gateway-api: fix supported route kind validation

internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-group.out.yaml

@@ -19,6 +19,7 @@ gateways:
     status:
       listeners:
         - name: http
+          supportedKinds: []
           attachedRoutes: 0
           conditions:
             - type: ResolvedRefs

internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind-and-supported.in.yaml

@@ -0,0 +1,37 @@
+gateways:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    metadata:
+      namespace: envoy-gateway
+      name: gateway-1
+    spec:
+      gatewayClassName: envoy-gateway-class
+      listeners:
+        - name: http
+          protocol: HTTP
+          port: 80
+          allowedRoutes:
+            namespaces:
+              from: All
+            kinds:
+              - group: gateway.networking.k8s.io
+                kind: FooRoute
+              - group:
+                kind: HTTPRoute
+httpRoutes:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: HTTPRoute
+    metadata:
+      namespace: default
+      name: httproute-1
+    spec:
+      parentRefs:
+        - namespace: envoy-gateway
+          name: gateway-1
+      rules:
+        - matches:
+            - path:
+                value: "/"
+          backendRefs:
+            - name: service-1
+              port: 8080

internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind-and-supported.out.yaml

@@ -0,0 +1,76 @@
+gateways:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: Gateway
+    metadata:
+      namespace: envoy-gateway
+      name: gateway-1
+    spec:
+      gatewayClassName: envoy-gateway-class
+      listeners:
+        - name: http
+          protocol: HTTP
+          port: 80
+          allowedRoutes:
+            namespaces:
+              from: All
+            kinds:
+              - group: gateway.networking.k8s.io
+                kind: FooRoute
+              - group: 
+                kind: HTTPRoute
+    status:
+      listeners:
+        - name: http
+          attachedRoutes: 0
+          supportedKinds:
+            - kind: HTTPRoute
+          conditions:
+            - type: ResolvedRefs
+              status: "False"
+              reason: InvalidRouteKinds
+              message: "FooRoute is not supported, kind must be HTTPRoute"
+            - type: Programmed
+              status: "False"
+              reason: Invalid
+              message: Listener is invalid, see other Conditions for details.
+httpRoutes:
+  - apiVersion: gateway.networking.k8s.io/v1beta1
+    kind: HTTPRoute
+    metadata:
+      namespace: default
+      name: httproute-1
+    spec:
+      parentRefs:
+        - namespace: envoy-gateway
+          name: gateway-1
+      rules:
+        - matches:
+            - path:
+                value: "/"
+          backendRefs:
+            - name: service-1
+              port: 8080
+    status:
+      parents:
+        - parentRef:
+            namespace: envoy-gateway
+            name: gateway-1
+          controllerName: gateway.envoyproxy.io/gatewayclass-controller
+          conditions:
+            - type: Accepted
+              status: "False"
+              reason: NoReadyListeners
+              message: There are no ready listeners for this parent ref
+xdsIR:
+  envoy-gateway-gateway-1: {}
+infraIR:
+  envoy-gateway-gateway-1:
+    proxy:
+      metadata:
+        labels:
+          gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
+          gateway.envoyproxy.io/owning-gateway-name: gateway-1
+      name: envoy-gateway-gateway-1
+      image: envoyproxy/envoy:translator-tests
+      listeners:
+        - address: ""

internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-routes-kind.out.yaml

@@ -20,11 +20,12 @@ gateways:
       listeners:
         - name: http
           attachedRoutes: 0
+          supportedKinds: []
           conditions:
             - type: ResolvedRefs
               status: "False"
               reason: InvalidRouteKinds
-              message: "Kind is not supported, kind must be HTTPRoute"
+              message: "FooRoute is not supported, kind must be HTTPRoute"
             - type: Programmed
               status: "False"
               reason: Invalid

internal/gatewayapi/testdata/gateway-with-listener-with-invalid-allowed-tls-route-kind.out.yaml

@@ -23,11 +23,12 @@ gateways:
       listeners:
         - name: tls
           attachedRoutes: 0
+          supportedKinds: []
           conditions:
             - type: ResolvedRefs
               status: "False"
               reason: InvalidRouteKinds
-              message: "Kind is not supported, kind must be TLSRoute"
+              message: "HTTPRoute is not supported, kind must be TLSRoute"
             - type: Programmed
               status: "False"
               reason: Invalid

internal/gatewayapi/validate.go

@@ -392,30 +392,38 @@ func (t *Translator) validateHostName(listener *ListenerContext) {
 func (t *Translator) validateAllowedRoutes(listener *ListenerContext, routeKind v1beta1.Kind) {
 	if listener.AllowedRoutes == nil || len(listener.AllowedRoutes.Kinds) == 0 {
 		listener.SetSupportedKinds(v1beta1.RouteGroupKind{Group: GroupPtr(v1beta1.GroupName), Kind: routeKind})
-	} else {
-		for _, kind := range listener.AllowedRoutes.Kinds {
-			if kind.Group != nil && string(*kind.Group) != v1beta1.GroupName {
-				listener.SetCondition(
-					v1beta1.ListenerConditionResolvedRefs,
-					metav1.ConditionFalse,
-					v1beta1.ListenerReasonInvalidRouteKinds,
-					fmt.Sprintf("Group is not supported, group must be %s", v1beta1.GroupName),
-				)
-				continue
-			}
+		return
+	}
 
-			if kind.Kind != routeKind {
-				listener.SetCondition(
-					v1beta1.ListenerConditionResolvedRefs,
-					metav1.ConditionFalse,
-					v1beta1.ListenerReasonInvalidRouteKinds,
-					fmt.Sprintf("Kind is not supported, kind must be %s", routeKind),
-				)
-				continue
-			}
-			listener.SetSupportedKinds(kind)
+	supportedKinds := make([]v1beta1.RouteGroupKind, 0, len(listener.AllowedRoutes.Kinds))
+
+	for _, kind := range listener.AllowedRoutes.Kinds {
+
+		// if there is a group it must match `gateway.networking.k8s.io`
+		if kind.Group != nil && string(*kind.Group) != v1beta1.GroupName {
+			listener.SetCondition(
+				v1beta1.ListenerConditionResolvedRefs,
+				metav1.ConditionFalse,
+				v1beta1.ListenerReasonInvalidRouteKinds,
+				fmt.Sprintf("Group is not supported, group must be %s", v1beta1.GroupName),
+			)
+			continue
+		}
+
+		if kind.Kind != routeKind {
+			listener.SetCondition(
+				v1beta1.ListenerConditionResolvedRefs,
+				metav1.ConditionFalse,
+				v1beta1.ListenerReasonInvalidRouteKinds,
+				fmt.Sprintf("%s is not supported, kind must be %s", kind.Kind, routeKind),
+			)
+			continue
 		}
+
+		supportedKinds = append(supportedKinds, kind)
 	}
+
+	listener.SetSupportedKinds(supportedKinds...)
 }
 
 type portListeners struct {

test/conformance/conformance_test.go

@@ -80,6 +80,7 @@ func TestGatewayAPIConformance(t *testing.T) {
 		tests.GatewaySecretMissingReferenceGrant,
 		tests.GatewaySecretInvalidReferenceGrant,
 		tests.GatewayInvalidTLSConfiguration,
+		tests.GatewayInvalidRouteKind,
 		tests.HTTPRouteReferenceGrant,
 		tests.HTTPRoutePartiallyInvalidViaInvalidReferenceGrant,
 	}