ResourceRef.APIVersion == "gateway.networking.k8s.io/v1alpha3" {
+		return gatewayapitlsroute.NewReferenceResolver(gslb, k8sClient)
+	}
 	return nil, fmt.Errorf("APIVersion:%s, Kind:%s not supported", gslb.Spec.ResourceRef.APIVersion, gslb.Spec.ResourceRef.Kind)
 }