
feat: support allowed gateways in tenant namespace rules#1890

Draft
Copilot wants to merge 2 commits into main from copilot/feature-1885-implementation

Conversation


Copilot AI commented Mar 20, 2026

Capsule previously only restricted GatewayClass usage at the tenant level. This adds per-namespace enforcement of which Gateway objects HTTPRoute resources may reference, plus optional default Gateway injection.

New types (pkg/api/gateway_rule.go)

  • GatewayNamespacedName — namespaced ref to a Gateway
  • AllowedGatewaySpec — explicit allow list, label selector, and optional default Gateway
  • GatewayRuleSpec — top-level gateway enforcement rule for a namespace

API extension

  • NamespaceRuleEnforceBody gains a gateways *GatewayRuleSpec field; gateway rules use last-wins merge semantics across matching namespace rules (consistent with how a single constraint is applied, vs. registries which aggregate)

HTTPRoute validation webhook (internal/webhook/httproute/)

  • Validates HTTPRoute.spec.parentRefs against the resolved namespace rule; denies routes referencing Gateways not in the allow list or label selector
  • Follows the TypedTenantWithRulesetHandler pattern used by pod/registry validation

HTTPRoute default mutation (internal/webhook/defaults/httproute.go)

  • Injects the configured default Gateway parentRef when an HTTPRoute has no parentRefs

Helm chart

  • Added httproutes validating and mutating webhook configs (mirroring the gateways structure)
  • Added missing reinvocationPolicy to existing gateways mutating webhook values
  • Updated CRD schemas for tenants and rulestatuses

Example

spec:
  rules:
    - enforce:
        gateways:
          gateway:
            default:
              name: tenant-default
              namespace: tenant-system-ns
            matchLabels:
              env: production
            allowed:
              - name: my-gateway
                namespace: gateway-ns

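The enforcement the PR describes, as an added Go illustration that is not the PR's own code: the types are minimal stand-ins for GatewayNamespacedName, AllowedGatewaySpec and GatewayRuleSpec, the Gateway label lookup is a plain map instead of an API read, and an absent selector is assumed to match nothing so an empty rule fails closed.

```go
package main

import "fmt"

type GatewayNamespacedName struct{ Name, Namespace string } // stand-ins for the PR's types, not its definitions
type AllowedGatewaySpec struct {
	Allowed     []GatewayNamespacedName // explicit allow list
	MatchLabels map[string]string       // label selector; nil/empty is treated as "no selector" here (assumption)
	Default     *GatewayNamespacedName  // injected when an HTTPRoute has no parentRefs
}
type GatewayRuleSpec struct{ Gateway AllowedGatewaySpec }
type ParentRef struct{ Name, Namespace string } // simplified HTTPRoute parentRef; empty Namespace = route's own
// ApplyDefault mirrors the mutating webhook: inject the default Gateway only when parentRefs is empty.
func ApplyDefault(rule GatewayRuleSpec, refs []ParentRef) []ParentRef {
	if d := rule.Gateway.Default; len(refs) == 0 && d != nil {
		return []ParentRef{{d.Name, d.Namespace}}
	}
	return refs
}
// allowed reports whether gw is in the explicit list or carries every label of a non-empty selector.
func allowed(spec AllowedGatewaySpec, gw GatewayNamespacedName, labels map[string]string) bool {
	for _, a := range spec.Allowed {
		if a == gw {
			return true
		}
	}
	for k, v := range spec.MatchLabels {
		if labels[k] != v {
			return false
		}
	}
	return len(spec.MatchLabels) > 0 // an absent selector must not fail open
}
// ValidateParentRefs mirrors the validating webhook: deny a route that references any Gateway outside the rule; gatewayLabels stands in for looking each Gateway up in the API.
func ValidateParentRefs(rule GatewayRuleSpec, routeNS string, refs []ParentRef, gatewayLabels map[GatewayNamespacedName]map[string]string) error {
	for _, ref := range refs {
		gw := GatewayNamespacedName{ref.Name, ref.Namespace}
		if gw.Namespace == "" {
			gw.Namespace = routeNS // Gateway API default: an unqualified parentRef is in the route's namespace
		}
		if !allowed(rule.Gateway, gw, gatewayLabels[gw]) {
			return fmt.Errorf("gateway %s/%s is forbidden by the namespace rule", gw.Namespace, gw.Name)
		}
	}
	return nil
}

func main() {
	fmt.Println(ValidateParentRefs(GatewayRuleSpec{}, "app", []ParentRef{{"rogue", ""}}, nil))
}
```

Note that an unqualified parentRef resolves to the route's own namespace before the check, so a tenant cannot sidestep the allow list by omitting the namespace.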

- Add GatewayNamespacedName, AllowedGatewaySpec, GatewayRuleSpec types to pkg/api/
- Add Gateways field to NamespaceRuleEnforceBody for per-namespace gateway rules
- Add HTTPRoute validation webhook to enforce allowed gateways
- Add HTTPRoute default mutation webhook to inject default Gateway parentRef
- Update Helm chart with validating/mutating webhook configurations for httproutes
- Update CRD schemas for tenants and rulestatuses
- Add GatewayForbiddenError and ReasonForbiddenGateway event reason

Co-authored-by: oliverbaehler <26610571+oliverbaehler@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Implement feature from issue #1885" to "feat: support allowed gateways in tenant namespace rules" on Mar 20, 2026
Copilot AI requested a review from oliverbaehler on March 20, 2026 at 15:27