feat(gateway): expose sectionName and port

pierrecdn · pierrecdn · commit d5724af2eaa0 · 2026-04-24T00:36:55.000+02:00
Allow KamajiControlPlane.spec.network.gateway to target a specific
listener of a multi-listener Gateway by exposing two optional fields:

  - sectionName: mapped to ParentReference.SectionName of the generated
    kube-apiserver TLSRoute;
  - port: mapped to ParentReference.Port of the generated TLSRoute.

The TCP renderer propagates them onto the ParentReference when set.
Both fields are optional, so existing KamajiControlPlane objects keep
rendering unchanged.

This should unblock Kamaji gateway access-points status publishing,
which requires ParentReference.SectionName to resolve the Gateway
listener when publishing status on multi-listener Gateways.

Signed-off-by: Pierre Cheynier &lt;p.cheynier@criteo.com&gt;
diff --git a/api/v1alpha2/kamajicontrolplane_types.go b/api/v1alpha2/kamajicontrolplane_types.go
@@ -45,6 +45,21 @@ type GatewayComponent struct {
 	// +kubebuilder:required
 	// +kubebuilder:validation:MinLength=1
 	Hostname string `json:"hostname"`
+	// SectionName selects a specific listener on the target Gateway for the
+	// kube-apiserver TLSRoute to attach to (mapped to ParentReference.SectionName
+	// of the generated TLSRoute). Required when the Gateway exposes multiple
+	// listeners: the upstream Kamaji controller needs it to resolve the
+	// Gateway listener when publishing the kube-apiserver access point status.
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	SectionName string `json:"sectionName,omitempty"`
+	// Port selects the listener port on the target Gateway (mapped to
+	// ParentReference.Port of the generated TLSRoute). When unset, the first
+	// listener of the Gateway that accepts the Route is used. When set together
+	// with SectionName, both must match the target listener.
+	// +kubebuilder:validation:Minimum=1
+	// +kubebuilder:validation:Maximum=65535
+	Port *int32 `json:"port,omitempty"`
 	// Defines the extra labels for the Gateway object.
 	ExtraLabels map[string]string `json:"extraLabels,omitempty"`
 	// Defines the extra annotations for the Gateway object.
diff --git a/api/v1alpha2/zz_generated.deepcopy.go b/api/v1alpha2/zz_generated.deepcopy.go
diff --git a/config/crd/bases/controlplane.cluster.x-k8s.io_kamajicontrolplanes.yaml b/config/crd/bases/controlplane.cluster.x-k8s.io_kamajicontrolplanes.yaml
@@ -7455,6 +7455,26 @@ spec:
                           object.
                         minLength: 1
                         type: string
+                      port:
+                        description: |-
+                          Port selects the listener port on the target Gateway (mapped to
+                          ParentReference.Port of the generated TLSRoute). When unset, the first
+                          listener of the Gateway that accepts the Route is used. When set together
+                          with SectionName, both must match the target listener.
+                        format: int32
+                        maximum: 65535
+                        minimum: 1
+                        type: integer
+                      sectionName:
+                        description: |-
+                          SectionName selects a specific listener on the target Gateway for the
+                          kube-apiserver TLSRoute to attach to (mapped to ParentReference.SectionName
+                          of the generated TLSRoute). Required when the Gateway exposes multiple
+                          listeners: the upstream Kamaji controller needs it to resolve the
+                          Gateway listener when publishing the kube-apiserver access point status.
+                        maxLength: 253
+                        minLength: 1
+                        type: string
                     required:
                     - hostname
                     - name
diff --git a/config/crd/bases/controlplane.cluster.x-k8s.io_kamajicontrolplanetemplates.yaml b/config/crd/bases/controlplane.cluster.x-k8s.io_kamajicontrolplanetemplates.yaml
@@ -7547,6 +7547,26 @@ spec:
                                   the Gateway object.
                                 minLength: 1
                                 type: string
+                              port:
+                                description: |-
+                                  Port selects the listener port on the target Gateway (mapped to
+                                  ParentReference.Port of the generated TLSRoute). When unset, the first
+                                  listener of the Gateway that accepts the Route is used. When set together
+                                  with SectionName, both must match the target listener.
+                                format: int32
+                                maximum: 65535
+                                minimum: 1
+                                type: integer
+                              sectionName:
+                                description: |-
+                                  SectionName selects a specific listener on the target Gateway for the
+                                  kube-apiserver TLSRoute to attach to (mapped to ParentReference.SectionName
+                                  of the generated TLSRoute). Required when the Gateway exposes multiple
+                                  listeners: the upstream Kamaji controller needs it to resolve the
+                                  Gateway listener when publishing the kube-apiserver access point status.
+                                maxLength: 253
+                                minLength: 1
+                                type: string
                             required:
                             - hostname
                             - name
diff --git a/controllers/kamajicontrolplane_controller_tcp.go b/controllers/kamajicontrolplane_controller_tcp.go
@@ -173,14 +173,19 @@ func (r *KamajiControlPlaneReconciler) createOrUpdateTenantControlPlane(ctx cont
 					host = kcp.Spec.Network.Gateway.Hostname
 				}
 				tcp.Spec.NetworkProfile.CertSANs = append(tcp.Spec.NetworkProfile.CertSANs, host)
+				parentRef := gatewayv1.ParentReference{
+					Name:      gatewayv1.ObjectName(kcp.Spec.Network.Gateway.Name),
+					Namespace: ptr.To(gatewayv1.Namespace(kcp.Spec.Network.Gateway.Namespace)),
+				}
+				if sectionName := kcp.Spec.Network.Gateway.SectionName; sectionName != "" {
+					parentRef.SectionName = ptr.To(gatewayv1.SectionName(sectionName))
+				}
+				if port := kcp.Spec.Network.Gateway.Port; port != nil {
+					parentRef.Port = ptr.To(gatewayv1.PortNumber(*port))
+				}
 				tcp.Spec.ControlPlane.Gateway = &kamajiv1alpha1.GatewaySpec{
-					Hostname: gatewayv1.Hostname(host),
-					GatewayParentRefs: []gatewayv1.ParentReference{
-						{
-							Name:      gatewayv1.ObjectName(kcp.Spec.Network.Gateway.Name),
-							Namespace: ptr.To(gatewayv1.Namespace(kcp.Spec.Network.Gateway.Namespace)),
-						},
-					},
+					Hostname:          gatewayv1.Hostname(host),
+					GatewayParentRefs: []gatewayv1.ParentReference{parentRef},
 					AdditionalMetadata: kamajiv1alpha1.AdditionalMetadata{
 						Labels:      kcp.Spec.Network.Gateway.ExtraLabels,
 						Annotations: kcp.Spec.Network.Gateway.ExtraAnnotations,
