feat: Kubernetes Gateway API backend (experimental) #65
Merged
danieloliveira079 merged 7 commits into main on Mar 27, 2026
Adds octops.io/router-backend: gateway as an opt-in alternative to the default Ingress backend. When set, the controller creates one HTTPRoute per GameServer instead of an Ingress, attaching it to a pre-provisioned shared Gateway. TLS is terminated at the Gateway listener, avoiding per-server cert-manager certificates and Let's Encrypt rate limits.
- pkg/gameserver: RouterBackend type, GetRouterBackend(), and new gateway-related annotation constants
- pkg/record: HTTPRouteKind constant and RecordWarning for no-op annotation warnings in gateway mode
- pkg/reconcilers: GatewayReconciler + functional options (WithHTTPRouteParentRef, WithHTTPRouteRules for domain/path modes, WithCustomHTTPRouteAnnotations*)
- pkg/stores: gatewayStore wrapping gateway-api client + informer; wired into composite Store via rest.Config
- pkg/handlers: dispatch to GatewayReconciler when router-backend=gateway
- go.mod: add sigs.k8s.io/gateway-api v1.5.1
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The gateway backend requires list/get/create/delete/watch on gateway.networking.k8s.io/httproutes.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- examples/gateway/fleet-{domain,path}.yaml: opt-in gateway backend
with octops/gameserver-http:latest (containerPort 8088) and http
section name for HTTP-only Gateway listeners
- examples/gateway/gateway.yaml: shared Gateway resource with http and
https listeners; gatewayClassName updated to contour (provisioner)
- examples/fleet-{domain,path}.yaml: switch default image to
octops/gameserver-http:latest
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
setup-infra.sh:
- cert-manager v1.17.1 → v1.20.0
- install Gateway API CRDs (experimental channel, server-side apply)
- patch TLSRoute/v1alpha2 and BackendTLSPolicy/v1alpha3 for Contour v1.32.1 compatibility
- install Contour Gateway Provisioner alongside standard Contour
- apply GatewayClass and an HTTP Gateway in the default namespace
teardown-infra.sh:
- delete Gateway resources and HTTPRoutes before namespace teardown
- remove Gateway Provisioner and Gateway API CRDs
- force-finalize stuck Terminating namespaces (load-balancer finalizer on Docker Desktop causes hangs without this)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
README.md:
- Gateway API section with prerequisites, Contour setup (ingress vs gateway, side-by-side operation), annotation reference, HTTPRoute output examples, and experimental status notice
- cert-manager version updated to v1.20.0
- Contour install section split by backend with explicit commands
AGENTS.md:
- Gateway API Backend section: design decisions, known CRD compatibility workarounds for Contour v1.32.1 + Gateway API v1.5.1, full install steps with required flags
- Local Development section: make run workflow, hack script overview
- Gateway API Experimental Status section: sharp edges for future agents (containerPort 8088, Docker Desktop port-forward, CRD patches)
- deploy/ layout updated to show gateway/ and cert-manager/ split
docs/gateway-api-support-plan.md: updated plan reflecting final design
Makefile: fix make run to mount config.yml (was k3s.yaml)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The Contour Gateway Provisioner creates Contour+Envoy pods in the same
namespace as the Gateway resource. Placing the Gateway in `default`
pollutes the application namespace with infrastructure pods.
- hack/setup-infra.sh: create octops-gateway namespace; deploy Gateway
there with allowedRoutes.namespaces.from: All so HTTPRoutes in default
can still attach
- hack/teardown-infra.sh: include octops-gateway in namespace cleanup
- examples/gateway/gateway.yaml: namespace octops-gateway, allowedRoutes
from: All on both listeners
- examples/gateway/fleet-{domain,path}.yaml: add
octops.io/gateway-namespace: octops-gateway annotation so the
controller sets the correct parentRef namespace in each HTTPRoute
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
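
The commit that moves the Gateway into `octops-gateway` sets `allowedRoutes.namespaces.from: All` on both listeners, which lets an HTTPRoute in any namespace attach to the shared Gateway and serve hostnames or paths behind its certificate. The manifest below is an added example, not the PR's `examples/gateway/gateway.yaml`: it keeps cross-namespace attachment from `default` but narrows it with a namespace selector. The Gateway name, ports, hostname and Secret name are assumptions, as is the premise that fleets run only in `default`.

```yaml
# Added example: values marked "assumed" are not taken from the PR.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: octops-gateway            # assumed name
  namespace: octops-gateway       # infrastructure namespace from the commit
spec:
  gatewayClassName: contour
  listeners:
    - name: http
      protocol: HTTP
      port: 80                    # assumed
      allowedRoutes:
        namespaces:
          # Was `from: All`: any namespace in the cluster could attach routes.
          from: Selector
          selector:
            matchLabels:
              # Set by the API server on every namespace; matches only `default`.
              kubernetes.io/metadata.name: default
    - name: https
      protocol: HTTPS
      port: 443                   # assumed
      hostname: "*.example.com"   # assumed wildcard hostname
      tls:
        mode: Terminate
        certificateRefs:
          - name: wildcard-example-com-tls   # assumed Secret in octops-gateway
      allowedRoutes:
        namespaces:
          from: Selector
          selector:
            matchLabels:
              kubernetes.io/metadata.name: default
```

An HTTPRoute in a namespace the selector does not match reports `Accepted=False` with reason `NotAllowedByListeners`.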
Summary
- `octops.io/router-backend: gateway` as an opt-in alternative to the default Ingress backend
- `HTTPRoute` per `GameServer` (instead of `Ingress`), attaching it to a pre-provisioned shared `Gateway`
- `Gateway` listener using a single wildcard/hostname certificate — no per-server cert-manager requests, no Let's Encrypt rate limits
- `domain` and `path` routing modes are supported, matching the existing Ingress behaviour
Changes
- `pkg/`: `GatewayReconciler`, `gatewayStore`, functional options, `GetRouterBackend()` helper, `RecordWarning` event method
- `deploy/install.yaml`: added `httproutes` RBAC to the controller `ClusterRole`
- `deploy/gateway/gatewayclass.yaml`: `GatewayClass` for Contour Gateway Provisioner
- `examples/gateway/`: `gateway.yaml`, `certificate.yaml`, `fleet-domain.yaml`, `fleet-path.yaml`
- `hack/`: `setup-infra.sh` and `teardown-infra.sh` updated to install Gateway API CRDs, Contour Gateway Provisioner, and apply the required CRD patches for Contour v1.32.1 compatibility
- `README.md`: new Gateway API section with prerequisites, setup, annotation reference, and experimental notice
- `AGENTS.md`: local dev workflow, gateway sharp edges, updated deploy layout
Validation
Tested end-to-end on a local Docker Desktop cluster:
Gateway status: `PROGRAMMED: True`. All `HTTPRoute`s: `Accepted=True`, `ResolvedRefs=True`. Envoy routes each request to the correct game server.
Test plan
- `hack/setup-infra.sh` runs clean on a fresh cluster
- `examples/gateway/fleet-domain.yaml` — verify one `HTTPRoute` per `GameServer`, `Accepted=True`
- `examples/gateway/fleet-path.yaml` — verify path-based `HTTPRoute` per `GameServer`
- `curl` with correct `Host` header reaches the right game server in both modes
- `GameServer` cascades to `HTTPRoute` and `Service` cleanup via owner references
🤖 Generated with Claude Code