add gateway configuration

Author: Diaphteiros

Taskfile.yaml

@@ -48,14 +48,7 @@ tasks:
           runCommand:
           - platformservice
           - run
-          extraVolumes:
-          - name: webhooks-tls
-            secret:
-              defaultMode: 420
-              secretName: project-workspace-operator-webhooks-tls
-          extraVolumeMounts:
-          - mountPath: /tmp/k8s-webhook-server/serving-certs
-            name: webhooks-tls
-            readOnly: true
+          webhook:
+            enabled: true
         EOF
       silent: true

cmd/project-workspace-operator/app/app.go

@@ -1,15 +1,20 @@
 package app
 
 import (
+	"context"
 	"fmt"
 	"os"
 
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/spf13/cobra"
 
 	"github.com/openmcp-project/controller-utils/pkg/clusters"
 	"github.com/openmcp-project/controller-utils/pkg/logging"
+	openmcpconst "github.com/openmcp-project/openmcp-operator/api/constants"
 )
 
 func NewPlatformServiceProjectWorkspaceCommand() *cobra.Command {
@@ -80,3 +85,39 @@ func (o *SharedOptions) Complete() error {
 
 	return nil
 }
+
+func resolveWebhookPort(ctx context.Context, platformClusterClient client.Client, targetPort intstr.IntOrString) (int, error) {
+	log := logging.FromContextOrDiscard(ctx)
+	webhookPort := targetPort.IntValue()
+	if webhookPort == 0 {
+		// this should only have happened if the user configured a named port
+		portName := targetPort.StrVal
+		if portName == "" {
+			return 0, fmt.Errorf("invalid webhook target port configuration: %v", targetPort)
+		}
+		log.Info("Resolving webhook port from named port", "portName", portName)
+		pod := &corev1.Pod{}
+		pod.Name = os.Getenv(openmcpconst.EnvVariablePodName)
+		pod.Namespace = os.Getenv(openmcpconst.EnvVariablePodNamespace)
+		if pod.Name == "" || pod.Namespace == "" {
+			return 0, fmt.Errorf("environment variables %s and %s must be set to resolve webhook port from named port", openmcpconst.EnvVariablePodName, openmcpconst.EnvVariablePodNamespace)
+		}
+		if err := platformClusterClient.Get(ctx, client.ObjectKey{Name: pod.Name, Namespace: pod.Namespace}, pod); err != nil {
+			return 0, fmt.Errorf("unable to get pod '%s/%s' to resolve webhook port from named port: %w", pod.Namespace, pod.Name, err)
+		}
+		namedPorts := pod.Spec.Containers[0].Ports
+		found := false
+		for _, p := range namedPorts {
+			if p.Name == portName {
+				webhookPort = int(p.ContainerPort)
+				found = true
+				log.Info("Resolved webhook port from named port", "portName", portName, "port", webhookPort)
+				break
+			}
+		}
+		if !found {
+			return 0, fmt.Errorf("unable to find named port '%s' in pod '%s/%s' to resolve webhook port", portName, pod.Namespace, pod.Name)
+		}
+	}
+	return webhookPort, nil
+}

cmd/project-workspace-operator/app/init.go

@@ -9,6 +9,7 @@ import (
 	"github.com/spf13/cobra"
 	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	ctrlutils "github.com/openmcp-project/controller-utils/pkg/controller"
@@ -17,11 +18,13 @@ import (
 	clustersv1alpha1 "github.com/openmcp-project/openmcp-operator/api/clusters/v1alpha1"
 	openmcpconst "github.com/openmcp-project/openmcp-operator/api/constants"
 	"github.com/openmcp-project/openmcp-operator/lib/clusteraccess"
+	libutils "github.com/openmcp-project/openmcp-operator/lib/utils"
 
 	pwv1alpha1 "github.com/openmcp-project/project-workspace-operator/api/core/v1alpha1"
 	"github.com/openmcp-project/project-workspace-operator/api/crds"
 	providerscheme "github.com/openmcp-project/project-workspace-operator/api/install"
 	"github.com/openmcp-project/project-workspace-operator/internal/controller/core"
+	"github.com/openmcp-project/project-workspace-operator/internal/dns"
 )
 
 func NewInitCommand(so *SharedOptions) *cobra.Command {
@@ -140,8 +143,70 @@ func (o *InitOptions) Run(ctx context.Context) error {
 
 	suffix := "-webhook"
 	whServiceName := ctrlutils.ShortenToXCharactersUnsafe(o.ProviderName, ctrlutils.K8sMaxNameLength-len(suffix)) + suffix
-	suffix = "-webhook-tls"
-	whSecretName := ctrlutils.ShortenToXCharactersUnsafe(o.ProviderName, ctrlutils.K8sMaxNameLength-len(suffix)) + suffix
+	whSecretName, err := libutils.WebhookSecretName(o.ProviderName)
+	if err != nil {
+		return fmt.Errorf("unable to determine webhook secret name: %w", err)
+	}
+
+	webhookPort, err := resolveWebhookPort(ctx, o.PlatformCluster.Client(), *pwc.Spec.Webhook.TargetPort)
+	if err != nil {
+		return err
+	}
+
+	// setup gateway for webhooks
+	dnsInstance := &dns.Instance{
+		Name:            whServiceName,
+		Namespace:       providerSystemNamespace,
+		SubDomainPrefix: "pwo-webhooks",
+		BackendName:     whServiceName,
+		BackendPort:     int32(webhookPort),
+	}
+	dnsReconciler := dns.NewReconciler()
+	timeout := 3 * time.Minute
+	log.Info("Verifying default Gateway is available", "timeout", timeout.String())
+	waitCtx, cancelCtx := context.WithTimeout(ctx, timeout)
+	defer cancelCtx()
+	var gatewayResult dns.GatewayReconcileResult
+	err = wait.PollUntilContextTimeout(waitCtx, 10*time.Second, timeout, true, func(ctx context.Context) (bool, error) {
+		gatewayResult, err = dnsReconciler.ReconcileGateway(ctx, dnsInstance, o.PlatformCluster)
+		if err != nil {
+			log.Error(err, "Error reconciling Gateway, retrying...")
+			return false, nil
+		}
+		if gatewayResult.RequeueAfter > 0 {
+			log.Debug("Default Gateway is not yet available, retrying...")
+			return false, nil
+		}
+		return true, nil
+	})
+	if err != nil {
+		return fmt.Errorf("default Gateway did not become available within %s: %w", timeout.String(), err)
+	}
+	log.Info("Default Gateway is available", "hostName", gatewayResult.HostName)
+
+	log.Info("Waiting for TLS route to become ready", "timeout", timeout.String())
+	waitCtx, cancelCtx = context.WithTimeout(ctx, timeout)
+	defer cancelCtx()
+	err = wait.PollUntilContextTimeout(waitCtx, 10*time.Second, timeout, true, func(ctx context.Context) (bool, error) {
+		if err := dnsReconciler.ReconcileTLSRoute(ctx, dnsInstance, o.PlatformCluster); err != nil {
+			log.Error(err, "Error reconciling TLS route, retrying...")
+			return false, nil
+		}
+		tlsReady, err := dnsReconciler.IsTLSRouteReady(ctx, dnsInstance, o.PlatformCluster)
+		if err != nil {
+			log.Error(err, "Error checking TLS route readiness, retrying...")
+			return false, nil
+		}
+		if !tlsReady {
+			log.Debug("TLS route is not yet ready, retrying...")
+			return false, nil
+		}
+		return true, nil
+	})
+	if err != nil {
+		return fmt.Errorf("TLS route did not become ready within %s: %w", timeout.String(), err)
+	}
+	log.Info("TLS route is ready")
 
 	opts := []webhooks.InstallOption{
 		webhooks.WithWebhookService{Name: whServiceName, Namespace: providerSystemNamespace},

cmd/project-workspace-operator/app/run.go

@@ -10,7 +10,6 @@ import (
 
 	"github.com/spf13/cobra"
 
-	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -310,36 +309,9 @@ func (o *RunOptions) Run(ctx context.Context) error {
 		}
 	}
 
-	webhookPort := pwc.Spec.Webhook.TargetPort.IntValue()
-	if webhookPort == 0 {
-		// this should only have happened if the user configured a named port
-		portName := pwc.Spec.Webhook.TargetPort.StrVal
-		if portName == "" {
-			return fmt.Errorf("invalid webhook target port configuration: %v", pwc.Spec.Webhook.TargetPort)
-		}
-		setupLog.Info("Resolving webhook port from named port", "portName", portName)
-		pod := &corev1.Pod{}
-		pod.Name = os.Getenv(openmcpconst.EnvVariablePodName)
-		pod.Namespace = os.Getenv(openmcpconst.EnvVariablePodNamespace)
-		if pod.Name == "" || pod.Namespace == "" {
-			return fmt.Errorf("environment variables %s and %s must be set to resolve webhook port from named port", openmcpconst.EnvVariablePodName, openmcpconst.EnvVariablePodNamespace)
-		}
-		if err := o.PlatformCluster.Client().Get(ctx, client.ObjectKey{Name: pod.Name, Namespace: pod.Namespace}, pod); err != nil {
-			return fmt.Errorf("unable to get pod '%s/%s' to resolve webhook port from named port: %w", pod.Namespace, pod.Name, err)
-		}
-		namedPorts := pod.Spec.Containers[0].Ports
-		found := false
-		for _, p := range namedPorts {
-			if p.Name == portName {
-				webhookPort = int(p.ContainerPort)
-				found = true
-				setupLog.Info("Resolved webhook port from named port", "portName", portName, "port", webhookPort)
-				break
-			}
-		}
-		if !found {
-			return fmt.Errorf("unable to find named port '%s' in pod '%s/%s' to resolve webhook port", portName, pod.Namespace, pod.Name)
-		}
+	webhookPort, err := resolveWebhookPort(ctx, o.PlatformCluster.Client(), *pwc.Spec.Webhook.TargetPort)
+	if err != nil {
+		return err
 	}
 
 	webhookServer := webhook.NewServer(webhook.Options{

go.mod

@@ -34,22 +34,22 @@ require (
 	github.com/x448/float16 v0.8.4 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect
-	go.opentelemetry.io/otel v1.35.0 // indirect
+	go.opentelemetry.io/otel v1.37.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 // indirect
-	go.opentelemetry.io/otel/metric v1.35.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.34.0 // indirect
-	go.opentelemetry.io/otel/trace v1.35.0 // indirect
+	go.opentelemetry.io/otel/metric v1.37.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.37.0 // indirect
+	go.opentelemetry.io/otel/trace v1.37.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
 	go.uber.org/automaxprocs v1.6.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/exp v0.0.0-20251002181428-27f1f14c8bb9 // indirect
 	golang.org/x/mod v0.28.0 // indirect
 	golang.org/x/sync v0.17.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/grpc v1.72.1 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250707201910-8d1bb00bc6a7 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250826171959-ef028d996bc1 // indirect
+	google.golang.org/grpc v1.75.1 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	k8s.io/apiserver v0.34.1 // indirect
 	k8s.io/component-base v0.34.1 // indirect
@@ -110,6 +110,7 @@ require (
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20250814151709-d7b6acb124c3 // indirect
 	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
+	sigs.k8s.io/gateway-api v1.4.0
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/yaml v1.6.0
 )

go.sum

@@ -177,20 +177,20 @@ go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJyS
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 h1:yd02MEjBdJkG3uabWP9apV+OuWRIXGDuJEUJbOHmCFU=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0/go.mod h1:umTcuxiv1n/s/S6/c2AT/g2CQ7u5C59sHDNmfSwgz7Q=
-go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
-go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/otel v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ=
+go.opentelemetry.io/otel v1.37.0/go.mod h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 h1:OeNbIYk/2C15ckl7glBlOBp5+WlYsOElzTNmiPW/x60=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0/go.mod h1:7Bept48yIeqxP2OZ9/AqIpYS94h2or0aB4FypJTc8ZM=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 h1:tgJ0uaNS4c98WRNUEx5U3aDlrDOI5Rs+1Vifcw4DJ8U=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0/go.mod h1:U7HYyW0zt/a9x5J1Kjs+r1f/d4ZHnYFclhYY2+YbeoE=
-go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
-go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
-go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
-go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
-go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
-go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
-go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
-go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
+go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE=
+go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E=
+go.opentelemetry.io/otel/sdk v1.37.0 h1:ItB0QUqnjesGRvNcmAcU0LyvkVyGJ2xftD29bWdDvKI=
+go.opentelemetry.io/otel/sdk v1.37.0/go.mod h1:VredYzxUvuo2q3WRcDnKDjbdvmO0sCzOvVAiY+yUkAg=
+go.opentelemetry.io/otel/sdk/metric v1.37.0 h1:90lI228XrB9jCMuSdA0673aubgRobVZFhbjxHHspCPc=
+go.opentelemetry.io/otel/sdk/metric v1.37.0/go.mod h1:cNen4ZWfiD37l5NhS+Keb5RXVWZWpRE+9WyVCpbo5ps=
+go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4=
+go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0=
 go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
 go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
 go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
@@ -252,12 +252,14 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw=
 gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
-google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb h1:p31xT4yrYrSM/G4Sn2+TNUkVhFCbG9y8itM2S6Th950=
-google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:jbe3Bkdp+Dh2IrslsFCklNhweNTBgSYanP1UXhJDhKg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb h1:TLPQVbx1GJ8VKZxz52VAxl1EBgKXXbTiU9Fc5fZeLn4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
-google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
-google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
+gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
+google.golang.org/genproto/googleapis/api v0.0.0-20250707201910-8d1bb00bc6a7 h1:FiusG7LWj+4byqhbvmB+Q93B/mOxJLN2DTozDuZm4EU=
+google.golang.org/genproto/googleapis/api v0.0.0-20250707201910-8d1bb00bc6a7/go.mod h1:kXqgZtrWaf6qS3jZOCnCH7WYfrvFjkC51bM8fz3RsCA=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250826171959-ef028d996bc1 h1:pmJpJEvT846VzausCQ5d7KreSROcDqmO388w5YbnltA=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250826171959-ef028d996bc1/go.mod h1:GmFNa4BdJZ2a8G+wCe9Bg3wwThLrJun751XstdJt5Og=
+google.golang.org/grpc v1.75.1 h1:/ODCNEuf9VghjgO3rqLcfg8fiOP0nSluljWFlDxELLI=
+google.golang.org/grpc v1.75.1/go.mod h1:JtPAzKiq4v1xcAB2hydNlWI2RnF85XXcV0mhKXr2ecQ=
 google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
 google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -294,6 +296,8 @@ sigs.k8s.io/controller-runtime v0.22.3 h1:I7mfqz/a/WdmDCEnXmSPm8/b/yRTy6JsKKENTi
 sigs.k8s.io/controller-runtime v0.22.3/go.mod h1:+QX1XUpTXN4mLoblf4tqr5CQcyHPAki2HLXqQMY6vh8=
 sigs.k8s.io/e2e-framework v0.6.0 h1:p7hFzHnLKO7eNsWGI2AbC1Mo2IYxidg49BiT4njxkrM=
 sigs.k8s.io/e2e-framework v0.6.0/go.mod h1:IREnCHnKgRCioLRmNi0hxSJ1kJ+aAdjEKK/gokcZu4k=
+sigs.k8s.io/gateway-api v1.4.0 h1:ZwlNM6zOHq0h3WUX2gfByPs2yAEsy/EenYJB78jpQfQ=
+sigs.k8s.io/gateway-api v1.4.0/go.mod h1:AR5RSqciWP98OPckEjOjh2XJhAe2Na4LHyXD2FUY7Qk=
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=