fix: align ingress and gateway watches with HTTPRoute

ThomasK33 · ThomasK33 · commit 0a5f061be4ea · 2026-02-13T22:47:05.000Z
diff --git a/internal/controller/codercontrolplane_controller.go b/internal/controller/codercontrolplane_controller.go
@@ -24,6 +24,7 @@ import (
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/client-go/util/retry"
@@ -1269,9 +1270,9 @@ func (r *CoderControlPlaneReconciler) reconcileIngress(ctx context.Context, code
 	}
 
 	wildcardHost := strings.TrimSpace(ingressExpose.WildcardHost)
-	servicePort := coderControlPlane.Spec.Service.Port
-	if servicePort == 0 {
-		servicePort = defaultControlPlanePort
+	backendServicePort, backendPortErr := httpRouteBackendServicePort(coderControlPlane)
+	if backendPortErr != nil {
+		return backendPortErr
 	}
 
 	ingress := &networkingv1.Ingress{ObjectMeta: metav1.ObjectMeta{Name: coderControlPlane.Name, Namespace: coderControlPlane.Namespace}}
@@ -1293,7 +1294,7 @@ func (r *CoderControlPlaneReconciler) reconcileIngress(ctx context.Context, code
 								Backend: networkingv1.IngressBackend{
 									Service: &networkingv1.IngressServiceBackend{
 										Name: coderControlPlane.Name,
-										Port: networkingv1.ServiceBackendPort{Number: servicePort},
+										Port: networkingv1.ServiceBackendPort{Number: backendServicePort},
 									},
 								},
 							},
@@ -1314,7 +1315,7 @@ func (r *CoderControlPlaneReconciler) reconcileIngress(ctx context.Context, code
 								Backend: networkingv1.IngressBackend{
 									Service: &networkingv1.IngressServiceBackend{
 										Name: coderControlPlane.Name,
-										Port: networkingv1.ServiceBackendPort{Number: servicePort},
+										Port: networkingv1.ServiceBackendPort{Number: backendServicePort},
 									},
 								},
 							},
@@ -2925,7 +2926,7 @@ func (r *CoderControlPlaneReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		return fmt.Errorf("index coder control planes by envFrom Secret name: %w", err)
 	}
 
-	return ctrl.NewControllerManagedBy(mgr).
+	builder := ctrl.NewControllerManagedBy(mgr).
 		For(&coderv1alpha1.CoderControlPlane{}).
 		Owns(&appsv1.Deployment{}).
 		Owns(&corev1.Service{}).
@@ -2941,7 +2942,17 @@ func (r *CoderControlPlaneReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		Watches(
 			&corev1.ConfigMap{},
 			handler.EnqueueRequestsFromMapFunc(r.reconcileRequestsForEnvFromConfigMap),
-		).
+		)
+
+	// Gateway API is optional; only watch HTTPRoutes when the CRD is installed.
+	httpRouteGVK := schema.GroupVersionKind{Group: gatewayv1.GroupVersion.Group, Version: gatewayv1.GroupVersion.Version, Kind: "HTTPRoute"}
+	if _, err := mgr.GetRESTMapper().RESTMapping(httpRouteGVK.GroupKind(), httpRouteGVK.Version); err == nil {
+		builder = builder.Owns(&gatewayv1.HTTPRoute{})
+	} else if !meta.IsNoMatchError(err) {
+		return fmt.Errorf("check HTTPRoute REST mapping: %w", err)
+	}
+
+	return builder.
 		Named("codercontrolplane").
 		Complete(r)
 }
diff --git a/internal/controller/codercontrolplane_controller_test.go b/internal/controller/codercontrolplane_controller_test.go
@@ -3994,6 +3994,51 @@ func TestReconcile_IngressExposure(t *testing.T) {
 		}
 	})
 
+	t.Run("IngressTLSServicePort443UsesHTTPBackend", func(t *testing.T) {
+		cp := &coderv1alpha1.CoderControlPlane{
+			ObjectMeta: metav1.ObjectMeta{Name: "test-ingress-tls-service-port-443-backend", Namespace: "default"},
+			Spec: coderv1alpha1.CoderControlPlaneSpec{
+				Image:   "test-ingress:latest",
+				Service: coderv1alpha1.ServiceSpec{Port: 443},
+				TLS:     coderv1alpha1.TLSSpec{SecretNames: []string{"ingress-backend-tls"}},
+				Expose: &coderv1alpha1.ExposeSpec{
+					Ingress: &coderv1alpha1.IngressExposeSpec{
+						Host:         "tls-443.ingress.example.test",
+						WildcardHost: "*.tls-443.ingress.example.test",
+					},
+				},
+			},
+		}
+		if err := k8sClient.Create(ctx, cp); err != nil {
+			t.Fatalf("create control plane: %v", err)
+		}
+		t.Cleanup(func() {
+			_ = k8sClient.Delete(ctx, cp)
+		})
+
+		r := &controller.CoderControlPlaneReconciler{Client: k8sClient, Scheme: scheme}
+		if _, err := r.Reconcile(ctx, ctrl.Request{NamespacedName: types.NamespacedName{Name: cp.Name, Namespace: cp.Namespace}}); err != nil {
+			t.Fatalf("reconcile control plane: %v", err)
+		}
+
+		ingress := &networkingv1.Ingress{}
+		if err := k8sClient.Get(ctx, types.NamespacedName{Name: cp.Name, Namespace: cp.Namespace}, ingress); err != nil {
+			t.Fatalf("get ingress: %v", err)
+		}
+		for _, rule := range ingress.Spec.Rules {
+			if rule.HTTP == nil || len(rule.HTTP.Paths) != 1 {
+				t.Fatalf("expected one ingress HTTP path for host %q, got %#v", rule.Host, rule.HTTP)
+			}
+			path := rule.HTTP.Paths[0]
+			if path.Backend.Service == nil {
+				t.Fatalf("expected ingress backend service for host %q", rule.Host)
+			}
+			if got := path.Backend.Service.Port.Number; got != 80 {
+				t.Fatalf("expected ingress backend service port 80 for host %q, got %d", rule.Host, got)
+			}
+		}
+	})
+
 	t.Run("IngressTLSAndWildcardHost", func(t *testing.T) {
 		cp := &coderv1alpha1.CoderControlPlane{
 			ObjectMeta: metav1.ObjectMeta{Name: "test-ingress-tls-wildcard", Namespace: "default"},
