Generated with Claude Code
Description
The MCPGatewayExtension controller creates an HTTPRoute (mcp-gateway-route) targeting only the listener specified in spec.targetRef.sectionName. When a Gateway has both HTTP and HTTPS listeners for the same hostname, the HTTPS listener gets 0 attached routes and TLS traffic cannot reach the broker.
Steps to Reproduce
- Create a Gateway with both HTTP and HTTPS listeners on the same hostname:

    listeners:
    - name: mcp
      hostname: team-a.mcp.example.com
      port: 8080
      protocol: HTTP
    - name: mcp-https
      hostname: team-a.mcp.example.com
      port: 8443
      protocol: HTTPS
      tls:
        mode: Terminate
        certificateRefs:
        - name: gateway-tls-cert

- Create an MCPGatewayExtension targeting the HTTP listener:

    spec:
      targetRef:
        sectionName: mcp
        name: team-a-gateway

- The controller creates mcp-gateway-route with parentRefs[0].sectionName: mcp only.

- Verify:

    $ kubectl get gateway -n team-a -o jsonpath='{range .status.listeners[*]}{.name}: {.attachedRoutes}{"\n"}{end}'
    mcp: 1
    mcp-https: 0

- MCP requests over HTTPS fail — the HTTPS listener has no route to the broker.
Expected Behavior
The controller should create HTTPRoute(s) that attach to all listeners serving the same hostname, or at minimum allow specifying multiple sectionName targets. This would allow TLS traffic to reach the broker without manually creating a second HTTPRoute.
Current Workaround
Manually create a second HTTPRoute targeting the HTTPS listener:

    apiVersion: gateway.networking.k8s.io/v1
    kind: HTTPRoute
    metadata:
      name: mcp-gateway-route-tls
      namespace: team-a
    spec:
      hostnames:
      - team-a.mcp.example.com
      parentRefs:
      - group: gateway.networking.k8s.io
        kind: Gateway
        name: team-a-gateway
        sectionName: mcp-https
      rules:
      - matches:
        - path:
            type: PathPrefix
            value: /mcp
        backendRefs:
        - name: mcp-gateway
          port: 8080

Notes
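The Verify step above can be turned into a repeatable check that flags any hostname where one listener has attached routes and a sibling listener has none. This is an added example, not part of the original issue or the project's code; the function name `unrouted_siblings` and the sample JSON (a trimmed single Gateway object as returned by `kubectl get gateway <name> -o json`) are constructed here to match the values the issue reports.

```python
import json

# Constructed sample: trimmed `kubectl get gateway -n team-a -o json` item that
# mirrors the listeners and attachedRoutes counts reported in the issue.
SAMPLE_GATEWAY = json.loads("""
{
  "metadata": {"name": "team-a-gateway", "namespace": "team-a"},
  "spec": {"listeners": [
    {"name": "mcp", "hostname": "team-a.mcp.example.com", "port": 8080, "protocol": "HTTP"},
    {"name": "mcp-https", "hostname": "team-a.mcp.example.com", "port": 8443, "protocol": "HTTPS"}
  ]},
  "status": {"listeners": [
    {"name": "mcp", "attachedRoutes": 1},
    {"name": "mcp-https", "attachedRoutes": 0}
  ]}
}
""")


def unrouted_siblings(gateway):
    """Find hostnames where some listeners have routes and sibling listeners have none."""
    # status.listeners has no hostname or protocol, so join it to spec.listeners by name.
    attached = {s["name"]: s.get("attachedRoutes", 0)
                for s in gateway.get("status", {}).get("listeners", [])}
    by_host = {}
    for lis in gateway["spec"]["listeners"]:
        # A listener without a hostname matches every hostname; group those under "*".
        by_host.setdefault(lis.get("hostname", "*"), []).append(lis)

    findings = []
    for host, listeners in sorted(by_host.items()):
        routed = [(l["name"], l["protocol"]) for l in listeners if attached.get(l["name"], 0) > 0]
        unrouted = [(l["name"], l["protocol"]) for l in listeners if attached.get(l["name"], 0) == 0]
        if routed and unrouted:
            findings.append({
                "hostname": host,
                "routed": routed,
                "unrouted": unrouted,
                # True when routes exist only on plaintext HTTP while a TLS listener is empty.
                "plaintext_only": all(p == "HTTP" for _, p in routed)
                and any(p in ("HTTPS", "TLS") for _, p in unrouted),
            })
    return findings


if __name__ == "__main__":
    for finding in unrouted_siblings(SAMPLE_GATEWAY):
        print(finding)
```

A finding with `plaintext_only` set means the hostname is currently served only through the HTTP listener; once a route is attached to the HTTPS listener, as in the workaround, the function returns an empty list.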