fix: remove check of parentRef group and kind in validating HTTPRoutes (#5919) (#5939)

* fix: remove check of parentRef group and kind in validating HTTPRoutes

* add CHANGELOG

(cherry picked from commit 14e51ab)

Co-authored-by: Tao Yi <tao.yi@konghq.com>

Author: czeslavo

CHANGELOG.md

@@ -98,6 +98,12 @@ Adding a new version? You'll need three changes:
 - Bump `golang.org/x/net` to `0.23.0` and `google.golang.org/protobuf` to `1.33.0`
   To fix [GO-2024-2687](https://pkg.go.dev/vuln/GO-2024-2687) and [GO-2024-2611](https://pkg.go.dev/vuln/GO-2024-2611).
   [#5938](https://github.com/Kong/kubernetes-ingress-controller/pull/5938)
+- Remove the constraint of items of `parentRefs` can only be empty or
+  `gateway.network.k8s.io/Gateway` in validating `HTTPRoute`s. If an item in
+  `parentRefs`'s group/kind is not `gateway.network.k8s.io/Gateway`, the item
+  is seen as a parent other than the controller and ignored in parentRef check.
+  [#5919](https://github.com/Kong/kubernetes-ingress-controller/pull/5919)
+
 
 ## [3.1.2]
 

internal/admission/validation/gateway/httproute.go

@@ -36,11 +36,6 @@ func ValidateHTTPRoute(
 	httproute *gatewayapi.HTTPRoute,
 	managerClient client.Client,
 ) (bool, string, error) {
-	// Validate that the route has valid parentRefs.
-	if err := ValidateHTTPRouteParentRefs(httproute); err != nil {
-		return false, fmt.Sprintf("HTTPRoute has invalid parentRefs: %s", err), nil
-	}
-
 	// Check if route is managed by this controller. If not, we don't need to validate it.
 	routeIsManaged, err := ensureHTTPRouteIsManagedByController(ctx, httproute, managerClient)
 	if err != nil {
@@ -74,30 +69,25 @@ func ValidateHTTPRoute(
 // Validation - HTTPRoute - Private Functions
 // -----------------------------------------------------------------------------
 
-// ValidateHTTPRouteParentRefs checks the group/kind of each parentRef in spec and allows only
-// empty or `gateway.networking.k8s.io.Gateway`.
-func ValidateHTTPRouteParentRefs(httproute *gatewayapi.HTTPRoute) error {
+// parentRefIsGateway returns true if the group/kind of ParentReference is empty or gateway.networking.k8s.io/Gateway.
+func parentRefIsGateway(parentRef gatewayapi.ParentReference) bool {
 	const KindGateway = gatewayapi.Kind("Gateway")
 
-	for parentRefIndex, parentRef := range httproute.Spec.ParentRefs {
-		if parentRef.Group != nil && *parentRef.Group != "" && *parentRef.Group != gatewayapi.V1Group {
-			return fmt.Errorf("parentRefs[%d]: %s is not a supported group for httproute parentRefs, only %s is supported",
-				parentRefIndex, *parentRef.Group, gatewayapi.V1Group)
-		}
-		if parentRef.Kind != nil && *parentRef.Kind != "" && *parentRef.Kind != KindGateway {
-			return fmt.Errorf("parentRefs[%d]: %s is not a supported kind for httproute parentRefs, only kind %s is supported",
-				parentRefIndex, *parentRef.Kind, KindGateway)
-		}
-	}
-
-	return nil
+	return (parentRef.Group == nil || (*parentRef.Group == "" || *parentRef.Group == gatewayapi.V1Group)) &&
+		(parentRef.Kind == nil || (*parentRef.Kind == "" || *parentRef.Kind == KindGateway))
 }
 
 // ensureHTTPRouteIsManagedByController checks whether the provided HTTPRoute is managed by this controller implementation.
 func ensureHTTPRouteIsManagedByController(ctx context.Context, httproute *gatewayapi.HTTPRoute, managerClient client.Client) (bool, error) {
 	// In order to be sure whether an HTTPRoute resource is managed by this
 	// controller we ignore references to Gateway resources that do not exist.
 	for _, parentRef := range httproute.Spec.ParentRefs {
+		// Skip the parentRefs that are not Gateways because they cannot refer to the controller.
+		// https://github.com/Kong/kubernetes-ingress-controller/issues/5912
+		if !parentRefIsGateway(parentRef) {
+			continue
+		}
+
 		// Determine the namespace of the gateway referenced via parentRef. If no
 		// explicit namespace is provided, assume the namespace of the route.
 		namespace := httproute.Namespace

internal/admission/validation/gateway/httproute_test.go

@@ -77,6 +77,50 @@ func TestValidateHTTPRoute(t *testing.T) {
 			},
 			valid: true,
 		},
+		{
+			msg: "route with parentRef to non-gateway object is accepted with no vlaidation",
+			route: &gatewayapi.HTTPRoute{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: corev1.NamespaceDefault,
+					Name:      "testing-httproute",
+				},
+				Spec: gatewayapi.HTTPRouteSpec{
+					CommonRouteSpec: gatewayapi.CommonRouteSpec{
+						ParentRefs: []gatewayapi.ParentReference{
+							{
+								Kind:      lo.ToPtr(gatewayapi.Kind("Service")),
+								Namespace: lo.ToPtr(gatewayapi.Namespace(corev1.NamespaceDefault)),
+								Name:      gatewayapi.ObjectName("kuma-cp"),
+							},
+						},
+					},
+				},
+			}, // parentRef to a Service
+			cachedObjects: []client.Object{
+				gatewayClass,
+				&gatewayapi.Gateway{
+					ObjectMeta: metav1.ObjectMeta{
+						Namespace: corev1.NamespaceDefault,
+						Name:      "testing-gateway",
+					},
+					Spec: gatewayapi.GatewaySpec{
+						GatewayClassName: gatewayClassName,
+						Listeners: []gatewayapi.Listener{{
+							Name:     "http",
+							Port:     80,
+							Protocol: (gatewayapi.HTTPProtocolType),
+							AllowedRoutes: &gatewayapi.AllowedRoutes{
+								Kinds: []gatewayapi.RouteGroupKind{{
+									Group: &group,
+									Kind:  "HTTPRoute",
+								}},
+							},
+						}},
+					},
+				},
+			},
+			valid: true,
+		},
 		{
 			msg: "parentRefs which omit the namespace pass validation in the same namespace",
 			route: &gatewayapi.HTTPRoute{