Engnode 568 #3997
Merged
@codex review
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 1ff87191c9
Pin ReferenceGrant, TLSRoute, and BackendTLSPolicy syncing to the v1 Gateway API versions instead of negotiating older served versions against the host. Hosts whose Gateway API CRDs do not serve v1 fail fast at startup with an actionable error.
Signed-off-by: Ryan Swanson <ryan.swanson@loft.sh>
- route controllers watch virtual ReferenceGrants regardless of
sync.toHost.gatewayApi.referenceGrants.enabled; with the flag "false"
the CRD was never installed and the watch failed forever, silently
blocking all HTTPRoute/TLSRoute sync
- extract EnsureReferenceGrantCRD and call it from the HTTPRoute and
TLSRoute mappers, keeping "false" semantics: grants never sync to the
host and virtual grants stay authoritative for cross-namespace refs
- add gatewayapi-grants-disabled e2e suite plus a unit test asserting
route mappers ensure the grant CRD when grant sync is disabled
Signed-off-by: Ryan Swanson <ryan.swanson@loft.sh>
- route controllers watch virtual ReferenceGrants for cross-namespace
authorization regardless of sync.toHost.gatewayApi.referenceGrants.enabled;
with the flag "false" the CRD was never installed and the watch failed
forever (no matches for kind "ReferenceGrant"), silently blocking all
HTTPRoute/TLSRoute sync
- extract EnsureReferenceGrantCRD and call it from the HTTPRoute and
TLSRoute mappers, independent of grant sync
- keep "false" semantics: no host discovery check, no mapper, no syncer,
grants never sync to the host; virtual grants stay authoritative for
cross-namespace refs in single-namespace mode
- add gatewayapi-grants-disabled e2e suite: same-namespace route syncs,
cross-namespace backendRef denied until a virtual ReferenceGrant permits
it, grant itself never syncs to the host
- add unit test asserting route mappers ensure the grant CRD when grant
sync is disabled
Signed-off-by: Ryan Swanson <ryan.swanson@loft.sh>
# Conflicts:
# e2e-next/test_gatewayapi/test_gatewayapi_grants_disabled.go
# pkg/mappings/resources/register_gateway_test.go
# pkg/mappings/resources/tlsroutes.go
The umbrella sync.toHost.gatewayApi.enabled only enabled HTTPRoute sync: the tenant gateways CRD was never installed, host RBAC for gateways was never granted, and route controllers logged watch errors for the missing Gateway kind.
- honor the umbrella in GatewaysEnabled and the chart gateways RBAC rule
- install the tenant Gateway CRD whenever route sync is enabled
- sync ReferenceGrants to the host only with namespace sync or an explicit referenceGrants toggle, matching the read-only RBAC the chart grants in single-namespace mode; tenant-side validation is unchanged
- document umbrella and referenceGrants auto semantics in the schema
- add umbrella-only e2e suite plus unit and chart test coverage
Closes ENGNODE-568
Signed-off-by: Ryan Swanson <ryan.swanson@loft.sh>
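The "cross-namespace backendRef denied until a virtual ReferenceGrant permits it" behaviour that the grants-disabled e2e suite above exercises, written out as an added Go example (not vcluster's code): the `ObjRef`, `GrantFrom`, `GrantTo`, `ReferenceGrant` types and the `backendRefAllowed` helper are constructed here to model the Gateway API ReferenceGrant rules, and the namespaces and names are made up.

```go
package main

import "fmt"

// Dependency-free model of the Gateway API ReferenceGrant check (constructed
// example, not vcluster's code). A grant lives in the namespace that owns the
// referent and lists which (group, kind, namespace) may reference which
// (group, kind[, name]) inside that namespace.
type ObjRef struct{ Group, Kind, Namespace, Name string }
type GrantFrom struct{ Group, Kind, Namespace string }
type GrantTo struct{ Group, Kind, Name string } // empty Name matches any name
type ReferenceGrant struct {
	Namespace string // namespace the grant object is created in
	From      []GrantFrom
	To        []GrantTo
}

// backendRefAllowed reports whether route may use backend as a backendRef:
// same-namespace refs are always allowed, cross-namespace refs need a grant
// in the backend's namespace whose from AND to entries both match.
func backendRefAllowed(route, backend ObjRef, grants []ReferenceGrant) bool {
	if route.Namespace == backend.Namespace {
		return true
	}
	for _, g := range grants {
		if g.Namespace != backend.Namespace { // grants elsewhere cannot authorize this
			continue
		}
		fromOK := false
		for _, f := range g.From {
			fromOK = fromOK || (f.Group == route.Group && f.Kind == route.Kind && f.Namespace == route.Namespace)
		}
		for _, t := range g.To {
			if fromOK && t.Group == backend.Group && t.Kind == backend.Kind && (t.Name == "" || t.Name == backend.Name) {
				return true
			}
		}
	}
	return false
}

func main() {
	route := ObjRef{"gateway.networking.k8s.io", "HTTPRoute", "team-a", "web"}
	svc := ObjRef{"", "Service", "team-b", "api"}
	grant := ReferenceGrant{Namespace: "team-b",
		From: []GrantFrom{{"gateway.networking.k8s.io", "HTTPRoute", "team-a"}},
		To:   []GrantTo{{"", "Service", ""}}} // any Service in team-b
	fmt.Println(backendRefAllowed(route, svc, nil))                    // false: denied until a grant exists
	fmt.Println(backendRefAllowed(route, svc, []ReferenceGrant{grant})) // true
}
```

Because the check only consults grants in the backend's namespace, a tenant that owns only its own namespace cannot grant itself access to another namespace's Service; that is why the virtual grants can stay authoritative without ever being synced to the host.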
janekbaraniewski previously approved these changes Jun 12, 2026
janekbaraniewski approved these changes Jun 12, 2026
sowmyav27 approved these changes Jun 12, 2026
sowmyav27 left a comment
I have some comments for the tests, but they are non-blocking; I will log a separate issue for those.
💚 All backports created successfully
Questions? Please refer to the Backport tool documentation and see the GitHub Action logs for details.
zerbitx added a commit that referenced this pull request Jun 12, 2026
* feat: use latest gateway api versions only
Pin ReferenceGrant, TLSRoute, and BackendTLSPolicy syncing to the v1
Gateway API versions instead of negotiating older served versions
against the host. Hosts whose Gateway API CRDs do not serve v1 fail
fast at startup with an actionable error.
Signed-off-by: Ryan Swanson <ryan.swanson@loft.sh>
* fix: install tenant referencegrant crd whenever route sync is enabled
- route controllers watch virtual ReferenceGrants regardless of
sync.toHost.gatewayApi.referenceGrants.enabled; with the flag "false"
the CRD was never installed and the watch failed forever, silently
blocking all HTTPRoute/TLSRoute sync
- extract EnsureReferenceGrantCRD and call it from the HTTPRoute and
TLSRoute mappers, keeping "false" semantics: grants never sync to the
host and virtual grants stay authoritative for cross-namespace refs
- add gatewayapi-grants-disabled e2e suite plus a unit test asserting
route mappers ensure the grant CRD when grant sync is disabled
Signed-off-by: Ryan Swanson <ryan.swanson@loft.sh>
* fix: install tenant referencegrant crd whenever route sync is enabled
- route controllers watch virtual ReferenceGrants for cross-namespace
authorization regardless of sync.toHost.gatewayApi.referenceGrants.enabled;
with the flag "false" the CRD was never installed and the watch failed
forever (no matches for kind "ReferenceGrant"), silently blocking all
HTTPRoute/TLSRoute sync
- extract EnsureReferenceGrantCRD and call it from the HTTPRoute and
TLSRoute mappers, independent of grant sync
- keep "false" semantics: no host discovery check, no mapper, no syncer,
grants never sync to the host; virtual grants stay authoritative for
cross-namespace refs in single-namespace mode
- add gatewayapi-grants-disabled e2e suite: same-namespace route syncs,
cross-namespace backendRef denied until a virtual ReferenceGrant permits
it, grant itself never syncs to the host
- add unit test asserting route mappers ensure the grant CRD when grant
sync is disabled
Signed-off-by: Ryan Swanson <ryan.swanson@loft.sh>
# Conflicts:
# e2e-next/test_gatewayapi/test_gatewayapi_grants_disabled.go
# pkg/mappings/resources/register_gateway_test.go
# pkg/mappings/resources/tlsroutes.go
* fix: enable tenant gateway sync via the gatewayapi umbrella switch
The umbrella sync.toHost.gatewayApi.enabled only enabled HTTPRoute sync:
the tenant gateways CRD was never installed, host RBAC for gateways was
never granted, and route controllers logged watch errors for the missing
Gateway kind.
- honor the umbrella in GatewaysEnabled and the chart gateways RBAC rule
- install the tenant Gateway CRD whenever route sync is enabled
- sync ReferenceGrants to the host only with namespace sync or an
explicit referenceGrants toggle, matching the read-only RBAC the chart
grants in single-namespace mode; tenant-side validation is unchanged
- document umbrella and referenceGrants auto semantics in the schema
- add umbrella-only e2e suite plus unit and chart test coverage
Closes ENGNODE-568
Signed-off-by: Ryan Swanson <ryan.swanson@loft.sh>
---------
Signed-off-by: Ryan Swanson <ryan.swanson@loft.sh>
(cherry picked from commit edbb688)
Signed-off-by: Ryan Swanson <ryan.swanson@loft.sh>
# Conflicts:
# pkg/mappings/resources/httproutes.go
# pkg/mappings/resources/referencegrants.go
# pkg/mappings/resources/register_gateway_test.go
# Conflicts:
# pkg/mappings/resources/httproutes.go
# pkg/mappings/resources/referencegrants.go
# pkg/mappings/resources/register_gateway_test.go
What issue type does this pull request address? (keep at least one, remove the others)
/kind bugfix
What does this pull request do? Which issues does it resolve? (use resolves #<issue_number> if possible)
resolves #ENGNODE-568
Please provide a short message that should be published in the vcluster release notes
Fixed an issue where vcluster ...
What else do we need to know?
E2E Tests
Default Test Execution
The mandatory PR suite runs automatically. Only specify additional test suites below if needed.
Adding New Test Suites
When adding a new ginkgo test suite:
Additional test suites
Additional test suite(s) that will be executed before the mandatory PR suite: