Merge pull request #2438 from MAIF/feature/k8s-gateway-api

Experimental support for k8s gateway api

Author: mathieuancelin

.gitignore

@@ -31,4 +31,5 @@ otoroshi/javascript/stats.json
 .scala-build
 *.iml
 CLAUDE.md
-_doc-research
+_doc-research
+gateway-api-conformance-suite

kubernetes/helm/otoroshi/crds/crds-gateway.yaml

@@ -0,0 +1,28 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: plugins.proxy.otoroshi.io
+spec:
+  group: proxy.otoroshi.io
+  names:
+    kind: Plugin
+    plural: plugins
+    singular: plugin
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    served: false
+    storage: false
+    deprecated: true
+    schema:
+      openAPIV3Schema:
+        x-kubernetes-preserve-unknown-fields: true
+        type: object
+  - name: v1
+    served: true
+    storage: true
+    deprecated: false
+    schema:
+      openAPIV3Schema:
+        x-kubernetes-preserve-unknown-fields: true
+        type: object

kubernetes/helm/otoroshi/crds/crds.yaml

@@ -707,4 +707,32 @@ spec:
       openAPIV3Schema:
         x-kubernetes-preserve-unknown-fields: true
         type: "object"
-
+---
+apiVersion: "apiextensions.k8s.io/v1"
+kind: "CustomResourceDefinition"
+metadata:
+  name: "plugins.proxy.otoroshi.io"
+spec:
+  group: "proxy.otoroshi.io"
+  names:
+    kind: "Plugin"
+    plural: "plugins"
+    singular: "plugin"
+  scope: "Namespaced"
+  versions:
+  - name: "v1alpha1"
+    served: false
+    storage: false
+    deprecated: true
+    schema:
+      openAPIV3Schema:
+        x-kubernetes-preserve-unknown-fields: true
+        type: "object"
+  - name: "v1"
+    served: true
+    storage: true
+    deprecated: false
+    schema:
+      openAPIV3Schema:
+        x-kubernetes-preserve-unknown-fields: true
+        type: "object"

kubernetes/helm/otoroshi/templates/rbac-gateway.yaml

@@ -0,0 +1,38 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: otoroshi-admin-user
+rules:
+  # Core resources (existing Otoroshi needs)
+  - apiGroups: [""]
+    resources: [services, endpoints, secrets, configmaps, namespaces, pods]
+    verbs: [get, list, watch]
+  - apiGroups: ["apps"]
+    resources: [deployments]
+    verbs: [get, list, watch]
+  # EndpointSlices for pod-level target resolution
+  - apiGroups: [discovery.k8s.io]
+    resources: [endpointslices]
+    verbs: [get, list, watch]
+  - apiGroups: [""]
+    resources: [secrets, configmaps]
+    verbs: [update, create, delete]
+  # Ingress
+  - apiGroups: [extensions, networking.k8s.io]
+    resources: [ingresses, ingressclasses]
+    verbs: [get, list, watch]
+  - apiGroups: [extensions, networking.k8s.io]
+    resources: [ingresses/status]
+    verbs: [update]
+  # Otoroshi CRDs
+  - apiGroups: [proxy.otoroshi.io]
+    resources: ["*"]
+    verbs: [get, list, watch]
+  # Gateway API — read resources
+  - apiGroups: [gateway.networking.k8s.io]
+    resources: [gatewayclasses, gateways, httproutes, grpcroutes, referencegrants, backendtlspolicies]
+    verbs: [get, list, watch]
+  # Gateway API — update status subresources
+  - apiGroups: [gateway.networking.k8s.io]
+    resources: [gatewayclasses/status, gateways/status, httproutes/status, grpcroutes/status]
+    verbs: [get, update, patch]

kubernetes/helm/otoroshi/templates/rbac.yaml

@@ -56,6 +56,14 @@ rules:
       - get
       - list
       - watch
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - get
+      - list
+      - watch
   - apiGroups:
       - ""
     resources:
@@ -68,6 +76,7 @@ rules:
       - delete
   - apiGroups:
       - extensions
+      - networking.k8s.io
     resources:
       - ingresses
       - ingressclasses
@@ -77,6 +86,7 @@ rules:
       - watch
   - apiGroups:
       - extensions
+      - networking.k8s.io
     resources:
       - ingresses/status
     verbs:

kubernetes/kustomize/base/crds-gateway.yaml

@@ -0,0 +1,20 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: plugins.proxy.otoroshi.io
+spec:
+  group: proxy.otoroshi.io
+  names:
+    kind: Plugin
+    plural: plugins
+    singular: plugin
+  scope: Namespaced
+  versions:
+  - name: v1
+    served: true
+    storage: true
+    deprecated: false
+    schema:
+      openAPIV3Schema:
+        x-kubernetes-preserve-unknown-fields: true
+        type: object

kubernetes/kustomize/base/crds.yaml

@@ -699,6 +699,35 @@ spec:
     singular: "simple-admin-user"
   scope: "Namespaced"
   versions:
+  - name: "v1"
+    served: true
+    storage: true
+    deprecated: false
+    schema:
+      openAPIV3Schema:
+        x-kubernetes-preserve-unknown-fields: true
+        type: "object"
+---
+apiVersion: "apiextensions.k8s.io/v1"
+kind: "CustomResourceDefinition"
+metadata:
+  name: "plugins.proxy.otoroshi.io"
+spec:
+  group: "proxy.otoroshi.io"
+  names:
+    kind: "Plugin"
+    plural: "plugins"
+    singular: "plugin"
+  scope: "Namespaced"
+  versions:
+  - name: "v1alpha1"
+    served: false
+    storage: false
+    deprecated: true
+    schema:
+      openAPIV3Schema:
+        x-kubernetes-preserve-unknown-fields: true
+        type: "object"
   - name: "v1"
     served: true
     storage: true

kubernetes/kustomize/base/rbac-gateway.yaml

@@ -0,0 +1,38 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: otoroshi-admin-user
+rules:
+  # Core resources (existing Otoroshi needs)
+  - apiGroups: [""]
+    resources: [services, endpoints, secrets, configmaps, namespaces, pods]
+    verbs: [get, list, watch]
+  - apiGroups: ["apps"]
+    resources: [deployments]
+    verbs: [get, list, watch]
+  # EndpointSlices for pod-level target resolution
+  - apiGroups: [discovery.k8s.io]
+    resources: [endpointslices]
+    verbs: [get, list, watch]
+  - apiGroups: [""]
+    resources: [secrets, configmaps]
+    verbs: [update, create, delete]
+  # Ingress
+  - apiGroups: [extensions, networking.k8s.io]
+    resources: [ingresses, ingressclasses]
+    verbs: [get, list, watch]
+  - apiGroups: [extensions, networking.k8s.io]
+    resources: [ingresses/status]
+    verbs: [update]
+  # Otoroshi CRDs
+  - apiGroups: [proxy.otoroshi.io]
+    resources: ["*"]
+    verbs: [get, list, watch]
+  # Gateway API — read resources
+  - apiGroups: [gateway.networking.k8s.io]
+    resources: [gatewayclasses, gateways, httproutes, grpcroutes, referencegrants, backendtlspolicies]
+    verbs: [get, list, watch]
+  # Gateway API — update status subresources
+  - apiGroups: [gateway.networking.k8s.io]
+    resources: [gatewayclasses/status, gateways/status, httproutes/status, grpcroutes/status]
+    verbs: [get, update, patch]

kubernetes/kustomize/base/rbac.yaml

@@ -44,6 +44,14 @@ rules:
       - get
       - list
       - watch
+  - apiGroups:
+      - discovery.k8s.io
+    resources:
+      - endpointslices
+    verbs:
+      - get
+      - list
+      - watch
   - apiGroups:
       - ""
     resources:

manual/src/main/paradox/deploy/kubernetes.md

@@ -1353,8 +1353,103 @@ kind: ApiKey
 metadata:
   name: http-app-2-apikey-3
 spec:
-  exportSecret: true 
+  exportSecret: true
   secretName: secret-3
   daikokuToken: RShQrvINByiuieiaCBwIZfGFgdPu7tIJEN5gdV8N8YeH4RI9ErPYJzkuFyAkZ2xy
 ```
 
+## Kubernetes Gateway API
+
+Starting from version 17.13.0, Otoroshi supports the [Kubernetes Gateway API](https://gateway-api.sigs.k8s.io/) specification (v1.4). This is the standard Kubernetes API for managing ingress traffic, designed as the successor to the Ingress resource.
+
+With Gateway API support enabled, you can define `GatewayClass`, `Gateway`, `HTTPRoute`, and `GRPCRoute` resources in your cluster and Otoroshi will automatically convert them into native `NgRoute` entities. This allows you to use standard, portable Kubernetes manifests while benefiting from Otoroshi's full feature set. GRPCRoute backends are automatically called using HTTP/2.
+
+### Quick setup
+
+First, install the Gateway API CRDs on your cluster:
+
+```sh
+kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/standard-install.yaml
+```
+
+Make sure the Otoroshi ServiceAccount has RBAC permissions for Gateway API resources (`gatewayclasses`, `gateways`, `httproutes`, `grpcroutes`, `referencegrants`, `backendtlspolicies` and their status subresources).
+
+Then enable the Gateway API controller job in your Otoroshi deployment configuration:
+
+```json
+{
+  "config": {
+    "scripts": {
+      "enabled": true,
+      "jobRefs": [
+        "cp:otoroshi.plugins.jobs.kubernetes.KubernetesGatewayApiControllerJob"
+      ],
+      "jobConfig": {
+        "KubernetesConfig": {
+          "namespaces": ["*"],
+          "gatewayApi": true,
+          "gatewayApiControllerName": "otoroshi.io/gateway-controller",
+          "gatewayApiHttpListenerPort": 8080,
+          "gatewayApiHttpsListenerPort": 8443,
+          "gatewayApiSyncIntervalSeconds": 30
+        }
+      }
+    }
+  }
+}
+```
+
+Once configured, you can create Gateway API resources:
+
+```yaml
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+  name: otoroshi
+spec:
+  controllerName: otoroshi.io/gateway-controller
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: my-gateway
+  namespace: default
+spec:
+  gatewayClassName: otoroshi
+  listeners:
+  - name: http
+    protocol: HTTP
+    port: 8080
+    hostname: "*.my.domain"
+    allowedRoutes:
+      namespaces:
+        from: Same
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: my-route
+  namespace: default
+spec:
+  parentRefs:
+  - name: my-gateway
+    sectionName: http
+  hostnames:
+  - "api.my.domain"
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /
+    backendRefs:
+    - name: my-service
+      port: 80
+```
+
+Otoroshi will automatically create an `NgRoute` that forwards traffic for `api.my.domain` to `my-service:80`.
+
+@@@ note
+The Gateway API controller can run alongside the existing CRDs controller. Both share the same `KubernetesConfig` configuration block.
+@@@
+
+For the full documentation — including supported filters, configuration reference, current limitations, and troubleshooting — see @ref:[Kubernetes Gateway API support](../topics/kubernetes-gateway-api.md).