Fix Gateway API combined sync coverage

- Fix Gateway API authz watches to use explicit unstructured GVKs
- Watch ReferenceGrant as gateway.networking.k8s.io/v1beta1
- List HTTPRoute and TLSRoute via explicit unstructured list objects
- Avoid scheme alias resolution selecting unsupported Gateway API versions
- Remove unused Gateway watch and route-list helper dead code
- Cover combined fromHost Gateway import with toHost tenant Gateway and HTTPRoute sync
- Reuse Gateway API e2e client/bootstrap and kubectl apply helpers
- Remove vacuous Gateway absence assertion from import-only suite
- Move Gateway API enablement helpers to pkg/util/gatewayapi
- Call Gateway API util enablement helpers directly from mappings registration

Signed-off-by: Ryan Swanson <ryan.swanson@loft.sh>

Author: zerbitx

e2e-next/setup/csi.go

@@ -133,8 +133,15 @@ func InstallCSIHostpath(kubeContext string) func(ctx context.Context) error {
 }
 
 func kubectlApply(ctx context.Context, kubeContext string, files ...string) error {
+	return kubectlApplyWithOptions(ctx, kubeContext, nil, files...)
+}
+
+func kubectlApplyWithOptions(ctx context.Context, kubeContext string, options []string, files ...string) error {
 	for _, f := range files {
-		cmd := exec.CommandContext(ctx, "kubectl", "apply", "-f", f, "--context", kubeContext)
+		args := []string{"apply"}
+		args = append(args, options...)
+		args = append(args, "-f", f, "--context", kubeContext)
+		cmd := exec.CommandContext(ctx, "kubectl", args...)
 		if out, err := cmd.CombinedOutput(); err != nil {
 			if !strings.Contains(string(out), "already exists") {
 				return fmt.Errorf("kubectl apply -f %s: %s: %w", f, string(out), err)

e2e-next/setup/gatewayapi.go

@@ -3,7 +3,6 @@ package setup
 import (
 	"context"
 	"fmt"
-	"os/exec"
 	"path/filepath"
 	"runtime"
 
@@ -30,13 +29,9 @@ func GatewayAPIPreSetup() func(ctx context.Context) error {
 			"pkg/mappings/resources/tlsroutes.crd.yaml",
 			"pkg/mappings/resources/backendtlspolicies.crd.yaml",
 		}
-		for _, crd := range crds {
-			abs := filepath.Join(repoRoot, crd)
-			cmd := exec.CommandContext(ctx, "kubectl", "apply", "--server-side", "--force-conflicts", "--context", kubeContext, "-f", abs)
-			if out, err := cmd.CombinedOutput(); err != nil {
-				return fmt.Errorf("apply Gateway API CRD %s: %s: %w", crd, string(out), err)
-			}
+		for i, crd := range crds {
+			crds[i] = filepath.Join(repoRoot, crd)
 		}
-		return nil
+		return kubectlApplyWithOptions(ctx, kubeContext, []string{"--server-side", "--force-conflicts"}, crds...)
 	}
 }

e2e-next/suite_gatewayapi_combined_test.go

@@ -0,0 +1,43 @@
+// Suite: gatewayapi-combined-vcluster
+// vCluster: fromHost Gateways and toHost Gateway API Gateways enabled together.
+// Run:      just run-e2e 'pr && gatewayapi'
+package e2e_next
+
+import (
+	"context"
+	_ "embed"
+
+	"github.com/loft-sh/e2e-framework/pkg/setup/cluster"
+	"github.com/loft-sh/vcluster/e2e-next/clusters"
+	"github.com/loft-sh/vcluster/e2e-next/labels"
+	"github.com/loft-sh/vcluster/e2e-next/setup"
+	"github.com/loft-sh/vcluster/e2e-next/setup/lazyvcluster"
+	"github.com/loft-sh/vcluster/e2e-next/test_gatewayapi"
+	. "github.com/onsi/ginkgo/v2"
+)
+
+//go:embed vcluster-gatewayapi-combined.yaml
+var gatewayAPICombinedVClusterYAML string
+
+const gatewayAPICombinedVClusterName = "gatewayapi-combined-vcluster"
+
+func init() { suiteGatewayAPICombinedVCluster() }
+
+func suiteGatewayAPICombinedVCluster() {
+	// Ordered so the startup regression coverage runs against one vCluster with
+	// both Gateway import and tenant Gateway sync enabled.
+	Describe("gatewayapi-combined-vcluster", labels.PR, labels.GatewayAPI, labels.GatewayClasses, Ordered,
+		cluster.Use(clusters.HostCluster),
+		func() {
+			BeforeAll(func(ctx context.Context) context.Context {
+				return lazyvcluster.LazyVCluster(ctx,
+					gatewayAPICombinedVClusterName,
+					gatewayAPICombinedVClusterYAML,
+					lazyvcluster.WithPreSetup(setup.GatewayAPIPreSetup()),
+				)
+			})
+
+			test_gatewayapi.GatewayAPICombinedSpec()
+		},
+	)
+}

e2e-next/suite_gatewayapi_import_test.go

@@ -25,6 +25,7 @@ const gatewayAPIImportVClusterName = "gatewayapi-import-vcluster"
 func init() { suiteGatewayAPIImportVCluster() }
 
 func suiteGatewayAPIImportVCluster() {
+	// Ordered so all specs share one lazyvcluster bring-up; specs are independent.
 	Describe("gatewayapi-import-vcluster", labels.PR, labels.GatewayAPI, labels.GatewayClasses, Ordered,
 		cluster.Use(clusters.HostCluster),
 		func() {

e2e-next/suite_gatewayapi_test.go

@@ -25,6 +25,7 @@ const gatewayAPIVClusterName = "gatewayapi-vcluster"
 func init() { suiteGatewayAPIVCluster() }
 
 func suiteGatewayAPIVCluster() {
+	// Ordered so all specs share one lazyvcluster bring-up; specs are independent.
 	Describe("gatewayapi-vcluster", labels.PR, labels.GatewayAPI, labels.GatewayClasses, Ordered,
 		cluster.Use(clusters.HostCluster),
 		func() {

e2e-next/test_gatewayapi/clients.go

@@ -0,0 +1,50 @@
+package test_gatewayapi
+
+import (
+	"context"
+
+	"github.com/loft-sh/e2e-framework/pkg/setup/cluster"
+	"github.com/loft-sh/vcluster/e2e-next/constants"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
+	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
+	gatewayv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+	gatewayv1alpha3 "sigs.k8s.io/gateway-api/apis/v1alpha3"
+	gatewayv1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"
+)
+
+type gatewayAPIClients struct {
+	HostClient     ctrlclient.Client
+	VClusterClient ctrlclient.Client
+	VClusterName   string
+	VClusterHostNS string
+}
+
+func newGatewayAPIClients(ctx context.Context, installExtendedGatewaySchemes bool) gatewayAPIClients {
+	GinkgoHelper()
+
+	scheme := runtime.NewScheme()
+	Expect(corev1.AddToScheme(scheme)).To(Succeed())
+	Expect(gatewayv1.Install(scheme)).To(Succeed())
+	if installExtendedGatewaySchemes {
+		Expect(gatewayv1alpha2.Install(scheme)).To(Succeed())
+		Expect(gatewayv1alpha3.Install(scheme)).To(Succeed())
+		Expect(gatewayv1beta1.Install(scheme)).To(Succeed())
+	}
+
+	hostClient, err := ctrlclient.New(cluster.From(ctx, constants.GetHostClusterName()).KubernetesRestConfig(), ctrlclient.Options{Scheme: scheme})
+	Expect(err).To(Succeed())
+	vClusterClient, err := ctrlclient.New(cluster.CurrentClusterFrom(ctx).KubernetesRestConfig(), ctrlclient.Options{Scheme: scheme})
+	Expect(err).To(Succeed())
+
+	vClusterName := cluster.CurrentClusterNameFrom(ctx)
+	return gatewayAPIClients{
+		HostClient:     hostClient,
+		VClusterClient: vClusterClient,
+		VClusterName:   vClusterName,
+		VClusterHostNS: "vcluster-" + vClusterName,
+	}
+}

e2e-next/test_gatewayapi/test_gatewayapi_combined.go

@@ -0,0 +1,104 @@
+package test_gatewayapi
+
+import (
+	"context"
+
+	"github.com/loft-sh/vcluster/e2e-next/constants"
+	"github.com/loft-sh/vcluster/e2e-next/labels"
+	"github.com/loft-sh/vcluster/pkg/controllers/resources/gateways"
+	"github.com/loft-sh/vcluster/pkg/util/random"
+	"github.com/loft-sh/vcluster/pkg/util/translate"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
+	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
+)
+
+const combinedClassSelectorValue = "gatewayapi-combined"
+
+// GatewayAPICombinedSpec covers ENGNODE-556 / TC-33: importing host Gateways
+// and syncing tenant Gateways can be enabled together without startup loops.
+func GatewayAPICombinedSpec() {
+	Describe("Gateway API combined import and tenant Gateway sync", labels.GatewayAPI, labels.GatewayClasses, func() {
+		var (
+			hostClient     ctrlclient.Client
+			vClusterClient ctrlclient.Client
+			vClusterName   string
+			vClusterHostNS string
+		)
+
+		gatewayNamespace := "gwapi-combined-host"
+		BeforeEach(func(ctx context.Context) {
+			clients := newGatewayAPIClients(ctx, false)
+			hostClient = clients.HostClient
+			vClusterClient = clients.VClusterClient
+			vClusterName = clients.VClusterName
+			vClusterHostNS = clients.VClusterHostNS
+
+			ensureHostNamespace(ctx, hostClient, gatewayNamespace)
+			Eventually(func(g Gomega) {
+				g.Expect(vClusterClient.List(ctx, &corev1.NamespaceList{})).To(Succeed())
+				g.Expect(vClusterClient.List(ctx, &gatewayv1.GatewayClassList{})).To(Succeed())
+				g.Expect(vClusterClient.List(ctx, &gatewayv1.GatewayList{}, ctrlclient.InNamespace("default"))).To(Succeed())
+				g.Expect(vClusterClient.List(ctx, &gatewayv1.HTTPRouteList{}, ctrlclient.InNamespace("default"))).To(Succeed())
+			}).WithPolling(constants.PollingInterval).WithTimeout(constants.PollingTimeout).Should(Succeed())
+		})
+
+		It("starts with both Gateway import and tenant Gateway sync enabled", func(ctx context.Context) {
+			suffix := random.String(6)
+			class := createGatewayClass(ctx, hostClient, "gwc-combined-"+suffix, combinedClassSelectorValue, "combined class")
+			hostGW := hostGateway(gatewayNamespace, "edge-"+suffix, class.Name)
+			createHostGateway(ctx, hostClient, hostGW)
+
+			importedGatewayNamespace := "gwapi-combined-import"
+			By("verifying the imported Gateway mirror appears after vCluster startup", func() {
+				Eventually(func(g Gomega) {
+					mirror := &gatewayv1.Gateway{}
+					g.Expect(vClusterClient.Get(ctx, types.NamespacedName{Namespace: importedGatewayNamespace, Name: hostGW.Name}, mirror)).To(Succeed())
+					g.Expect(mirror.Labels).To(HaveKeyWithValue(gateways.ImportedGatewayLabel, "true"))
+				}).WithPolling(constants.PollingInterval).WithTimeout(constants.PollingTimeout).Should(Succeed())
+			})
+
+			By("verifying the combined vCluster syncs tenant-authored Gateway API resources to host", func() {
+				Eventually(func(g Gomega) {
+					g.Expect(vClusterClient.Get(ctx, types.NamespacedName{Name: class.Name}, &gatewayv1.GatewayClass{})).To(Succeed())
+				}).WithPolling(constants.PollingInterval).WithTimeout(constants.PollingTimeout).Should(Succeed())
+
+				tenantNS := createTenantNamespace(ctx, vClusterClient, "gwapi-combined-tenant-"+suffix)
+				service := &corev1.Service{ObjectMeta: metav1.ObjectMeta{Name: "backend-" + suffix, Namespace: tenantNS.Name}, Spec: corev1.ServiceSpec{Ports: []corev1.ServicePort{{Port: 80}}}}
+				Expect(vClusterClient.Create(ctx, service)).To(Succeed())
+
+				tenantGW := tenantGateway(tenantNS.Name, "tenant-gw-"+suffix, class.Name)
+				Expect(vClusterClient.Create(ctx, tenantGW)).To(Succeed())
+				DeferCleanup(func(ctx context.Context) {
+					Expect(ctrlclient.IgnoreNotFound(vClusterClient.Delete(ctx, tenantGW))).To(Succeed())
+				})
+				tenantRoute := tenantHTTPRoute(tenantNS.Name, "tenant-route-"+suffix, tenantGW.Name, service.Name)
+				Expect(vClusterClient.Create(ctx, tenantRoute)).To(Succeed())
+				DeferCleanup(func(ctx context.Context) {
+					Expect(ctrlclient.IgnoreNotFound(vClusterClient.Delete(ctx, tenantRoute))).To(Succeed())
+				})
+
+				hostGatewayName := translate.SafeConcatName(tenantGW.Name, "x", tenantNS.Name, "x", vClusterName)
+				hostRouteName := translate.SafeConcatName(tenantRoute.Name, "x", tenantNS.Name, "x", vClusterName)
+				Eventually(func(g Gomega) {
+					gotGateway := &gatewayv1.Gateway{}
+					g.Expect(hostClient.Get(ctx, types.NamespacedName{Namespace: vClusterHostNS, Name: hostGatewayName}, gotGateway)).To(Succeed())
+					g.Expect(gotGateway.Spec.GatewayClassName).To(Equal(gatewayv1.ObjectName(class.Name)))
+
+					gotRoute := &gatewayv1.HTTPRoute{}
+					g.Expect(hostClient.Get(ctx, types.NamespacedName{Namespace: vClusterHostNS, Name: hostRouteName}, gotRoute)).To(Succeed())
+					g.Expect(gotRoute.Spec.ParentRefs).To(HaveLen(1))
+					g.Expect(gotRoute.Spec.ParentRefs[0].Name).To(Equal(gatewayv1.ObjectName(hostGatewayName)))
+				}).WithPolling(constants.PollingInterval).WithTimeout(constants.PollingTimeout).Should(Succeed())
+
+				Consistently(func(g Gomega) {
+					g.Expect(vClusterClient.Get(ctx, ctrlclient.ObjectKeyFromObject(tenantGW), &gatewayv1.Gateway{})).To(Succeed())
+				}).WithPolling(constants.PollingInterval).WithTimeout(constants.PollingTimeoutShort).Should(Succeed())
+			})
+		})
+	})
+}