initial TLSRoute support (#10601)

Co-authored-by: Nathan Fudenberg <[email protected]>
Co-authored-by: changelog-bot <changelog-bot>

Author: puertomontt

.github/workflows/pr-kubernetes-tests.yaml

@@ -95,7 +95,7 @@ jobs:
         # 2025-02-13: 26m29s
         - cluster-name: 'cluster-seven'
           go-test-args: '-v -timeout=25m'
-          go-test-run-regex: '^TestK8sGateway$$/^CRDCategories$$|^TestK8sGateway$$/^Metrics$$|^TestGloomtlsGatewayEdgeGateway$$|^TestGloomtlsGatewayK8sGateway$$|^TestGlooGatewayEdgeGatewayClearMetrics$$|^TestWatchNamespaceSelector$$'
+          go-test-run-regex: '^TestK8sGateway$$/^CRDCategories$$|^TestK8sGateway$$/^Metrics$$|^TestGloomtlsGatewayEdgeGateway$$|^TestGloomtlsGatewayK8sGateway$$|^TestGlooGatewayEdgeGatewayClearMetrics$$|^TestWatchNamespaceSelector$$|^TestK8sGateway$$/^TLSRouteServices$$'
 
         # In our PR tests, we run the suite of tests using the upper ends of versions that we claim to support
         # The versions should mirror: https://docs.solo.io/gloo-edge/latest/reference/support/

Makefile

@@ -1243,7 +1243,7 @@ $(TEST_ASSET_DIR)/conformance/conformance_test.go:
 	cat $(shell go list -json -m sigs.k8s.io/gateway-api | jq -r '.Dir')/conformance/conformance_test.go >> $@
 	go fmt $@
 
-CONFORMANCE_SUPPORTED_FEATURES ?= -supported-features=Gateway,ReferenceGrant,HTTPRoute,HTTPRouteQueryParamMatching,HTTPRouteMethodMatching,HTTPRouteResponseHeaderModification,HTTPRoutePortRedirect,HTTPRouteHostRewrite,HTTPRouteSchemeRedirect,HTTPRoutePathRedirect,HTTPRouteHostRewrite,HTTPRoutePathRewrite,HTTPRouteRequestMirror
+CONFORMANCE_SUPPORTED_FEATURES ?= -supported-features=Gateway,ReferenceGrant,HTTPRoute,HTTPRouteQueryParamMatching,HTTPRouteMethodMatching,HTTPRouteResponseHeaderModification,HTTPRoutePortRedirect,HTTPRouteHostRewrite,HTTPRouteSchemeRedirect,HTTPRoutePathRedirect,HTTPRouteHostRewrite,HTTPRoutePathRewrite,HTTPRouteRequestMirror,TLSRoute
 CONFORMANCE_SUPPORTED_PROFILES ?= -conformance-profiles=GATEWAY-HTTP
 CONFORMANCE_REPORT_ARGS ?= -report-output=$(TEST_ASSET_DIR)/conformance/$(VERSION)-report.yaml -organization=solo.io -project=gloo-gateway -version=$(VERSION) -url=github.com/solo-io/gloo -contact=github.com/solo-io/gloo/issues/new/choose
 CONFORMANCE_ARGS := -gateway-class=gloo-gateway $(CONFORMANCE_SUPPORTED_FEATURES) $(CONFORMANCE_SUPPORTED_PROFILES) $(CONFORMANCE_REPORT_ARGS)

changelog/v1.19.0-beta11/tls-route.yaml

@@ -0,0 +1,6 @@
+changelog:
+  - type: NEW_FEATURE
+    issueLink: https://github.com/kgateway-dev/kgateway/issues/10074
+    resolvesIssue: false
+    description: >-
+      "Add support for sig gateway's TLS Routes."

install/helm/gloo/templates/44-rbac.yaml

@@ -13,6 +13,7 @@ rules:
   - gatewayclasses
   - gateways
   - tcproutes
+  - tlsroutes
   - httproutes
   - referencegrants
   verbs: ["get", "list", "watch"]
@@ -50,6 +51,7 @@ rules:
   - gateways/status
   - httproutes/status
   - tcproutes/status
+  - tlsroutes/status
   verbs: ["update", "patch"]
 - apiGroups:
   - apiextensions.k8s.io

projects/gateway2/controller/controller.go

@@ -80,6 +80,7 @@ func NewBaseGatewayController(ctx context.Context, cfg GatewayConfig) error {
 		controllerBuilder.watchGw,
 		controllerBuilder.watchHttpRoute,
 		controllerBuilder.watchTcpRoute,
+		controllerBuilder.watchTlsRoute,
 		controllerBuilder.watchReferenceGrant,
 		controllerBuilder.watchNamespaces,
 		controllerBuilder.watchHttpListenerOptions,
@@ -140,6 +141,12 @@ func (c *controllerBuilder) addIndexes(ctx context.Context) error {
 		}
 	}
 
+	if c.cfg.CRDs.Has(wellknown.TLSRouteCRDName) {
+		if err := c.cfg.Mgr.GetFieldIndexer().IndexField(ctx, &apiv1a2.TLSRoute{}, query.TlsRouteTargetField, query.IndexerByObjType); err != nil {
+			errs = append(errs, err)
+		}
+	}
+
 	return errors.Join(errs...)
 }
 
@@ -361,6 +368,19 @@ func (c *controllerBuilder) watchTcpRoute(ctx context.Context) error {
 		Complete(reconcile.Func(c.reconciler.ReconcileTcpRoutes))
 }
 
+func (c *controllerBuilder) watchTlsRoute(ctx context.Context) error {
+	if !c.cfg.CRDs.Has(wellknown.TLSRouteCRDName) {
+		log.FromContext(ctx).Info("TLSRoute type not registered in scheme; skipping TLSRoute controller setup")
+		return nil
+	}
+
+	// Proceed to set up the controller for TLSRoute
+	return ctrl.NewControllerManagedBy(c.cfg.Mgr).
+		WithEventFilter(predicate.GenerationChangedPredicate{}).
+		For(&apiv1a2.TLSRoute{}).
+		Complete(reconcile.Func(c.reconciler.ReconcileTlsRoutes))
+}
+
 func (c *controllerBuilder) watchReferenceGrant(_ context.Context) error {
 	return ctrl.NewControllerManagedBy(c.cfg.Mgr).
 		WithEventFilter(predicate.GenerationChangedPredicate{}).
@@ -551,6 +571,17 @@ func (r *controllerReconciler) ReconcileTcpRoutes(ctx context.Context, req ctrl.
 	return ctrl.Result{}, nil
 }
 
+func (r *controllerReconciler) ReconcileTlsRoutes(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	// TODO: consider finding impacted gateways and queue them
+	// TODO: consider enabling this
+	//	// reconcile this specific route:
+	//	queries := query.NewData(r.cli, r.scheme)
+	//	httproute.TranslateGatewayHTTPRouteRules(queries, hr, nil)
+
+	r.kick(ctx)
+	return ctrl.Result{}, nil
+}
+
 func (r *controllerReconciler) ReconcileReferenceGrants(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	// reconcile all things?! https://github.com/solo-io/gloo/issues/9997
 	r.kick(ctx)

projects/gateway2/controller/start.go

@@ -290,5 +290,14 @@ func getGatewayCRDs(restConfig *rest.Config) (sets.Set[string], error) {
 		crds.Insert(wellknown.TCPRouteCRDName)
 	}
 
+	tlsRouteExists, err := glooschemes.CRDExists(restConfig, gwv1a2.GroupVersion.Group, gwv1a2.GroupVersion.Version, wellknown.TLSRouteKind)
+	if err != nil {
+		return nil, err
+	}
+
+	if tlsRouteExists {
+		crds.Insert(wellknown.TLSRouteCRDName)
+	}
+
 	return crds, nil
 }

projects/gateway2/proxy_syncer/proxy_syncer.go

@@ -247,6 +247,9 @@ func (p glooProxy) Equals(in glooProxy) bool {
 	if !maps.Equal(p.reportMap.TCPRoutes, in.reportMap.TCPRoutes) {
 		return false
 	}
+	if !maps.Equal(p.reportMap.TLSRoutes, in.reportMap.TLSRoutes) {
+		return false
+	}
 	return true
 }
 
@@ -273,6 +276,9 @@ func (r report) Equals(in report) bool {
 	if !maps.Equal(r.ReportMap.TCPRoutes, in.ReportMap.TCPRoutes) {
 		return false
 	}
+	if !maps.Equal(r.ReportMap.TLSRoutes, in.ReportMap.TLSRoutes) {
+		return false
+	}
 	return true
 }
 
@@ -491,6 +497,19 @@ func (s *ProxySyncer) Init(ctx context.Context, dbg *krt.DebugHandler) error {
 				// obsGen will stay as-is...
 				maps.Copy(p.reportMap.TCPRoutes[rnn].Parents, rr.Parents)
 			}
+
+			// 4. merge tlsroute parentRefs into RouteReports
+			for rnn, rr := range p.reportMap.TLSRoutes {
+				// if we haven't encountered this route, just copy it over completely
+				old := merged.TLSRoutes[rnn]
+				if old == nil {
+					merged.TLSRoutes[rnn] = rr
+					continue
+				}
+				// else, let's merge our parentRefs into the existing map
+				// obsGen will stay as-is...
+				maps.Copy(p.reportMap.TLSRoutes[rnn].Parents, rr.Parents)
+			}
 		}
 		return &report{merged}
 	})
@@ -902,6 +921,12 @@ func (s *ProxySyncer) syncRouteStatus(ctx context.Context, rm reports.ReportMap)
 				return nil
 			}
 			r.Status.RouteStatus = *status
+		case *gwv1a2.TLSRoute:
+			status = rm.BuildRouteStatus(ctx, r, s.controllerName)
+			if status == nil || isRouteStatusEqual(&r.Status.RouteStatus, status) {
+				return nil
+			}
+			r.Status.RouteStatus = *status
 		default:
 			logger.Warnw(fmt.Sprintf("unsupported route type for %s", routeType), "route", route)
 			return nil
@@ -930,6 +955,16 @@ func (s *ProxySyncer) syncRouteStatus(ctx context.Context, rm reports.ReportMap)
 			logger.Errorw("all attempts failed at updating TCPRoute status", "error", err, "route", rnn)
 		}
 	}
+
+	// Sync TLSRoute statuses
+	for rnn := range rm.TLSRoutes {
+		err := syncStatusWithRetry(wellknown.TLSRouteKind, rnn, func() client.Object { return new(gwv1a2.TLSRoute) }, func(route client.Object) error {
+			return buildAndUpdateStatus(route, wellknown.TLSRouteKind)
+		})
+		if err != nil {
+			logger.Errorw("all attempts failed at updating TLSRoute status", "error", err, "route", rnn)
+		}
+	}
 }
 
 // syncGatewayStatus will build and update status for all Gateways in a reportMap

projects/gateway2/query/httproute.go

@@ -128,6 +128,8 @@ func (r *gatewayQueries) GetRouteChain(
 	case *gwv1a2.TCPRoute:
 		backends = r.resolveRouteBackends(ctx, typedRoute)
 		// TODO (danehans): Should TCPRoute delegation support be added in the future?
+	case *gwv1a2.TLSRoute:
+		backends = r.resolveRouteBackends(ctx, typedRoute)
 	default:
 		return nil
 	}
@@ -151,7 +153,7 @@ func (r *gatewayQueries) allowedRoutes(gw *gwv1.Gateway, l *gwv1.Listener) (func
 	case gwv1.HTTPProtocolType:
 		allowedKinds = []metav1.GroupKind{{Kind: wellknown.HTTPRouteKind, Group: gwv1.GroupName}}
 	case gwv1.TLSProtocolType:
-		fallthrough
+		allowedKinds = []metav1.GroupKind{{Kind: wellknown.TLSRouteKind, Group: gwv1a2.GroupName}}
 	case gwv1.TCPProtocolType:
 		allowedKinds = []metav1.GroupKind{{Kind: wellknown.TCPRouteKind, Group: gwv1a2.GroupName}}
 	case gwv1.UDPProtocolType:
@@ -228,6 +230,14 @@ func (r *gatewayQueries) resolveRouteBackends(ctx context.Context, obj client.Ob
 			}
 			processBackendRefs(refs)
 		}
+	case *gwv1a2.TLSRoute:
+		for _, rule := range rt.Spec.Rules {
+			var refs []gwv1.BackendObjectReference
+			for _, ref := range rule.BackendRefs {
+				refs = append(refs, ref.BackendObjectReference)
+			}
+			processBackendRefs(refs)
+		}
 	default:
 		return out
 	}
@@ -365,6 +375,16 @@ func (r *gatewayQueries) GetRoutesForGateway(ctx context.Context, gw *gwv1.Gatew
 		routeListTypes = append(routeListTypes, &gwv1a2.TCPRouteList{})
 	}
 
+	// Conditionally include TLSRouteList
+	tlsRouteGVK := schema.GroupVersionKind{
+		Group:   gwv1a2.GroupVersion.Group,
+		Version: gwv1a2.GroupVersion.Version,
+		Kind:    wellknown.TLSRouteKind,
+	}
+	if r.scheme.Recognizes(tlsRouteGVK) {
+		routeListTypes = append(routeListTypes, &gwv1a2.TLSRouteList{})
+	}
+
 	var routes []client.Object
 	for _, routeList := range routeListTypes {
 		if err := fetchRoutes(ctx, r, routeList, nns, &routes); err != nil {
@@ -406,6 +426,10 @@ func fetchRoutes(ctx context.Context, r *gatewayQueries, routeList client.Object
 		if err := listAndAppendRoutes(list, TcpRouteTargetField); err != nil {
 			return fmt.Errorf("failed to list TCPRoutes: %w", err)
 		}
+	case *gwv1a2.TLSRouteList:
+		if err := listAndAppendRoutes(list, TlsRouteTargetField); err != nil {
+			return fmt.Errorf("failed to list TLSRoutes: %w", err)
+		}
 	default:
 		return fmt.Errorf("unsupported route list type: %T", list)
 	}
@@ -452,12 +476,22 @@ func (r *gatewayQueries) processRoute(ctx context.Context, gw *gwv1.Gateway, rou
 			}
 			anyListenerMatched = true
 
-			// If the route is an HTTPRoute, check the hostname intersection
+			// If the route is an HTTPRoute or TLSRoute, check the hostname intersection
 			var hostnames []string
 			if routeKind == wellknown.HTTPRouteKind {
 				if hr, ok := route.(*gwv1.HTTPRoute); ok {
 					var ok bool
-					ok, hostnames = hostnameIntersect(&l, hr)
+					ok, hostnames = hostnameIntersect(&l, hr.Spec.Hostnames)
+					if !ok {
+						continue
+					}
+					anyHostsMatch = true
+				}
+			}
+			if routeKind == wellknown.TLSRouteKind {
+				if tr, ok := route.(*gwv1a2.TLSRoute); ok {
+					var ok bool
+					ok, hostnames = hostnameIntersect(&l, tr.Spec.Hostnames)
 					if !ok {
 						continue
 					}
@@ -532,6 +566,12 @@ func getRouteItems(list client.ObjectList) ([]client.Object, error) {
 			objs = append(objs, &routes.Items[i])
 		}
 		return objs, nil
+	case *gwv1a2.TLSRouteList:
+		var objs []client.Object
+		for i := range routes.Items {
+			objs = append(objs, &routes.Items[i])
+		}
+		return objs, nil
 	default:
 		return nil, fmt.Errorf("unsupported route type %T", list)
 	}

projects/gateway2/query/indexers.go

@@ -16,6 +16,7 @@ const (
 	HttpRouteTargetField            = "http-route-target"
 	HttpRouteDelegatedLabelSelector = "http-route-delegated-label-selector"
 	TcpRouteTargetField             = "tcp-route-target"
+	TlsRouteTargetField             = "tls-route-target"
 	ReferenceGrantFromField         = "ref-grant-from"
 )
 
@@ -25,6 +26,7 @@ func IterateIndices(f func(client.Object, string, client.IndexerFunc) error) err
 		f(&gwv1.HTTPRoute{}, HttpRouteTargetField, IndexerByObjType),
 		f(&gwv1.HTTPRoute{}, HttpRouteDelegatedLabelSelector, IndexByHTTPRouteDelegationLabelSelector),
 		f(&gwv1a2.TCPRoute{}, TcpRouteTargetField, IndexerByObjType),
+		f(&gwv1a2.TLSRoute{}, TlsRouteTargetField, IndexerByObjType),
 		f(&gwv1b1.ReferenceGrant{}, ReferenceGrantFromField, IndexerByObjType),
 	)
 }
@@ -33,6 +35,7 @@ func IterateIndices(f func(client.Object, string, client.IndexerFunc) error) err
 //
 //   - HTTPRoute
 //   - TCPRoute
+//   - TLSRoute
 //   - ReferenceGrant
 func IndexerByObjType(obj client.Object) []string {
 	var results []string
@@ -74,6 +77,24 @@ func IndexerByObjType(obj client.Object) []string {
 			}
 			results = append(results, nns.String())
 		}
+	case *gwv1a2.TLSRoute:
+		for _, pRef := range resource.Spec.ParentRefs {
+			if pRef.Group != nil && *pRef.Group != gwv1a2.GroupName {
+				continue
+			}
+			if pRef.Kind != nil && *pRef.Kind != wellknown.GatewayKind {
+				continue
+			}
+			ns := resolveNs(pRef.Namespace)
+			if ns == "" {
+				ns = resource.Namespace
+			}
+			nns := types.NamespacedName{
+				Namespace: ns,
+				Name:      string(pRef.Name),
+			}
+			results = append(results, nns.String())
+		}
 	case *gwv1b1.ReferenceGrant:
 		for _, from := range resource.Spec.From {
 			if from.Namespace != "" {