project/gateway2: Adds GatewayClass SupportedVersion Condition

Previously, the gateway2 controller would unconditionally set the GatewayClass Accepted
condition to `True`. This PR updates the CRD watcher to trigger GatewayClass reconciliation.
The `ReconcileGatewayClasses()` method was updated to set GatewayClass status conditionas
based on the Gateway API spec.

Signed-off-by: Daneyon Hansen <[email protected]>

Author: danehans

changelog/v1.18.0-beta26/issue_10092.yaml

@@ -0,0 +1,9 @@
+changelog:
+  - type: NEW_FEATURE
+    issueLink: https://github.com/solo-io/gloo/issues/10092
+    resolvesIssue: true
+    description: >-
+      Adds support for the GatewayClass `SupportedVersion` status condition and updates the ReconcileGatewayClasses()
+      method to manage status conditions according to the Gateway API specification. The gateway controller will now
+      reconcile supported Gateway API CRDs and set the `SupportedVersion` status condition based on the value of the
+      `gateway.networking.k8s.io/bundle-version` annotation.

install/helm/gloo/templates/44-rbac.yaml

@@ -30,6 +30,11 @@ rules:
   resources:
   - endpointslices
   verbs: ["get", "list", "watch"]
+- apiGroups:
+  - "apiextensions.k8s.io"
+  resources:
+  - customresourcedefinitions
+  verbs: ["get", "list", "watch"]
 - apiGroups:
   - "gateway.solo.io"
   resources:

projects/controller/pkg/api/v1/kube/wellknown/types.go

@@ -3,13 +3,14 @@ package wellknown
 import (
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
+	apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 )
 
 var (
 	SecretGVK         = corev1.SchemeGroupVersion.WithKind("Secret")
 	ConfigMapGVK      = corev1.SchemeGroupVersion.WithKind("ConfigMap")
 	ServiceGVK        = corev1.SchemeGroupVersion.WithKind("Service")
 	ServiceAccountGVK = corev1.SchemeGroupVersion.WithKind("ServiceAccount")
-
-	DeploymentGVK = appsv1.SchemeGroupVersion.WithKind("Deployment")
+	CrdGVK            = apiextv1.SchemeGroupVersion.WithKind("CustomResourceDefinition")
+	DeploymentGVK     = appsv1.SchemeGroupVersion.WithKind("Deployment")
 )

projects/controller/pkg/servers/iosnapshot/history_test.go

@@ -13,6 +13,7 @@ import (
 	wellknownkube "github.com/solo-io/gloo/projects/controller/pkg/api/v1/kube/wellknown"
 
 	corev1 "k8s.io/api/core/v1"
+	apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 
 	skmatchers "github.com/solo-io/solo-kit/test/matchers"
 
@@ -186,6 +187,16 @@ var _ = Describe("History", func() {
 						"key": "value",
 					},
 				},
+				&apiextv1.CustomResourceDefinition{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "kube-crd",
+						Namespace: "crd",
+						ManagedFields: []metav1.ManagedFieldsEntry{{
+							Manager: "manager",
+						}},
+					},
+					Spec: apiextv1.CustomResourceDefinitionSpec{},
+				},
 				&apiv1.Gateway{
 					ObjectMeta: metav1.ObjectMeta{
 						Name:      "kube-gw",
@@ -420,6 +431,19 @@ var _ = Describe("History", func() {
 				), fmt.Sprintf("results should contain %v %s.%s", wellknownkube.ConfigMapGVK, "configmap", "kube-configmap"))
 			})
 
+			It("Includes CustomResourceDefinitions", func() {
+				returnedResources := getInputSnapshotObjects(ctx, history)
+				Expect(returnedResources).To(ContainElement(
+					matchers.MatchClientObject(
+						wellknownkube.CrdGVK,
+						types.NamespacedName{
+							Name:      "kube-crd",
+							Namespace: "crd",
+						},
+					),
+				), fmt.Sprintf("results should contain %v %s.%s", wellknownkube.CrdGVK, "crd", "kube-crd"))
+			})
+
 		})
 
 		Context("Kubernetes Gateway API Resources", func() {

projects/controller/pkg/servers/iosnapshot/resources.go

@@ -17,6 +17,10 @@ var (
 		wellknownkube.ConfigMapGVK,
 	}
 
+	KubernetesExtGVKs = []schema.GroupVersionKind{
+		wellknownkube.CrdGVK,
+	}
+
 	GlooGVKs = []schema.GroupVersionKind{
 		gloov1.SettingsGVK,
 		gloov1.UpstreamGVK,
@@ -68,5 +72,6 @@ var (
 		EdgeOnlyInputSnapshotGVKs,
 		KubernetesGatewayGVKs,
 		KubernetesGatewayIntegrationPolicyGVKs,
+		KubernetesExtGVKs,
 	)
 )

projects/gateway2/controller/controller.go

@@ -4,10 +4,12 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"strings"
 
 	corev1 "k8s.io/api/core/v1"
 	discoveryv1 "k8s.io/api/discovery/v1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	kerrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/fields"
@@ -25,10 +27,12 @@ import (
 	apiv1 "sigs.k8s.io/gateway-api/apis/v1"
 	apiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
 	apiv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
+	"sigs.k8s.io/gateway-api/pkg/consts"
 
 	gloov1 "github.com/solo-io/gloo/projects/controller/pkg/api/v1/kube/apis/gloo.solo.io/v1"
 	sologatewayv1 "github.com/solo-io/gloo/projects/gateway/pkg/api/v1/kube/apis/gateway.solo.io/v1"
 	"github.com/solo-io/gloo/projects/gateway2/api/v1alpha1"
+	"github.com/solo-io/gloo/projects/gateway2/crds"
 	"github.com/solo-io/gloo/projects/gateway2/deployer"
 	"github.com/solo-io/gloo/projects/gateway2/extensions"
 	"github.com/solo-io/gloo/projects/gateway2/query"
@@ -68,14 +72,15 @@ func NewBaseGatewayController(ctx context.Context, cfg GatewayConfig) error {
 	controllerBuilder := &controllerBuilder{
 		cfg: cfg,
 		reconciler: &controllerReconciler{
-			cli:    cfg.Mgr.GetClient(),
-			scheme: cfg.Mgr.GetScheme(),
-			kick:   cfg.Kick,
+			controllerName: cfg.ControllerName,
+			cli:            cfg.Mgr.GetClient(),
+			scheme:         cfg.Mgr.GetScheme(),
+			kick:           cfg.Kick,
 		},
 	}
 
 	return run(ctx,
-		controllerBuilder.watchCustomResourceDefinitions,
+		controllerBuilder.watchCRDs,
 		controllerBuilder.watchGwClass,
 		controllerBuilder.watchGw,
 		controllerBuilder.watchHttpRoute,
@@ -292,21 +297,24 @@ func (c *controllerBuilder) watchGwClass(_ context.Context) error {
 		Complete(reconcile.Func(c.reconciler.ReconcileGatewayClasses))
 }
 
-func (c *controllerBuilder) watchCustomResourceDefinitions(_ context.Context) error {
+// watchCustomResourceDefinitions sets up a controller to watch for changes to specific Gateway API
+// CRDs and triggers GatewayClass reconciliation if generation or annotations change.
+func (c *controllerBuilder) watchCRDs(_ context.Context) error {
 	return ctrl.NewControllerManagedBy(c.cfg.Mgr).
-		WithEventFilter(predicate.And(
+		For(&apiextv1.CustomResourceDefinition{}).
+		WithEventFilter(predicate.NewPredicateFuncs(func(object client.Object) bool {
+			crd, ok := object.(*apiextv1.CustomResourceDefinition)
+			if !ok {
+				return false
+			}
+			// Check if the CRD is one we care about
+			return c.cfg.CRDs.Has(crd.Name)
+		})).
+		WithEventFilter(predicate.Or(
+			predicate.AnnotationChangedPredicate{},
 			predicate.GenerationChangedPredicate{},
-			predicate.NewPredicateFuncs(func(object client.Object) bool {
-				crd, ok := object.(*apiextensionsv1.CustomResourceDefinition)
-				if !ok {
-					return false
-				}
-				// Check if the CRD is one we care about
-				return c.cfg.CRDs.Has(crd.Name)
-			}),
 		)).
-		For(&apiextensionsv1.CustomResourceDefinition{}).
-		Complete(reconcile.Func(c.reconciler.ReconcileCustomResourceDefinitions))
+		Complete(reconcile.Func(c.reconciler.ReconcileCRDs))
 }
 
 func (c *controllerBuilder) watchHttpRoute(_ context.Context) error {
@@ -412,9 +420,10 @@ func (c *controllerBuilder) watchSecrets(ctx context.Context) error {
 }
 
 type controllerReconciler struct {
-	cli    client.Client
-	scheme *runtime.Scheme
-	kick   func(ctx context.Context)
+	controllerName string
+	cli            client.Client
+	scheme         *runtime.Scheme
+	kick           func(ctx context.Context)
 }
 
 func (r *controllerReconciler) ReconcileHttpListenerOptions(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
@@ -491,12 +500,6 @@ func (r *controllerReconciler) ReconcileNamespaces(ctx context.Context, req ctrl
 	return ctrl.Result{}, nil
 }
 
-func (r *controllerReconciler) ReconcileCustomResourceDefinitions(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
-	// For now, simply trigger the main reconciliation loop
-	r.kick(ctx)
-	return ctrl.Result{}, nil
-}
-
 func (r *controllerReconciler) ReconcileHttpRoutes(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	// TODO: consider finding impacted gateways and queue them
 	// TODO: consider enabling this
@@ -525,8 +528,41 @@ func (r *controllerReconciler) ReconcileReferenceGrants(ctx context.Context, req
 	return ctrl.Result{}, nil
 }
 
+func (r *controllerReconciler) ReconcileCRDs(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	log := log.FromContext(ctx).WithValues("CustomResourceDefinition", req.Name)
+
+	log.Info("reconciling CustomResourceDefinition")
+
+	var gatewayClassList apiv1.GatewayClassList
+	if err := r.cli.List(ctx, &gatewayClassList); err != nil {
+		log.Error(err, "Failed to list GatewayClasses")
+		return ctrl.Result{}, err
+	}
+
+	for _, gatewayClass := range gatewayClassList.Items {
+		if gatewayClass.Spec.ControllerName == apiv1.GatewayController(r.controllerName) {
+			req := ctrl.Request{
+				NamespacedName: client.ObjectKey{
+					Name: gatewayClass.Name,
+				},
+			}
+
+			if _, err := r.ReconcileGatewayClasses(ctx, req); err != nil {
+				log.Error(err, "Failed to reconcile GatewayClass", "name", gatewayClass.Name)
+				return ctrl.Result{}, err
+			}
+		}
+	}
+
+	r.kick(ctx)
+
+	log.Info("Reconciled CustomResourceDefinition")
+
+	return ctrl.Result{}, nil
+}
+
 func (r *controllerReconciler) ReconcileGatewayClasses(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
-	log := log.FromContext(ctx).WithValues("gwclass", req.NamespacedName)
+	log := log.FromContext(ctx).WithValues("GatewayClass", req.Name)
 
 	gwclass := &apiv1.GatewayClass{}
 	if err := r.cli.Get(ctx, req.NamespacedName, gwclass); err != nil {
@@ -537,31 +573,74 @@ func (r *controllerReconciler) ReconcileGatewayClasses(ctx context.Context, req
 		return ctrl.Result{}, client.IgnoreNotFound(err)
 	}
 
-	log.Info("reconciling gateway class")
+	log.Info("Reconciling GatewayClass")
 
-	// mark it as accepted:
+	// Initialize the status conditions. No need to set LastTransitionTime since it's handled by SetStatusCondition.
+	msg := "Gateway API CRDs are a supported version"
 	acceptedCondition := metav1.Condition{
 		Type:               string(apiv1.GatewayClassConditionStatusAccepted),
 		Status:             metav1.ConditionTrue,
 		Reason:             string(apiv1.GatewayClassReasonAccepted),
+		Message:            msg,
 		ObservedGeneration: gwclass.Generation,
-		// no need to set LastTransitionTime, it will be set automatically by SetStatusCondition
 	}
-	meta.SetStatusCondition(&gwclass.Status.Conditions, acceptedCondition)
-
-	// TODO: This should actually check the version of the CRDs in the cluster to be 100% sure
-	supportedVersionCondition := metav1.Condition{
+	supportedCondition := metav1.Condition{
 		Type:               string(apiv1.GatewayClassConditionStatusSupportedVersion),
 		Status:             metav1.ConditionTrue,
-		ObservedGeneration: gwclass.Generation,
 		Reason:             string(apiv1.GatewayClassReasonSupportedVersion),
+		Message:            msg,
+		ObservedGeneration: gwclass.Generation,
+	}
+
+	// Check CRD versions
+	supported, err := r.checkCRDVersions(ctx)
+	if err != nil {
+		log.Error(err, "Failed to check CRD versions")
+		return ctrl.Result{}, err
+	}
+
+	if !supported {
+		// Update the values of status conditions
+		msg = fmt.Sprintf("Unsupported Gateway API CRDs detected. Supported versions are: %s",
+			strings.Join(wellknown.SupportedVersions, ", "))
+		acceptedCondition.Status = metav1.ConditionFalse
+		acceptedCondition.Reason = string(apiv1.GatewayClassReasonUnsupportedVersion)
+		acceptedCondition.Message = msg
+		supportedCondition.Status = metav1.ConditionFalse
+		supportedCondition.Reason = string(apiv1.GatewayClassReasonUnsupportedVersion)
+		supportedCondition.Message = msg
 	}
-	meta.SetStatusCondition(&gwclass.Status.Conditions, supportedVersionCondition)
+
+	// Set the status conditions
+	meta.SetStatusCondition(&gwclass.Status.Conditions, acceptedCondition)
+	meta.SetStatusCondition(&gwclass.Status.Conditions, supportedCondition)
 
 	if err := r.cli.Status().Update(ctx, gwclass); err != nil {
+		log.Error(err, "Failed to update GatewayClass status")
 		return ctrl.Result{}, err
 	}
-	log.Info("updated gateway class status")
+
+	log.Info("Reconciled GatewayClass")
 
 	return ctrl.Result{}, nil
 }
+
+// checkCRDVersions checks that the "gateway.networking.k8s.io/bundle-version" annotation key is set
+// to a supported version for each required Gateway API CRD.
+func (r *controllerReconciler) checkCRDVersions(ctx context.Context) (bool, error) {
+	for _, crdName := range crds.Required {
+		crd := &apiextv1.CustomResourceDefinition{}
+		if err := r.cli.Get(ctx, client.ObjectKey{Name: crdName}, crd); err != nil {
+			if kerrors.IsNotFound(err) {
+				return false, nil
+			}
+			return false, err
+		}
+
+		bundleVersion, exists := crd.Annotations[consts.BundleVersionAnnotation]
+		if !exists || !crds.IsSupportedVersion(bundleVersion) {
+			return false, nil
+		}
+	}
+	return true, nil
+}

projects/gateway2/crds/crds.go

@@ -2,7 +2,39 @@ package crds
 
 import (
 	_ "embed"
+
+	"k8s.io/apimachinery/pkg/util/sets"
+
+	"github.com/solo-io/gloo/projects/gateway2/wellknown"
+)
+
+const (
+	// GatewayClass is the name of the GatewayClass CRD.
+	GatewayClass = "gatewayclasses.gateway.networking.k8s.io"
+	// Gateway is the name of the Gateway CRD.
+	Gateway = "gateways.gateway.networking.k8s.io"
+	// HTTPRoute is the name of the HTTPRoute CRD.
+	HTTPRoute = "httproutes.gateway.networking.k8s.io"
+	// ReferenceGrant is the name of the ReferenceGrant CRD.
+	ReferenceGrant = "referencegrants.gateway.networking.k8s.io"
 )
 
 //go:embed gateway-crds.yaml
 var GatewayCrds []byte
+
+// Required is a list of required Gateway API CRDs.
+var Required = []string{GatewayClass, Gateway, HTTPRoute, ReferenceGrant}
+
+// IsSupportedVersion checks if the CRD version is recognized and supported.
+func IsSupportedVersion(version string) bool {
+	supportedVersions := sets.NewString(wellknown.SupportedVersions...)
+	return supportedVersions.Has(version)
+}
+
+// IsSupported checks if the CRD is supported based on the provided name.
+func IsSupported(name string) bool {
+	return name == GatewayClass ||
+		name == Gateway ||
+		name == HTTPRoute ||
+		name == ReferenceGrant
+}

projects/gateway2/wellknown/gwapi.go

@@ -41,6 +41,10 @@ const (
 )
 
 var (
+	// SupportedVersions specifies the supported versions of Gateway API.
+	// [TODO] Remove "v1.0.0-rc1" when https://github.com/solo-io/gloo/issues/10115 is fixed.
+	SupportedVersions = []string{"v1.1.0", "v1.0.0", "v1.0.0-rc1"}
+
 	GatewayGVK = schema.GroupVersionKind{
 		Group:   GatewayGroup,
 		Version: apiv1.GroupVersion.Version,