This repository has been archived by the owner on Mar 19, 2024. It is now read-only.

Namespace selector for allowedRoutes is applied to route instead of namespace #117

Closed
nathancoleman opened this issue Mar 8, 2022 · 0 comments · Fixed by #119
Labels
theme/k8s-gateway-api Related to the Kubernetes Gateway API standard type/bug Something isn't working

Comments

@nathancoleman
Member

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Overview of the Issue

The Gateway API spec specifies for RouteNamespaces.selector that

Selector must be specified when From is set to “Selector”. In that case, only Routes in Namespaces matching this Selector will be selected by this Gateway.

This means that the label selector must match the namespace of the route, not the route itself.

The current implementation of the controller compares the labels on the route itself where it should be comparing against the labels on the namespace containing the route:

    case gw.NamespacesFromSelector:
        ns, err := metav1.LabelSelectorAsSelector(namespaceSelector.Selector)
        if err != nil {
            return false, fmt.Errorf("error parsing label selector: %v", err)
        }
        // The label set passed to Matches is built from route.GetLabels(),
        // i.e. the labels on the route rather than on its namespace.
        return ns.Matches(toNamespaceSet(route.GetNamespace(), route.GetLabels())), nil

Reproduction Steps

  1. Create a Gateway in one namespace with a selector for namespaces w/ label (code)

  2. Create HTTPRoute (code) in a different Namespace (code) where the labels on the Namespace match the selector on the Gateway

  3. Observe that route never attaches to gateway:

    kubectl get gateway other-namespace -o yaml

Logs

2022-03-08T20:17:46.926Z [TRACE] memory/store.go:191: consul-api-gateway-server.state: detected route state change: id=http-other-namespace/other-namespace-backend-route
2022-03-08T20:17:46.926Z [TRACE] memory/gateway.go:53: consul-api-gateway-server.state: checking if route can bind to gateway: gateway.consul.namespace="" gateway.consul.service=other-namespace route=http-other-namespace/other-namespace-backend-route
2022-03-08T20:17:46.926Z [TRACE] memory/gateway.go:58: consul-api-gateway-server.state: checking if route can bind to listener: gateway.consul.namespace="" gateway.consul.service=other-namespace listener=http route=http-other-namespace/other-namespace-backend-route
2022-03-08T20:17:46.926Z [TRACE] reconciler/listener.go:320: consul-api-gateway-server.k8s.Reconciler.gateway.listener: checking route parent ref: listener=http name=other-namespace namespace=consul name=other-namespace
2022-03-08T20:17:46.926Z [TRACE] reconciler/listener.go:323: consul-api-gateway-server.k8s.Reconciler.gateway.listener: checking gateway match: listener=http name=other-namespace namespace=consul expected=consul/other-namespace found=consul/other-namespace
2022-03-08T20:17:46.926Z [TRACE] reconciler/listener.go:344: consul-api-gateway-server.k8s.Reconciler.gateway.listener: checking listener match: listener=http name=other-namespace namespace=consul expected=http found=<nil>
2022-03-08T20:17:46.926Z [TRACE] reconciler/listener.go:362: consul-api-gateway-server.k8s.Reconciler.gateway.listener: route not allowed because of listener namespace policy: listener=http name=other-namespace namespace=consul route=http-other-namespace/other-namespace-backend-route
2022-03-08T20:17:46.940Z [TRACE] reconciler/gateway.go:416: consul-api-gateway-server.k8s.Reconciler.gateway: created or updated gateway service: name=other-namespace namespace=consul

Expected behavior

HTTPRoute should successfully attach to Gateway

Environment details

Additional Context

@nathancoleman nathancoleman added type/bug Something isn't working theme/k8s-gateway-api Related to the Kubernetes Gateway API standard labels Mar 8, 2022
@nathancoleman nathancoleman changed the title Route labels are compared for allowedRoutes where namespace labels should instead be used Namespace selector for allowedRoutes is applied to route instead of namespace Mar 8, 2022
@nathancoleman nathancoleman self-assigned this Mar 8, 2022
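
The following is an added example, not code from the issue or from the consul-api-gateway project. It contrasts evaluating the selector against route labels (the reported behaviour) with evaluating it against the labels of the route's namespace (the behaviour the spec text describes). The `Route` type, the `matches` helper, the `gateway-access` label, and the namespace and route names are all hypothetical, and only `matchLabels`-style selectors are modelled.

```go
package main

import "fmt"

// Route is a constructed, simplified stand-in for an HTTPRoute.
type Route struct {
	Name, Namespace string
	Labels          map[string]string
}

// matches reports whether every key/value pair in selector is present in
// labels (matchLabels semantics only; matchExpressions is not modelled).
func matches(selector, labels map[string]string) bool {
	for k, v := range selector {
		if got, ok := labels[k]; !ok || got != v {
			return false
		}
	}
	return true
}

// allowedByRouteLabels mirrors the reported behaviour: selector vs. the route's own labels.
func allowedByRouteLabels(selector map[string]string, r Route) bool {
	return matches(selector, r.Labels)
}

// allowedByNamespaceLabels evaluates the selector against the labels of the
// namespace containing the route; an unknown namespace is rejected.
func allowedByNamespaceLabels(selector map[string]string, r Route, nsLabels map[string]map[string]string) bool {
	labels, ok := nsLabels[r.Namespace]
	return ok && matches(selector, labels)
}

// Constructed sample data: names and the label key are hypothetical.
var (
	selector = map[string]string{"gateway-access": "true"}
	nsLabels = map[string]map[string]string{
		"team-a": {"gateway-access": "true"},
		"team-b": {},
	}
	inLabelledNS = Route{Name: "a-route", Namespace: "team-a"}
	selfLabelled = Route{Name: "b-route", Namespace: "team-b", Labels: map[string]string{"gateway-access": "true"}}
)

func main() {
	for _, r := range []Route{inLabelledNS, selfLabelled} {
		fmt.Printf("%s/%s byRoute=%v byNamespace=%v\n", r.Namespace, r.Name, allowedByRouteLabels(selector, r), allowedByNamespaceLabels(selector, r, nsLabels))
	}
}
```

Both cases are worth keeping as regression checks for a fix: the unlabelled route in a labelled namespace must attach, and the decision must not follow labels set on the route object itself.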