fix: more robust HTTPRoute validation

Author: programmer04

CHANGELOG.md

@@ -134,6 +134,9 @@ Adding a new version? You'll need three changes:
   - For `HTTPRoute`, protocol now matches the attached Gateway listener protocol (and when `parentRef.sectionName` is set, it must match that specific listener). When `parentRef.sectionName` is not specified it binds to all `Gateway`s listeners.
   - For `Ingress`, default protocol relies on Kong Gateway, can be set explicitly via `konghq.com/protocols: "http"` (or `https`)
     annotation on particular `Ingress`.
+    [#7901](https://github.com/Kong/kubernetes-ingress-controller/pull/7901)
+- More robust validation for `HTTPRoute`, when unsupported feature is used and route refers existing and non-existing `Gateway`, it will be rejected.
+  [#7913](https://github.com/Kong/kubernetes-ingress-controller/pull/7913)
 
 ## [3.5.6]
 

internal/admission/validation/gateway/httproute.go

@@ -105,7 +105,7 @@ func ensureHTTPRouteIsManagedByController(ctx context.Context, httproute *gatewa
 			Name:      string(parentRef.Name),
 		}, &gateway); err != nil {
 			if apierrors.IsNotFound(err) {
-				return false, nil
+				continue
 			}
 			return false, fmt.Errorf("failed to get Gateway: %w", err)
 		}

internal/admission/validation/gateway/httproute_test.go

@@ -1015,6 +1015,47 @@ func TestValidateHTTPRoute(t *testing.T) {
 			},
 			valid: true,
 		},
+		{
+			msg: "HTTPRoute with unsupported filter when reference both existing and non-existing gateway should be rejected",
+			cachedObjects: []client.Object{
+				gatewayClass,
+				&gatewayapi.Gateway{
+					ObjectMeta: metav1.ObjectMeta{
+						Namespace: corev1.NamespaceDefault,
+						Name:      "existing-managed-gateway",
+					},
+					Spec: gatewayapi.GatewaySpec{GatewayClassName: gatewayClassName},
+				},
+			},
+			route: &gatewayapi.HTTPRoute{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: corev1.NamespaceDefault,
+					Name:      "example-route",
+				},
+				Spec: gatewayapi.HTTPRouteSpec{
+					CommonRouteSpec: gatewayapi.CommonRouteSpec{
+						ParentRefs: []gatewayapi.ParentReference{
+							{
+								Name:      "non-existent-gateway",
+								Namespace: lo.ToPtr(gatewayapi.Namespace(corev1.NamespaceDefault)),
+							},
+							{
+								Name:      "existing-managed-gateway",
+								Namespace: lo.ToPtr(gatewayapi.Namespace(corev1.NamespaceDefault)),
+							},
+						},
+					},
+					Rules: []gatewayapi.HTTPRouteRule{{
+						Filters: []gatewayapi.HTTPRouteFilter{{
+							// RequestMirror is explicitly unsupported — should be rejected.
+							Type: gatewayapi.HTTPRouteFilterRequestMirror,
+						}},
+					}},
+				},
+			},
+			valid:         false,
+			validationMsg: "HTTPRoute spec did not pass validation: rules[0].filters[0]: filter type RequestMirror is unsupported",
+		},
 	} {
 		t.Run(tt.msg, func(t *testing.T) {
 			fakeClient := fakeclient.