Skip to content

api: experimental ResolvedRefs condition for Gateway #4195

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
k8s-ci-robot merged 3 commits into from
Nov 19, 2025
Merged

api: experimental ResolvedRefs condition for Gateway #4195

k8s-ci-robot merged 3 commits into from
Nov 19, 2025

Conversation

@snorwin
Copy link
Member

@snorwin snorwin commented Oct 22, 2025

What type of PR is this?

/kind documentation
/kind feature

What this PR does / why we need it:
This PR follows up on #4123 to update the GoDoc comments and introduce a new GatewayConditionType constant of ResolvedRefs, with associated Reason as its own GatewayConditionReason.

Which issue(s) this PR fixes:

N/A

Does this PR introduce a user-facing change?:

Add experimental ResolvedRefs condition for Gateway

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/documentation Categorizes issue or PR as related to documentation. kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Oct 22, 2025
@k8s-ci-robot k8s-ci-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Oct 22, 2025
@snorwin
Copy link
Member Author

snorwin commented Oct 22, 2025

/cc @kl52752 @rikatz

snorwin
snorwin commented Oct 22, 2025
View reviewed changes
@snorwin snorwin force-pushed the gateway-backend-tls-api branch from 11ba606 to bc1e880 Compare October 23, 2025 06:36
@youngnick
Copy link
Contributor

youngnick commented Nov 6, 2025

Nice work, thanks @snorwin.

/approve

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 6, 2025
@snorwin snorwin force-pushed the gateway-backend-tls-api branch 2 times, most recently from 4856b7f to 0818f34 Compare November 8, 2025 08:46
@snorwin
add reason ListenersNotResolved
425d501 
Signed-off-by: Norwin Schnyder <[email protected]>
@snorwin snorwin force-pushed the gateway-backend-tls-api branch from 0818f34 to 425d501 Compare November 8, 2025 09:06
kl52752
kl52752 reviewed Nov 14, 2025
View reviewed changes
apis/v1/gateway_types.go
// * It refers to a resource that cannot be resolved (e.g., the referenced resource
// does not exist) or is misconfigured (e.g., a Secret does not contain the keys
// named `tls.crt` and `tls.key`). In this case, the `ResolvedRefs` condition
// on the Gateway MUST be set to False with the Reason `InvalidClientCertificateRef`
Copy link
Contributor

@kl52752 kl52752 Nov 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm worried that Cx might confused this error with other TLS based features like ClientCertValidation, can we be more specifica about the certificate?
InvalidClientCertificateRef -> InvalidGatewayClientCertificateRef

Copy link
Member Author

@snorwin snorwin Nov 14, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wouldn't InvalidBackendClientCertificateRef be more accurate?

However, it is quite long, and since a Gateway only has one clientCertificateRef field, it should be clear which one is meant.

Copy link
Contributor

@kl52752 kl52752 Nov 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

InvalidBackendClientCertificateRef is not accurate because this is Gateway's certificate to communicate with Backends.

Copy link
Member Author

@snorwin snorwin Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For simplicity, I’d prefer to keep the reason as InvalidClientCertificateRef. Since it’s already set on the Gateway, adding Gateway to the reason feels redundant. But if there are better alternatives, I’m happy to adjust.

@kflynn kflynn mentioned this pull request Nov 18, 2025
Open
3 tasks
@snorwin
apply PR feedback
9fa426c 
Signed-off-by: Norwin Schnyder <[email protected]>
kl52752
kl52752 approved these changes Nov 19, 2025
View reviewed changes
Copy link
Contributor

@kl52752 kl52752 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, LGTM!

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Nov 19, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kl52752, snorwin, youngnick

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kl52752
Copy link
Contributor

kl52752 commented Nov 19, 2025

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 19, 2025
@k8s-ci-robot k8s-ci-robot merged commit af107cf into kubernetes-sigs:main Nov 19, 2025
20 checks passed
tylerauerbeck pushed a commit to tylerauerbeck/gateway-api that referenced this pull request Nov 27, 2025
@snorwin @tylerauerbeck
api: experimental ResolvedRefs condition for Gateway (kubernetes-sigs…
595c41f 
…#4195)

* api: experimental ResolvedRefs condition for Gateway

Signed-off-by: Norwin Schnyder <[email protected]>

* add reason ListenersNotResolved

Signed-off-by: Norwin Schnyder <[email protected]>

* apply PR feedback

Signed-off-by: Norwin Schnyder <[email protected]>

---------

Signed-off-by: Norwin Schnyder <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@robscott robscott Awaiting requested review from robscott

@youngnick youngnick Awaiting requested review from youngnick

@rikatz rikatz Awaiting requested review from rikatz

1 more reviewer

@kl52752 kl52752 kl52752 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@kl52752 kl52752

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/documentation Categorizes issue or PR as related to documentation. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@snorwin @youngnick @k8s-ci-robot @kl52752