fix(ingress): NGF stale-config follow-ups — Gateway API v1.5.1 + legacy CP min_replicas=1 #554

Open
sanmesh-kakade wants to merge 2 commits into develop from fix/ngf-gw-api-1.5.1-legacy

@sanmesh-kakade sanmesh-kakade commented Jun 16, 2026

Consolidates the facets-modules changes for the NGF 2.6.3 stale-config fix (#4697). Supersedes #553.

Companion (separate repo): the NGF chart/image 2.6.3 upgrade is in Facets-cloud/facets-utility-modules#39. These legacy modules source that module by git ref (unpinned), so they inherit the chart/image bump automatically once #39 merges.

Changes

  1. gateway_api_crd → Gateway API v1.5.1 (modules/gateway_api_crd/k8s/1.0) — default version v1.4.1→v1.5.1, enum extended; channel stays experimental; install still kubectl apply --server-side. NGF 2.5.0+ requires GW API v1.5.x.
    📋 Full Gateway API v1.4.1→v1.5.1 changelog + per-item impact + pre-flight checks are in a separate comment below.
  2. legacy NGF ingress modules → raise control-plane resource defaults (nginx_gateway_fabric_legacy_{aws,azure,gcp}) — CP requests 200m/256Mi → 250m/512Mi, limits 500m/512Mi → 1/1Gi (schema defaults + sample), matching facets-utility-modules#39. Data-plane unchanged; min_replicas left at 2 (HA).

Notes

  • Targets develop; cherry-pick to master after merge per the release flow.
  • CRDs must be applied before the NGF 2.6.3 controller upgrade (Es fix for version #39).

🤖 Generated with Claude Code

coderabbitai Bot commented Jun 16, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

🗂️ Base branches to auto review (1)
  • facets-saas

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

Sanmesh and others added 2 commits June 16, 2026 19:05
Bump the gateway_api_crd module default from Gateway API v1.4.1 to
v1.5.1 (channel stays experimental, install still uses
kubectl apply --server-side). Extends the version enum with
v1.5.1 and v1.5.0 while retaining the existing v1.4.x/v1.3.0/v1.2.0
entries.

This is the prerequisite CRD bump for the companion NGINX Gateway
Fabric 2.6.3 upgrade, since NGF 2.5.0+ requires Gateway API v1.5.x.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…e defaults

Match the utility module: control-plane resource defaults
requests cpu 200m->250m / mem 256Mi->512Mi, limits cpu 500m->1 / mem 512Mi->1Gi
(schema defaults + sample) across aws/azure/gcp. The single-replica controller
was memory-pressured (~291Mi vs the 256Mi request). Data-plane resources unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@sanmesh-kakade sanmesh-kakade force-pushed the fix/ngf-gw-api-1.5.1-legacy branch from 49500bc to 6da8d89 Compare June 16, 2026 13:36
@sanmesh-kakade

📋 Gateway API CRD changelog v1.4.1 → v1.5.1 — verified against the real manifests, with impact

v1.5.1 is a conformance/docs patch over v1.5.0 (zero CRD schema change) — all API deltas are from v1.5.0.

Legend: ✅ affects us · ⚠️ pre-check · — no impact

  • ReferenceGrant: v1 added; v1beta1 still served + storage safe/additive. Existing v1beta1 ReferenceGrants stay valid, no migration.
  • Gateway / GatewayClass / HTTPRoute / GRPCRoute — schemas grew (CORS GEP-1767, client-cert validation GEP-91/3567, cert selection GEP-3155) — all additive optional fields on the existing v1 storage; existing CRs not rejected.
  • TLSRoute promoted to standard as v1; experimental storage v1alpha3→v1. ⚠️ only matters if TLSRoutes exist. Pre-check kubectl get tlsroutes -A (expect empty).
  • XListenerSet → ListenerSet (v1); xlistenersets removed. ⚠️ breaking rename, only matters if XListenerSet CRs exist. Pre-check kubectl get xlistenersets -A (expect empty).
  • New safe-upgrades ValidatingAdmissionPolicy (failurePolicy: Fail, action Deny) — ✅ affects rollback: blocks applying CRDs below v1.5.0 and standard↔experimental mixing. Forward upgrade is fine; to roll back to ≤1.4.x first kubectl delete validatingadmissionpolicy safe-upgrades.gateway.networking.k8s.io + its binding.
  • --server-side apply is mandatory — the httproutes CRD alone is ~533 KB (> the 262 KB client-side annotation limit) — ✅ module already uses --server-side; keep it.
  • Min Kubernetes ≥ 1.31 (TLSRoute CEL) — ✅ satisfied (CP v1.33, nodes ≥ v1.31.3).

Pre-flight before apply

kubectl get tlsroutes,xlistenersets -A     # expect empty
kubectl get crd httproutes.gateway.networking.k8s.io \
  -o jsonpath='{range .metadata.managedFields[*]}{.manager}{"\n"}{end}'

If managedFields show kubectl-client-side-apply (or another conflicting manager), the install Job's server-side apply will conflict → needs --force-conflicts (module sets backoff_limit=3, no --force-conflicts today).

Apply these CRDs before the NGF 2.6.3 controller (facets-utility-modules#39).

Net: additive + safe for our Gateway/HTTPRoute/ReferenceGrant usage. Only real watch-items: the rollback VAP and a possible server-side-apply field-manager conflict — both operational, neither a schema break.
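
One way to script the pre-flight described in the comment above, as an added example (not code from this PR or the module). It extends the comment's jsonpath query with each entry's operation and subresource; the function names, the `APPLY_MANAGER` default of `kubectl` and the sample manager list are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example, not the module's code: pre-flight gate for the CRD apply.
# APPLY_MANAGER is an assumption: "kubectl" is the default field manager of
# `kubectl apply --server-side`; override it if the install Job sets another.
APPLY_MANAGER="${APPLY_MANAGER:-kubectl}"
CRD="httproutes.gateway.networking.k8s.io"
FIELDS='{range .metadata.managedFields[*]}{.manager}{"\t"}{.operation}{"\t"}{.subresource}{"\n"}{end}'

# stdin: "manager<TAB>operation<TAB>subresource", one line per managedFields
# entry. Prints managers other than APPLY_MANAGER that own fields on the main
# resource; subresource entries (e.g. status) are skipped.
potential_conflicts() {
  awk -F'\t' -v me="$APPLY_MANAGER" \
    '$1 != "" && $1 != me && $3 == "" { print $1 }' | sort -u
}

# stdin: `kubectl get <kind> -A -o name` output. Prints the object count.
count_objects() { grep -c . || true; }

# Constructed sample: a CRD that was first installed with client-side apply.
sample_managers() {
  printf 'kubectl-client-side-apply\tUpdate\t\n'
  printf 'kube-apiserver\tUpdate\tstatus\n'
  printf 'kubectl\tApply\t\n'
}

# Live check against the current kubectl context; returns 1 if anything blocks.
preflight() {
  local kind n raw owners rc=0
  for kind in tlsroutes xlistenersets; do
    # kubectl errors (e.g. the kind's CRD is not installed) count as 0 objects.
    n=$(kubectl get "$kind" -A -o name 2>/dev/null | count_objects)
    [ "$n" -eq 0 ] || { echo "BLOCK: $n $kind object(s) exist"; rc=1; }
  done
  raw=$(kubectl get crd "$CRD" -o jsonpath="$FIELDS") ||
    { echo "BLOCK: cannot read $CRD"; return 1; }
  owners=$(printf '%s\n' "$raw" | potential_conflicts | tr '\n' ' ')
  [ -z "$owners" ] || { echo "REVIEW: other field managers: $owners"; rc=1; }
  return "$rc"
}

# Offline by default; pass "live" as the first argument to query the cluster.
if [ "${1:-}" = "live" ]; then
  preflight
else
  sample_managers | potential_conflicts
fi
```

A manager listed here is only a potential conflict: server-side apply rejects the request when that manager owns a field the new manifest sets to a different value.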

sanmesh-kakade added a commit to Facets-cloud/facets-modules-redesign that referenced this pull request Jun 19, 2026
….5.1

Mirrors Facets-cloud/facets-modules#554 into the redesigned NGF modules:
- common/gateway_api_crd: default Gateway API version v1.4.1 -> v1.5.1
  (enum adds v1.5.1/v1.5.0; sample + main.tf lookup updated).
- nginx_gateway_fabric_{aws,azure,gcp,ovh}: control-plane resource defaults
  bumped — requests 200m/256Mi -> 250m/512Mi, limits 500m/512Mi -> 1/1Gi
  (schema defaults + x-ui-placeholders + sample).

Chart/image change is inherited from the base utility module these modules
delegate to (facets-utility-modules#39 -> facetscloud/nginx-gateway-fabric:2.6.5),
so no image refs change here.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>