Promoting XListenerSet to ListenerSet

[hjoshi123]

Pull Request Motivation

GatewayAPI plans to promote XListenerSet to ListenerSet as part of v1.5. We would like to do this promotion on our end so that the shift when 1.5 is out is pretty easy. Currently we use release 1.5 RC (v1.5.0-0.rc1)

Kind

Release Note

promoting xlistenerset feature gate to listenerset

[Copilot]

Pull request overview

This PR updates cert-manager’s Gateway API integration to use the promoted ListenerSet (v1) API instead of the experimental XListenerSet (apisx/v1alpha1), aligning with upcoming Gateway API v1.5 changes and simplifying future upgrades.

Changes:

• Migrate certificate-shim ListenerSet controller and e2e tests from XListenerSet (apisx) to ListenerSet (gateway.networking.k8s.io/v1).
• Rename related feature gate/config/flags from XListenerSets / enable-gateway-api-xlistenerset to ListenerSets / enable-gateway-api-listenerset.
• Update Gateway API dependency and regenerate generated artifacts (OpenAPI) accordingly.

Reviewed changes

Copilot reviewed 24 out of 33 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
test/integration/go.sum	Module checksum updates for Gateway API + indirect deps.
test/integration/go.mod	Bump Gateway API/k8s.io/utils and indirect deps for integration tests.
test/e2e/util/util.go	Switch helper constructors from XListenerSet types to ListenerSet v1.
test/e2e/suite/conformance/certificates/tests.go	Use ListenerSets feature gate + v1 client for ListenerSet creation.
test/e2e/go.sum	Module checksum updates for e2e module.
test/e2e/go.mod	Bump Gateway API/k8s.io/utils and indirect deps for e2e module.
pkg/controller/context.go	Update client/CRD availability checks for ListenerSet CRD under new gate/flag.
pkg/controller/certificate-shim/sync.go	Treat ListenerSet as an ingress-like source for cert issuance logic.
pkg/controller/certificate-shim/listenerset/controller_test.go	Update controller tests to create/listen for ListenerSet resources.
pkg/controller/certificate-shim/listenerset/controller.go	Update listers/informers to GatewayV1().ListenerSets() and v1 types.
pkg/controller/certificate-shim/helper.go	Adjust listener translation helper to use v1 ListenerEntry.
pkg/apis/config/controller/v1alpha1/zz_generated.deepcopy.go	Regenerate deepcopy for renamed config field.
pkg/apis/config/controller/v1alpha1/types.go	Rename controller config field to EnableGatewayAPIListenerSet.
make/e2e.sh	Update default feature gates to ListenerSets=true.
make/e2e-setup.mk	Update feature gate plumbing and controller args to listenerset naming.
internal/generated/openapi/zz_generated.openapi.go	Regenerated OpenAPI to include ListenerSet and related schemas.
internal/controller/feature/features.go	Rename feature gate key to ListenerSets.
internal/apis/config/controller/v1alpha1/zz_generated.conversion.go	Update conversions for renamed config field.
internal/apis/config/controller/types.go	Rename internal config field to EnableGatewayAPIListenerSet.
go.sum	Root module checksum updates (Gateway API, k8s.io/utils, testing libs, etc.).
go.mod	Root module bumps for Gateway API + related deps.
cmd/webhook/go.sum	Webhook module checksum updates for aligned deps.
cmd/webhook/go.mod	Webhook module bumps (indirect Gateway API/k8s.io/utils, etc.).
cmd/startupapicheck/go.sum	Startup API check module checksum updates.
cmd/startupapicheck/go.mod	Startup API check module bumps for aligned deps.
cmd/controller/go.sum	Controller module checksum updates.
cmd/controller/go.mod	Controller module bumps for aligned deps.
cmd/controller/app/options/options.go	Rename CLI flag to --enable-gateway-api-listenerset and wire new config field.
cmd/controller/app/controller.go	Wire new EnableGatewayAPIListenerSet option into controller context factory.
cmd/cainjector/go.sum	CA injector module checksum updates.
cmd/cainjector/go.mod	CA injector module bumps for aligned deps.
cmd/acmesolver/go.sum	ACME solver module checksum updates.
cmd/acmesolver/go.mod	ACME solver module bumps for aligned deps.

Comments suppressed due to low confidence (4)

pkg/controller/certificate-shim/listenerset/controller.go:208

• The certificate event handler still filters on controllerRef.Kind == "XListenerSet". With the migration to Gateway API v1 ListenerSet, Certificates created/owned by a ListenerSet will have Kind "ListenerSet", so this handler will stop re-queuing ListenerSets on Certificate changes. Update the kind check (and ideally the handler name) to use "ListenerSet".

func xListenerSetCertificateHandler(queue workqueue.TypedRateLimitingInterface[types.NamespacedName]) func(crt *cmapi.Certificate) {
	return func(crt *cmapi.Certificate) {
		ref := metav1.GetControllerOf(crt)
		if ref == nil {
			// No controller should care about orphans being deleted or
			// updated.
			return
		}

		if ref.Kind != "XListenerSet" {
			return
		}

pkg/controller/certificate-shim/listenerset/controller.go:86

• Several comments/error strings in this controller still refer to "xlistenerset"/"XListenerSet" (indexer setup and error messages). Since the controller now exclusively handles ListenerSet, please update these strings to avoid confusion in logs and future maintenance.

	xlsInf := ctx.GWShared.Gateway().V1().ListenerSets().Informer()

	// Adding an indexer for easier queries on xlistenerset
	if err := xlsInf.AddIndexers(cache.Indexers{
		indexByParentGateway: func(obj any) ([]string, error) {
			xls, ok := obj.(*gwapi.ListenerSet)
			if !ok {
				return nil, nil
			}

			ns := xls.GetNamespace()
			if xls.Spec.ParentRef.Namespace != nil && string(*xls.Spec.ParentRef.Namespace) != "" {
				ns = string(*xls.Spec.ParentRef.Namespace)
			}
			if xls.Spec.ParentRef.Name == "" {
				return nil, nil
			}

			return []string{fmt.Sprintf("%s/%s", ns, xls.Spec.ParentRef.Name)}, nil
		},
	}); err != nil {
		return nil, nil, fmt.Errorf("error adding indexer for xlistenerset %v", err)
	}

	if _, err := xlsInf.AddEventHandler(controllerpkg.QueuingEventHandler(c.queue)); err != nil {
		return nil, nil, fmt.Errorf("error setting up event handler for xlistenerset %v", err)
	}

pkg/controller/certificate-shim/sync.go:211

• The panic message in validateIngressLike is now outdated: the switch handles *gwapi.ListenerSet, but the panic still says it expects only Ingress or Gateway. Please update the message so it matches the supported types (Ingress/Gateway/ListenerSet).

func validateIngressLike(ingLike metav1.Object) field.ErrorList {
	switch o := ingLike.(type) {
	case *networkingv1.Ingress:
		return checkForDuplicateSecretNames(field.NewPath("spec", "tls"), o.Spec.TLS)
	case *gwapi.Gateway:
		return nil
	case *gwapi.ListenerSet:
		return nil
	default:
		panic(fmt.Errorf("programmer mistake: validateIngressLike can't handle %T, expected Ingress or Gateway", ingLike))
	}

pkg/controller/certificate-shim/helper.go:317

• The function name and comment still refer to an "experimental XListener" conversion, but the parameter type is now gwapi.ListenerEntry (ListenerSet v1). Renaming this helper (and its call sites) to reflect ListenerEntry/ListenerSet will reduce confusion as the XListenerSet API is removed.

// translateXListenerToGWAPIV1Listener converts the experimental listener to v1 gateway listener.
// Both listeners have the same fields for now but due to being in different versions,
// we need to convert them for having a unified validation. If these types diverge, then this function
// would need to account for that.
func translateXListenerToGWAPIV1Listener(l gwapi.ListenerEntry) gwapi.Listener {
	return gwapi.Listener{
		Hostname:      l.Hostname,
		Port:          gwapi.PortNumber(l.Port),
		Protocol:      l.Protocol,
		TLS:           l.TLS,
		Name:          l.Name,
		AllowedRoutes: l.AllowedRoutes,
	}

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[ThatsMrTalbot]

Should we be replacing xlistenersets, or should we be supporting both?

[hjoshi123]

@ThatsMrTalbot that's one of the questions I wanted to post 😅
I think supporting both is kinda not so trivial here since we would have to maintain two versions of gateway API.. because the release 1.5 removed it from apisx altogether. But if people are actually consuming it then it might be worth it.

[Copilot]

Pull request overview

Copilot reviewed 25 out of 34 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[erikgb]

Thanks for moving this forward @hjoshi123! A few minor nits, but in general this LGTM.

[hjoshi123]

@erikgb thank you for reviewing it quickly.. do you think this looks good?

[erikgb]

Do you think this looks good?

@hjoshi123, I think it looks good, even if your IDE appears to introduce some unrelated changes. 😅

[Copilot]

Pull request overview

Copilot reviewed 25 out of 34 changed files in this pull request and generated 3 comments.

Comments suppressed due to low confidence (2)

pkg/controller/certificate-shim/sync.go:210

• The panic message in validateIngressLike still says it only expects Ingress or Gateway, but the function now explicitly supports *gwapi.ListenerSet too. Please update the message to include ListenerSet so debugging unexpected types is accurate.

	case *gwapi.ListenerSet:
		return nil
	default:
		panic(fmt.Errorf("programmer mistake: validateIngressLike can't handle %T, expected Ingress or Gateway", ingLike))
	}

pkg/controller/certificate-shim/listenerset/controller.go:208

• The certificate event handler is still filtering on controllerRef.Kind == "XListenerSet". After switching to GatewayV1 ListenerSet, Certificates created by the shim will have Kind "ListenerSet", so this handler will never enqueue and updates/deletes to Certificates won’t trigger ListenerSet reconciliation. Update the Kind check (and consider temporarily accepting both kinds for upgrade compatibility).

func xListenerSetCertificateHandler(queue workqueue.TypedRateLimitingInterface[types.NamespacedName]) func(crt *cmapi.Certificate) {
	return func(crt *cmapi.Certificate) {
		ref := metav1.GetControllerOf(crt)
		if ref == nil {
			// No controller should care about orphans being deleted or
			// updated.
			return
		}

		if ref.Kind != "XListenerSet" {
			return
		}

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This test is gated on s.HTTP01TestType == "ListenerSet", but the certificates Suite currently only sets HTTP01TestType to "Ingress" or "Gateway" (see test/e2e/suite/conformance/certificates/acme/acme.go and suite.go). As written, this test will always be skipped and never exercised. Consider gating on an existing mode (e.g., "Gateway") plus a provider capability flag, or add a Suite variant that sets HTTP01TestType to "ListenerSet" when supported.

[erikgb]

Good catch! This looks like a bug in the test gate, @hjoshi123. WDYT?

[hjoshi123]

I added that check because that would allow the LS tests to skip.. we can remove them once we have the support.. when we do have the support I think we can add a ListenerSet suite as copilot is saying

[erikgb]

But we cannot disable other gateway-api e2e-tests. Only the ones that require ListenerSet should be disabled. If we have to disable ALL gateway-api e2e-tests, I am not in favor of this PR.

[hjoshi123]

No it is not disabling all gateway api tests.. the check is inside the listener set's tests.. so other gateway suites should run fine
https://storage.googleapis.com/cert-manager-prow-artifacts/pr-logs/pull/cert-manager_cert-manager/8501/pull-cert-manager-master-e2e-v1-35/2022703521786236928/build-log.txt
Double checked here to confirm that Gateway tests are running

[Copilot]

Pull request overview

Copilot reviewed 25 out of 34 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[hjoshi123]

/cc @maelvls for visibility regarding this upgrade path

[cert-manager-prow]

@hjoshi123: GitHub didn't allow me to request PR reviews from the following users: upgrade, path, for, visibility, regarding, this.

Note that only cert-manager members and repo collaborators can review this PR, and authors cannot review their own PRs.

Details

In response to this:

/cc @maelvls for visibility regarding this upgrade path

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[erikgb]

/cc @maelvls

[maelvls]

Upgrade path

The upgrade path proposed in your PR makes sense. This Slack thread explains that implementations should do a clear-cut migration to the standard ListenerSet CRD (i.e., without supporting both X and standard CRDs). If we had wanted to offer a clean upgrade path, we would have had to let Rob and team know, and since we haven't, we will go ahead and do it "clear cut". 😅

To summarize, the tens of people who tried the XListenerSet certificate-shim and HTTP-01 solver in v1.20.0-alpha.1 will have to be aware of four changes:

• The flag --enable-gateway-api-xlistenerset disappears and is replaced with --enable-gateway-api-listenerset,
• The config field enableGatewayAPIXListenerSet disappears and is replaced with enableGatewayAPIListenerSet,
• The feature gate --feature-gates=EnableGatewayAPIXListenerSet=true disappears and is replaced with --feature-gates=EnableGatewayAPIListenerSet=true,
• cert-manager no longers reconciles XListenerSet resources.

I'm OK with this plan, and the PR LGTM.

[hjoshi123]

Upgrade path

The upgrade path propose with this PR makes sense. This Slack thread explains that implementations should do a clear-cut migration to the standard ListenerSet CRD (i.e., without supporting both X and standard CRDs). If we had wanted to offer a clean upgrade path, we would have had to let Rob and team know...

To summarize, the tens of people who tried the XListenerSet certificate-shim and HTTP-01 solver in v1.20.0-alpha.1 will have to be aware of four changes:

• The flag --enable-gateway-api-xlistenerset disappears and is replaced with --enable-gateway-api-listenerset,
• The config field enableGatewayAPIXListenerSet disappears and is replaced with enableGatewayAPIListenerSet,
• The feature gate --feature-gates=EnableGatewayAPIXListenerSet=true disappears and is replaced with --feature-gates=EnableGatewayAPIListenerSet=true,
• cert-manager no longers reconciles XListenerSet resources.

I'm OK with this plan, and the PR LGTM.

That's a really good summary of changes.. thank you @maelvls :).. I think one thing we probably need to put in the next release is that we had to disable e2e tests for LS as there are no implementations of LS yet.

[maelvls]

/lgtm
/approve

[cert-manager-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: maelvls

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [maelvls]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[hjoshi123]

/test pull-cert-manager-master-e2e-v1-35