githedgehog · Frostman · Feb 26, 2026 · Feb 25, 2026 · Feb 25, 2026
@@ -163,7 +163,7 @@ jobs:
             matrix.upgradefrom == '' || contains(github.event.pull_request.labels.*.name, 'ci:-upgrade')
           )
         }}
-      fabricatorref: master
+      fabricatorref: ema/gw-validate-signature
       prebuild: "just bump gateway ${{ needs.test-build.outputs.version }} ${{ needs.test-build.outputs.ref }}"
       fabricmode: ${{ matrix.fabricmode }}
       mesh: ${{ matrix.mesh }}

@@ -14,6 +14,7 @@ import (
 	"strconv"
 	"strings"
 
+	"go.githedgehog.com/gateway/api/meta"
 	kmetav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 )
@@ -169,7 +170,7 @@ func (gw *Gateway) Default() {
 
 var linuxIfaceNameRegex = regexp.MustCompile(`^[a-zA-Z][a-zA-Z0-9_.-]{0,8}[a-zA-Z0-9]$`)
 
-func (gw *Gateway) Validate(ctx context.Context, kube kclient.Reader) error {
+func (gw *Gateway) Validate(ctx context.Context, kube kclient.Reader, gwCfg *meta.GatewayCtrlConfig) error {
 	if gw.Namespace != kmetav1.NamespaceDefault {
 		return fmt.Errorf("gateway namespace must be %s: %w", kmetav1.NamespaceDefault, ErrInvalidGW)
 	}
@@ -357,6 +358,7 @@ func (gw *Gateway) Validate(ctx context.Context, kube kclient.Reader) error {
 	if kube != nil {
 		protocolIPs := map[netip.Addr]bool{}
 		vtepIPs := map[netip.Addr]bool{}
+		gwGroupMembers := map[string]int{}
 		gateways := &GatewayList{}
 		if err := kube.List(ctx, gateways); err != nil {
 			return fmt.Errorf("listing gateways: %w", err)
@@ -376,6 +378,9 @@ func (gw *Gateway) Validate(ctx context.Context, kube kclient.Reader) error {
 					vtepIPs[ip.Addr()] = true
 				}
 			}
+			for _, group := range other.Spec.Groups {
+				gwGroupMembers[group.Name]++
+			}
 		}
 		if _, exist := protocolIPs[protoIP.Addr()]; exist {
 			return fmt.Errorf("gateway %s protocol IP %s is already in use: %w", gw.Name, protoIP, ErrInvalidGW)
@@ -396,6 +401,9 @@ func (gw *Gateway) Validate(ctx context.Context, kube kclient.Reader) error {
 			if !gwGroups[gwGroup.Name] {
 				return fmt.Errorf("gateway group %s not found: %w", gwGroup.Name, ErrInvalidGW)
 			}
+			if gwCfg != nil && len(gwCfg.Communities) > 0 && gwGroupMembers[gwGroup.Name] >= len(gwCfg.Communities) {
+				return fmt.Errorf("gateway group %s already has too many members (%d), max is %d: %w", gwGroup.Name, gwGroupMembers[gwGroup.Name], len(gwCfg.Communities), ErrInvalidGW)
+			}
 		}
 	}
 

@@ -10,6 +10,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.githedgehog.com/gateway/api/gateway/v1alpha1"
+	"go.githedgehog.com/gateway/api/meta"
 	kmetav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
@@ -212,10 +213,50 @@ func TestGatewayValidate(t *testing.T) {
 			objs: base,
 			err:  v1alpha1.ErrInvalidGW,
 		},
+		{
+			name: "test-too-many-gws-in-group",
+			gw: *gwa("gw-1", func(gw *v1alpha1.Gateway) {
+				gw.Spec.Groups = []v1alpha1.GatewayGroupMembership{{Name: "gr1", Priority: 0}}
+			}),
+			objs: withObjs(base,
+				withName("gr1", &v1alpha1.GatewayGroup{}),
+				withName("gw-3", &v1alpha1.Gateway{
+					Spec: v1alpha1.GatewaySpec{
+						Groups: []v1alpha1.GatewayGroupMembership{{Name: "gr1", Priority: 1}},
+					},
+				}),
+				withName("gw-4", &v1alpha1.Gateway{
+					Spec: v1alpha1.GatewaySpec{
+						Groups: []v1alpha1.GatewayGroupMembership{{Name: "gr1", Priority: 2}},
+					},
+				}),
+			),
+			err: v1alpha1.ErrInvalidGW,
+		},
+		{
+			name: "test-fits-in-gw-group",
+			gw: *gwa("gw-1", func(gw *v1alpha1.Gateway) {
+				gw.Spec.Groups = []v1alpha1.GatewayGroupMembership{{Name: "gr1", Priority: 0}}
+			}),
+			objs: withObjs(base,
+				withName("gr1", &v1alpha1.GatewayGroup{}),
+				withName("gw-3", &v1alpha1.Gateway{
+					Spec: v1alpha1.GatewaySpec{
+						Groups: []v1alpha1.GatewayGroupMembership{{Name: "gr1", Priority: 1}},
+					},
+				}),
+			),
+		},
 	}
 
 	scheme := runtime.NewScheme()
 	require.NoError(t, v1alpha1.AddToScheme(scheme), "should add gateway API to scheme")
+	cfg := &meta.GatewayCtrlConfig{
+		Communities: map[uint32]string{
+			0: "50000:1000",
+			1: "50000:1001",
+		},
+	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -227,7 +268,7 @@ func TestGatewayValidate(t *testing.T) {
 				Build()
 
 			tt.gw.Default()
-			actual := tt.gw.Validate(ctx, kube)
+			actual := tt.gw.Validate(ctx, kube, cfg)
 			assert.ErrorIs(t, actual, tt.err, "validate should return expected error")
 		})
 	}

@@ -143,7 +143,7 @@ func run() error {
 	}
 
 	// Webhooks
-	if err := ctrl.SetupGatewayWebhookWith(mgr); err != nil {
+	if err := ctrl.SetupGatewayWebhookWith(mgr, cfg); err != nil {
 		return fmt.Errorf("setting up gateway webhook: %w", err)
 	}
 	if err := ctrl.SetupGatewayGroupWebhookWith(mgr); err != nil {

@@ -12,18 +12,21 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
 	gwapi "go.githedgehog.com/gateway/api/gateway/v1alpha1"
+	"go.githedgehog.com/gateway/api/meta"
 )
 
 // +kubebuilder:webhook:path=/mutate-gateway-githedgehog-com-v1alpha1-gateway,mutating=true,failurePolicy=fail,sideEffects=None,groups=gateway.githedgehog.com,resources=gateways,verbs=create;update;delete,versions=v1alpha1,name=mgateway.kb.io,admissionReviewVersions=v1
 // +kubebuilder:webhook:path=/validate-gateway-githedgehog-com-v1alpha1-gateway,mutating=false,failurePolicy=fail,sideEffects=None,groups=gateway.githedgehog.com,resources=gateways,verbs=create;update;delete,versions=v1alpha1,name=vgateway.kb.io,admissionReviewVersions=v1
 
 type GatewayWebhook struct {
 	kclient.Reader
+	Cfg *meta.GatewayCtrlConfig
 }
 
-func SetupGatewayWebhookWith(mgr kctrl.Manager) error {
+func SetupGatewayWebhookWith(mgr kctrl.Manager, cfg *meta.GatewayCtrlConfig) error {
 	w := &GatewayWebhook{
 		Reader: mgr.GetClient(),
+		Cfg:    cfg,
 	}
 
 	if err := kctrl.NewWebhookManagedBy(mgr, &gwapi.Gateway{}).
@@ -43,12 +46,12 @@ func (w *GatewayWebhook) Default(_ context.Context, obj *gwapi.Gateway) error {
 }
 
 func (w *GatewayWebhook) ValidateCreate(ctx context.Context, gw *gwapi.Gateway) (admission.Warnings, error) {
-	return nil, gw.Validate(ctx, w.Reader) //nolint:wrapcheck
+	return nil, gw.Validate(ctx, w.Reader, w.Cfg) //nolint:wrapcheck
 }
 
 func (w *GatewayWebhook) ValidateUpdate(ctx context.Context, _ *gwapi.Gateway, newGw *gwapi.Gateway) (admission.Warnings, error) {
 	// TODO validate diff between oldObj and newObj if needed
-	return nil, newGw.Validate(ctx, w.Reader) //nolint:wrapcheck
+	return nil, newGw.Validate(ctx, w.Reader, w.Cfg) //nolint:wrapcheck
 }
 
 func (w *GatewayWebhook) ValidateDelete(_ context.Context, _ *gwapi.Gateway) (admission.Warnings, error) {