OCPBUGS-55050: Remove resources limits from Gateway API proxy containers

[rikatz]

When a Gateway is deployed, Istio will create a deployment containing resources limits set, which is not expected on Openshift components. These resource limits are added as part of the default helm template used by Istio controller when creating the deployments and Pods.

An attempt to make Istio/Sail Library to have a default configuration on resource limits is not possible, given the Kubernetes resources struct has omitempty, which means when something is null omit, and when it ommits it considers that a user passing null has 'no opinion' as opposed to 'I want to set it null'.

This way, the only way of fixing it is by telling the Gateway customization, via the Gateway Class that we want to enforce the resource to be null, and then when Istio deploys this Gateway instance it will remove the resources.limits field from the proxy pods

The majority of this PR was originally copied from #1428

[openshift-ci-robot]

@rikatz: This pull request references Jira Issue OCPBUGS-55050, which is invalid:

• expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

When a Gateway is deployed, Istio will create a deployment containing resources limits set, which is not expected on Openshift components. These resource limits are added as part of the default helm template used by Istio controller when creating the deployments and Pods.

An attempt to make Istio/Sail Library to have a default configuration on resource limits is not possible, given the Kubernetes resources struct has omitempty, which means when something is null omit, and when it ommits it considers that a user passing null has 'no opinion' as opposed to 'I want to set it null'.

This way, the only way of fixing it is by telling the Gateway customization, via the Gateway Class that we want to enforce the resource to be null, and then when Istio deploys this Gateway instance it will remove the resources.limits field from the proxy pods

The majority of this PR was originally copied from #1428

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Warning

Rate limit exceeded

@rikatz has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 14 minutes and 9 seconds before requesting another review.

To continue reviewing without waiting, purchase usage credits in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: e269a3b2-b0dd-4e9b-af51-2df685e3967f

📥 Commits

Reviewing files that changed from the base of the PR and between 3cf04dd and 0dafbd5.

📒 Files selected for processing (6)

• pkg/operator/controller/gatewayclass/controller.go
• pkg/operator/controller/gatewayclass/controller_test.go
• pkg/operator/controller/gatewayclass/istio_olm.go
• pkg/operator/controller/gatewayclass/istio_sail_installer.go
• test/e2e/gateway_api_test.go
• test/e2e/util_gatewayapi_test.go

📝 Walkthrough

Walkthrough

This pull request replaces the horizontal pod autoscaler-focused gateway class configuration approach with a new gateway class-specific configuration builder. Changes include introducing a new constant for the Istio proxy container name, updating the Istio CR spec construction in both OLM and Sail installer controllers to use buildGatewayClassesConfig instead of buildHorizontalPodAutoscalerConfig, adding a new function that constructs per-gateway-class Istio configuration with deployment container resource limit overrides, and updating test expectations and e2e validation helpers accordingly.

🚥 Pre-merge checks | ✅ 10 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	⚠️ Warning	Test code has unresolved assertion bugs: Line 835 uses len()>0 instead of !=nil (fails to catch empty maps), line 850 has wrong error message field name.	Fix line 835: use c.Resources.Limits != nil. Fix line 850: change error message from "terminationMessagePolicy" to "proxy container resource limits".

✅ Passed checks (10 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: removing resource limits from Gateway API proxy containers, which matches the core objective of the PR.
Description check	✅ Passed	The description is directly related to the changeset, explaining the problem (Istio adds resource limits via default Helm templates), why standard approaches don't work (omitempty behavior), and the solution (enforce null via GatewayClass customization).
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All test names in modified test files are static, hardcoded strings with no dynamic content. No Ginkgo tests found (uses standard Go testing package). Test names are stable and deterministic.
Microshift Test Compatibility	✅ Passed	No new Ginkgo test blocks (It(), Describe(), Context(), When()) are added. The tests use standard Go testing, not Ginkgo. Only a helper function was added.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	Test helper verifies container resource limits on a single Deployment without multi-node assumptions and is SNO-compatible.
Topology-Aware Scheduling Compatibility	✅ Passed	Change removes resource limits from istio-proxy containers. Includes topology-aware minReplicas logic (1 for SNO, 2 for HA). No anti-affinity, topology spread, or problematic scheduling constraints.
Ote Binary Stdout Contract	✅ Passed	No OTE Binary Stdout Contract violations detected. All modified files comply with stdout restrictions for process-level code. Test helpers use t.Log/t.Logf appropriately within test contexts.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo tests added. The helper function contains no IPv4 assumptions or external connectivity requirements—only cluster-internal Kubernetes API calls.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign candita for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e/util_gatewayapi_test.go`:
- Around line 835-850: Replace the loose length check with an explicit nil check
for container resources limits (use c.Resources.Limits != nil rather than
len(c.Resources.Limits) > 0) in the retry loop that inspects the 'istio-proxy'
container (the block referencing variable c and foundIstioProxy), and update the
final error message that references deploymentName to correctly state the
failing field (e.g., "Failed to verify resources.limits on deployment %s: %v"
instead of mentioning terminationMessagePolicy).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 2d2d7df3-74bd-4dda-b240-cf79fe5c4920

📥 Commits

Reviewing files that changed from the base of the PR and between b2e0220 and 3cf04dd.

📒 Files selected for processing (6)

• pkg/operator/controller/gatewayclass/controller.go
• pkg/operator/controller/gatewayclass/controller_test.go
• pkg/operator/controller/gatewayclass/istio_olm.go
• pkg/operator/controller/gatewayclass/istio_sail_installer.go
• test/e2e/gateway_api_test.go
• test/e2e/util_gatewayapi_test.go

[rikatz]

/jira refresh

[openshift-ci-robot]

@rikatz: This pull request references Jira Issue OCPBUGS-55050, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira (iamin@redhat.com), skipping review request.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[rikatz]

/test e2e-vsphere-static-metallb-operator-gwapi
/retest-required

[openshift-ci]

@rikatz: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-vsphere-static-metallb-operator-gwapi-techpreview	0dafbd5	link	false	/test e2e-vsphere-static-metallb-operator-gwapi-techpreview

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.