NE-1871: Promote GatewayAPI to Tech Preview

[rfredette]

Enhancement: Gateway API with Cluster Ingress Operator

[openshift-ci]

Hello @rfredette! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[openshift-ci-robot]

@rfredette: This pull request references NE-1871 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.18.0" version, but no target version was set.

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[rfredette]

test failures seem unrelated
/retest

[openshift-ci-robot]

@rfredette: This pull request references NE-1871 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.18.0" version, but no target version was set.

In response to this:

Enhancement: Gateway API with Cluster Ingress Operator

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[rfredette]

/jira refresh

[openshift-ci-robot]

@rfredette: This pull request references NE-1871 which is a valid jira issue.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[rfredette]

Until the Gateway API feature is ready to be considered tech preview:
/hold

[candita]

/assign @gcs278
/assign @Thealisyed

[candita]

@gcs278 @rfredette based on our team meeting this morning, we would like to pursue merging this so Gateway API integration can get the CI exercise that a TechPreview cluster gets, on all platforms. Can you please unhold and review so we can make that happen?

[gcs278]

@gcs278 @rfredette based on our team meeting this morning, we would like to pursue merging this so Gateway API integration can get the CI exercise that a TechPreview cluster gets, on all platforms. Can you please unhold and review so we can make that happen?

@candita maybe I misunderstood, but I thought the decision was to wait until 4.19 branch opens to bump the feature gate to Tech Preview. In 4.19, we'd would do Dev Preview --> Tech Preview --> GA, all in the same development cycle.

[candita]

@gcs278 @rfredette based on our team meeting this morning, we would like to pursue merging this so Gateway API integration can get the CI exercise that a TechPreview cluster gets, on all platforms. Can you please unhold and review so we can make that happen?

@candita maybe I misunderstood, but I thought the decision was to wait until 4.19 branch opens to bump the feature gate to Tech Preview. In 4.19, we'd would do Dev Preview --> Tech Preview --> GA, all in the same development cycle.

No, it's better for us to do this without having to backport it after branch cut if possible.

[gcs278]

@candita @rfredette I think we are ready to proceed with this PR now that 4.18 branch cut has happened based on our conversation in slack. We'll have to wait until after the holidays to merge, but following up here before I forget.

[rfredette]

/unhold

[gcs278]

@rfredette LGTM, but the one thing you should consider is that the e2e-aws-gatewayapi presubmit job will become redundant after this PR merging since e2e-aws-operator-techpreview should automatically start running the GWAPI tests. Might be good to raise another PR that removes it, or consult with the team about removing it.

/lgtm

[candita]

Are the gateway API components deployed automatically or lazily once some CR is created?

@JoelSpeed Right now they will be deployed lazily when a GatewayClass is created. Once we move to GA, that's a different story. cc @Miciah

[candita]

As a quick smoke test, do the existing tech preview jobs on this PR show that the feature is now enabled?

Yes. In e2e-aws-ovn-techpreview:

I0113 19:01:40.454720 1 event.go:377] Event(v1.ObjectReference{Kind:"Deployment", Namespace:"openshift-ingress-operator", Name:"ingress-operator", UID:"", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'FeatureGatesInitialized' FeatureGates updated to featuregates.Features{Enabled:[]v1.FeatureGateName{"AWSClusterHostedDNS", "AWSEFSDriverVolumeMetrics", "AdditionalRoutingCapabilities", "AdminNetworkPolicy", "AlibabaPlatform", "AutomatedEtcdBackup", "AzureWorkloadIdentity", "BareMetalLoadBalancer", "BootcNodeManagement", "BuildCSIVolumes", "CPMSMachineNamePrefix", "ChunkSizeMiB", "CloudDualStackNodeIPs", "ClusterMonitoringConfig", "ConsolePluginContentSecurityPolicy", "DNSNameResolver", "DisableKubeletCloudCredentialProviders", "DynamicResourceAllocation", "EtcdBackendQuota", "Example", "ExternalOIDC", "GCPClusterHostedDNS", "GCPLabelsTags",
"GatewayAPI", <=====================================================================================
"HardwareSpeed", "HighlyAvailableArbiter", "ImageStreamImportMode", "IngressControllerDynamicConfigurationManager", "IngressControllerLBSubnetsAWS", "InsightsConfig", "InsightsConfigAPI", "InsightsOnDemandDataGather", "InsightsRuntimeExtractor", "KMSEncryptionProvider", "KMSv1", "MachineAPIProviderOpenStack", "MachineConfigNodes", "ManagedBootImages", "ManagedBootImagesAWS", "MaxUnavailableStatefulSet", "MetricsCollectionProfiles", "MinimumKubeletVersion", "MixedCPUsAllocation", "MultiArchInstallAWS", "MultiArchInstallGCP", "NetworkDiagnosticsConfig", "NetworkLiveMigration", "NetworkSegmentation", "NewOLM", "NodeDisruptionPolicy", "NodeSwap", "NutanixMultiSubnets", "OVNObservability", "OnClusterBuild", "OpenShiftPodSecurityAdmission", "PersistentIPsForVirtualization", "PinnedImages", "PlatformOperators", "PrivateHostedZoneAWS", "ProcMountType", "RouteAdvertisements", "RouteExternalCertificate", "ServiceAccountTokenNodeBinding", "SetEIPForNLBIngressController", "SignatureStores", "SigstoreImageVerification", "TranslateStreamCloseWebsocketRequests", "UpgradeStatus", "UserNamespacesPodSecurityStandards", "UserNamespacesSupport", "VSphereControlPlaneMachineSet", "VSphereDriverConfiguration", "VSphereHostVMGroupZonal", "VSphereMultiDisk", "VSphereMultiNetworks", "VSphereMultiVCenters", "VSphereStaticIPs", "ValidatingAdmissionPolicy", "VolumeAttributesClass", "VolumeGroupSnapshot"}, Disabled:[]v1.FeatureGateName{"ClusterAPIInstall", "ClusterAPIInstallIBMCloud", "ClusterVersionOperatorConfiguration", "EventedPLEG", "MachineAPIMigration", "MachineAPIOperatorDisableMachineHealthCheckController", "MultiArchInstallAzure"}}

and in e2e-aws-serial-techpreview:

I0113 19:03:33.038269 1 event.go:377] Event(v1.ObjectReference{Kind:"Deployment", Namespace:"openshift-ingress-operator", Name:"ingress-operator", UID:"", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'FeatureGatesInitialized' FeatureGates updated to featuregates.Features{Enabled:[]v1.FeatureGateName{"AWSClusterHostedDNS", "AWSEFSDriverVolumeMetrics", "AdditionalRoutingCapabilities", "AdminNetworkPolicy", "AlibabaPlatform", "AutomatedEtcdBackup", "AzureWorkloadIdentity", "BareMetalLoadBalancer", "BootcNodeManagement", "BuildCSIVolumes", "CPMSMachineNamePrefix", "ChunkSizeMiB", "CloudDualStackNodeIPs", "ClusterMonitoringConfig", "ConsolePluginContentSecurityPolicy", "DNSNameResolver", "DisableKubeletCloudCredentialProviders", "DynamicResourceAllocation", "EtcdBackendQuota", "Example", "ExternalOIDC", "GCPClusterHostedDNS", "GCPLabelsTags",
"GatewayAPI", <=====================================================================================
"HardwareSpeed", "HighlyAvailableArbiter", "ImageStreamImportMode", "IngressControllerDynamicConfigurationManager", "IngressControllerLBSubnetsAWS", "InsightsConfig", "InsightsConfigAPI", "InsightsOnDemandDataGather", "InsightsRuntimeExtractor", "KMSEncryptionProvider", "KMSv1", "MachineAPIProviderOpenStack", "MachineConfigNodes", "ManagedBootImages", "ManagedBootImagesAWS", "MaxUnavailableStatefulSet", "MetricsCollectionProfiles", "MinimumKubeletVersion", "MixedCPUsAllocation", "MultiArchInstallAWS", "MultiArchInstallGCP", "NetworkDiagnosticsConfig", "NetworkLiveMigration", "NetworkSegmentation", "NewOLM", "NodeDisruptionPolicy", "NodeSwap", "NutanixMultiSubnets", "OVNObservability", "OnClusterBuild", "OpenShiftPodSecurityAdmission", "PersistentIPsForVirtualization", "PinnedImages", "PlatformOperators", "PrivateHostedZoneAWS", "ProcMountType", "RouteAdvertisements", "RouteExternalCertificate", "ServiceAccountTokenNodeBinding", "SetEIPForNLBIngressController", "SignatureStores", "SigstoreImageVerification", "TranslateStreamCloseWebsocketRequests", "UpgradeStatus", "UserNamespacesPodSecurityStandards", "UserNamespacesSupport", "VSphereControlPlaneMachineSet", "VSphereDriverConfiguration", "VSphereHostVMGroupZonal", "VSphereMultiDisk", "VSphereMultiNetworks", "VSphereMultiVCenters", "VSphereStaticIPs", "ValidatingAdmissionPolicy", "VolumeAttributesClass", "VolumeGroupSnapshot"}, Disabled:[]v1.FeatureGateName{"ClusterAPIInstall", "ClusterAPIInstallIBMCloud", "ClusterVersionOperatorConfiguration", "EventedPLEG", "MachineAPIMigration", "MachineAPIOperatorDisableMachineHealthCheckController", "MultiArchInstallAzure"}}

[candita]

/lgtm

[candita]

/cancel lgtm

[JoelSpeed]

/test integration

[JoelSpeed]

I can see the gateway classes installed in the techpreview jobs
/approve

/hold @candita you cancelled the LGTM, is there something making you hesitant from merging this?

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: candita, gcs278, JoelSpeed, rfredette

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [JoelSpeed]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[candita]

I can see the gateway classes installed in the techpreview jobs /approve

/hold @candita you cancelled the LGTM, is there something making you hesitant from merging this?

@JoelSpeed it was just the failing prow tests that made me withdraw my /lgtm. They are not required, so let's go ahead.

/unhold

[candita]

/retest

[lihongan]

/retest

[melvinjoseph86]

Tested using pre-merge image

mjoseph@mjoseph-mac Downloads % oc get clusterversion
NAME      VERSION                                                AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.19.0-0.test-2025-02-05-073412-ci-ln-vhr5t7t-latest   True        False         31m     Cluster version is 4.19.0-0.test-2025-02-05-073412-ci-ln-vhr5t7t-latest
mjoseph@mjoseph-mac Downloads % oc get crds | grep -e gateway.networking.k8s.io -e maistra.io

mjoseph@mjoseph-mac Downloads %  oc patch featuregates cluster -p '{"spec": {"featureSet": "TechPreviewNoUpgrade"}}' --type=merge
featuregate.config.openshift.io/cluster patched
mjoseph@mjoseph-mac Downloads % 
mjoseph@mjoseph-mac Downloads % 
mjoseph@mjoseph-mac Downloads % oc get featuregates cluster -oyaml | yq ".status.featureGates[0].enabled" | grep  GatewayAPI     
- name: GatewayAPI
mjoseph@mjoseph-mac Downloads % oc get featuregate/cluster -o yaml                                                              
apiVersion: config.openshift.io/v1
kind: FeatureGate
metadata:
  annotations:
    include.release.openshift.io/self-managed-high-availability: "true"
  creationTimestamp: "2025-02-05T07:48:04Z"
  generation: 2
  name: cluster
  resourceVersion: "52950"
  uid: 9d5f36db-dab7-4401-a52e-de998a14bdbf
spec:
  featureSet: TechPreviewNoUpgrade
status:
  featureGates:
  - disabled:
    - name: ClusterAPIInstall
    - name: ClusterAPIInstallIBMCloud
    - name: ClusterVersionOperatorConfiguration
    - name: EventedPLEG
    - name: Example2
    - name: MachineAPIMigration
    - name: MachineAPIOperatorDisableMachineHealthCheckController
    - name: MultiArchInstallAzure
    enabled:
    - name: AWSClusterHostedDNS
    - name: AWSEFSDriverVolumeMetrics
    - name: AdditionalRoutingCapabilities
    - name: AdminNetworkPolicy
    - name: AlibabaPlatform
    - name: AutomatedEtcdBackup
    - name: AzureWorkloadIdentity
    - name: BareMetalLoadBalancer
    - name: BootcNodeManagement
    - name: BuildCSIVolumes
    - name: CPMSMachineNamePrefix
    - name: ChunkSizeMiB
    - name: CloudDualStackNodeIPs
    - name: ClusterMonitoringConfig
    - name: ConsolePluginContentSecurityPolicy
    - name: DNSNameResolver
    - name: DisableKubeletCloudCredentialProviders
    - name: DynamicResourceAllocation
    - name: EtcdBackendQuota
    - name: Example
    - name: ExternalOIDC
    - name: GCPClusterHostedDNS
    - name: GCPLabelsTags
    - name: GatewayAPI
    - name: HardwareSpeed
    - name: HighlyAvailableArbiter
    - name: ImageStreamImportMode
    - name: IngressControllerDynamicConfigurationManager
    - name: IngressControllerLBSubnetsAWS
    - name: InsightsConfig
    - name: InsightsConfigAPI
    - name: InsightsOnDemandDataGather
    - name: InsightsRuntimeExtractor
    - name: KMSEncryptionProvider
    - name: KMSv1
    - name: MachineAPIProviderOpenStack
    - name: MachineConfigNodes
    - name: ManagedBootImages
    - name: ManagedBootImagesAWS
    - name: MaxUnavailableStatefulSet
    - name: MetricsCollectionProfiles
    - name: MinimumKubeletVersion
    - name: MixedCPUsAllocation
    - name: MultiArchInstallAWS
    - name: MultiArchInstallGCP
    - name: NetworkDiagnosticsConfig
    - name: NetworkLiveMigration
    - name: NetworkSegmentation
    - name: NewOLM
    - name: NodeDisruptionPolicy
    - name: NodeSwap
    - name: NutanixMultiSubnets
    - name: OVNObservability
    - name: OnClusterBuild
    - name: OpenShiftPodSecurityAdmission
    - name: PersistentIPsForVirtualization
    - name: PinnedImages
    - name: PlatformOperators
    - name: PrivateHostedZoneAWS
    - name: ProcMountType
    - name: RouteAdvertisements
    - name: RouteExternalCertificate
    - name: ServiceAccountTokenNodeBinding
    - name: SetEIPForNLBIngressController
    - name: SignatureStores
    - name: SigstoreImageVerification
    - name: TranslateStreamCloseWebsocketRequests
    - name: UpgradeStatus
    - name: UserNamespacesPodSecurityStandards
    - name: UserNamespacesSupport
    - name: VSphereControlPlaneMachineSet
    - name: VSphereDriverConfiguration
    - name: VSphereHostVMGroupZonal
    - name: VSphereMultiDisk
    - name: VSphereMultiNetworks
    - name: VSphereMultiVCenters
    - name: VSphereStaticIPs
    - name: ValidatingAdmissionPolicy
    - name: VolumeAttributesClass
    - name: VolumeGroupSnapshot
    version: 4.19.0-0.test-2025-02-05-073412-ci-ln-vhr5t7t-latest

mjoseph@mjoseph-mac Downloads % oc get nodes
NAME                                        STATUS                     ROLES                  AGE   VERSION
ip-10-0-29-241.us-west-1.compute.internal   Ready                      worker                 86m   v1.32.1
ip-10-0-33-106.us-west-1.compute.internal   Ready                      control-plane,master   92m   v1.32.1
ip-10-0-65-9.us-west-1.compute.internal     Ready                      worker                 86m   v1.32.1
ip-10-0-77-212.us-west-1.compute.internal   Ready,SchedulingDisabled   control-plane,master   92m   v1.32.1
ip-10-0-86-77.us-west-1.compute.internal    Ready                      control-plane,master   92m   v1.32.1
ip-10-0-89-219.us-west-1.compute.internal   Ready,SchedulingDisabled   worker                 86m   v1.32.1

mjoseph@mjoseph-mac Downloads % oc get nodes
NAME                                        STATUS   ROLES                  AGE    VERSION
ip-10-0-29-241.us-west-1.compute.internal   Ready    worker                 101m   v1.32.1
ip-10-0-33-106.us-west-1.compute.internal   Ready    control-plane,master   107m   v1.32.1
ip-10-0-65-9.us-west-1.compute.internal     Ready    worker                 101m   v1.32.1
ip-10-0-77-212.us-west-1.compute.internal   Ready    control-plane,master   107m   v1.32.1
ip-10-0-86-77.us-west-1.compute.internal    Ready    control-plane,master   107m   v1.32.1
ip-10-0-89-219.us-west-1.compute.internal   Ready    worker                 101m   v1.32.1
mjoseph@mjoseph-mac Downloads % oc get gatewayclass                      
NAME                CONTROLLER                        ACCEPTED   AGE
istio-remote        istio.io/unmanaged-gateway        True       13m
openshift-default   openshift.io/gateway-controller   True       14m

mjoseph@mjoseph-mac Downloads % oc -n openshift-operators get sub,csv,pod
NAME                                                    PACKAGE               SOURCE             CHANNEL
subscription.operators.coreos.com/servicemeshoperator   servicemeshoperator   redhat-operators   stable

NAME                                                                    DISPLAY                          VERSION   REPLACES                     PHASE
clusterserviceversion.operators.coreos.com/servicemeshoperator.v2.6.4   Red Hat OpenShift Service Mesh   2.6.4-0   servicemeshoperator.v2.6.3   Succeeded

NAME                                 READY   STATUS    RESTARTS   AGE
pod/istio-cni-node-v2-6-4nkvj        1/1     Running   1          29m
pod/istio-cni-node-v2-6-5fvnl        1/1     Running   1          29m
pod/istio-cni-node-v2-6-5hwsm        1/1     Running   1          29m
pod/istio-cni-node-v2-6-gv29b        1/1     Running   1          29m
pod/istio-cni-node-v2-6-qnlbr        1/1     Running   1          29m
pod/istio-cni-node-v2-6-trxbj        1/1     Running   1          29m
pod/istio-operator-b697c4c8c-9bwzk   1/1     Running   0          24m
mjoseph@mjoseph-mac Downloads % 
mjoseph@mjoseph-mac Downloads % 
mjoseph@mjoseph-mac Downloads % oc -n openshift-ingress get pod
NAME                                        READY   STATUS    RESTARTS   AGE
istiod-openshift-gateway-6f68c846bb-j79gd   1/1     Running   0          25m
router-default-cf4995fd8-59mkg              1/1     Running   0          24m
router-default-cf4995fd8-qklgt              1/1     Running   0          14m
mjoseph@mjoseph-mac Downloads % 
mjoseph@mjoseph-mac Downloads % 
mjoseph@mjoseph-mac Downloads % 
mjoseph@mjoseph-mac Downloads %  oc -n openshift-ingress get servicemeshcontrolplanes
NAME                READY   STATUS            PROFILES      VERSION   AGE
openshift-gateway   5/5     ComponentsReady   ["default"]   2.6.4     29m

mjoseph@mjoseph-mac Downloads % oc get crds | grep -e gateway.networking.k8s.io -e maistra.io
exportedservicesets.federation.maistra.io                         2025-02-05T09:08:36Z
gatewayclasses.gateway.networking.k8s.io                          2025-02-05T09:06:19Z
gateways.gateway.networking.k8s.io                                2025-02-05T09:06:19Z
httproutes.gateway.networking.k8s.io                              2025-02-05T09:06:19Z
importedservicesets.federation.maistra.io                         2025-02-05T09:08:36Z
referencegrants.gateway.networking.k8s.io                         2025-02-05T09:06:20Z
servicemeshcontrolplanes.maistra.io                               2025-02-05T09:08:12Z
servicemeshmemberrolls.maistra.io                                 2025-02-05T09:08:12Z
servicemeshmembers.maistra.io                                     2025-02-05T09:08:12Z
servicemeshpeers.federation.maistra.io                            2025-02-05T09:08:36Z
servicemeshpolicies.authentication.maistra.io                     2025-02-05T09:08:36Z
servicemeshrbacconfigs.rbac.maistra.io                            2025-02-05T09:08:36Z

mjoseph@mjoseph-mac Downloads % base_domain="$(oc get dnses.config/cluster -o jsonpath='{.spec.baseDomain}')"
mjoseph@mjoseph-mac Downloads % gwapi_domain="gwapi.${base_domain}"
mjoseph@mjoseph-mac Downloads % 
mjoseph@mjoseph-mac Downloads % mkdir /tmp/gwapi
mjoseph@mjoseph-mac Downloads % openssl req -x509 -newkey rsa:4096 -sha256 -days 365 -keyout /tmp/gwapi/ca.key -out /tmp/gwapi/ca.crt -nodes -subj '/C=US/ST=NC/L=Chocowinity/O=OS3/OU=Eng/CN=gwapi-ca' && openssl req -newkey rsa:4096 -nodes -sha256 -keyout /tmp/gwapi/wildcard.key -out /tmp/gwapi/wildcard.csr -subj "/C=US/ST=NC/L=Chocowinity/O=OS3/OU=Eng/CN=*.$gwapi_domain" && openssl x509 -req -days 365 -in /tmp/gwapi/wildcard.csr -CA /tmp/gwapi/ca.crt -CAcreateserial -CAkey /tmp/gwapi/ca.key -out /tmp/gwapi/wildcard.crt
..+....+..+.........+....+++++++++++++++++++++++++++++++++++++++++++++*........+..+.+..+....+.....+++++++++++++++++++++++++++++++++++++++++++++*............+......+.+.....+......................+.....+.+..............+...............+...+...+.+...+......+......+......+..+...+...+......+......+...+.+.........+.........+..+.+.........+..........................+....+.................................+..+...+............+......+.......+...+...+......+...+.....+...+...+....+...+.....+.......+...+...............+...+......+.....+.+..+.......+......+..............+..........+.....+......+...+.+...+............+.....+...+......+.+...........+.......+..+.+.........+.....+.............+..+..................+.+.....+...............+.........+..................+...............+.......+..+.........+............+............+.+......+...............+.........+............+..+......+....+..+.............+........+...+......+...+..........+.....+..................+....+....................+...+.......+...+...+.....+....+..............+....+............+...+......+.........+...........+......+.+..+......+......+.+..+..........+...+.........+...+..+....+.........+...+.....+....+.....+.........+............+.......+...+....................+....+..................+......+...........+......+....+.........+..+.......+........+....+........+.......+.....+...+............+.+.....+....+..............+............+...............+.......+......+.........+..+..........+..............+............+.........+.+.....+...+...................+........+...+.........+.......+...+............+......+++++
........+....................+.+..+...+......+....+.....+...............+....+..+.+............+......+..............+.......+.....+....+..+...+++++++++++++++++++++++++++++++++++++++++++++*....+....+..+.+.....+.......+.....+.+++++++++++++++++++++++++++++++++++++++++++++*.+..+...+.....................+...+......+.........+...............................+..+.......+..+...+.+..............+...+..........+...+......+......+.........+........+...+...+.......+........+....+........+.......+..................+..+.......+..............+.........+.+..+....+......+........+......+......+.......+..+..........+.....+..........+...+...........................+...........+...+.......+..+...+.........+....+...........+.+..............+...+.+........................+...........+......................+........+.......+............+........+....+.....+...................+..+.............+............+........+.+........+...+...............+.......+..+...+.+......+.....................+..+...+..........+..+.+......+.....+.+..+.+............+............+...+...+...........+....+......+...+..+......+...+................+.....+.+..+......+..........+..+............+..........+...+........+....+.......................+.......+...+.....+...........................+.......+.....+...............+......+.......+...+.....+.........+...+.+..+....+...+.....+.+............+.................+............+.........+.+...+...........+....+...+...+..+............+................+..............+++++
-----
.....+............+......................+.........+.....+............+...+.+...........+...+....+.....+..........+.....+...+....+......+.........+.....+.+........+.......+..+.+.....+.+........+................+...........+...+.+......+.....+...+++++++++++++++++++++++++++++++++++++++++++++*..+.+..+...+.......+...........+....+......+...........+.+..+..........+......+..+.......+...+++++++++++++++++++++++++++++++++++++++++++++*.........+............+.+......+..............+.+.........+...........+.+..............+......+....+.....+......+....+...+...+.................+.......+.........+.................+....+........+...............+.+.....+............+...+....+...+...+.........+...+.........+...+..+......+...+................+...+..........................+.+...+........+.......+...+.....+...+..........+......+...+..+...+...+.......+........+...+.+........+.+....................+......+......+.....................................+...........+.+..............+...............+.........+...+...+................+.....+................+.....+.......+..+...+.+.........+.....+.......+...............+.............................+.......+.....+.......+...+.....+.......+......+..+...+....+...............+...+..................+..+.........+.+........+.......+.....+..........+..+.+......+...+......+..............+...+.......+.................+.............+.....+...+...+.+......+.....+...................+.........+..+...+.......+........+..........+......+.....+.+...............+........+......+................+..+.+..............+................+..+....+......+..+.......+.....+....+..+...+....+...............+..+....+.....+.........+.+..+.........+....+..+.............+.........+..+................+.....+.........+.........+............+...+......+......+....+.....+......+.............+..............+................+.....+...................+..+....+.........+..+...+.+...........+...+...+...+....+............+...+...+..+.............+..+......+....+...+.....+............................+......+........+...+............................+..............+...+...+....+..+..........+.....+.........+...................+...........+.+...............+...+..+...+.+.....................+.....+.+.........+......+...+..+.............+......+...+..+........................+.........+......+.+......+...+.....+.+...+...........+......+.+++++
..+.+........+....+...+..............+......+.......+...+..+.+..............+...+..........+.......................+.+........+.+++++++++++++++++++++++++++++++++++++++++++++*.....+.+...+..+...+......+....+..+....+.........+...+.....+............+.+..+...+.+......+...+.........+......+...............+.........+...........+....+..+....+..+..........+...+..+.......+..+..................+...+...+....+..+...+.+...........+.+........+.+...+.....+......+.+...+++++++++++++++++++++++++++++++++++++++++++++*.+...+...........+..........+.....+.+.....+...+.+...........+.......+...+.....+....+...+........+.......+...+...............+..+......+.........+......+.......+.............................+...+...............+......+.+...........+....+...............+......+..+...+...............+.........+....+..+.......+.....................+..+......................+..+.+.........+......+............+...+..+......+....+..+.+........+.......+.....+...................+.........+.........+..+..................+...+..............................+...+....+...+..................+..............+..........+...+..+.+.....+......+...+..........+........+...+.+...+......+............+.........+.....+...+...............+.+..+...+.........+......+.......+...+..+............+..........+......+...............+........................+......+................................+..................+......................+.....+...................+........+...+.........+..........+........+.+......+........+..........+..+.............+.....+.......+...+.....+......+.+......+.....+.......+......+.....+.+.........+......+....................+...............+.+...+.........+.....+...+...+.........................+...............+...........+...+......+......+.........+...................+..................+.....+...+.......+...+.....+.......+...+.....+.+......+.........+..........................+.............+..+....+........+.+.....................+........+......+....+............+.....+.+...+.....+.........+...............+.......+...+.....+......+.+.....+....+...........+.+.....+.......+...........+....+..+....+.........+........+....+...+...............+........+.......+...........+......+.+..+......+....+.................+.+..............+....+.........+.....+.+...............+..+....+......+.........+......+..+.............+.....+....+.........+........................+......+.....+....+.....+......+....+..+.+...+......+.....+....+...........+.....................+...+....+......+..+...............+....+...........+..........+..+.+.....+.+.....+.+....................+.............+...........+...+...+++++
-----
Certificate request self-signature ok
subject=C=US, ST=NC, L=Chocowinity, O=OS3, OU=Eng, CN=*.gwapi.ci-ln-vhr5t7t-76ef8.aws-2.ci.openshift.org
mjoseph@mjoseph-mac Downloads % 
mjoseph@mjoseph-mac Downloads % 
mjoseph@mjoseph-mac Downloads % oc -n openshift-ingress create secret tls gwapi-wildcard --cert=/tmp/gwapi/wildcard.crt --key=/tmp/gwapi/wildcard.key
secret/gwapi-wildcard created
mjoseph@mjoseph-mac Downloads % oc create -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: gateway
  namespace: openshift-ingress
spec:
  gatewayClassName: openshift-default
  listeners:
  - name: http
    hostname: "*.$gwapi_domain"
    port: 80
    protocol: HTTP
    allowedRoutes:
      namespaces:
        from: All
  - name: https
    hostname: "*.$gwapi_domain"
    port: 443
    protocol: HTTPS
    tls:
      mode: Terminate
      certificateRefs:
      - name: gwapi-wildcard
    allowedRoutes:
      namespaces:
        from: All
EOF
gateway.gateway.networking.k8s.io/gateway created


mjoseph@mjoseph-mac Downloads % oc -n openshift-ingress get svc,pod
NAME                                TYPE           CLUSTER-IP       EXTERNAL-IP                                                               PORT(S)                                          AGE
service/gateway-openshift-default   LoadBalancer   172.30.199.104   a7a288b44896b4205b8a8efaa51f029f-1050173848.us-west-1.elb.amazonaws.com   15021:30091/TCP,80:32745/TCP,443:32053/TCP       11s
service/istiod-openshift-gateway    ClusterIP      172.30.134.94    <none>                                                                    15010/TCP,15012/TCP,443/TCP,15014/TCP,8188/TCP   31m
service/router-default              LoadBalancer   172.30.14.184    a405da9d8c93b472ba7edd8858668812-1942401445.us-west-1.elb.amazonaws.com   80:31448/TCP,443:31249/TCP                       108m
service/router-internal-default     ClusterIP      172.30.142.237   <none>                                                                    80/TCP,443/TCP,1936/TCP                          108m

NAME                                            READY   STATUS    RESTARTS   AGE
pod/gateway-openshift-default-c97c44584-cl9db   1/1     Running   0          12s
pod/istiod-openshift-gateway-6f68c846bb-j79gd   1/1     Running   0          26m
pod/router-default-cf4995fd8-59mkg              1/1     Running   0          26m
pod/router-default-cf4995fd8-qklgt              1/1     Running   0          16m
mjoseph@mjoseph-mac Downloads % oc -n openshift-ingress get gateway
NAME      CLASS               ADDRESS                                                                   PROGRAMMED   AGE
gateway   openshift-default   a7a288b44896b4205b8a8efaa51f029f-1050173848.us-west-1.elb.amazonaws.com   True         14s

mjoseph@mjoseph-mac Downloads % oc new-project gwapi-test
Now using project "gwapi-test" on server "https://api.ci-ln-vhr5t7t-76ef8.aws-2.ci.openshift.org:6443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app rails-postgresql-example

to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application:

    kubectl create deployment hello-node --image=registry.k8s.io/e2e-test-images/agnhost:2.43 -- /agnhost serve-hostname

mjoseph@mjoseph-mac Downloads % 
mjoseph@mjoseph-mac Downloads % 
mjoseph@mjoseph-mac Downloads % oc create -f https://raw.githubusercontent.com/lihongan/test-scripts/refs/heads/master/GatewayAPI/web-server-deploy.yaml
deployment.apps/web-server created
service/service-unsecure created
service/service-secure created
mjoseph@mjoseph-mac Downloads % 
mjoseph@mjoseph-mac Downloads % 
mjoseph@mjoseph-mac Downloads % 
mjoseph@mjoseph-mac Downloads % oc create -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: myroute
spec:
  parentRefs:
  - name: gateway
    namespace: openshift-ingress
  hostnames: ["test.$gwapi_domain"]
  rules:
  - backendRefs:
    - name: service-unsecure
      port: 27017
EOF

httproute.gateway.networking.k8s.io/myroute created
mjoseph@mjoseph-mac Downloads % 
mjoseph@mjoseph-mac Downloads % 
mjoseph@mjoseph-mac Downloads % oc get httproute
NAME      HOSTNAMES                                                   AGE
myroute   ["test.gwapi.ci-ln-vhr5t7t-76ef8.aws-2.ci.openshift.org"]   4s


mjoseph@mjoseph-mac Downloads % curl http://test.$gwapi_domain/
curl: (6) Could not resolve host: test.gwapi.ci-ln-vhr5t7t-76ef8.aws-2.ci.openshift.org
mjoseph@mjoseph-mac Downloads % curl http://test.gwapi.ci-ln-vhr5t7t-76ef8.aws-2.ci.openshift.org
mjoseph@mjoseph-mac Downloads %  curl --cacert /tmp/gwapi/ca.crt "https://test.$gwapi_domain/" -v
* Could not resolve host: test.gwapi.ci-ln-vhr5t7t-76ef8.aws-2.ci.openshift.org
* Closing connection
curl: (6) Could not resolve host: test.gwapi.ci-ln-vhr5t7t-76ef8.aws-2.ci.openshift.org

mjoseph@mjoseph-mac Downloads % curl -Ik http://a7a288b44896b4205b8a8efaa51f029f-1050173848.us-west-1.elb.amazonaws.com
HTTP/1.1 404 Not Found
date: Wed, 05 Feb 2025 09:50:43 GMT
server: istio-envoy
transfer-encoding: chunked


mjoseph@mjoseph-mac Downloads % curl http://test.$gwapi_domain/
Hello-OpenShift web-server-57c5b9c87b-pqdpw http-8080
mjoseph@mjoseph-mac Downloads % curl --cacert /tmp/gwapi/ca.crt "https://test.$gwapi_domain/" -v
* Host test.gwapi.ci-ln-vhr5t7t-76ef8.aws-2.ci.openshift.org:443 was resolved.
* IPv6: (none)
* IPv4: 54.183.38.218, 52.52.240.209
*   Trying 54.183.38.218:443...
* Connected to test.gwapi.ci-ln-vhr5t7t-76ef8.aws-2.ci.openshift.org (54.183.38.218) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /tmp/gwapi/ca.crt
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: C=US; ST=NC; L=Chocowinity; O=OS3; OU=Eng; CN=*.gwapi.ci-ln-vhr5t7t-76ef8.aws-2.ci.openshift.org
*  start date: Feb  5 09:39:10 2025 GMT
*  expire date: Feb  5 09:39:10 2026 GMT
*  common name: *.gwapi.ci-ln-vhr5t7t-76ef8.aws-2.ci.openshift.org (matched)
*  issuer: C=US; ST=NC; L=Chocowinity; O=OS3; OU=Eng; CN=gwapi-ca
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://test.gwapi.ci-ln-vhr5t7t-76ef8.aws-2.ci.openshift.org/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: test.gwapi.ci-ln-vhr5t7t-76ef8.aws-2.ci.openshift.org]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: test.gwapi.ci-ln-vhr5t7t-76ef8.aws-2.ci.openshift.org
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
< HTTP/2 200 
< server: istio-envoy
< date: Wed, 05 Feb 2025 09:52:41 GMT
< content-type: text/html
< content-length: 54
< last-modified: Wed, 05 Feb 2025 09:40:03 GMT
< etag: "67a331f3-36"
< accept-ranges: bytes
< x-envoy-upstream-service-time: 0
< 
Hello-OpenShift web-server-57c5b9c87b-pqdpw http-8080
* Connection #0 to host test.gwapi.ci-ln-vhr5t7t-76ef8.aws-2.ci.openshift.org left intact

It take some time after the route creation to get curl to that route.
/label qe-approved

[openshift-ci-robot]

@rfredette: This pull request references NE-1871 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target either version "4.19." or "openshift-4.19.", but it targets "4.18.0" instead.

In response to this:

Enhancement: Gateway API with Cluster Ingress Operator

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[candita]

This is a critical dependency for Gateway API feature work.

/label acknowledge-critical-fixes-only

[candita]

/jira refresh

[openshift-ci-robot]

@candita: This pull request references NE-1871 which is a valid jira issue.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@rfredette: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-bot]

[ART PR BUILD NOTIFIER]

Distgit: ose-cluster-config-api
This PR has been included in build ose-cluster-config-api-container-v4.19.0-202502180408.p0.g913eae8.assembly.stream.el9.
All builds following this will include this PR.