skip invalid listener first in IR

[zirain]

This's seperated from #8361

Invalid listeners should probably be skipped before check confilict.
Otherwise an invalid-first listener can still win hostname/protocol precedence and cause a later valid listener on the same hostname/port to be marked HostnameConflict.

[netlify]

✅ Deploy Preview for cerulean-figolla-1f9435 ready!

Name	Link
🔨 Latest commit	47ea47e
🔍 Latest deploy log	https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/69f3523e8c1d3400089d6120
😎 Deploy Preview	https://deploy-preview-8577--cerulean-figolla-1f9435.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[codecov]

Codecov Report

❌ Patch coverage is 79.38596% with 47 lines in your changes missing coverage. Please review.
✅ Project coverage is 74.67%. Comparing base (8fa767a) to head (47ea47e).
⚠️ Report is 4 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/gatewayapi/validate.go	74.28%	40 Missing and 5 partials ⚠️
internal/gatewayapi/listener.go	96.15%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8577      +/-   ##
==========================================
- Coverage   74.69%   74.67%   -0.02%     
==========================================
  Files         251      251              
  Lines       40257    40398     +141     
==========================================
+ Hits        30068    30166      +98     
- Misses       8123     8160      +37     
- Partials     2066     2072       +6     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[zirain]

this's because tcp-80 is invalid and skipped now.

[zirain]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

gateway/internal/gatewayapi/validate.go

Lines 659 to 660 in 46b11c4

	if listener.tls.frontendTLSValidation != nil &&
	listener.tls.frontendTLSValidation.ValidateError != nil {

Mark frontend TLS validation failures as spec-invalid

validateListenerSpec now depends on validateTLSConfiguration’s boolean to decide whether a listener should be excluded from conflict resolution, but the frontendTLSValidation.ValidateError path only sets conditions and never flips specValid to false. That means listeners with invalid frontend CA refs can still participate in conflict checks and block otherwise valid listeners on the same port/hostname, which defeats the intended invalid-first skip behavior in this change.

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[cnvergence]

This might solve #8519, wdyt @zirain?

[zirain]

This might solve #8519, wdyt @zirain?

possible not

xref: https://kubernetes.slack.com/archives/CR0H13KGA/p1776730527700729?thread_ts=1776560870.202129&cid=CR0H13KGA

The thing is, we always have to treat an object update like a new object, because otherwise we are implicitly forcing controllers to track state between reconciliations, which is fragile across controller reboots.In Kubernetes, it's vital that we always only consider the current state of objects, not previous states, because if we do track state, then that state will be lost when the controller restarts.

So, an update to a Gateway must be treated the same as a new Gateway with the same Listeners.

And yes, Mike and Zac are correct, the reason for the different behavior is that Gateway Listeners are all in the same object, so we have no way to choose one over the other - and even more, we can be confident that having two identical Listeners is user error, so we need to drop both. It's user error because, for the user, the whole object is visible, so if you're adding two entries with the same Port and different Protocol, then that's a mistake on your part.

[arkodg]

why is existing logic for Gateway listeners changing ?

[zirain]

- attachedRoutes: 1
      conditions:
      - lastTransitionTime: null
        message: Listener must have TLS set when protocol is HTTPS.
        reason: Invalid
        status: "False"
        type: Programmed
      - lastTransitionTime: null
        message: Listener references have been resolved
        reason: ResolvedRefs
        status: "True"
        type: ResolvedRefs
      name: https
      supportedKinds:
      - group: gateway.networking.k8s.io
        kind: HTTPRoute
      - group: gateway.networking.k8s.io
        kind: GRPCRoute

[jukie]

LGTM thanks!

[rudrakhp]

A few questions on the new listener validation flow.

[rudrakhp]

The multi-UDP conflict branch looks unreachable in practice (gated by len(nonUDPProtocols) > 1 earlier), and validateConflictedLayer4Listeners(UDP) already flags the same condition. Can we drop UDP handling from this function and let validateConflictedLayer4Listeners own UDP port conflicts?

[rudrakhp]

isSpecValidForConflictChecks falls back to hasInvalidCondition so unit tests that skip Phase 1 keep working. Doesn't this mean real-flow regressions in Phase 1 to Phase 2 ordering would be masked by the fallback? Could we update direct-call tests to run validateListenerSpec first and then rely solely on listener.specValid? If the fallback stays, can we add a comment noting it exists only for tests that skip Phase 1?

[zirain]

A few questions on the new listener validation flow.

updated

[kkk777-7]

LGTM, thanks!