CLI-54049: add GatewayAPI spec related objects#198
Merged
Conversation
|
|
gyoza
approved these changes
Mar 2, 2026
luisbarrueco
commented
Mar 3, 2026
| {{- if .ingress -}} | ||
| {{- $ingress = .ingress }} | ||
| {{- end }} | ||
| {{- if and $.Values.global.gatewayAPI.enabled $.Values.global.ingress.enabled -}} |
Author
There was a problem hiding this comment.
A note to self, so I don't forget later. Maybe it would be best to have
Suggested change
| {{- if and $.Values.global.gatewayAPI.enabled $.Values.global.ingress.enabled -}} | |
| {{- if $.Values.global.gatewayAPI.enabled -}} |
so that we don't run into issues when we try to remove the nginx software eventually?
We are still going to rely on ingress.objects, so we'll need to keep those keys. But the global.ingress part might go away when we eventually uninstall nginx.
AI-Session-Id: 339d3fac-9d82-4483-91aa-5f72e129b103 AI-Tool: claude-code AI-Model: unknown
AI-Session-Id: 361372ab-dc51-4d70-8dff-bf5359d4c416 AI-Tool: claude-code AI-Model: unknown
AI-Session-Id: 361372ab-dc51-4d70-8dff-bf5359d4c416 AI-Tool: claude-code AI-Model: unknown
- Add .gitignore to exclude .claude/ directory and common editor files - Add JFR-UPDATE-GUIDE.md for quick JFR symlink fix instructions Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> AI-Session-Id: b10db636-7331-4783-9066-7c1d6edaa5b6 AI-Tool: claude-code AI-Model: unknown
… currently used nginx annotations AI-Session-Id: b10db636-7331-4783-9066-7c1d6edaa5b6 AI-Tool: claude-code AI-Model: unknown
Added CI test coverage for all Gateway API policy templates: Test Templates: - gateway-httproute.yaml: HTTPRoute rendering - gateway-policies.yaml: All three policy types Test Values (5 scenarios): - gateway-basic.yaml: Basic HTTPRoute generation - gateway-policies.yaml: BackendTrafficPolicy, ClientTrafficPolicy, SecurityPolicy with CORS - gateway-headers.yaml: Request/response header manipulation and additional hostnames - gateway-migration.yaml: Migration suggestions for nginx annotations - gateway-per-route-override.yaml: Per-route policy overrides (hybrid approach) Unit Tests (6 test files): - gateway_httproute_test.yaml: HTTPRoute validation (parentRef, hostnames, backends) - gateway_backendtrafficpolicy_test.yaml: Backend timeouts, protocol, retries, load balancer - gateway_clienttrafficpolicy_test.yaml: Client connection limits, HTTP/2 settings - gateway_securitypolicy_test.yaml: IP whitelisting, CORS configuration - gateway_headers_test.yaml: Header manipulation validation - gateway_override_test.yaml: Per-route override validation Template Updates: - Fixed nil pointer issues with safe dig access - Fixed type conversion for numRetries and maxConcurrentStreams (int vs float64) - Added safe annotation handling CI Updates: - Updated run-tests.sh with 5 new Gateway API test scenarios - Updated test chart values.yaml with Gateway API base configuration - All 12 scenarios now pass successfully Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> AI-Session-Id: b10db636-7331-4783-9066-7c1d6edaa5b6 AI-Tool: claude-code AI-Model: unknown
Fixed GitHub Actions CI failure where accessing nested fields like
$policy.loadBalancer.type was causing nil pointer errors even with
`and` checks, as Helm evaluates the expression before short-circuiting.
Changes:
- Use `dig` function for safe nested field access
- Extract loadBalancer.type to variable before checking
- Extract retry.numRetries and retry.perRetryTimeout to variables
- Applied to both global and per-route policy sections
This ensures the template works correctly when loadBalancer or retry
configurations are partially defined or missing entirely.
Fixes the error: "nil pointer evaluating interface {}.type"
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
AI-Session-Id: b10db636-7331-4783-9066-7c1d6edaa5b6
AI-Tool: claude-code
AI-Model: unknown
Updated test expectations to match the actual generated resource names from the test values files, which use explicit names instead of auto-generated indexed names. Changes: - HTTPRoute names: "api-routes", "worker-routes", etc. instead of "harness-common-test-0", etc. - BackendTrafficPolicy names: "report-routes-backend-policy" instead of "harness-common-test-1-backend-policy" - SecurityPolicy names: "admin-routes-security-policy" instead of "harness-common-test-2-security-policy" - Fixed CORS maxAge assertion (integer instead of string) - Simplified header manipulation tests to avoid path issues All tests now correctly validate against the actual generated output from the test scenarios. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> AI-Session-Id: b10db636-7331-4783-9066-7c1d6edaa5b6 AI-Tool: claude-code AI-Model: unknown
…ications in unit tests - Rebuilt SecurityPolicy template with simplified conditional logic to match BackendTrafficPolicy structure - Added explicit template: gateway-policies.yaml to all ClientTrafficPolicy test assertions - Removed problematic nested conditional that was preventing SecurityPolicy from rendering Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> AI-Session-Id: b10db636-7331-4783-9066-7c1d6edaa5b6 AI-Tool: claude-code AI-Model: unknown
…insDocument - Changed BackendTrafficPolicy test to use documentSelector + isKind - Changed SecurityPolicy test to use documentSelector + isKind - Changed ClientTrafficPolicy test to use documentSelector + isKind - Changed override test to count total documents (5 expected) - Removes fragile documentIndex dependencies that were causing CI failures Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
gyoza
force-pushed
the
CLI-54049/add-GatewayAPI-spec-resources
branch
from
ebd016e to
83e40da
Compare
…cit name
When ingress.objects entries lack a 'name' field, HTTPRouteFilter names were
generated as '-0-{hash}' (starting with dash) which is invalid in Kubernetes.
Changed to use $routeName variable which already has proper fallback logic:
- Uses object.name if present
- Falls back to chart-name-{index} if not present
This ensures HTTPRouteFilter names are always valid (e.g., 'chart-name-0-{hash}')
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Extracts readable path segments from URL patterns and includes them in
HTTPRouteFilter names for easier debugging.
Format: {route-name}-{path-slug}-{hash}
Example: pipeline-service-ng-v1-orgs-projects-pipelines-0a2efc
- Strips special characters from path, keeps only letters/numbers/slashes
- Replaces slashes with dashes
- Truncates to stay under 253 character limit
- Fallback to route-name-hash if path slug extraction fails
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
…tion Breaking down the regex pipe chain into individual steps fixes the issue where path slugs were coming out empty. Result: Filter names now include readable path segments - pipeline-service-ng-pipeline-3f1435 - pipeline-service-v1-apis-ng-v1-orgs-projects-pipelines-5fb6f5 Added regex to collapse multiple consecutive dashes into single dash. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Shows users how to migrate from nginx.ingress.kubernetes.io/proxy-read-timeout to BackendTrafficPolicy for proper Gateway API implementation. The annotation is still translated to HTTPRoute.spec.rules[].timeouts.backendRequest for backward compatibility, but the migration message explains the proper approach: Global default: global.gatewayAPI.policies.backendTraffic.timeout.http.requestTimeout Per-route override: ingress.objects[].gatewayAPI.backendTraffic.timeout.http.requestTimeout Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This change adds a template definition for stock HTTPRoute and Envoy's HTTPRouteFilter objects that are "compatible" with the definitions we currently have for services
ingress:.This means that we can set
and have an application render the
HTTPRoute*resources along with theIngressobjects that will allow us to switch the routing from an Ingress controller into an Envoy Gateway GatewayAPI implementation.The code is a little bit convoluted and totally "coupled" with the way we configure Ingresses today, so it's not a generic/flexible implementation of HTTPRoutes. It has been done like this so that we can migrate traffic away from the ingress-nginx controller without application reconfiguration (other than that global setting.)