Engnode 568 (#3997)

* feat: use latest gateway api versions only

Pin ReferenceGrant, TLSRoute, and BackendTLSPolicy syncing to the v1
Gateway API versions instead of negotiating older served versions
against the host. Hosts whose Gateway API CRDs do not serve v1 fail
fast at startup with an actionable error.

Signed-off-by: Ryan Swanson <ryan.swanson@loft.sh>

* fix: install tenant referencegrant crd whenever route sync is enabled

  - route controllers watch virtual ReferenceGrants regardless of
    sync.toHost.gatewayApi.referenceGrants.enabled; with the flag "false"
    the CRD was never installed and the watch failed forever, silently
    blocking all HTTPRoute/TLSRoute sync
  - extract EnsureReferenceGrantCRD and call it from the HTTPRoute and
    TLSRoute mappers, keeping "false" semantics: grants never sync to the
    host and virtual grants stay authoritative for cross-namespace refs
  - add gatewayapi-grants-disabled e2e suite plus a unit test asserting
    route mappers ensure the grant CRD when grant sync is disabled

Signed-off-by: Ryan Swanson <ryan.swanson@loft.sh>

* fix: install tenant referencegrant crd whenever route sync is enabled

  - route controllers watch virtual ReferenceGrants for cross-namespace
    authorization regardless of sync.toHost.gatewayApi.referenceGrants.enabled;
    with the flag "false" the CRD was never installed and the watch failed
    forever (no matches for kind "ReferenceGrant"), silently blocking all
    HTTPRoute/TLSRoute sync
  - extract EnsureReferenceGrantCRD and call it from the HTTPRoute and
    TLSRoute mappers, independent of grant sync
  - keep "false" semantics: no host discovery check, no mapper, no syncer,
    grants never sync to the host; virtual grants stay authoritative for
    cross-namespace refs in single-namespace mode
  - add gatewayapi-grants-disabled e2e suite: same-namespace route syncs,
    cross-namespace backendRef denied until a virtual ReferenceGrant permits
    it, grant itself never syncs to the host
  - add unit test asserting route mappers ensure the grant CRD when grant
    sync is disabled

Signed-off-by: Ryan Swanson <ryan.swanson@loft.sh>

# Conflicts:
#	e2e-next/test_gatewayapi/test_gatewayapi_grants_disabled.go
#	pkg/mappings/resources/register_gateway_test.go
#	pkg/mappings/resources/tlsroutes.go

* fix: enable tenant gateway sync via the gatewayapi umbrella switch

The umbrella sync.toHost.gatewayApi.enabled only enabled HTTPRoute sync:
the tenant gateways CRD was never installed, host RBAC for gateways was
never granted, and route controllers logged watch errors for the missing
Gateway kind.

- honor the umbrella in GatewaysEnabled and the chart gateways RBAC rule
- install the tenant Gateway CRD whenever route sync is enabled
- sync ReferenceGrants to the host only with namespace sync or an
  explicit referenceGrants toggle, matching the read-only RBAC the chart
  grants in single-namespace mode; tenant-side validation is unchanged
- document umbrella and referenceGrants auto semantics in the schema
- add umbrella-only e2e suite plus unit and chart test coverage

Closes ENGNODE-568

Signed-off-by: Ryan Swanson <ryan.swanson@loft.sh>

---------

Signed-off-by: Ryan Swanson <ryan.swanson@loft.sh>

Author: zerbitx

chart/templates/clusterrole.yaml

@@ -83,7 +83,7 @@ rules:
     resources: ["ingressclasses"]
     verbs: ["get", "watch", "list"]
   {{- end }}
-  {{- if or .Values.sync.fromHost.gatewayClasses.enabled .Values.sync.fromHost.gateways.enabled }}
+  {{- if or .Values.sync.fromHost.gatewayClasses.enabled .Values.sync.fromHost.gateways.enabled .Values.sync.toHost.gatewayApi.enabled }}
   - apiGroups: ["gateway.networking.k8s.io"]
     resources: ["gatewayclasses"]
     verbs: ["get", "watch", "list"]

chart/templates/role.yaml

@@ -86,7 +86,7 @@ rules:
   # Gateway API /status subresources are intentionally omitted for this block:
   # vCluster only mirrors host status to virtual resources.
   {{- end }}
-  {{- if .Values.sync.toHost.gatewayApi.gateways.enabled }}
+  {{- if or .Values.sync.toHost.gatewayApi.enabled .Values.sync.toHost.gatewayApi.gateways.enabled }}
   - apiGroups: ["gateway.networking.k8s.io"]
     resources: ["gateways"]
     verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]

chart/tests/clusterrole_test.yaml

@@ -922,3 +922,67 @@ tests:
             apiGroups: ["resource.k8s.io"]
             resources: ["deviceclasses"]
             verbs: ["get", "watch", "list"]
+
+  - it: gateway api umbrella enables gatewayclasses rule
+    set:
+      sync:
+        toHost:
+          gatewayApi:
+            enabled: true
+    release:
+      name: my-release
+      namespace: my-namespace
+    asserts:
+      - hasDocuments:
+          count: 1
+      - equal:
+          path: kind
+          value: ClusterRole
+      - contains:
+          path: rules
+          content:
+            apiGroups: ["gateway.networking.k8s.io"]
+            resources: ["gatewayclasses"]
+            verbs: ["get", "watch", "list"]
+
+  - it: gateway api explicit gateways toggle does not enable gatewayclasses rule
+    set:
+      sync:
+        toHost:
+          gatewayApi:
+            gateways:
+              enabled: true
+    release:
+      name: my-release
+      namespace: my-namespace
+    asserts:
+      - hasDocuments:
+          count: 1
+      - notContains:
+          path: rules
+          content:
+            apiGroups: ["gateway.networking.k8s.io"]
+            resources: ["gatewayclasses"]
+            verbs: ["get", "watch", "list"]
+
+  - it: fromHost gateways enables gatewayclasses rule
+    set:
+      sync:
+        fromHost:
+          gateways:
+            enabled: true
+            mappings:
+              byName:
+                "default/my-gateway": "default/my-gateway"
+    release:
+      name: my-release
+      namespace: my-namespace
+    asserts:
+      - hasDocuments:
+          count: 1
+      - contains:
+          path: rules
+          content:
+            apiGroups: ["gateway.networking.k8s.io"]
+            resources: ["gatewayclasses"]
+            verbs: ["get", "watch", "list"]

chart/tests/role_test.yaml

@@ -397,6 +397,57 @@ tests:
             verbs:
               ["create", "delete", "patch", "update", "get", "list", "watch"]
 
+  - it: gateway api umbrella enables gateways and httproutes rules
+    set:
+      sync:
+        toHost:
+          gatewayApi:
+            enabled: true
+    release:
+      name: my-release
+      namespace: my-namespace
+    asserts:
+      - hasDocuments:
+          count: 1
+      - equal:
+          path: kind
+          value: Role
+      - contains:
+          path: rules
+          content:
+            apiGroups: ["gateway.networking.k8s.io"]
+            resources: ["gateways"]
+            verbs:
+              ["create", "delete", "patch", "update", "get", "list", "watch"]
+      - contains:
+          path: rules
+          content:
+            apiGroups: ["gateway.networking.k8s.io"]
+            resources: ["httproutes"]
+            verbs:
+              ["create", "delete", "patch", "update", "get", "list", "watch"]
+
+  - it: gateway api explicit gateways toggle enables gateways rule
+    set:
+      sync:
+        toHost:
+          gatewayApi:
+            gateways:
+              enabled: true
+    release:
+      name: my-release
+      namespace: my-namespace
+    asserts:
+      - hasDocuments:
+          count: 1
+      - contains:
+          path: rules
+          content:
+            apiGroups: ["gateway.networking.k8s.io"]
+            resources: ["gateways"]
+            verbs:
+              ["create", "delete", "patch", "update", "get", "list", "watch"]
+
   - it: private nodes
     set:
       privateNodes:

chart/values.schema.json

@@ -2598,7 +2598,7 @@
         },
         "referenceGrants": {
           "$ref": "#/$defs/EnableAutoSwitchWithPatches",
-          "description": "ReferenceGrants configures ReferenceGrant sync to the control plane cluster. Enabled may be \"auto\", \"true\", or \"false\"."
+          "description": "ReferenceGrants configures ReferenceGrant sync to the control plane cluster. Enabled may be \"auto\", \"true\", or \"false\".\nIn auto mode grants follow route sync and are validated within the tenant cluster; they sync to the control plane cluster only when namespace sync is also enabled."
         }
       },
       "additionalProperties": false,
@@ -5306,7 +5306,7 @@
         },
         "gatewayApi": {
           "$ref": "#/$defs/GatewayAPIEnableSwitchWithPatches",
-          "description": "GatewayAPI defines Gateway API resources created within the tenant cluster that should get synced to the control plane cluster."
+          "description": "GatewayAPI defines Gateway API resources created within the tenant cluster that should get synced to the control plane cluster.\nSetting enabled: true turns on Gateway and HTTPRoute sync, imports control plane cluster GatewayClasses so tenant Gateways can resolve them, and serves tenant ReferenceGrants for validation; TLSRoutes and BackendTLSPolicies must be enabled individually."
         },
         "services": {
           "$ref": "#/$defs/EnableSwitchWithPatches",

chart/values.yaml

@@ -82,6 +82,7 @@ sync:
       # Enabled defines if this option should be enabled.
       enabled: false
     # GatewayAPI defines Gateway API resources created within the tenant cluster that should get synced to the control plane cluster.
+    # Setting enabled: true turns on Gateway and HTTPRoute sync, imports control plane cluster GatewayClasses so tenant Gateways can resolve them, and serves tenant ReferenceGrants for validation; TLSRoutes and BackendTLSPolicies must be enabled individually.
     gatewayApi:
       # Enabled defines if this option should be enabled.
       enabled: false
@@ -102,6 +103,7 @@ sync:
         # Enabled defines if this option should be enabled.
         enabled: false
       # ReferenceGrants configures ReferenceGrant sync to the control plane cluster. Enabled may be "auto", "true", or "false".
+      # In auto mode grants follow route sync and are validated within the tenant cluster; they sync to the control plane cluster only when namespace sync is also enabled.
       referenceGrants:
         # Enabled defines if this option should be enabled.
         enabled: auto

config/config.go

@@ -1234,6 +1234,7 @@ type SyncToHost struct {
 	Ingresses EnableSwitchWithPatches `json:"ingresses,omitempty"`
 
 	// GatewayAPI defines Gateway API resources created within the tenant cluster that should get synced to the control plane cluster.
+	// Setting enabled: true turns on Gateway and HTTPRoute sync, imports control plane cluster GatewayClasses so tenant Gateways can resolve them, and serves tenant ReferenceGrants for validation; TLSRoutes and BackendTLSPolicies must be enabled individually.
 	GatewayAPI GatewayAPIEnableSwitchWithPatches `json:"gatewayApi,omitempty"`
 
 	// Services defines if services created within the virtual cluster should get synced to the host cluster.
@@ -1310,6 +1311,7 @@ type GatewayAPIEnableSwitchWithPatches struct {
 	BackendTLSPolicies EnableSwitchWithPatches `json:"backendTLSPolicies,omitempty"`
 
 	// ReferenceGrants configures ReferenceGrant sync to the control plane cluster. Enabled may be "auto", "true", or "false".
+	// In auto mode grants follow route sync and are validated within the tenant cluster; they sync to the control plane cluster only when namespace sync is also enabled.
 	ReferenceGrants EnableAutoSwitchWithPatches `json:"referenceGrants,omitempty"`
 }
 

e2e-next/suite_gatewayapi_umbrella_test.go

@@ -0,0 +1,43 @@
+// Suite: gatewayapi-umbrella-vcluster
+// vCluster: Gateway API enabled via the sync.toHost.gatewayApi umbrella switch
+// only, covering Gateway + HTTPRoute + ReferenceGrant CRD installation and sync.
+// Run:      just run-e2e 'pr && gatewayapi'
+package e2e_next
+
+import (
+	"context"
+	_ "embed"
+
+	"github.com/loft-sh/e2e-framework/pkg/setup/cluster"
+	"github.com/loft-sh/vcluster/e2e-next/clusters"
+	"github.com/loft-sh/vcluster/e2e-next/labels"
+	"github.com/loft-sh/vcluster/e2e-next/setup"
+	"github.com/loft-sh/vcluster/e2e-next/setup/lazyvcluster"
+	"github.com/loft-sh/vcluster/e2e-next/test_gatewayapi"
+	. "github.com/onsi/ginkgo/v2"
+)
+
+//go:embed vcluster-gatewayapi-umbrella.yaml
+var gatewayAPIUmbrellaVClusterYAML string
+
+const gatewayAPIUmbrellaVClusterName = "gatewayapi-umbrella-vcluster"
+
+func init() { suiteGatewayAPIUmbrellaVCluster() }
+
+func suiteGatewayAPIUmbrellaVCluster() {
+	// Ordered so all specs share one lazyvcluster bring-up; specs are independent.
+	Describe("gatewayapi-umbrella-vcluster", labels.PR, labels.GatewayAPI, labels.GatewayClasses, Ordered,
+		cluster.Use(clusters.HostCluster),
+		func() {
+			BeforeAll(func(ctx context.Context) context.Context {
+				return lazyvcluster.LazyVCluster(ctx,
+					gatewayAPIUmbrellaVClusterName,
+					gatewayAPIUmbrellaVClusterYAML,
+					lazyvcluster.WithPreSetup(setup.GatewayAPIPreSetup()),
+				)
+			})
+
+			test_gatewayapi.GatewayAPIUmbrellaSpec()
+		},
+	)
+}