Skip to content

Improve API server HTTPRoute config based on review feedback#68552

Open
somaz94 wants to merge 4 commits into
apache:mainfrom
somaz94:feat/httproute-apiserver-followup
Open

Improve API server HTTPRoute config based on review feedback#68552
somaz94 wants to merge 4 commits into
apache:mainfrom
somaz94:feat/httproute-apiserver-followup

Conversation

@somaz94

@somaz94 somaz94 commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

Follow-up to #67675 addressing post-merge review feedback from @Miretpl. The
original PR has not been released yet, so these refinements land before the
upcoming chart release as requested.

Changes:

  • Move the HTTPRoute config from top-level httpRoute.apiServer.* to
    apiServer.httpRoute.* — it is an API-server setting, not a global one
    (values.yaml, values.schema.json, template, docs, tests).
  • Fail template rendering with a clear message when apiServer.httpRoute.enabled
    is true but the Gateway API HTTPRoute CRD is not installed (via
    .Capabilities.APIVersions.Has).
  • Fail when both ingress.apiServer.enabled and apiServer.httpRoute.enabled
    are set — HTTPRoute is an alternative to the API server Ingress.
  • Strengthen tests: assert full spec.parentRefs / spec.rules structures, add
    asserts to the validation test, inline a single-use variable, and split the
    parametrized creation test into separate cases (no inner if).
  • Add an api_versions parameter to the render_chart helper so
    Capabilities-gated templates render offline.

Validation:

  • 48 apiserver helm unit tests pass (incl. new CRD-missing and ingress-conflict cases)
  • helm template renders for enabled/disabled and fails as expected for both guards
  • chart-quality (values↔schema) test passes; ruff clean

related: #67675


Was generative AI tooling used to co-author this PR?
  • Yes — Claude Code (Opus 4.8)

Generated-by: Claude Code (Opus 4.8) following the guidelines

@somaz94 somaz94 marked this pull request as ready for review June 15, 2026 05:08
@potiuk potiuk added the ready for maintainer review Set after triaging when all criteria pass. label Jun 17, 2026
Comment thread chart/values.yaml
@@ -290,50 +290,6 @@ ingress:
# The Ingress Class for the PgBouncer Ingress

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you add a comment next to the proper ingress section regarding this option too?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done — added a note on ingress.apiServer.enabled pointing to apiServer.httpRoute.enabled as the mutually-exclusive alternative.

Comment thread chart/values.yaml
# Requires the Gateway API CRDs to be installed in the cluster
# (https://gateway-api.sigs.k8s.io/guides/#installing-gateway-api).
# The HTTPRoute references an externally managed Gateway via `parentRefs`.
httpRoute:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you add a short note regarding the ingress (exclusive options)?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done — added a "mutually exclusive with ingress.apiServer.enabled" note on the apiServer.httpRoute block.

Comment thread chart/values.schema.json
}
},
"parentRefs": {
"description": "List of parent Gateway references this HTTPRoute attaches to. Required when enabled.",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If required when enabled, we could specify that minItems is 1, probably, and it should fail fast on wrong config

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point on failing fast. I looked at minItems: 1 on the schema, but parentRefs defaults to [] in values.yaml and Helm validates the merged values against the schema on every helm template/lint — so an unconditional minItems: 1 would fail the default (HTTPRoute-disabled) render for the whole chart, and this schema has no conditional (if/then) validation precedent. Instead I added a template guard that fails when httpRoute.enabled is true but parentRefs is empty (alongside the existing CRD / ingress-conflict guards), making parentRefs effectively required-when-enabled. Updated the render tests to supply a minimal parentRefs and added a negative test test_should_fail_when_parent_refs_empty. Happy to switch to a conditional schema instead if you'd prefer.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you set the default of parentRefs to ~ it work in the same way that additional logic is needed?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done — I set parentRefs default to ~ (null) and added minItems: 1 to the schema. This gives a two-layer guard:

  • Schema catches the explicit-empty-list case fail-fast: with the default ~, minItems: 1 only constrains actual arrays, so enabled: true + parentRefs: [] now fails validation immediately, while the default disabled render (null) stays valid.
  • Template guard is kept for the enabled: true + parentRefs: ~ (null) case — JSON Schema minItems can't catch null, and there's no if/then conditional precedent in values.schema.json to express "non-null when enabled" purely in schema.

So the additional template logic stays minimal (just the null-while-enabled case); the empty-list case is now handled by the schema as you suggested.

Comment on lines +145 to +148

``api_versions`` is passed to ``helm template --api-versions`` so that templates
gated on ``.Capabilities.APIVersions.Has`` (e.g. Gateway API CRDs) can be rendered
offline, where Helm cannot query a live cluster for installed API groups.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
``api_versions`` is passed to ``helm template --api-versions`` so that templates
gated on ``.Capabilities.APIVersions.Has`` (e.g. Gateway API CRDs) can be rendered
offline, where Helm cannot query a live cluster for installed API groups.

It is how this flag works, so I believe that we don't need specific documentation which copies official documentation

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Applied — dropped the api_versions docstring paragraph.

Comment on lines +24 to +26
{{- if .Values.ingress.apiServer.enabled }}
{{- fail "`apiServer.httpRoute.enabled` and `ingress.apiServer.enabled` are both set to `true`. HTTPRoute (Gateway API) is an alternative to the API server Ingress; enable only one of them." }}
{{- end }}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you add similar check for the ingress side too?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done — added the reciprocal guard in api-server-ingress.yaml so enabling both fails from the ingress side too. Updated the conflict test to assert on the shared "enable only one of them" phrase since either guard may fire first.

Comment thread chart/values.schema.json
}
},
"parentRefs": {
"description": "List of parent Gateway references this HTTPRoute attaches to. Required when enabled.",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you set the default of parentRefs to ~ it work in the same way that additional logic is needed?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area:helm-chart Airflow Helm Chart kind:documentation ready for maintainer review Set after triaging when all criteria pass.

3 participants