Skip to content

feat(gateway) add support for gateway api experimental ListenerSet #5972

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
bmhughes wants to merge 1 commit into
base: master
Choose a base branch
from
Open

feat(gateway) add support for gateway api experimental ListenerSet #5972

bmhughes wants to merge 1 commit into from
+421 −31

Conversation

@bmhughes
Copy link

@bmhughes bmhughes commented Nov 21, 2025

What does it do ?

Support the use of ListenerSetswith Gateway API.

Motivation

Using Gateway API and TLS without ListenerSets requires either wildcard certs or all hosts to be known when creating the gateway, ListenerSets removes with requirement but external-dns does not support them currently.

More

  • Yes, this PR title follows Conventional Commits
  • Yes, I added unit tests
  • Yes, I updated end user documentation accordingly

@k8s-ci-robot k8s-ci-robot added the apis Issues or PRs related to API change label Nov 21, 2025
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Nov 21, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign mloiseleur for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@linux-foundation-easycla
Copy link

linux-foundation-easycla bot commented Nov 21, 2025
edited
Loading

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: bmhughes / name: Ben Hughes (588fb12)

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Nov 21, 2025

Welcome @bmhughes!

It looks like this is your first PR to kubernetes-sigs/external-dns 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/external-dns has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Nov 21, 2025

Hi @bmhughes. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. source cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Nov 21, 2025
mloiseleur
mloiseleur reviewed Nov 22, 2025
View reviewed changes
mloiseleur
mloiseleur reviewed Nov 22, 2025
View reviewed changes
docs/sources/gateway.md
Comment on lines +55 to +57
- When [experimental](#gateway-experimental-support) support is enabled the Gateway is expanded from
the `parentRef` of the `XListenerSet`.

Copy link
Collaborator

@mloiseleur mloiseleur Nov 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would you please also complete the example just below accordingly?

@mloiseleur
Copy link
Collaborator

mloiseleur commented Dec 7, 2025

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Dec 7, 2025
@coveralls
Copy link

coveralls commented Dec 7, 2025
edited
Loading

Pull Request Test Coverage Report for Build 20622387398

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • 165 unchanged lines in 3 files lost coverage.
  • Overall coverage decreased (-0.1%) to 78.722%
Files with Coverage Reduction New Missed Lines %
apis/externaldns/types.go 1 99.62%
store.go 58 39.85%
gateway.go 106 79.39%
Totals Coverage Status
Change from base Build 20617539960: -0.1%
Covered Lines: 15890
Relevant Lines: 20185
💛 - Coveralls

@bmhughes bmhughes force-pushed the feature/gateway-api-experimental branch from 3c418fb to 40b93de Compare December 9, 2025 09:55
@szuecs
Copy link
Contributor

szuecs commented Dec 9, 2025
edited
Loading

Until gateway-api people have defined what to do for DNS we should stop changing. ListenerSet is likely the right thing to do, but not sure about the x-api. Likely gateway-api should stabilize the API before we change the DNS configuration sources.

@szuecs
Copy link
Contributor

szuecs commented Dec 9, 2025

/hold likely we will not integrate HTTPRoute in the future , but ListenerSet as told by gateway-api. We should wait until they finalized the API and what external-dns should do to integrate.

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 9, 2025
@sfqzlm sfqzlm mentioned this pull request Dec 30, 2025
Open
@sfqzlm
Copy link

sfqzlm commented Dec 30, 2025

Hi Team,

With ingress-nginx reaching EOL and no further updates expected beyond March, many of us are actively migrating off the Ingress API and toward Gateway API as the long-term path.

In practice, Gateway API today still lacks a viable multi-tenancy story using only standard CRDs. The experimental ListenerSet (a.k.a. XListenerSet) is currently the only workable solution we’ve found for shared gateways with delegated ownership, especially when TLS and hostname isolation are required. We’ve successfully validated this model using Istio’s Gateway API implementation.

While ListenerSet is experimental, it’s rapidly becoming a de-facto building block. cert-manager has publicly acknowledged the gap and committed to adding ListenerSet support (targeting Feb):
https://cert-manager.io/announcements/2025/11/26/ingress-nginx-eol-and-gateway-api/#listenerset-the-missing-building-block

Without ExternalDNS support, ListenerSet-based Gateway API deployments remain incomplete for production use, forcing teams either to maintain custom DNS automation or to delay migration away from Ingress altogether.

Given the Ingress deprecation timeline and the ecosystem momentum around ListenerSet, I’d strongly encourage reconsidering the /hold. Even guarded or experimental support in ExternalDNS would meaningfully unblock real-world Gateway API adoption and align with the direction other core tooling (e.g., cert-manager) is already taking.

Happy to help test or validate behavior against Istio Gateway API if that’s useful.

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 30, 2025
@bmhughes bmhughes force-pushed the feature/gateway-api-experimental branch from 40b93de to 4cf3a64 Compare December 30, 2025 14:46
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 30, 2025
sfqzlm
sfqzlm reviewed Dec 31, 2025
View reviewed changes
sfqzlm
sfqzlm reviewed Dec 31, 2025
View reviewed changes
@bmhughes bmhughes force-pushed the feature/gateway-api-experimental branch from 4cf3a64 to 588fb12 Compare December 31, 2025 15:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mloiseleur mloiseleur mloiseleur left review comments

@ivankatliarchuk ivankatliarchuk Awaiting requested review from ivankatliarchuk

@stevehipwell stevehipwell Awaiting requested review from stevehipwell

+1 more reviewer

@sfqzlm sfqzlm sfqzlm left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

apis Issues or PRs related to API change chart cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. docs ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. source

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@bmhughes @k8s-ci-robot @mloiseleur @coveralls @szuecs @sfqzlm