feat(certificate-shim): implementing XListenerSet

[hjoshi123]

Pull Request Motivation

This PR introduces support for XListenerSet and allows the self-service model of TLS in ingress to be brought to Gateways. On a high level it uses this design https://github.com/cert-manager/cert-manager/blob/3a268f0720e1d34a495e7e73ba6ebfada8e8cb14/design/20250703.gatewayapi-listenerset.md.
Fixes #8252

/kind feature

Release Note

added experimental `XListenerSet` feature gate

Test it yourself

You can try out the certificate-shim support for XListenerSet using v1.20.0-alpha.1:

helm upgrade --install cert-manager oci://quay.io/jetstack/charts/cert-manager \
  --version v1.20.0-alpha.1 \
  --namespace cert-manager \
  --set config.apiVersion="controller.config.cert-manager.io/v1alpha1" \
  --set config.kind="ControllerConfiguration" \
  --set config.enableGatewayAPI=true \
  --set config.enableGatewayAPIXListenerSet=true

[maelvls]

I've asked Codex to review the PR. It left a couple of comments.

[hjoshi123]

/label tide/merge-method-squash

[thomaslochet]

there is a typo issue in cmd/controller/app/options/options.go at line 179: "enabeld".

[Copilot]

Pull request overview

This PR implements support for XListenerSet resources in cert-manager, enabling self-service TLS configuration for Gateway API users. XListenerSet is an experimental Gateway API feature that allows teams to manage their own listeners on a shared Gateway without requiring cluster-admin privileges.

Changes:

• Added experimental XListenerSets feature gate (alpha in v1.20.1)
• Implemented listenerset controller that watches XListenerSets and creates Certificate resources
• Extended certificate-shim sync logic to handle XListenerSet resources alongside Ingress and Gateway resources
• Added annotation inheritance from parent Gateway to XListenerSet for issuer configuration

Reviewed changes

Copilot reviewed 17 out of 17 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
internal/controller/feature/features.go	Adds XListenerSets feature gate definition as an alpha feature
pkg/apis/config/controller/v1alpha1/types.go	Adds EnableGatewayAPIXListenerSets configuration field
internal/apis/config/controller/types.go	Adds internal EnableGatewayAPIXListenerSets configuration field
pkg/apis/config/controller/v1alpha1/zz_generated.deepcopy.go	Generated deepcopy code for new configuration field
internal/apis/config/controller/v1alpha1/zz_generated.conversion.go	Generated conversion code for new configuration field
pkg/controller/certificate-shim/listenerset/controller.go	Implements the listenerset controller with parent Gateway indexing and annotation inheritance
pkg/controller/certificate-shim/listenerset/controller_test.go	Unit tests for controller registration and event handling
pkg/controller/certificate-shim/sync.go	Extends buildCertificates, validateIngressLike, and secretNameUsedIn to support XListenerSet
pkg/controller/certificate-shim/helper.go	Adds translateXListenerToGWAPIV1Listener helper for validation
pkg/controller/context.go	Adds validation to ensure experimental Gateway API CRDs are installed when feature is enabled
cmd/controller/app/controller.go	Wires EnableGatewayAPIXListenerSets config option into controller context
cmd/controller/app/options/options.go	Adds --enable-gateway-api-xlistenersets command-line flag and enables controller conditionally
deploy/charts/cert-manager/templates/rbac.yaml	Adds RBAC permissions for XListenerSet resources
test/e2e/util/util.go	Adds NewListenerSet test helper function
test/e2e/suite/conformance/certificates/tests.go	Adds E2E test for XListenerSet certificate creation with annotations
make/e2e.sh	Enables XListenerSets feature gate in E2E tests
make/e2e-setup.mk	Adds XListenerSets to feature gates and controller extraArgs for E2E setup

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[maelvls]

I was able to manually test the PR using kgateway. I haven't tested the ACME integration with XListenerSet yet, though.

I found that it is not possible to have 0 listener on the Gateway resource as discussed in kubernetes-sigs/gateway-api#4425, so I had to keep a dummy listener.

I spent hours figuring out why I was getting "connection refused" from Envoy: turns out the HTTPRoute's conditions were telling me that the service wasn't found... which wasn't obvious as no error was showing with kubectl get httproute. I've hit lots of weird UX problems related to conditions and what's shown by kubectl get... I've compiled a list in https://hackmd.io/@maelvls/kgateway-rough-edges.

Also, I had to upgrade kgateway to v2.2.0-rc2 as v2.1.2 doesn't have arm64 images as detailed in #8426.

Details

make make kind-cluster e2e-setup-gatewayapi e2e-setup-gwapi-provider e2e-setup-certmanager e2e-setup-bind

Then, apply this:

kind: Gateway
apiVersion: gateway.networking.k8s.io/v1
metadata:
  name: example-gw
  namespace: kgateway-system
  labels:
    app: example
spec:
  gatewayClassName: kgateway
  infrastructure:
    parametersRef:
      name: custom-gw-params
      kind: GatewayParameters
      group: gateway.kgateway.dev
  allowedListeners:
    namespaces:
      from: All
  listeners:
    - name: dummy
      hostname: dummy.example.com
      protocol: HTTP
      port: 12345
---
kind: XListenerSet
apiVersion: gateway.networking.x-k8s.io/v1alpha1
metadata:
  name: example-xls
  labels:
    app: example
  annotations:
    cert-manager.io/cluster-issuer: caissuer
spec:
  parentRef:
    name: example-gw
    namespace: kgateway-system
  listeners:
    - hostname: whoami.gateway.http01.example.com
      name: https
      protocol: HTTPS
      port: 443
      tls:
        mode: Terminate
        certificateRefs:
          - name: example
      allowedRoutes:
        namespaces:
          from: All
---
kind: HTTPRoute
apiVersion: gateway.networking.k8s.io/v1
metadata:
  name: example-route
  labels:
    app: example
spec:
  parentRefs:
    - name: example-xls
      kind: XListenerSet
      group: gateway.networking.x-k8s.io
  hostnames:
    - whoami.gateway.http01.example.com
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: example
          port: 80
---
kind: Pod
apiVersion: v1
metadata:
  name: example
  labels:
    app: example
spec:
  containers:
    - name: example
      image: traefik/whoami
      ports:
        - name: http
          containerPort: 80
      resources:
        limits:
          cpu: 100m
          memory: 64Mi
        requests:
          cpu: 100m
          memory: 64Mi
---
apiVersion: v1
kind: Service
metadata:
  name: example
  labels:
    app: example
spec:
  ports:
    - name: http
      protocol: TCP
      port: 80
  selector:
    app: example
---
kind: ClusterIssuer
apiVersion: cert-manager.io/v1
metadata:
  name: caissuer
  labels:
    app: example
spec:
  ca:
    secretName: ca-key-pair
---
kind: ClusterIssuer
apiVersion: cert-manager.io/v1
metadata:
  name: selfsigned-issuer
  labels:
    app: example
spec:
  selfSigned: {}
---
kind: Certificate
apiVersion: cert-manager.io/v1
metadata:
  name: ca-key-pair
  namespace: cert-manager
  labels:
    app: example
spec:
  isCA: true
  commonName: my-ca
  secretName: ca-key-pair
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer

It worked:

$ k get -A -l app=example all,gateway-api,cert-manager                            
NAMESPACE   NAME          READY   STATUS    RESTARTS   AGE
default     pod/example   1/1     Running   0          25m

NAMESPACE   NAME              TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)   AGE
default     service/example   ClusterIP   10.0.252.22   <none>        80/TCP    25m

NAMESPACE         NAME                                           CLASS      ADDRESS   PROGRAMMED   AGE
kgateway-system   gateway.gateway.networking.k8s.io/example-gw   kgateway             True         3m34s

NAMESPACE   NAME                                                HOSTNAMES                               AGE
default     httproute.gateway.networking.k8s.io/example-route   ["whoami.gateway.http01.example.com"]   3m34s

NAMESPACE   NAME                                                  ACCEPTED   PROGRAMMED   AGE
default     xlistenerset.gateway.networking.x-k8s.io/example-ls   True       True         3m34s

NAMESPACE      NAME                                      READY   SECRET        AGE
cert-manager   certificate.cert-manager.io/ca-key-pair   True    ca-key-pair   25m

NAMESPACE   NAME                                              READY   AGE
            clusterissuer.cert-manager.io/caissuer            True    25m
            clusterissuer.cert-manager.io/selfsigned-issuer   True    25m

and run:

$ k run dummy -it --rm --restart=Never -q --image=nicolaka/netshoot -- curl -sS --fail-with-body -k https://whoami.gateway.http01.example.com
Hostname: example
IP: 127.0.0.1
IP: ::1
IP: 10.244.0.27
IP: fe80::b808:81ff:fe6b:5ec3
RemoteAddr: 10.244.0.28:54646
GET / HTTP/1.1
Host: whoami.gateway.http01.example.com
User-Agent: curl/8.18.0
Accept: */*
X-Envoy-Expected-Rq-Timeout-Ms: 15000
X-Envoy-External-Address: 10.244.0.29
X-Forwarded-For: 10.244.0.29
X-Forwarded-Proto: https
X-Request-Id: abd94ebe-38f3-40b0-9b18-e36c222796bd

[maelvls]

/lgtm
/approve

[cert-manager-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: maelvls

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [maelvls]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment