From 6e5ab7023f82f91669fc6b45c8c971193839eb5e Mon Sep 17 00:00:00 2001
From: lukzhang <l_zhang18@hotmail.com>
Date: Wed, 5 Nov 2025 23:35:14 -0500
Subject: [PATCH] Fix: enforce Gateway allowedRoutes namespace constraints in
 HTTPRoute reconciliation

---
 pkg/controllers/route_controller.go | 30 +++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/pkg/controllers/route_controller.go b/pkg/controllers/route_controller.go
index 56b65d03..b477473b 100644
--- a/pkg/controllers/route_controller.go
+++ b/pkg/controllers/route_controller.go
@@ -28,6 +28,7 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/tools/record"
@@ -291,6 +292,35 @@ func (r *routeReconciler) findControlledParentRef(ctx context.Context, route cor
 	return gwv1.ParentReference{}, fmt.Errorf("parentRef not found for route %s", route.Name())
 }
 
+// --- helper function ---
+func isNamespaceAllowed(ctx context.Context, k8sClient client.Client, routeNamespace string, allowedNamespaces *gwv1.RouteNamespaces) (bool, error) {
+    if allowedNamespaces == nil || allowedNamespaces.From == nil {
+        return false, nil
+    }
+
+    switch *allowedNamespaces.From {
+    case gwv1.NamespacesFromAll:
+        return true, nil
+    case gwv1.NamespacesFromSame:
+        return false, nil // caller should handle same-namespace logic
+    case gwv1.NamespacesFromSelector:
+        selector, err := metav1.LabelSelectorAsSelector(allowedNamespaces.Selector)
+        if err != nil {
+            return false, fmt.Errorf("invalid label selector: %w", err)
+        }
+
+        ns := &corev1.Namespace{}
+        err = k8sClient.Get(ctx, client.ObjectKey{Name: routeNamespace}, ns)
+        if err != nil {
+            return false, fmt.Errorf("failed to get namespace: %w", err)
+        }
+
+        return selector.Matches(labels.Set(ns.Labels)), nil
+    default:
+        return false, nil
+    }
+}
+
 func (r *routeReconciler) reconcileUpsert(ctx context.Context, req ctrl.Request, route core.Route) error {
 	r.log.Infow(ctx, "reconcile, adding or updating", "name", req.Name)
 	r.eventRecorder.Event(route.K8sObject(), corev1.EventTypeNormal,