Skip to content

feat: add listenerset#24993

Open
0xmeyer wants to merge 3 commits into
coder:mainfrom
0xmeyer:main
Open

feat: add listenerset#24993
0xmeyer wants to merge 3 commits into
coder:mainfrom
0xmeyer:main

Conversation

@0xmeyer

@0xmeyer 0xmeyer commented May 6, 2026

Copy link
Copy Markdown

Adds support for Gateway API ListenerSet.

This PR was validated using kgateway-v2.3.0-main using the following values:

coder:
  image:
    tag: v2.31.11
  listenerset:
    enable: true
    annotations:
      cert-manager.io/cluster-issuer: my-cluster-issuer
      cert-manager.io/private-key-algorithm: ECDSA
      cert-manager.io/private-key-size: "384"
    parentRef:
      name: shared-internal-gateway
      namespace: kgateway-system
    listeners:
    - name: http
      hostname: "chart-example.local"
      port: 80
      protocol: HTTP
    - name: http-wildcard
      hostname: "*.chart-example.local"
      port: 80
      protocol: HTTP
    - name: https
      hostname: "*.chart-example.local"
      port: 443
      protocol: HTTPS
      tls:
        mode: Terminate
        certificateRefs:
          - name: chart-example-tls
    - name: https-wildcard
      hostname: "chart-example.local"
      port: 443
      protocol: HTTPS
      tls:
        mode: Terminate
        certificateRefs:
          - name: chart-example-tls
  httproute:
    enable: true
    parentRefs:
    - kind: ListenerSet
      name: coder
      port: 443
    host: "chart-example.local"
    wildcardHost: "*.chart-example.local"
    httpsRedirect:
      enable: true
      parentRefs:
      - kind: ListenerSet
        name: coder
        port: 80

Validate:

$ GW_ADDR=$(kubectl get svc -n kgateway-system shared-internal-gateway -o=jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}")

$ curl -so /dev/null -w "%{http_code}" --resolve chart-example.local:80:${GW_ADDR} http://chart-example.local
308

$ curl -L --resolve chart-example.local:80:${GW_ADDR} http://chart-example.local/api/v2/buildinfo
{"external_url":"https://github.com/coder/coder/commit/49be5f31d35ff8beac0c0f489bdcf7a2e4d24872","version":"v2.31.11+49be5f3","dashboard_url":"http://coder.dev-ome.svc.cluster.local","telemetry":true,"workspace_proxy":false,"agent_api_version":"1.0","provisioner_api_version":"1.15","upgrade_message":"","deployment_id":"8e5917d5-7fea-4658-b7d9-0f3b3e99b861"}

$ curl --resolve chart-example.local:443:${GW_ADDR} https://chart-example.local/api/v2/buildinfo
{"external_url":"https://github.com/coder/coder/commit/49be5f31d35ff8beac0c0f489bdcf7a2e4d24872","version":"v2.31.11+49be5f3","dashboard_url":"http://coder.dev-ome.svc.cluster.local","telemetry":true,"workspace_proxy":false,"agent_api_version":"1.0","provisioner_api_version":"1.15","upgrade_message":"","deployment_id":"8e5917d5-7fea-4658-b7d9-0f3b3e99b861"}

@github-actions github-actions Bot added the community Pull Requests and issues created by the community. label May 6, 2026
@github-actions

github-actions Bot commented May 6, 2026
edited
Loading

Copy link
Copy Markdown

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.

@0xmeyer

0xmeyer commented May 6, 2026

Copy link
Copy Markdown
Author

I have read the CLA Document and I hereby sign the CLA

cdrci2 added a commit to coder/cla that referenced this pull request May 6, 2026
@cdrci2
@0xmeyer has signed the CLA in coder/coder#24993
6f1ceea
@0xmeyer 0xmeyer marked this pull request as ready for review May 6, 2026 10:44
@bpmct Coder

bpmct commented May 6, 2026

Copy link
Copy Markdown
Member

thanks for putting this together — nice that you validated end-to-end against kgateway in the description. a few things i'd want addressed before this merges:

bugs

  • httproute.yaml: the --- separator is outside the redirect's if block, so when httpsRedirect.enable: false the rendered output still has a trailing empty doc. it should be inside the conditional
  • listenerset.yaml: parentRef is required by the gateway api spec but nothing enforces it. if someone sets listenerset.enable: true and forgets parentRef, you'll render parentRef: with no content and only catch it at apply time. same goes for httpsRedirect.parentRefs. a fail with a friendly message would be nicer
  • values.yaml: the helm-doc tag says coder.listenerset.parentRefs (plural), but the actual key below is parentRef (singular). the commented example also isn't indented under parentRef:, so copy-pasting it won't work
  • minor: 3-space indent on the labels line in listenerset.yaml vs 4 everywhere else. nindent masks it at runtime but the source is inconsistent

gaps

  • no tests. there's a thorough golden-file suite in helm/coder/tests/ with cases for every other feature (tls, sa, ingress variants, etc.), and this PR adds 100+ lines of new template with zero coverage. should add at least a listenerset and httproute_redirect test case + golden
  • worth a note in the values.yaml comments about gateway api version requirements. ListenerSet only graduated to standard gateway.networking.k8s.io/v1 in gateway api v1.5 (april 2026). anyone on v1.4 or earlier is still on XListenerSet under gateway.networking.x-k8s.io/v1alpha1, plus the parent gateway needs allowedListeners set. people on older clusters will hit confusing failures otherwise
  • nit: i'd split the redirect into its own httproute_redirect.yaml rather than mixing it into httproute.yaml. easier to reason about and consistent with how ingress.yaml is its own file

Comment posted by Coder Agents on behalf of @bpmct

@0xmeyer

0xmeyer commented May 7, 2026

Copy link
Copy Markdown
Author

Hi @bpmct,

thanks for the review.

the --- separator is outside the redirect's if block ...

fixed.

parentRef is required by the gateway api spec but nothing enforces it ...

Added parentRef / parentRefs validation for both HTTPRoute objects and the ListenerSet object.

the helm-doc tag says coder.listenerset.parentRefs (plural), but the actual key below is parentRef (singular)

fixed.

minor: 3-space indent on the labels line in listenerset.yaml

fixed.

no tests.

I've never written Helm tests before. If they're needed, I'll take a closer look.

worth a note in the values.yaml comments about gateway api version requirements.

done.

nit: i'd split the redirect into its own httproute_redirect.yaml rather than mixing it into httproute.yaml.

I don't agree with that, since these two resources belong together. However, if you'd still like me to, I can put the redirect route in a separate file.

@bpmct

bpmct commented May 7, 2026

Copy link
Copy Markdown
Member

Thanks! Giving this a shot on my machine now, then will likely flag for someone else on the dev team to review too!

@github-actions github-actions Bot added the stale This issue is like stale bread. label May 17, 2026
@0xmeyer

0xmeyer commented May 19, 2026

Copy link
Copy Markdown
Author

Hi @bpmct, any updates?

@github-actions github-actions Bot removed the stale This issue is like stale bread. label May 20, 2026
@matifali matifali requested review from bpmct and rowansmithau May 26, 2026 10:51
rowansmithau
rowansmithau requested changes May 28, 2026
View reviewed changes

@rowansmithau rowansmithau left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hey @0xmeyer thanks for the contribution. I've added some review notes if you could take a look at those please.

on the tests, if you take a look at https://github.com/coder/coder/blob/main/helm/coder/tests/testdata/host_aliases.yaml (and the others in that directory) you will get an idea of the required structure. those test files are used to generate the .golden files which are used across version/code changes for comparison.

Comment thread helm/coder/templates/httproute.yaml
@@ -1,3 +1,11 @@
{{- if and .Values.coder.httproute.enable (empty .Values.coder.httproute.parentRefs) -}}
{{- fail "coder.httproute.parentRefs is required when coder.httproute.enable=true" -}}

@rowansmithau rowansmithau May 28, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a reason why parentRefs are now being enforced? this would be a potentially breaking change for existing users from the way it was previously implemented by @bpmct and according to https://github.com/kubernetes-sigs/gateway-api/blob/main/apis/v1/shared_types.go#L179-L259, parentRefs are optional.

➜  coder git:(0xmeyer/main) ✗ helm template coder . --set coder.httproute.enable=true 
Error: execution error at (coder/templates/httproute.yaml:2:4): coder.httproute.parentRefs is required when coder.httproute.enable=true

Use --debug flag to render out invalid YAML

➜  coder git:(0xmeyer/main) ✗ helm template coder coder-v2/coder --set coder.httproute.enable=true | head -n5
---
# Source: coder/templates/coder.yaml
apiVersion: v1
kind: ServiceAccount
metadata:

Comment thread helm/coder/templates/listenerset.yaml
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.coder.listenerset.listeners }}
listeners:

@rowansmithau rowansmithau May 28, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this looks to be the inverse of httproute.parentRefs in that a populated listeners block is required per the spec with the +required notation. You can render a chart without it, i.e,

helm template coder . --set coder.image.tag=v2.34.0 --set coder.httproute.enable=true --set "coder.httproute.parentRefs[0].name=fake-gateway"  --set "coder.httproute.parentRefs[0].namespace=fake-ns" --set coder.listenerset.enable=true --set "coder.listenerset.parentRef.name=fake-gateway" --set "coder.listenerset.parentRef.namespace=fake-ns"

but it may cause issues at apply/install time, so should have a safeguard like httproute does.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rowansmithau rowansmithau rowansmithau requested changes

@bpmct bpmct Awaiting requested review from bpmct

Requested changes must be addressed to merge this pull request.

Assignees

@0xmeyer 0xmeyer

Labels

community Pull Requests and issues created by the community.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@0xmeyer @bpmct @rowansmithau