Cli 54049/add gateway api spec resources

CHANGELOG.md

@@ -1,5 +1,31 @@
 # Changelog
 
+## [1.7.2] - 2026-05-18
+
+### Fixed
+- **GRPCRoute & TLSRoute hostname inheritance**: Both now inherit hostnames from `global.ingress.hosts` when `hostnames` is not explicitly set per-route, matching HTTPRoute behavior. Previously these routes only emitted `spec.hostnames` when explicitly set per-route, requiring duplicate hostname configuration.
+- Bare `*` filtering also applied to GRPCRoute and TLSRoute hostname sources for consistency with HTTPRoute (Gateway API CRD validation rejects bare `*`).
+- Per-route `additionalHostnames` and global `gatewayAPI.grpcRoute.additionalHostnames` / `gatewayAPI.tlsRoute.additionalHostnames` are now supported as additive sources, mirroring the HTTPRoute pattern.
+
+## [1.7.1] - 2026-05-15
+
+### Fixed
+- HTTPRoute hostname validation error when `global.ingress.disableHostInIngress: true` or when `global.ingress.hosts` contains bare `"*"`. Gateway API CRD validation rejects bare `*` (regex requires `*.<domain>` or specific hostname). The template now filters bare `*` entries from all hostname sources (`hosts`, `additionalHostnames` global and per-route) and omits the `hostnames` field entirely when the resulting list is empty, so the HTTPRoute inherits from the parent Gateway listener.
+
+## [1.7.0] - 2026-05-14
+
+### Added
+- **GRPCRoute**: Native gRPC routing with service/method-level matching (`ingress.grpcRoutes`)
+- **TCPRoute**: Raw TCP traffic routing for databases, Redis, custom protocols (`ingress.tcpRoutes`)
+- **TLSRoute**: TLS passthrough routing based on SNI hostname (`ingress.tlsRoutes`)
+- **UDPRoute**: UDP traffic routing for DNS, game servers, etc. (`ingress.udpRoutes`)
+- **BackendTLSPolicy**: TLS configuration for gateway-to-backend connections (`ingress.backendTLSPolicies`)
+- All new route types support per-route `parentRef` override of global gateway reference
+- All new route types support weighted backend traffic splitting
+
+### Fixed
+- Nil pointer safety: all 10 gateway templates now use `dig` instead of direct nested map access for `global.gatewayAPI.enabled` guard
+
 ## [1.6.3] - 2026-05-14
 
 ### Added

ci/test-chart/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: harness-common
   repository: file://../../src/common
-  version: 1.6.3
-digest: sha256:b5bf10bcf60184437a0b08ff170b4c7d67630c7239571f18af13824a64250253
-generated: "2026-05-14T13:46:18.921158-06:00"
+  version: 1.7.1
+digest: sha256:d52254d3aae6648b3d1d7a4c1c0e44660a4898a3af182bb9710d00bebe2933ff
+generated: "2026-05-15T17:47:13.81928-06:00"

ci/test-chart/ci-values/gateway-backendtlspolicy.yaml

@@ -0,0 +1,31 @@
+global:
+  ingress:
+    enabled: true
+    hosts:
+      - api.example.com
+
+  gatewayAPI:
+    enabled: true
+    parentRef:
+      name: test-gateway
+      namespace: gateway-system
+
+ingress:
+  backendTLSPolicies:
+    - name: api-backend-tls
+      targetRef:
+        name: api-service
+        port: 8443
+      validation:
+        hostname: api-service.default.svc.cluster.local
+        caCertificateRefs:
+          - name: backend-ca-cert
+    - name: system-trust-tls
+      targetRef:
+        name: external-service
+      validation:
+        hostname: external.example.com
+        wellKnownCACertificates: "System"
+
+service:
+  port: 8080

ci/test-chart/ci-values/gateway-disable-host.yaml

@@ -0,0 +1,25 @@
+global:
+  ingress:
+    enabled: true
+    disableHostInIngress: true
+    hosts:
+      - api.example.com
+
+  gatewayAPI:
+    enabled: true
+    parentRef:
+      name: test-gateway
+      namespace: gateway-system
+
+ingress:
+  objects:
+    - name: api-routes
+      paths:
+        - path: /api/.*
+          backend:
+            service:
+              name: test-service
+              port: 8080
+
+service:
+  port: 8080

ci/test-chart/ci-values/gateway-example-host.yaml

@@ -0,0 +1,26 @@
+global:
+  ingress:
+    enabled: true
+    hosts:
+      - example.com
+      - "*.example.com"
+    disableHostInIngress: false
+
+  gatewayAPI:
+    enabled: true
+    parentRef:
+      name: test-gateway
+      namespace: gateway-system
+
+ingress:
+  objects:
+    - name: api-routes
+      paths:
+        - path: /api/.*
+          backend:
+            service:
+              name: test-service
+              port: 8080
+
+service:
+  port: 8080

ci/test-chart/ci-values/gateway-grpcroute.yaml

@@ -0,0 +1,36 @@
+global:
+  ingress:
+    enabled: true
+    hosts:
+      - grpc.example.com
+
+  gatewayAPI:
+    enabled: true
+    parentRef:
+      name: test-gateway
+      namespace: gateway-system
+      sectionName: grpc
+
+ingress:
+  grpcRoutes:
+    - name: grpc-api
+      hostnames:
+        - grpc.example.com
+      rules:
+        - matches:
+            - method:
+                service: mycompany.UserService
+                method: GetUser
+                type: Exact
+          backendRefs:
+            - name: user-grpc-svc
+              port: 9090
+        - matches:
+            - method:
+                service: mycompany.OrderService
+          backendRefs:
+            - name: order-grpc-svc
+              port: 9090
+
+service:
+  port: 8080

ci/test-chart/ci-values/gateway-tcproute.yaml

@@ -0,0 +1,37 @@
+global:
+  ingress:
+    enabled: true
+    hosts:
+      - api.example.com
+
+  gatewayAPI:
+    enabled: true
+    parentRef:
+      name: test-gateway
+      namespace: gateway-system
+
+ingress:
+  tcpRoutes:
+    - name: postgres-route
+      parentRef:
+        sectionName: tcp-5432
+        port: 5432
+      rules:
+        - backendRefs:
+            - name: postgres-svc
+              port: 5432
+    - name: redis-route
+      parentRef:
+        sectionName: tcp-6379
+        port: 6379
+      rules:
+        - backendRefs:
+            - name: redis-svc
+              port: 6379
+              weight: 80
+            - name: redis-replica-svc
+              port: 6379
+              weight: 20
+
+service:
+  port: 8080

ci/test-chart/ci-values/gateway-tlsroute.yaml

@@ -0,0 +1,27 @@
+global:
+  ingress:
+    enabled: true
+    hosts:
+      - api.example.com
+
+  gatewayAPI:
+    enabled: true
+    parentRef:
+      name: test-gateway
+      namespace: gateway-system
+
+ingress:
+  tlsRoutes:
+    - name: db-passthrough
+      hostnames:
+        - db.example.com
+        - db-replica.example.com
+      parentRef:
+        sectionName: tls-passthrough
+      rules:
+        - backendRefs:
+            - name: db-svc
+              port: 5432
+
+service:
+  port: 8080

ci/test-chart/ci-values/gateway-udproute.yaml

@@ -0,0 +1,25 @@
+global:
+  ingress:
+    enabled: true
+    hosts:
+      - api.example.com
+
+  gatewayAPI:
+    enabled: true
+    parentRef:
+      name: test-gateway
+      namespace: gateway-system
+
+ingress:
+  udpRoutes:
+    - name: dns-route
+      parentRef:
+        sectionName: udp-53
+        port: 53
+      rules:
+        - backendRefs:
+            - name: dns-svc
+              port: 53
+
+service:
+  port: 8080

ci/test-chart/ci-values/gateway-wildcard-host.yaml

@@ -0,0 +1,25 @@
+global:
+  ingress:
+    enabled: true
+    hosts:
+      - "*"
+    disableHostInIngress: false
+
+  gatewayAPI:
+    enabled: true
+    parentRef:
+      name: test-gateway
+      namespace: gateway-system
+
+ingress:
+  objects:
+    - name: api-routes
+      paths:
+        - path: /api/.*
+          backend:
+            service:
+              name: test-service
+              port: 8080
+
+service:
+  port: 8080

ci/test-chart/tests/gateway_backendtlspolicy_test.yaml

@@ -0,0 +1,82 @@
+suite: Gateway API BackendTLSPolicy (harnesscommon.v2.renderBackendTLSPolicy)
+values:
+  - ../values.yaml
+  - ../ci-values/gateway-backendtlspolicy.yaml
+templates:
+  - ingress.yaml
+release:
+  name: harness-common-test
+  namespace: default
+tests:
+  - it: should render BackendTLSPolicy with correct kind and apiVersion
+    documentSelector:
+      path: spec.targetRefs[0].name
+      value: api-service
+    asserts:
+      - isKind:
+          of: BackendTLSPolicy
+      - equal:
+          path: apiVersion
+          value: gateway.networking.k8s.io/v1alpha3
+
+  - it: should have correct metadata for CA cert policy
+    documentSelector:
+      path: spec.targetRefs[0].name
+      value: api-service
+    asserts:
+      - equal:
+          path: metadata.name
+          value: api-backend-tls
+      - equal:
+          path: metadata.namespace
+          value: default
+
+  - it: should target correct service with sectionName for port
+    documentSelector:
+      path: spec.targetRefs[0].name
+      value: api-service
+    asserts:
+      - equal:
+          path: spec.targetRefs[0].group
+          value: ""
+      - equal:
+          path: spec.targetRefs[0].kind
+          value: Service
+      - equal:
+          path: spec.targetRefs[0].name
+          value: api-service
+      - equal:
+          path: spec.targetRefs[0].sectionName
+          value: "8443"
+
+  - it: should have correct validation with CA certificate ref
+    documentSelector:
+      path: spec.targetRefs[0].name
+      value: api-service
+    asserts:
+      - equal:
+          path: spec.validation.hostname
+          value: api-service.default.svc.cluster.local
+      - equal:
+          path: spec.validation.caCertificateRefs[0].name
+          value: backend-ca-cert
+      - equal:
+          path: spec.validation.caCertificateRefs[0].kind
+          value: Secret
+
+  - it: should render policy with system trust store
+    documentSelector:
+      path: spec.targetRefs[0].name
+      value: external-service
+    asserts:
+      - isKind:
+          of: BackendTLSPolicy
+      - equal:
+          path: metadata.name
+          value: system-trust-tls
+      - equal:
+          path: spec.validation.hostname
+          value: external.example.com
+      - equal:
+          path: spec.validation.wellKnownCACertificates
+          value: System

ci/test-chart/tests/gateway_disable_host_test.yaml

@@ -0,0 +1,19 @@
+suite: Gateway API HTTPRoute disableHostInIngress (harnesscommon.v2.renderHTTPRoute)
+values:
+  - ../values.yaml
+  - ../ci-values/gateway-disable-host.yaml
+templates:
+  - ingress.yaml
+release:
+  name: harness-common-test
+  namespace: default
+tests:
+  - it: HTTPRoute should omit hostnames field when disableHostInIngress is true
+    documentSelector:
+      path: spec.rules[0].backendRefs[0].name
+      value: test-service
+    asserts:
+      - isKind:
+          of: HTTPRoute
+      - notExists:
+          path: spec.hostnames