Add Kubernetes Gateway Provider

Co-authored-by: Jean-Baptiste Doumenjou <925513+jbdoumenjou@users.noreply.github.com>

pkg/provider/kubernetes/crd/kubernetes.go

@@ -38,16 +38,15 @@ const (
 
 // Provider holds configurations of the provider.
 type Provider struct {
-	Endpoint               string          `description:"Kubernetes server endpoint (required for external cluster client)." json:"endpoint,omitempty" toml:"endpoint,omitempty" yaml:"endpoint,omitempty"`
-	Token                  string          `description:"Kubernetes bearer token (not needed for in-cluster client)." json:"token,omitempty" toml:"token,omitempty" yaml:"token,omitempty"`
-	CertAuthFilePath       string          `description:"Kubernetes certificate authority file path (not needed for in-cluster client)." json:"certAuthFilePath,omitempty" toml:"certAuthFilePath,omitempty" yaml:"certAuthFilePath,omitempty"`
-	DisablePassHostHeaders bool            `description:"Kubernetes disable PassHost Headers." json:"disablePassHostHeaders,omitempty" toml:"disablePassHostHeaders,omitempty" yaml:"disablePassHostHeaders,omitempty" export:"true"`
-	Namespaces             []string        `description:"Kubernetes namespaces." json:"namespaces,omitempty" toml:"namespaces,omitempty" yaml:"namespaces,omitempty" export:"true"`
-	AllowCrossNamespace    *bool           `description:"Allow cross namespace resource reference." json:"allowCrossNamespace,omitempty" toml:"allowCrossNamespace,omitempty" yaml:"allowCrossNamespace,omitempty" export:"true"`
-	LabelSelector          string          `description:"Kubernetes label selector to use." json:"labelSelector,omitempty" toml:"labelSelector,omitempty" yaml:"labelSelector,omitempty" export:"true"`
-	IngressClass           string          `description:"Value of kubernetes.io/ingress.class annotation to watch for." json:"ingressClass,omitempty" toml:"ingressClass,omitempty" yaml:"ingressClass,omitempty" export:"true"`
-	ThrottleDuration       ptypes.Duration `description:"Ingress refresh throttle duration" json:"throttleDuration,omitempty" toml:"throttleDuration,omitempty" yaml:"throttleDuration,omitempty" export:"true"`
-	lastConfiguration      safe.Safe
+	Endpoint            string          `description:"Kubernetes server endpoint (required for external cluster client)." json:"endpoint,omitempty" toml:"endpoint,omitempty" yaml:"endpoint,omitempty"`
+	Token               string          `description:"Kubernetes bearer token (not needed for in-cluster client)." json:"token,omitempty" toml:"token,omitempty" yaml:"token,omitempty"`
+	CertAuthFilePath    string          `description:"Kubernetes certificate authority file path (not needed for in-cluster client)." json:"certAuthFilePath,omitempty" toml:"certAuthFilePath,omitempty" yaml:"certAuthFilePath,omitempty"`
+	Namespaces          []string        `description:"Kubernetes namespaces." json:"namespaces,omitempty" toml:"namespaces,omitempty" yaml:"namespaces,omitempty" export:"true"`
+	AllowCrossNamespace *bool           `description:"Allow cross namespace resource reference." json:"allowCrossNamespace,omitempty" toml:"allowCrossNamespace,omitempty" yaml:"allowCrossNamespace,omitempty" export:"true"`
+	LabelSelector       string          `description:"Kubernetes label selector to use." json:"labelSelector,omitempty" toml:"labelSelector,omitempty" yaml:"labelSelector,omitempty" export:"true"`
+	IngressClass        string          `description:"Value of kubernetes.io/ingress.class annotation to watch for." json:"ingressClass,omitempty" toml:"ingressClass,omitempty" yaml:"ingressClass,omitempty" export:"true"`
+	ThrottleDuration    ptypes.Duration `description:"Ingress refresh throttle duration" json:"throttleDuration,omitempty" toml:"throttleDuration,omitempty" yaml:"throttleDuration,omitempty" export:"true"`
+	lastConfiguration   safe.Safe
 }
 
 // SetDefaults sets the default values.

pkg/provider/kubernetes/gateway/client.go

@@ -0,0 +1,443 @@
+package gateway
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"time"
+
+	"github.com/traefik/traefik/v2/pkg/log"
+	corev1 "k8s.io/api/core/v1"
+	kubeerror "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/informers"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
+	"sigs.k8s.io/service-apis/apis/v1alpha1"
+	"sigs.k8s.io/service-apis/pkg/client/clientset/versioned"
+	"sigs.k8s.io/service-apis/pkg/client/informers/externalversions"
+)
+
+const resyncPeriod = 10 * time.Minute
+
+type resourceEventHandler struct {
+	ev chan<- interface{}
+}
+
+func (reh *resourceEventHandler) OnAdd(obj interface{}) {
+	eventHandlerFunc(reh.ev, obj)
+}
+
+func (reh *resourceEventHandler) OnUpdate(oldObj, newObj interface{}) {
+	switch oldObj.(type) {
+	case *v1alpha1.GatewayClass:
+		// Skip update for gateway classes. We only manage addition or deletion for this cluster-wide resource.
+		return
+	default:
+		eventHandlerFunc(reh.ev, newObj)
+	}
+}
+
+func (reh *resourceEventHandler) OnDelete(obj interface{}) {
+	eventHandlerFunc(reh.ev, obj)
+}
+
+// Client is a client for the Provider master.
+// WatchAll starts the watch of the Provider resources and updates the stores.
+// The stores can then be accessed via the Get* functions.
+type Client interface {
+	WatchAll(namespaces []string, stopCh <-chan struct{}) (<-chan interface{}, error)
+
+	GetGatewayClasses() ([]*v1alpha1.GatewayClass, error)
+	UpdateGatewayStatus(gateway *v1alpha1.Gateway, gatewayStatus v1alpha1.GatewayStatus) error
+	UpdateGatewayClassStatus(gatewayClass *v1alpha1.GatewayClass, condition metav1.Condition) error
+	GetGateways() []*v1alpha1.Gateway
+	GetHTTPRoutes(namespace string, selector labels.Selector) ([]*v1alpha1.HTTPRoute, error)
+
+	GetService(namespace, name string) (*corev1.Service, bool, error)
+	GetSecret(namespace, name string) (*corev1.Secret, bool, error)
+	GetEndpoints(namespace, name string) (*corev1.Endpoints, bool, error)
+}
+
+type clientWrapper struct {
+	csGateway versioned.Interface
+	csKube    kubernetes.Interface
+
+	factoryGatewayClass externalversions.SharedInformerFactory
+	factoriesGateway    map[string]externalversions.SharedInformerFactory
+	factoriesKube       map[string]informers.SharedInformerFactory
+	factoriesSecret     map[string]informers.SharedInformerFactory
+
+	isNamespaceAll    bool
+	watchedNamespaces []string
+
+	labelSelector string
+}
+
+func createClientFromConfig(c *rest.Config) (*clientWrapper, error) {
+	csGateway, err := versioned.NewForConfig(c)
+	if err != nil {
+		return nil, err
+	}
+
+	csKube, err := kubernetes.NewForConfig(c)
+	if err != nil {
+		return nil, err
+	}
+
+	return newClientImpl(csKube, csGateway), nil
+}
+
+func newClientImpl(csKube kubernetes.Interface, csGateway versioned.Interface) *clientWrapper {
+	return &clientWrapper{
+		csGateway:        csGateway,
+		csKube:           csKube,
+		factoriesGateway: make(map[string]externalversions.SharedInformerFactory),
+		factoriesKube:    make(map[string]informers.SharedInformerFactory),
+		factoriesSecret:  make(map[string]informers.SharedInformerFactory),
+	}
+}
+
+// newInClusterClient returns a new Provider client that is expected to run
+// inside the cluster.
+func newInClusterClient(endpoint string) (*clientWrapper, error) {
+	config, err := rest.InClusterConfig()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create in-cluster configuration: %w", err)
+	}
+
+	if endpoint != "" {
+		config.Host = endpoint
+	}
+
+	return createClientFromConfig(config)
+}
+
+func newExternalClusterClientFromFile(file string) (*clientWrapper, error) {
+	configFromFlags, err := clientcmd.BuildConfigFromFlags("", file)
+	if err != nil {
+		return nil, err
+	}
+	return createClientFromConfig(configFromFlags)
+}
+
+// newExternalClusterClient returns a new Provider client that may run outside
+// of the cluster.
+// The endpoint parameter must not be empty.
+func newExternalClusterClient(endpoint, token, caFilePath string) (*clientWrapper, error) {
+	if endpoint == "" {
+		return nil, errors.New("endpoint missing for external cluster client")
+	}
+
+	config := &rest.Config{
+		Host:        endpoint,
+		BearerToken: token,
+	}
+
+	if caFilePath != "" {
+		caData, err := ioutil.ReadFile(caFilePath)
+		if err != nil {
+			return nil, fmt.Errorf("failed to read CA file %s: %w", caFilePath, err)
+		}
+
+		config.TLSClientConfig = rest.TLSClientConfig{CAData: caData}
+	}
+
+	return createClientFromConfig(config)
+}
+
+// WatchAll starts namespace-specific controllers for all relevant kinds.
+func (c *clientWrapper) WatchAll(namespaces []string, stopCh <-chan struct{}) (<-chan interface{}, error) {
+	eventCh := make(chan interface{}, 1)
+	eventHandler := &resourceEventHandler{ev: eventCh}
+
+	if len(namespaces) == 0 {
+		namespaces = []string{metav1.NamespaceAll}
+		c.isNamespaceAll = true
+	}
+
+	c.watchedNamespaces = namespaces
+
+	notOwnedByHelm := func(opts *metav1.ListOptions) {
+		opts.LabelSelector = "owner!=helm"
+	}
+
+	labelSelectorOptions := func(options *metav1.ListOptions) {
+		options.LabelSelector = c.labelSelector
+	}
+
+	c.factoryGatewayClass = externalversions.NewSharedInformerFactoryWithOptions(c.csGateway, resyncPeriod, externalversions.WithTweakListOptions(labelSelectorOptions))
+	c.factoryGatewayClass.Networking().V1alpha1().GatewayClasses().Informer().AddEventHandler(eventHandler)
+
+	for _, ns := range namespaces {
+		factoryGateway := externalversions.NewSharedInformerFactoryWithOptions(c.csGateway, resyncPeriod, externalversions.WithNamespace(ns))
+		factoryGateway.Networking().V1alpha1().Gateways().Informer().AddEventHandler(eventHandler)
+		factoryGateway.Networking().V1alpha1().HTTPRoutes().Informer().AddEventHandler(eventHandler)
+
+		factoryKube := informers.NewSharedInformerFactoryWithOptions(c.csKube, resyncPeriod, informers.WithNamespace(ns))
+		factoryKube.Core().V1().Services().Informer().AddEventHandler(eventHandler)
+		factoryKube.Core().V1().Endpoints().Informer().AddEventHandler(eventHandler)
+
+		factorySecret := informers.NewSharedInformerFactoryWithOptions(c.csKube, resyncPeriod, informers.WithNamespace(ns), informers.WithTweakListOptions(notOwnedByHelm))
+		factorySecret.Core().V1().Secrets().Informer().AddEventHandler(eventHandler)
+
+		c.factoriesGateway[ns] = factoryGateway
+		c.factoriesKube[ns] = factoryKube
+		c.factoriesSecret[ns] = factorySecret
+	}
+
+	c.factoryGatewayClass.Start(stopCh)
+
+	for _, ns := range namespaces {
+		c.factoriesGateway[ns].Start(stopCh)
+		c.factoriesKube[ns].Start(stopCh)
+		c.factoriesSecret[ns].Start(stopCh)
+	}
+
+	for t, ok := range c.factoryGatewayClass.WaitForCacheSync(stopCh) {
+		if !ok {
+			return nil, fmt.Errorf("timed out waiting for controller caches to sync %s", t.String())
+		}
+	}
+
+	for _, ns := range namespaces {
+		for t, ok := range c.factoriesGateway[ns].WaitForCacheSync(stopCh) {
+			if !ok {
+				return nil, fmt.Errorf("timed out waiting for controller caches to sync %s in namespace %q", t.String(), ns)
+			}
+		}
+
+		for t, ok := range c.factoriesKube[ns].WaitForCacheSync(stopCh) {
+			if !ok {
+				return nil, fmt.Errorf("timed out waiting for controller caches to sync %s in namespace %q", t.String(), ns)
+			}
+		}
+
+		for t, ok := range c.factoriesSecret[ns].WaitForCacheSync(stopCh) {
+			if !ok {
+				return nil, fmt.Errorf("timed out waiting for controller caches to sync %s in namespace %q", t.String(), ns)
+			}
+		}
+	}
+
+	return eventCh, nil
+}
+
+func (c *clientWrapper) GetHTTPRoutes(namespace string, selector labels.Selector) ([]*v1alpha1.HTTPRoute, error) {
+	if !c.isWatchedNamespace(namespace) {
+		return nil, fmt.Errorf("failed to get HTTPRoute %s with labels selector %s: namespace is not within watched namespaces", namespace, selector)
+	}
+	httpRoutes, err := c.factoriesGateway[c.lookupNamespace(namespace)].Networking().V1alpha1().HTTPRoutes().Lister().HTTPRoutes(namespace).List(selector)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(httpRoutes) == 0 {
+		return nil, fmt.Errorf("failed to get HTTPRoute %s with labels selector %s: namespace is not within watched namespaces", namespace, selector)
+	}
+
+	return httpRoutes, nil
+}
+
+func (c *clientWrapper) GetGateways() []*v1alpha1.Gateway {
+	var result []*v1alpha1.Gateway
+
+	for ns, factory := range c.factoriesGateway {
+		gateways, err := factory.Networking().V1alpha1().Gateways().Lister().List(labels.Everything())
+		if err != nil {
+			log.WithoutContext().Errorf("Failed to list Gateways in namespace %s: %v", ns, err)
+			continue
+		}
+		result = append(result, gateways...)
+	}
+
+	return result
+}
+
+func (c *clientWrapper) GetGatewayClasses() ([]*v1alpha1.GatewayClass, error) {
+	return c.factoryGatewayClass.Networking().V1alpha1().GatewayClasses().Lister().List(labels.Everything())
+}
+
+func (c *clientWrapper) UpdateGatewayClassStatus(gatewayClass *v1alpha1.GatewayClass, condition metav1.Condition) error {
+	gc := gatewayClass.DeepCopy()
+
+	var newConditions []metav1.Condition
+	for _, cond := range gc.Status.Conditions {
+		// No update for identical condition.
+		if cond.Type == condition.Type && cond.Status == condition.Status {
+			return nil
+		}
+
+		// Keep other condition types.
+		if cond.Type != condition.Type {
+			newConditions = append(newConditions, cond)
+		}
+	}
+
+	// Append the condition to update.
+	newConditions = append(newConditions, condition)
+	gc.Status.Conditions = newConditions
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	_, err := c.csGateway.NetworkingV1alpha1().GatewayClasses().UpdateStatus(ctx, gc, metav1.UpdateOptions{})
+	if err != nil {
+		return fmt.Errorf("failed to update GatewayClass %q status: %w", gatewayClass.Name, err)
+	}
+
+	return nil
+}
+
+func (c *clientWrapper) UpdateGatewayStatus(gateway *v1alpha1.Gateway, gatewayStatus v1alpha1.GatewayStatus) error {
+	if !c.isWatchedNamespace(gateway.Namespace) {
+		return fmt.Errorf("cannot update Gateway status %s/%s: namespace is not within watched namespaces", gateway.Namespace, gateway.Name)
+	}
+
+	if statusEquals(gateway.Status, gatewayStatus) {
+		return nil
+	}
+
+	g := gateway.DeepCopy()
+	g.Status = gatewayStatus
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	_, err := c.csGateway.NetworkingV1alpha1().Gateways(gateway.Namespace).UpdateStatus(ctx, g, metav1.UpdateOptions{})
+	if err != nil {
+		return fmt.Errorf("failed to update Gateway %q status: %w", gateway.Name, err)
+	}
+
+	return nil
+}
+
+func statusEquals(oldStatus, newStatus v1alpha1.GatewayStatus) bool {
+	if len(oldStatus.Listeners) != len(newStatus.Listeners) {
+		return false
+	}
+
+	if !conditionsEquals(oldStatus.Conditions, newStatus.Conditions) {
+		return false
+	}
+
+	listenerMatches := 0
+	for _, newListener := range newStatus.Listeners {
+		for _, oldListener := range oldStatus.Listeners {
+			if newListener.Port == oldListener.Port {
+				if !conditionsEquals(newListener.Conditions, oldListener.Conditions) {
+					return false
+				}
+
+				listenerMatches++
+			}
+		}
+	}
+
+	return listenerMatches == len(oldStatus.Listeners)
+}
+
+func conditionsEquals(conditionsA, conditionsB []metav1.Condition) bool {
+	if len(conditionsA) != len(conditionsB) {
+		return false
+	}
+
+	conditionMatches := 0
+	for _, conditionA := range conditionsA {
+		for _, conditionB := range conditionsB {
+			if conditionA.Type == conditionB.Type {
+				if conditionA.Reason != conditionB.Reason || conditionA.Status != conditionB.Status || conditionA.Message != conditionB.Message {
+					return false
+				}
+				conditionMatches++
+			}
+		}
+	}
+
+	return conditionMatches == len(conditionsA)
+}
+
+// GetService returns the named service from the given namespace.
+func (c *clientWrapper) GetService(namespace, name string) (*corev1.Service, bool, error) {
+	if !c.isWatchedNamespace(namespace) {
+		return nil, false, fmt.Errorf("failed to get service %s/%s: namespace is not within watched namespaces", namespace, name)
+	}
+
+	service, err := c.factoriesKube[c.lookupNamespace(namespace)].Core().V1().Services().Lister().Services(namespace).Get(name)
+	exist, err := translateNotFoundError(err)
+
+	return service, exist, err
+}
+
+// GetEndpoints returns the named endpoints from the given namespace.
+func (c *clientWrapper) GetEndpoints(namespace, name string) (*corev1.Endpoints, bool, error) {
+	if !c.isWatchedNamespace(namespace) {
+		return nil, false, fmt.Errorf("failed to get endpoints %s/%s: namespace is not within watched namespaces", namespace, name)
+	}
+
+	endpoint, err := c.factoriesKube[c.lookupNamespace(namespace)].Core().V1().Endpoints().Lister().Endpoints(namespace).Get(name)
+	exist, err := translateNotFoundError(err)
+
+	return endpoint, exist, err
+}
+
+// GetSecret returns the named secret from the given namespace.
+func (c *clientWrapper) GetSecret(namespace, name string) (*corev1.Secret, bool, error) {
+	if !c.isWatchedNamespace(namespace) {
+		return nil, false, fmt.Errorf("failed to get secret %s/%s: namespace is not within watched namespaces", namespace, name)
+	}
+
+	secret, err := c.factoriesSecret[c.lookupNamespace(namespace)].Core().V1().Secrets().Lister().Secrets(namespace).Get(name)
+	exist, err := translateNotFoundError(err)
+
+	return secret, exist, err
+}
+
+// lookupNamespace returns the lookup namespace key for the given namespace.
+// When listening on all namespaces, it returns the client-go identifier ("")
+// for all-namespaces. Otherwise, it returns the given namespace.
+// The distinction is necessary because we index all informers on the special
+// identifier iff all-namespaces are requested but receive specific namespace
+// identifiers from the Kubernetes API, so we have to bridge this gap.
+func (c *clientWrapper) lookupNamespace(ns string) string {
+	if c.isNamespaceAll {
+		return metav1.NamespaceAll
+	}
+	return ns
+}
+
+// eventHandlerFunc will pass the obj on to the events channel or drop it.
+// This is so passing the events along won't block in the case of high volume.
+// The events are only used for signaling anyway so dropping a few is ok.
+func eventHandlerFunc(events chan<- interface{}, obj interface{}) {
+	select {
+	case events <- obj:
+	default:
+	}
+}
+
+// translateNotFoundError will translate a "not found" error to a boolean return
+// value which indicates if the resource exists and a nil error.
+func translateNotFoundError(err error) (bool, error) {
+	if kubeerror.IsNotFound(err) {
+		return false, nil
+	}
+	return err == nil, err
+}
+
+// isWatchedNamespace checks to ensure that the namespace is being watched before we request
+// it to ensure we don't panic by requesting an out-of-watch object.
+func (c *clientWrapper) isWatchedNamespace(ns string) bool {
+	if c.isNamespaceAll {
+		return true
+	}
+	for _, watchedNamespace := range c.watchedNamespaces {
+		if watchedNamespace == ns {
+			return true
+		}
+	}
+	return false
+}

pkg/provider/kubernetes/gateway/client_mock_test.go

@@ -0,0 +1,181 @@
+package gateway
+
+import (
+	"fmt"
+	"io/ioutil"
+	"path/filepath"
+
+	"github.com/traefik/traefik/v2/pkg/provider/kubernetes/k8s"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/kubernetes/scheme"
+	"sigs.k8s.io/service-apis/apis/v1alpha1"
+)
+
+var _ Client = (*clientMock)(nil)
+
+func init() {
+	// required by k8s.MustParseYaml
+	err := v1alpha1.AddToScheme(scheme.Scheme)
+	if err != nil {
+		panic(err)
+	}
+}
+
+type clientMock struct {
+	services  []*corev1.Service
+	secrets   []*corev1.Secret
+	endpoints []*corev1.Endpoints
+
+	apiServiceError   error
+	apiSecretError    error
+	apiEndpointsError error
+
+	gatewayClasses []*v1alpha1.GatewayClass
+	gateways       []*v1alpha1.Gateway
+	httpRoutes     []*v1alpha1.HTTPRoute
+
+	watchChan chan interface{}
+}
+
+func newClientMock(paths ...string) clientMock {
+	var c clientMock
+
+	for _, path := range paths {
+		yamlContent, err := ioutil.ReadFile(filepath.FromSlash("./fixtures/" + path))
+		if err != nil {
+			panic(err)
+		}
+
+		k8sObjects := k8s.MustParseYaml(yamlContent)
+		for _, obj := range k8sObjects {
+			switch o := obj.(type) {
+			case *corev1.Service:
+				c.services = append(c.services, o)
+			case *corev1.Secret:
+				c.secrets = append(c.secrets, o)
+			case *corev1.Endpoints:
+				c.endpoints = append(c.endpoints, o)
+			case *v1alpha1.GatewayClass:
+				c.gatewayClasses = append(c.gatewayClasses, o)
+			case *v1alpha1.Gateway:
+				c.gateways = append(c.gateways, o)
+			case *v1alpha1.HTTPRoute:
+				c.httpRoutes = append(c.httpRoutes, o)
+			default:
+				panic(fmt.Sprintf("Unknown runtime object %+v %T", o, o))
+			}
+		}
+	}
+
+	return c
+}
+
+func (c clientMock) UpdateGatewayStatus(gateway *v1alpha1.Gateway, gatewayStatus v1alpha1.GatewayStatus) error {
+	for _, g := range c.gateways {
+		if g.Name == gateway.Name {
+			if !statusEquals(g.Status, gatewayStatus) {
+				g.Status = gatewayStatus
+				return nil
+			}
+			return fmt.Errorf("cannot update gateway %v", gateway.Name)
+		}
+	}
+	return nil
+}
+
+func (c clientMock) UpdateGatewayClassStatus(gatewayClass *v1alpha1.GatewayClass, condition metav1.Condition) error {
+	for _, gc := range c.gatewayClasses {
+		if gc.Name == gatewayClass.Name {
+			for _, c := range gc.Status.Conditions {
+				if c.Type == condition.Type && c.Status != condition.Status {
+					c.Status = condition.Status
+					c.LastTransitionTime = condition.LastTransitionTime
+					c.Message = condition.Message
+					c.Reason = condition.Reason
+				}
+			}
+		}
+	}
+	return nil
+}
+
+func (c clientMock) UpdateGatewayStatusConditions(gateway *v1alpha1.Gateway, condition metav1.Condition) error {
+	for _, g := range c.gatewayClasses {
+		if g.Name == gateway.Name {
+			for _, c := range g.Status.Conditions {
+				if c.Type == condition.Type && (c.Status != condition.Status || c.Reason != condition.Reason) {
+					c.Status = condition.Status
+					c.LastTransitionTime = condition.LastTransitionTime
+					c.Message = condition.Message
+					c.Reason = condition.Reason
+				}
+			}
+		}
+	}
+	return nil
+}
+
+func (c clientMock) GetGatewayClasses() ([]*v1alpha1.GatewayClass, error) {
+	return c.gatewayClasses, nil
+}
+
+func (c clientMock) GetGateways() []*v1alpha1.Gateway {
+	return c.gateways
+}
+
+func (c clientMock) GetHTTPRoutes(namespace string, selector labels.Selector) ([]*v1alpha1.HTTPRoute, error) {
+	httpRoutes := make([]*v1alpha1.HTTPRoute, len(c.httpRoutes))
+
+	for _, httpRoute := range c.httpRoutes {
+		if httpRoute.Namespace == namespace && selector.Matches(labels.Set(httpRoute.Labels)) {
+			httpRoutes = append(httpRoutes, httpRoute)
+		}
+	}
+	return httpRoutes, nil
+}
+
+func (c clientMock) GetService(namespace, name string) (*corev1.Service, bool, error) {
+	if c.apiServiceError != nil {
+		return nil, false, c.apiServiceError
+	}
+
+	for _, service := range c.services {
+		if service.Namespace == namespace && service.Name == name {
+			return service, true, nil
+		}
+	}
+	return nil, false, c.apiServiceError
+}
+
+func (c clientMock) GetEndpoints(namespace, name string) (*corev1.Endpoints, bool, error) {
+	if c.apiEndpointsError != nil {
+		return nil, false, c.apiEndpointsError
+	}
+
+	for _, endpoints := range c.endpoints {
+		if endpoints.Namespace == namespace && endpoints.Name == name {
+			return endpoints, true, nil
+		}
+	}
+
+	return &corev1.Endpoints{}, false, nil
+}
+
+func (c clientMock) GetSecret(namespace, name string) (*corev1.Secret, bool, error) {
+	if c.apiSecretError != nil {
+		return nil, false, c.apiSecretError
+	}
+
+	for _, secret := range c.secrets {
+		if secret.Namespace == namespace && secret.Name == name {
+			return secret, true, nil
+		}
+	}
+	return nil, false, nil
+}
+
+func (c clientMock) WatchAll(namespaces []string, stopCh <-chan struct{}) (<-chan interface{}, error) {
+	return c.watchChan, nil
+}

pkg/provider/kubernetes/gateway/client_test.go

@@ -0,0 +1,246 @@
+package gateway
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/service-apis/apis/v1alpha1"
+)
+
+func TestStatusEquals(t *testing.T) {
+	testCases := []struct {
+		desc     string
+		statusA  v1alpha1.GatewayStatus
+		statusB  v1alpha1.GatewayStatus
+		expected bool
+	}{
+		{
+			desc:     "Empty",
+			statusA:  v1alpha1.GatewayStatus{},
+			statusB:  v1alpha1.GatewayStatus{},
+			expected: true,
+		},
+		{
+			desc: "Same status",
+			statusA: v1alpha1.GatewayStatus{
+				Conditions: []metav1.Condition{
+					{
+						Type:   "foobar",
+						Reason: "foobar",
+					},
+				},
+				Listeners: []v1alpha1.ListenerStatus{
+					{
+						Port: 80,
+						Conditions: []metav1.Condition{
+							{
+								Type:   "foobar",
+								Reason: "foobar",
+							},
+						},
+					},
+				},
+			},
+			statusB: v1alpha1.GatewayStatus{
+				Conditions: []metav1.Condition{
+					{
+						Type:   "foobar",
+						Reason: "foobar",
+					},
+				},
+				Listeners: []v1alpha1.ListenerStatus{
+					{
+						Port: 80,
+						Conditions: []metav1.Condition{
+							{
+								Type:   "foobar",
+								Reason: "foobar",
+							},
+						},
+					},
+				},
+			},
+			expected: true,
+		},
+		{
+			desc: "Listeners length not equal",
+			statusA: v1alpha1.GatewayStatus{
+				Listeners: []v1alpha1.ListenerStatus{},
+			},
+			statusB: v1alpha1.GatewayStatus{
+				Listeners: []v1alpha1.ListenerStatus{
+					{},
+				},
+			},
+			expected: false,
+		},
+		{
+			desc: "Gateway conditions length not equal",
+			statusA: v1alpha1.GatewayStatus{
+				Conditions: []metav1.Condition{},
+			},
+			statusB: v1alpha1.GatewayStatus{
+				Conditions: []metav1.Condition{
+					{},
+				},
+			},
+			expected: false,
+		},
+		{
+			desc: "Gateway conditions different types",
+			statusA: v1alpha1.GatewayStatus{
+				Conditions: []metav1.Condition{
+					{
+						Type: "foobar",
+					},
+				},
+			},
+			statusB: v1alpha1.GatewayStatus{
+				Conditions: []metav1.Condition{
+					{
+						Type: "foobir",
+					},
+				},
+			},
+			expected: false,
+		},
+		{
+			desc: "Gateway conditions same types but different reason",
+			statusA: v1alpha1.GatewayStatus{
+				Conditions: []metav1.Condition{
+					{
+						Type: "foobar",
+					},
+				},
+			},
+			statusB: v1alpha1.GatewayStatus{
+				Conditions: []metav1.Condition{
+					{
+						Type:   "foobar",
+						Reason: "Another reason",
+					},
+				},
+			},
+			expected: false,
+		},
+		{
+			desc: "Gateway listeners conditions length",
+			statusA: v1alpha1.GatewayStatus{
+				Listeners: []v1alpha1.ListenerStatus{
+					{
+						Port:       80,
+						Conditions: []metav1.Condition{},
+					},
+				},
+			},
+			statusB: v1alpha1.GatewayStatus{
+				Listeners: []v1alpha1.ListenerStatus{
+					{
+						Port: 80,
+						Conditions: []metav1.Condition{
+							{},
+						},
+					},
+				},
+			},
+			expected: false,
+		},
+		{
+			desc: "Gateway listeners conditions same types but different status",
+			statusA: v1alpha1.GatewayStatus{
+				Listeners: []v1alpha1.ListenerStatus{
+					{
+						Conditions: []metav1.Condition{
+							{
+								Type: "foobar",
+							},
+						},
+					},
+				},
+			},
+			statusB: v1alpha1.GatewayStatus{
+				Listeners: []v1alpha1.ListenerStatus{
+					{
+						Conditions: []metav1.Condition{
+							{
+								Type:   "foobar",
+								Status: "Another status",
+							},
+						},
+					},
+				},
+			},
+			expected: false,
+		},
+		{
+			desc: "Gateway listeners conditions same types but different message",
+			statusA: v1alpha1.GatewayStatus{
+				Listeners: []v1alpha1.ListenerStatus{
+					{
+						Conditions: []metav1.Condition{
+							{
+								Type: "foobar",
+							},
+						},
+					},
+				},
+			},
+			statusB: v1alpha1.GatewayStatus{
+				Listeners: []v1alpha1.ListenerStatus{
+					{
+						Conditions: []metav1.Condition{
+							{
+								Type:    "foobar",
+								Message: "Another status",
+							},
+						},
+					},
+				},
+			},
+			expected: false,
+		},
+		{
+			desc: "Gateway listeners conditions same types/reason but different ports",
+			statusA: v1alpha1.GatewayStatus{
+				Listeners: []v1alpha1.ListenerStatus{
+					{
+						Port: 80,
+						Conditions: []metav1.Condition{
+							{
+								Type:   "foobar",
+								Reason: "foobar",
+							},
+						},
+					},
+				},
+			},
+			statusB: v1alpha1.GatewayStatus{
+				Listeners: []v1alpha1.ListenerStatus{
+					{
+						Port: 443,
+						Conditions: []metav1.Condition{
+							{
+								Type:   "foobar",
+								Reason: "foobar",
+							},
+						},
+					},
+				},
+			},
+			expected: false,
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			result := statusEquals(test.statusA, test.statusB)
+
+			assert.Equal(t, test.expected, result)
+		})
+	}
+}

pkg/provider/kubernetes/gateway/fixtures/gatewayclass_with_unknown_controller.yml

@@ -0,0 +1,46 @@
+---
+kind: GatewayClass
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: my-gateway-class
+spec:
+  controller: unkown.io/gateway-controller
+
+---
+kind: Gateway
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: my-gateway
+  namespace: default
+spec:
+  gatewayClassName: my-gateway-class
+  listeners:  # Use GatewayClass defaults for listener definition.
+    - protocol: HTTP
+      port: 80
+      routes:
+        kind: HTTPRoute
+        namespaces:
+          from: Same
+        selector:
+          app: foo
+
+---
+kind: HTTPRoute
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: http-app-1
+  namespace: default
+  labels:
+    app: foo
+spec:
+  hostnames:
+    - "foo.com"
+  rules:
+    - matches:
+        - path:
+            type: Exact
+            value: /bar
+      forwardTo:
+        - serviceName: whoami
+          port: 80
+          weight: 1

pkg/provider/kubernetes/gateway/fixtures/one_rule_two_targets.yml

@@ -0,0 +1,49 @@
+---
+kind: GatewayClass
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: my-gateway-class
+spec:
+  controller: traefik.io/gateway-controller
+
+---
+kind: Gateway
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: my-gateway
+  namespace: default
+spec:
+  gatewayClassName: my-gateway-class
+  listeners:  # Use GatewayClass defaults for listener definition.
+    - protocol: HTTP
+      port: 80
+      routes:
+        kind: HTTPRoute
+        namespaces:
+          from: Same
+        selector:
+          app: foo
+
+---
+kind: HTTPRoute
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: http-app-1
+  namespace: default
+  labels:
+    app: foo
+spec:
+  hostnames:
+    - "foo.com"
+  rules:
+    - matches:
+        - path:
+            type: Exact
+            value: /bar
+      forwardTo:
+        - serviceName: whoami
+          port: 80
+          weight: 1
+        - serviceName: whoami2
+          port: 8080
+          weight: 1

pkg/provider/kubernetes/gateway/fixtures/services.yml

@@ -0,0 +1,166 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: whoami
+  namespace: default
+
+spec:
+  ports:
+    - name: web2
+      port: 8000
+      targetPort: web2
+    - name: web
+      port: 80
+      targetPort: web
+  selector:
+    app: containous
+    task: whoami
+
+---
+kind: Endpoints
+apiVersion: v1
+metadata:
+  name: whoami
+  namespace: default
+
+subsets:
+  - addresses:
+      - ip: 10.10.0.1
+      - ip: 10.10.0.2
+    ports:
+      - name: web
+        port: 80
+      - name: web2
+        port: 8000
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: whoami2
+  namespace: default
+
+spec:
+  ports:
+    - name: web
+      port: 8080
+      targetPort: web
+  selector:
+    app: containous
+    task: whoami2
+
+---
+kind: Endpoints
+apiVersion: v1
+metadata:
+  name: whoami2
+  namespace: default
+
+subsets:
+  - addresses:
+      - ip: 10.10.0.3
+      - ip: 10.10.0.4
+    ports:
+      - name: web
+        port: 8080
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: whoamitls
+  namespace: default
+
+spec:
+  ports:
+    - name: websecure
+      port: 443
+      targetPort: websecure
+  selector:
+    app: containous
+    task: whoami2
+
+---
+kind: Endpoints
+apiVersion: v1
+metadata:
+  name: whoamitls
+  namespace: default
+
+subsets:
+  - addresses:
+      - ip: 10.10.0.5
+      - ip: 10.10.0.6
+    ports:
+      - name: websecure
+        port: 8443
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: whoami3
+  namespace: default
+
+spec:
+  ports:
+    - name: websecure2
+      port: 8443
+      targetPort: websecure2
+      scheme: https
+  selector:
+    app: containous
+    task: whoami3
+
+---
+kind: Endpoints
+apiVersion: v1
+metadata:
+  name: whoami3
+  namespace: default
+
+subsets:
+  - addresses:
+      - ip: 10.10.0.7
+      - ip: 10.10.0.8
+    ports:
+      - name: websecure2
+        port: 8443
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: external-svc
+  namespace: default
+spec:
+  externalName: external.domain
+  type: ExternalName
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: external-svc-with-http
+  namespace: default
+spec:
+  externalName: external.domain
+  type: ExternalName
+  ports:
+    - name: http
+      protocol: TCP
+      port: 80
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: external-svc-with-https
+  namespace: default
+spec:
+  externalName: external.domain
+  type: ExternalName
+  ports:
+    - name: https
+      protocol: TCP
+      port: 443

pkg/provider/kubernetes/gateway/fixtures/simple.yml

@@ -0,0 +1,46 @@
+---
+kind: GatewayClass
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: my-gateway-class
+spec:
+  controller: traefik.io/gateway-controller
+
+---
+kind: Gateway
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: my-gateway
+  namespace: default
+spec:
+  gatewayClassName: my-gateway-class
+  listeners:  # Use GatewayClass defaults for listener definition.
+    - protocol: HTTP
+      port: 80
+      routes:
+        kind: HTTPRoute
+        namespaces:
+          from: Same
+        selector:
+          app: foo
+
+---
+kind: HTTPRoute
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: http-app-1
+  namespace: default
+  labels:
+    app: foo
+spec:
+  hostnames:
+    - "foo.com"
+  rules:
+    - matches:
+        - path:
+            type: Exact
+            value: /bar
+      forwardTo:
+        - serviceName: whoami
+          port: 80
+          weight: 1

pkg/provider/kubernetes/gateway/fixtures/two_rules.yml

@@ -0,0 +1,54 @@
+---
+kind: GatewayClass
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: my-gateway-class
+spec:
+  controller: traefik.io/gateway-controller
+
+---
+kind: Gateway
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: my-gateway
+  namespace: default
+spec:
+  gatewayClassName: my-gateway-class
+  listeners:  # Use GatewayClass defaults for listener definition.
+    - protocol: HTTP
+      port: 80
+      routes:
+        kind: HTTPRoute
+        namespaces:
+          from: Same
+        selector:
+          app: foo
+
+---
+kind: HTTPRoute
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: http-app-1
+  namespace: default
+  labels:
+    app: foo
+spec:
+  hostnames:
+    - "foo.com"
+  rules:
+    - matches:
+        - path:
+            type: Exact
+            value: /bar
+      forwardTo:
+        - serviceName: whoami
+          port: 80
+          weight: 1
+    - matches:
+        - path:
+            type: Exact
+            value: /bir
+      forwardTo:
+        - serviceName: whoami2
+          port: 8080
+          weight: 1

pkg/provider/kubernetes/gateway/fixtures/with_multiple_host.yml

@@ -0,0 +1,43 @@
+---
+kind: GatewayClass
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: my-gateway-class
+spec:
+  controller: traefik.io/gateway-controller
+
+---
+kind: Gateway
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: my-gateway
+  namespace: default
+spec:
+  gatewayClassName: my-gateway-class
+  listeners:  # Use GatewayClass defaults for listener definition.
+    - protocol: HTTP
+      port: 80
+      routes:
+        kind: HTTPRoute
+        namespaces:
+          from: Same
+        selector:
+          app: foo
+
+---
+kind: HTTPRoute
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: http-app-1
+  namespace: default
+  labels:
+    app: foo
+spec:
+  hostnames:
+    - "foo.com"
+    - "bar.com"
+  rules:
+    - forwardTo:
+        - serviceName: whoami
+          port: 80
+          weight: 1

pkg/provider/kubernetes/gateway/fixtures/with_protocol_https.yml

@@ -0,0 +1,62 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: supersecret
+  namespace: default
+
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
+
+---
+kind: GatewayClass
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: my-gateway-class
+spec:
+  controller: traefik.io/gateway-controller
+
+---
+kind: Gateway
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: my-gateway
+  namespace: default
+spec:
+  gatewayClassName: my-gateway-class
+  listeners:  # Use GatewayClass defaults for listener definition.
+    - protocol: HTTPS
+      port: 443
+      tls:
+        certificateRef:
+          kind: Secret
+          name: supersecret
+          group: core
+      routes:
+        kind: HTTPRoute
+        namespaces:
+          from: Same
+        selector:
+          app: foo
+
+---
+kind: HTTPRoute
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: http-app-1
+  namespace: default
+  labels:
+    app: foo
+spec:
+  hostnames:
+    - "foo.com"
+  rules:
+    - matches:
+        - path:
+            type: Exact
+            value: /bar
+      forwardTo:
+        - serviceName: whoami
+          port: 80
+          weight: 1

pkg/provider/kubernetes/gateway/fixtures/with_protocol_https_without_tls.yml

@@ -0,0 +1,46 @@
+---
+kind: GatewayClass
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: my-gateway-class
+spec:
+  controller: traefik.io/gateway-controller
+
+---
+kind: Gateway
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: my-gateway
+  namespace: default
+spec:
+  gatewayClassName: my-gateway-class
+  listeners:  # Use GatewayClass defaults for listener definition.
+    - protocol: HTTPS
+      port: 443
+      routes:
+        kind: HTTPRoute
+        namespaces:
+          from: Same
+        selector:
+          app: foo
+
+---
+kind: HTTPRoute
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: http-app-1
+  namespace: default
+  labels:
+    app: foo
+spec:
+  hostnames:
+    - "foo.com"
+  rules:
+    - matches:
+        - path:
+            type: Exact
+            value: /bar
+      forwardTo:
+        - serviceName: whoami
+          port: 80
+          weight: 1

pkg/provider/kubernetes/gateway/fixtures/with_several_rules.yml

@@ -0,0 +1,64 @@
+---
+kind: GatewayClass
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: my-gateway-class
+spec:
+  controller: traefik.io/gateway-controller
+
+---
+kind: Gateway
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: my-gateway
+  namespace: default
+spec:
+  gatewayClassName: my-gateway-class
+  listeners:  # Use GatewayClass defaults for listener definition.
+    - protocol: HTTP
+      port: 80
+      routes:
+        kind: HTTPRoute
+        namespaces:
+          from: Same
+        selector:
+          app: foo
+
+---
+kind: HTTPRoute
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: http-app-1
+  namespace: default
+  labels:
+    app: foo
+spec:
+  hostnames:
+    - "foo.com"
+  rules:
+    - matches:
+        - path:
+            type: Prefix
+            value: /bar
+          headers:
+            type: Exact
+            values:
+              my-header: foo
+              my-header2: bar
+      forwardTo:
+        - serviceName: whoami
+          port: 80
+          weight: 1
+
+    - matches:
+        - path:
+            type: Exact
+            value: /bar
+          headers:
+            type: Exact
+            values:
+              my-header: bar
+      forwardTo:
+        - serviceName: whoami
+          port: 80
+          weight: 1

pkg/provider/kubernetes/gateway/fixtures/with_two_gateways_one_httproute.yml

@@ -0,0 +1,80 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: supersecret
+  namespace: default
+
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
+
+---
+kind: GatewayClass
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: my-gateway-class
+spec:
+  controller: traefik.io/gateway-controller
+
+---
+kind: Gateway
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: my-gateway-https
+  namespace: default
+spec:
+  gatewayClassName: my-gateway-class
+  listeners:  # Use GatewayClass defaults for listener definition.
+    - protocol: HTTPS
+      port: 443
+      tls:
+        certificateRef:
+          kind: Secret
+          name: supersecret
+          group: core
+      routes:
+        kind: HTTPRoute
+        namespaces:
+          from: Same
+        selector:
+          app: foo
+
+---
+kind: Gateway
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: my-gateway-http
+  namespace: default
+spec:
+  gatewayClassName: my-gateway-class
+  listeners:  # Use GatewayClass defaults for listener definition.
+    - protocol: HTTP
+      port: 80
+      routes:
+        kind: HTTPRoute
+        namespaces:
+          from: Same
+        selector:
+          app: foo
+
+---
+kind: HTTPRoute
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: http-app-1
+  namespace: default
+  labels:
+    app: foo
+spec:
+  hostnames:
+    - "foo.com"
+  rules:
+    - matches:
+        - path:
+            type: Exact
+            value: /bar
+      forwardTo:
+        - serviceName: whoami
+          port: 80
+          weight: 1

pkg/provider/kubernetes/gateway/fixtures/with_two_listeners_one_httproute.yml

@@ -0,0 +1,70 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: supersecret
+  namespace: default
+
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
+
+---
+kind: GatewayClass
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: my-gateway-class
+spec:
+  controller: traefik.io/gateway-controller
+
+---
+kind: Gateway
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: my-gateway
+  namespace: default
+spec:
+  gatewayClassName: my-gateway-class
+  listeners:  # Use GatewayClass defaults for listener definition.
+    - protocol: HTTPS
+      port: 443
+      tls:
+        certificateRef:
+          kind: Secret
+          name: supersecret
+          group: core
+      routes:
+        kind: HTTPRoute
+        namespaces:
+          from: Same
+        selector:
+          app: foo
+    - protocol: HTTP
+      port: 80
+      routes:
+        kind: HTTPRoute
+        namespaces:
+          from: Same
+        selector:
+          app: foo
+
+---
+kind: HTTPRoute
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: http-app-1
+  namespace: default
+  labels:
+    app: foo
+spec:
+  hostnames:
+    - "foo.com"
+  rules:
+    - matches:
+        - path:
+            type: Exact
+            value: /bar
+      forwardTo:
+        - serviceName: whoami
+          port: 80
+          weight: 1

pkg/provider/kubernetes/gateway/fixtures/with_wrong_service_port.yml

@@ -0,0 +1,46 @@
+---
+kind: GatewayClass
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: my-gateway-class
+spec:
+  controller: traefik.io/gateway-controller
+
+---
+kind: Gateway
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: my-gateway
+  namespace: default
+spec:
+  gatewayClassName: my-gateway-class
+  listeners:  # Use GatewayClass defaults for listener definition.
+    - protocol: HTTP
+      port: 80
+      routes:
+        kind: HTTPRoute
+        namespaces:
+          from: Same
+        selector:
+          app: foo
+
+---
+kind: HTTPRoute
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: http-app-1
+  namespace: default
+  labels:
+    app: foo
+spec:
+  hostnames:
+    - "foo.com"
+  rules:
+    - matches:
+        - path:
+            type: Exact
+            value: /bar
+      forwardTo:
+        - serviceName: whoami
+          weight: 1
+          port: 9000

pkg/provider/kubernetes/gateway/fixtures/without_gatewayclass.yml

@@ -0,0 +1,38 @@
+---
+kind: Gateway
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: my-gateway
+  namespace: default
+spec:
+  gatewayClassName: my-gateway-class
+  listeners:  # Use GatewayClass defaults for listener definition.
+    - protocol: HTTP
+      port: 80
+      routes:
+        kind: HTTPRoute
+        namespaces:
+          from: Same
+        selector:
+          app: foo
+
+---
+kind: HTTPRoute
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: http-app-1
+  namespace: default
+  labels:
+    app: foo
+spec:
+  hostnames:
+    - "foo.com"
+  rules:
+    - matches:
+        - path:
+            type: Exact
+            value: /bar
+      forwardTo:
+        - serviceName: whoami
+          port: 80
+          weight: 1

pkg/provider/kubernetes/gateway/fixtures/without_httproute.yml

@@ -0,0 +1,25 @@
+---
+kind: GatewayClass
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: my-gateway-class
+spec:
+  controller: traefik.io/gateway-controller
+
+---
+kind: Gateway
+apiVersion: networking.x-k8s.io/v1alpha1
+metadata:
+  name: my-gateway
+  namespace: default
+spec:
+  gatewayClassName: my-gateway-class
+  listeners:  # Use GatewayClass defaults for listener definition.
+    - protocol: HTTP
+      port: 80
+      routes:
+        kind: HTTPRoute
+        namespaces:
+          from: Same
+        selector:
+          app: foo

pkg/provider/kubernetes/gateway/kubernetes.go

@@ -0,0 +1,906 @@
+package gateway
+
+import (
+	"context"
+	"crypto/sha256"
+	"errors"
+	"fmt"
+	"net"
+	"os"
+	"sort"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/cenkalti/backoff/v4"
+	"github.com/hashicorp/go-multierror"
+	"github.com/mitchellh/hashstructure"
+	ptypes "github.com/traefik/paerser/types"
+	"github.com/traefik/traefik/v2/pkg/config/dynamic"
+	"github.com/traefik/traefik/v2/pkg/job"
+	"github.com/traefik/traefik/v2/pkg/log"
+	"github.com/traefik/traefik/v2/pkg/provider"
+	"github.com/traefik/traefik/v2/pkg/safe"
+	"github.com/traefik/traefik/v2/pkg/tls"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"sigs.k8s.io/service-apis/apis/v1alpha1"
+)
+
+const providerName = "kubernetesgateway"
+
+// Provider holds configurations of the provider.
+type Provider struct {
+	Endpoint         string                `description:"Kubernetes server endpoint (required for external cluster client)." json:"endpoint,omitempty" toml:"endpoint,omitempty" yaml:"endpoint,omitempty"`
+	Token            string                `description:"Kubernetes bearer token (not needed for in-cluster client)." json:"token,omitempty" toml:"token,omitempty" yaml:"token,omitempty"`
+	CertAuthFilePath string                `description:"Kubernetes certificate authority file path (not needed for in-cluster client)." json:"certAuthFilePath,omitempty" toml:"certAuthFilePath,omitempty" yaml:"certAuthFilePath,omitempty"`
+	Namespaces       []string              `description:"Kubernetes namespaces." json:"namespaces,omitempty" toml:"namespaces,omitempty" yaml:"namespaces,omitempty" export:"true"`
+	LabelSelector    string                `description:"Kubernetes label selector to select specific GatewayClasses." json:"labelSelector,omitempty" toml:"labelSelector,omitempty" yaml:"labelSelector,omitempty" export:"true"`
+	ThrottleDuration ptypes.Duration       `description:"Kubernetes refresh throttle duration" json:"throttleDuration,omitempty" toml:"throttleDuration,omitempty" yaml:"throttleDuration,omitempty" export:"true"`
+	EntryPoints      map[string]Entrypoint `json:"-" toml:"-" yaml:"-" label:"-" file:"-"`
+
+	lastConfiguration safe.Safe
+}
+
+// Entrypoint defines the available entry points.
+type Entrypoint struct {
+	Address        string
+	HasHTTPTLSConf bool
+}
+
+func (p *Provider) newK8sClient(ctx context.Context) (*clientWrapper, error) {
+	// Label selector validation
+	_, err := labels.Parse(p.LabelSelector)
+	if err != nil {
+		return nil, fmt.Errorf("invalid label selector: %q", p.LabelSelector)
+	}
+	log.FromContext(ctx).Infof("label selector is: %q", p.LabelSelector)
+
+	withEndpoint := ""
+	if p.Endpoint != "" {
+		withEndpoint = fmt.Sprintf(" with endpoint %s", p.Endpoint)
+	}
+
+	var client *clientWrapper
+	switch {
+	case os.Getenv("KUBERNETES_SERVICE_HOST") != "" && os.Getenv("KUBERNETES_SERVICE_PORT") != "":
+		log.FromContext(ctx).Infof("Creating in-cluster Provider client%s", withEndpoint)
+		client, err = newInClusterClient(p.Endpoint)
+	case os.Getenv("KUBECONFIG") != "":
+		log.FromContext(ctx).Infof("Creating cluster-external Provider client from KUBECONFIG %s", os.Getenv("KUBECONFIG"))
+		client, err = newExternalClusterClientFromFile(os.Getenv("KUBECONFIG"))
+	default:
+		log.FromContext(ctx).Infof("Creating cluster-external Provider client%s", withEndpoint)
+		client, err = newExternalClusterClient(p.Endpoint, p.Token, p.CertAuthFilePath)
+	}
+
+	if err != nil {
+		return nil, err
+	}
+	client.labelSelector = p.LabelSelector
+
+	return client, nil
+}
+
+// Init the provider.
+func (p *Provider) Init() error {
+	return nil
+}
+
+// Provide allows the k8s provider to provide configurations to traefik
+// using the given configuration channel.
+func (p *Provider) Provide(configurationChan chan<- dynamic.Message, pool *safe.Pool) error {
+	ctxLog := log.With(context.Background(), log.Str(log.ProviderName, providerName))
+	logger := log.FromContext(ctxLog)
+
+	k8sClient, err := p.newK8sClient(ctxLog)
+	if err != nil {
+		return err
+	}
+
+	pool.GoCtx(func(ctxPool context.Context) {
+		operation := func() error {
+			eventsChan, err := k8sClient.WatchAll(p.Namespaces, ctxPool.Done())
+			if err != nil {
+				logger.Errorf("Error watching kubernetes events: %v", err)
+				timer := time.NewTimer(1 * time.Second)
+				select {
+				case <-timer.C:
+					return err
+				case <-ctxPool.Done():
+					return nil
+				}
+			}
+
+			throttleDuration := time.Duration(p.ThrottleDuration)
+			throttledChan := throttleEvents(ctxLog, throttleDuration, pool, eventsChan)
+			if throttledChan != nil {
+				eventsChan = throttledChan
+			}
+
+			for {
+				select {
+				case <-ctxPool.Done():
+					return nil
+				case event := <-eventsChan:
+					// Note that event is the *first* event that came in during this throttling interval -- if we're hitting our throttle, we may have dropped events.
+					// This is fine, because we don't treat different event types differently.
+					// But if we do in the future, we'll need to track more information about the dropped events.
+					conf := p.loadConfigurationFromGateway(ctxLog, k8sClient)
+
+					confHash, err := hashstructure.Hash(conf, nil)
+					switch {
+					case err != nil:
+						logger.Error("Unable to hash the configuration")
+					case p.lastConfiguration.Get() == confHash:
+						logger.Debugf("Skipping Kubernetes event kind %T", event)
+					default:
+						p.lastConfiguration.Set(confHash)
+						configurationChan <- dynamic.Message{
+							ProviderName:  providerName,
+							Configuration: conf,
+						}
+					}
+
+					// If we're throttling,
+					// we sleep here for the throttle duration to enforce that we don't refresh faster than our throttle.
+					// time.Sleep returns immediately if p.ThrottleDuration is 0 (no throttle).
+					time.Sleep(throttleDuration)
+				}
+			}
+		}
+
+		notify := func(err error, time time.Duration) {
+			logger.Errorf("Provider connection error: %v; retrying in %s", err, time)
+		}
+		err := backoff.RetryNotify(safe.OperationWithRecover(operation), backoff.WithContext(job.NewBackOff(backoff.NewExponentialBackOff()), ctxPool), notify)
+		if err != nil {
+			logger.Errorf("Cannot connect to Provider: %v", err)
+		}
+	})
+
+	return nil
+}
+
+// TODO Handle errors and update resources statuses (gatewayClass, gateway).
+func (p *Provider) loadConfigurationFromGateway(ctx context.Context, client Client) *dynamic.Configuration {
+	logger := log.FromContext(ctx)
+
+	gatewayClassNames := map[string]struct{}{}
+
+	gatewayClasses, err := client.GetGatewayClasses()
+	if err != nil {
+		logger.Errorf("Cannot find GatewayClasses: %v", err)
+		return &dynamic.Configuration{
+			UDP: &dynamic.UDPConfiguration{
+				Routers:  map[string]*dynamic.UDPRouter{},
+				Services: map[string]*dynamic.UDPService{},
+			},
+			TCP: &dynamic.TCPConfiguration{
+				Routers:  map[string]*dynamic.TCPRouter{},
+				Services: map[string]*dynamic.TCPService{},
+			},
+			HTTP: &dynamic.HTTPConfiguration{
+				Routers:     map[string]*dynamic.Router{},
+				Middlewares: map[string]*dynamic.Middleware{},
+				Services:    map[string]*dynamic.Service{},
+			},
+			TLS: &dynamic.TLSConfiguration{},
+		}
+	}
+
+	for _, gatewayClass := range gatewayClasses {
+		if gatewayClass.Spec.Controller == "traefik.io/gateway-controller" {
+			gatewayClassNames[gatewayClass.Name] = struct{}{}
+
+			err := client.UpdateGatewayClassStatus(gatewayClass, metav1.Condition{
+				Type:               string(v1alpha1.GatewayClassConditionStatusAdmitted),
+				Status:             metav1.ConditionTrue,
+				Reason:             "Handled",
+				Message:            "Handled by Traefik controller",
+				LastTransitionTime: metav1.Now(),
+			})
+			if err != nil {
+				logger.Errorf("Failed to update %s condition: %v", v1alpha1.GatewayClassConditionStatusAdmitted, err)
+			}
+		}
+	}
+
+	cfgs := map[string]*dynamic.Configuration{}
+
+	// TODO check if we can only use the default filtering mechanism
+	for _, gateway := range client.GetGateways() {
+		ctxLog := log.With(ctx, log.Str("gateway", gateway.Name), log.Str("namespace", gateway.Namespace))
+		logger := log.FromContext(ctxLog)
+
+		if _, ok := gatewayClassNames[gateway.Spec.GatewayClassName]; !ok {
+			continue
+		}
+
+		cfg, err := p.createGatewayConf(client, gateway)
+		if err != nil {
+			logger.Error(err)
+			continue
+		}
+
+		cfgs[gateway.Name+gateway.Namespace] = cfg
+	}
+
+	conf := provider.Merge(ctx, cfgs)
+
+	conf.TLS = &dynamic.TLSConfiguration{}
+
+	for _, cfg := range cfgs {
+		if conf.TLS == nil {
+			conf.TLS = &dynamic.TLSConfiguration{}
+		}
+
+		conf.TLS.Certificates = append(conf.TLS.Certificates, cfg.TLS.Certificates...)
+
+		for name, options := range cfg.TLS.Options {
+			if conf.TLS.Options == nil {
+				conf.TLS.Options = map[string]tls.Options{}
+			}
+
+			conf.TLS.Options[name] = options
+		}
+
+		for name, store := range cfg.TLS.Stores {
+			if conf.TLS.Stores == nil {
+				conf.TLS.Stores = map[string]tls.Store{}
+			}
+
+			conf.TLS.Stores[name] = store
+		}
+	}
+
+	return conf
+}
+
+func (p *Provider) createGatewayConf(client Client, gateway *v1alpha1.Gateway) (*dynamic.Configuration, error) {
+	conf := &dynamic.Configuration{
+		UDP: &dynamic.UDPConfiguration{
+			Routers:  map[string]*dynamic.UDPRouter{},
+			Services: map[string]*dynamic.UDPService{},
+		},
+		TCP: &dynamic.TCPConfiguration{
+			Routers:  map[string]*dynamic.TCPRouter{},
+			Services: map[string]*dynamic.TCPService{},
+		},
+		HTTP: &dynamic.HTTPConfiguration{
+			Routers:     map[string]*dynamic.Router{},
+			Middlewares: map[string]*dynamic.Middleware{},
+			Services:    map[string]*dynamic.Service{},
+		},
+		TLS: &dynamic.TLSConfiguration{},
+	}
+
+	tlsConfigs := make(map[string]*tls.CertAndStores)
+
+	// GatewayReasonListenersNotValid is used when one or more
+	// Listeners have an invalid or unsupported configuration
+	// and cannot be configured on the Gateway.
+	listenerStatuses := p.fillGatewayConf(client, gateway, conf, tlsConfigs)
+
+	gatewayStatus, errG := p.makeGatewayStatus(listenerStatuses)
+
+	err := client.UpdateGatewayStatus(gateway, gatewayStatus)
+	if err != nil {
+		return nil, fmt.Errorf("an error occurred while updating gateway status: %w", err)
+	}
+
+	if errG != nil {
+		return nil, fmt.Errorf("an error occurred while creating gateway status: %w", errG)
+	}
+
+	if len(tlsConfigs) > 0 {
+		conf.TLS.Certificates = append(conf.TLS.Certificates, getTLSConfig(tlsConfigs)...)
+	}
+
+	return conf, nil
+}
+
+func (p *Provider) fillGatewayConf(client Client, gateway *v1alpha1.Gateway, conf *dynamic.Configuration, tlsConfigs map[string]*tls.CertAndStores) []v1alpha1.ListenerStatus {
+	listenerStatuses := make([]v1alpha1.ListenerStatus, len(gateway.Spec.Listeners))
+
+	for i, listener := range gateway.Spec.Listeners {
+		listenerStatuses[i] = v1alpha1.ListenerStatus{
+			Port:       listener.Port,
+			Conditions: []metav1.Condition{},
+		}
+
+		// Supported Protocol
+		if listener.Protocol != v1alpha1.HTTPProtocolType && listener.Protocol != v1alpha1.HTTPSProtocolType {
+			// update "Detached" status true with "UnsupportedProtocol" reason
+			listenerStatuses[i].Conditions = append(listenerStatuses[i].Conditions, metav1.Condition{
+				Type:               string(v1alpha1.ListenerConditionDetached),
+				Status:             metav1.ConditionTrue,
+				LastTransitionTime: metav1.Now(),
+				Reason:             string(v1alpha1.ListenerReasonUnsupportedProtocol),
+				Message:            fmt.Sprintf("Unsupported listener protocol %q", listener.Protocol),
+			})
+
+			continue
+		}
+
+		ep, err := p.entryPointName(listener.Port, listener.Protocol)
+		if err != nil {
+			// update "Detached" status with "PortUnavailable" reason
+			listenerStatuses[i].Conditions = append(listenerStatuses[i].Conditions, metav1.Condition{
+				Type:               string(v1alpha1.ListenerConditionDetached),
+				Status:             metav1.ConditionTrue,
+				LastTransitionTime: metav1.Now(),
+				Reason:             string(v1alpha1.ListenerReasonPortUnavailable),
+				Message:            fmt.Sprintf("Cannot find entryPoint for Gateway: %v", err),
+			})
+
+			continue
+		}
+
+		if listener.Protocol == v1alpha1.HTTPSProtocolType {
+			if listener.TLS == nil {
+				// update "Detached" status with "UnsupportedProtocol" reason
+				listenerStatuses[i].Conditions = append(listenerStatuses[i].Conditions, metav1.Condition{
+					Type:               string(v1alpha1.ListenerConditionDetached),
+					Status:             metav1.ConditionTrue,
+					LastTransitionTime: metav1.Now(),
+					Reason:             string(v1alpha1.ListenerReasonUnsupportedProtocol),
+					Message:            fmt.Sprintf("No TLS configuration for Gateway Listener port %d and protocol %q", listener.Port, listener.Protocol),
+				})
+
+				continue
+			}
+
+			if listener.TLS.CertificateRef.Kind != "Secret" || listener.TLS.CertificateRef.Group != "core" {
+				// update "ResolvedRefs" status true with "InvalidCertificateRef" reason
+				listenerStatuses[i].Conditions = append(listenerStatuses[i].Conditions, metav1.Condition{
+					Type:               string(v1alpha1.ListenerConditionResolvedRefs),
+					Status:             metav1.ConditionFalse,
+					LastTransitionTime: metav1.Now(),
+					Reason:             string(v1alpha1.ListenerReasonInvalidCertificateRef),
+					Message:            fmt.Sprintf("Unsupported TLS CertificateRef group/kind : %v/%v", listener.TLS.CertificateRef.Group, listener.TLS.CertificateRef.Kind),
+				})
+
+				continue
+			}
+
+			configKey := gateway.Namespace + "/" + listener.TLS.CertificateRef.Name
+			if _, tlsExists := tlsConfigs[configKey]; !tlsExists {
+				tlsConf, err := getTLS(client, listener.TLS.CertificateRef.Name, gateway.Namespace)
+				if err != nil {
+					// update "ResolvedRefs" status true with "InvalidCertificateRef" reason
+					listenerStatuses[i].Conditions = append(listenerStatuses[i].Conditions, metav1.Condition{
+						Type:               string(v1alpha1.ListenerConditionResolvedRefs),
+						Status:             metav1.ConditionFalse,
+						LastTransitionTime: metav1.Now(),
+						Reason:             string(v1alpha1.ListenerReasonInvalidCertificateRef),
+						Message:            fmt.Sprintf("Error while retrieving certificate: %v", err),
+					})
+
+					continue
+				}
+
+				tlsConfigs[configKey] = tlsConf
+			}
+		}
+
+		// Supported Route types
+		if listener.Routes.Kind != "HTTPRoute" {
+			// update "ResolvedRefs" status true with "InvalidRoutesRef" reason
+			listenerStatuses[i].Conditions = append(listenerStatuses[i].Conditions, metav1.Condition{
+				Type:               string(v1alpha1.ListenerConditionResolvedRefs),
+				Status:             metav1.ConditionFalse,
+				LastTransitionTime: metav1.Now(),
+				Reason:             string(v1alpha1.ListenerReasonInvalidRoutesRef),
+				Message:            fmt.Sprintf("Unsupported Route Kind %q", listener.Routes.Kind),
+			})
+
+			continue
+		}
+
+		// TODO: support RouteNamespaces
+		httpRoutes, err := client.GetHTTPRoutes(gateway.Namespace, labels.SelectorFromSet(listener.Routes.Selector.MatchLabels))
+		if err != nil {
+			// update "ResolvedRefs" status true with "InvalidRoutesRef" reason
+			listenerStatuses[i].Conditions = append(listenerStatuses[i].Conditions, metav1.Condition{
+				Type:               string(v1alpha1.ListenerConditionResolvedRefs),
+				Status:             metav1.ConditionFalse,
+				LastTransitionTime: metav1.Now(),
+				Reason:             string(v1alpha1.ListenerReasonInvalidRoutesRef),
+				Message:            fmt.Sprintf("Cannot fetch HTTPRoutes for namespace %q and matchLabels %v", gateway.Namespace, listener.Routes.Selector.MatchLabels),
+			})
+			continue
+		}
+
+		for _, httpRoute := range httpRoutes {
+			// Should never happen
+			if httpRoute == nil {
+				continue
+			}
+
+			hostRule := hostRule(httpRoute.Spec)
+
+			for _, routeRule := range httpRoute.Spec.Rules {
+				rule, err := extractRule(routeRule, hostRule)
+				if err != nil {
+					// update "ResolvedRefs" status true with "DroppedRoutes" reason
+					listenerStatuses[i].Conditions = append(listenerStatuses[i].Conditions, metav1.Condition{
+						Type:               string(v1alpha1.ListenerConditionResolvedRefs),
+						Status:             metav1.ConditionFalse,
+						LastTransitionTime: metav1.Now(),
+						Reason:             string(v1alpha1.ListenerReasonDegradedRoutes),
+						Message:            fmt.Sprintf("Skipping HTTPRoute %s: cannot generate rule: %v", httpRoute.Name, err),
+					})
+					continue
+				}
+
+				router := dynamic.Router{
+					Rule:        rule,
+					EntryPoints: []string{ep},
+				}
+
+				if listener.TLS != nil {
+					// TODO support let's encrypt
+					router.TLS = &dynamic.RouterTLSConfig{}
+				}
+
+				// Adding the gateway name and the entryPoint name prevents overlapping of routers build from the same routes.
+				routerName := httpRoute.Name + "-" + gateway.Name + "-" + ep
+				routerKey, err := makeRouterKey(router.Rule, makeID(httpRoute.Namespace, routerName))
+				if err != nil {
+					// update "ResolvedRefs" status true with "DroppedRoutes" reason
+					listenerStatuses[i].Conditions = append(listenerStatuses[i].Conditions, metav1.Condition{
+						Type:               string(v1alpha1.ListenerConditionResolvedRefs),
+						Status:             metav1.ConditionFalse,
+						LastTransitionTime: metav1.Now(),
+						Reason:             string(v1alpha1.ListenerReasonDegradedRoutes),
+						Message:            fmt.Sprintf("Skipping HTTPRoute %s: cannot make router's key with rule %s: %v", httpRoute.Name, router.Rule, err),
+					})
+
+					// TODO update the RouteStatus condition / deduplicate conditions on listener
+					continue
+				}
+
+				if routeRule.ForwardTo != nil {
+					wrrService, subServices, err := loadServices(client, gateway.Namespace, routeRule.ForwardTo)
+					if err != nil {
+						// update "ResolvedRefs" status true with "DroppedRoutes" reason
+						listenerStatuses[i].Conditions = append(listenerStatuses[i].Conditions, metav1.Condition{
+							Type:               string(v1alpha1.ListenerConditionResolvedRefs),
+							Status:             metav1.ConditionFalse,
+							LastTransitionTime: metav1.Now(),
+							Reason:             string(v1alpha1.ListenerReasonDegradedRoutes),
+							Message:            fmt.Sprintf("Cannot load service from HTTPRoute %s/%s : %v", gateway.Namespace, httpRoute.Name, err),
+						})
+
+						// TODO update the RouteStatus condition / deduplicate conditions on listener
+						continue
+					}
+
+					for svcName, svc := range subServices {
+						conf.HTTP.Services[svcName] = svc
+					}
+
+					serviceName := provider.Normalize(routerKey + "-wrr")
+					conf.HTTP.Services[serviceName] = wrrService
+
+					router.Service = serviceName
+				}
+
+				if router.Service != "" {
+					routerKey = provider.Normalize(routerKey)
+
+					conf.HTTP.Routers[routerKey] = &router
+				}
+			}
+		}
+	}
+
+	return listenerStatuses
+}
+
+func (p *Provider) makeGatewayStatus(listenerStatuses []v1alpha1.ListenerStatus) (v1alpha1.GatewayStatus, error) {
+	// As Status.Addresses are not implemented yet, we initialize an empty array to follow the API expectations.
+	gatewayStatus := v1alpha1.GatewayStatus{
+		Addresses: []v1alpha1.GatewayAddress{},
+	}
+
+	var result error
+	for i, listener := range listenerStatuses {
+		if len(listener.Conditions) == 0 {
+			// GatewayConditionReady "Ready", GatewayConditionReason "ListenerReady"
+			listenerStatuses[i].Conditions = append(listenerStatuses[i].Conditions, metav1.Condition{
+				Type:               string(v1alpha1.ListenerConditionReady),
+				Status:             metav1.ConditionTrue,
+				LastTransitionTime: metav1.Now(),
+				Reason:             "ListenerReady",
+				Message:            "No error found",
+			})
+
+			continue
+		}
+
+		for _, condition := range listener.Conditions {
+			result = multierror.Append(result, errors.New(condition.Message))
+		}
+	}
+
+	if result != nil {
+		// GatewayConditionReady "Ready", GatewayConditionReason "ListenersNotValid"
+		gatewayStatus.Conditions = append(gatewayStatus.Conditions, metav1.Condition{
+			Type:               string(v1alpha1.GatewayConditionReady),
+			Status:             metav1.ConditionFalse,
+			LastTransitionTime: metav1.Now(),
+			Reason:             string(v1alpha1.GatewayReasonListenersNotValid),
+			Message:            "All Listeners must be valid",
+		})
+
+		return gatewayStatus, result
+	}
+
+	gatewayStatus.Listeners = listenerStatuses
+
+	// update "Scheduled" status with "ResourcesAvailable" reason
+	gatewayStatus.Conditions = append(gatewayStatus.Conditions, metav1.Condition{
+		Type:               string(v1alpha1.GatewayConditionScheduled),
+		Status:             metav1.ConditionTrue,
+		Reason:             "ResourcesAvailable",
+		Message:            "Resources available",
+		LastTransitionTime: metav1.Now(),
+	})
+
+	// update "Ready" status with "ListenersValid" reason
+	gatewayStatus.Conditions = append(gatewayStatus.Conditions, metav1.Condition{
+		Type:               string(v1alpha1.GatewayConditionReady),
+		Status:             metav1.ConditionTrue,
+		Reason:             "ListenersValid",
+		Message:            "Listeners valid",
+		LastTransitionTime: metav1.Now(),
+	})
+
+	return gatewayStatus, nil
+}
+
+func hostRule(httpRouteSpec v1alpha1.HTTPRouteSpec) string {
+	hostRule := ""
+	for i, hostname := range httpRouteSpec.Hostnames {
+		if i > 0 && len(hostname) > 0 {
+			hostRule += "`, `"
+		}
+		hostRule += string(hostname)
+	}
+
+	if hostRule != "" {
+		return "Host(`" + hostRule + "`)"
+	}
+
+	return ""
+}
+
+func extractRule(routeRule v1alpha1.HTTPRouteRule, hostRule string) (string, error) {
+	var rule string
+	var matchesRules []string
+
+	for _, match := range routeRule.Matches {
+		if len(match.Path.Type) == 0 && match.Headers == nil {
+			continue
+		}
+
+		var matchRules []string
+		// TODO handle other path types
+		if len(match.Path.Type) > 0 {
+			switch match.Path.Type {
+			case v1alpha1.PathMatchExact:
+				matchRules = append(matchRules, "Path(`"+match.Path.Value+"`)")
+			case v1alpha1.PathMatchPrefix:
+				matchRules = append(matchRules, "PathPrefix(`"+match.Path.Value+"`)")
+			default:
+				return "", fmt.Errorf("unsupported path match %s", match.Path.Type)
+			}
+		}
+
+		// TODO handle other headers types
+		if match.Headers != nil {
+			switch match.Headers.Type {
+			case v1alpha1.HeaderMatchExact:
+				var headerRules []string
+
+				for headerName, headerValue := range match.Headers.Values {
+					headerRules = append(headerRules, "Headers(`"+headerName+"`,`"+headerValue+"`)")
+				}
+				// to have a consistent order
+				sort.Strings(headerRules)
+				matchRules = append(matchRules, headerRules...)
+			default:
+				return "", fmt.Errorf("unsupported header match type %s", match.Headers.Type)
+			}
+		}
+
+		matchesRules = append(matchesRules, strings.Join(matchRules, " && "))
+	}
+
+	// If no matches are specified, the default is a prefix
+	// path match on "/", which has the effect of matching every
+	// HTTP request.
+	if len(routeRule.Matches) == 0 {
+		matchesRules = append(matchesRules, "PathPrefix(`/`)")
+	}
+
+	if hostRule != "" {
+		if len(matchesRules) == 0 {
+			return hostRule, nil
+		}
+		rule += hostRule + " && "
+	}
+
+	if len(matchesRules) == 1 {
+		return rule + matchesRules[0], nil
+	}
+
+	if len(rule) == 0 {
+		return strings.Join(matchesRules, " || "), nil
+	}
+
+	return rule + "(" + strings.Join(matchesRules, " || ") + ")", nil
+}
+
+func (p *Provider) entryPointName(port v1alpha1.PortNumber, protocol v1alpha1.ProtocolType) (string, error) {
+	portStr := strconv.FormatInt(int64(port), 10)
+
+	for name, entryPoint := range p.EntryPoints {
+		if strings.HasSuffix(entryPoint.Address, ":"+portStr) {
+			// if the protocol is HTTP the entryPoint must have no TLS conf
+			if protocol == v1alpha1.HTTPProtocolType && entryPoint.HasHTTPTLSConf {
+				continue
+			}
+
+			return name, nil
+		}
+	}
+
+	return "", fmt.Errorf("no matching entryPoint for port %d and protocol %q", port, protocol)
+}
+
+func makeRouterKey(rule, name string) (string, error) {
+	h := sha256.New()
+	if _, err := h.Write([]byte(rule)); err != nil {
+		return "", err
+	}
+
+	key := fmt.Sprintf("%s-%.10x", name, h.Sum(nil))
+
+	return key, nil
+}
+
+func makeID(namespace, name string) string {
+	if namespace == "" {
+		return name
+	}
+
+	return namespace + "-" + name
+}
+
+func getTLS(k8sClient Client, secretName, namespace string) (*tls.CertAndStores, error) {
+	secret, exists, err := k8sClient.GetSecret(namespace, secretName)
+	if err != nil {
+		return nil, fmt.Errorf("failed to fetch secret %s/%s: %w", namespace, secretName, err)
+	}
+	if !exists {
+		return nil, fmt.Errorf("secret %s/%s does not exist", namespace, secretName)
+	}
+
+	cert, key, err := getCertificateBlocks(secret, namespace, secretName)
+	if err != nil {
+		return nil, err
+	}
+
+	return &tls.CertAndStores{
+		Certificate: tls.Certificate{
+			CertFile: tls.FileOrContent(cert),
+			KeyFile:  tls.FileOrContent(key),
+		},
+	}, nil
+}
+
+func getTLSConfig(tlsConfigs map[string]*tls.CertAndStores) []*tls.CertAndStores {
+	var secretNames []string
+	for secretName := range tlsConfigs {
+		secretNames = append(secretNames, secretName)
+	}
+	sort.Strings(secretNames)
+
+	var configs []*tls.CertAndStores
+	for _, secretName := range secretNames {
+		configs = append(configs, tlsConfigs[secretName])
+	}
+
+	return configs
+}
+
+func getCertificateBlocks(secret *corev1.Secret, namespace, secretName string) (string, string, error) {
+	var missingEntries []string
+
+	tlsCrtData, tlsCrtExists := secret.Data["tls.crt"]
+	if !tlsCrtExists {
+		missingEntries = append(missingEntries, "tls.crt")
+	}
+
+	tlsKeyData, tlsKeyExists := secret.Data["tls.key"]
+	if !tlsKeyExists {
+		missingEntries = append(missingEntries, "tls.key")
+	}
+
+	if len(missingEntries) > 0 {
+		return "", "", fmt.Errorf("secret %s/%s is missing the following TLS data entries: %s",
+			namespace, secretName, strings.Join(missingEntries, ", "))
+	}
+
+	cert := string(tlsCrtData)
+	if cert == "" {
+		missingEntries = append(missingEntries, "tls.crt")
+	}
+
+	key := string(tlsKeyData)
+	if key == "" {
+		missingEntries = append(missingEntries, "tls.key")
+	}
+
+	if len(missingEntries) > 0 {
+		return "", "", fmt.Errorf("secret %s/%s contains the following empty TLS data entries: %s",
+			namespace, secretName, strings.Join(missingEntries, ", "))
+	}
+
+	return cert, key, nil
+}
+
+// loadServices is generating a WRR service, even when there is only one target.
+func loadServices(client Client, namespace string, targets []v1alpha1.HTTPRouteForwardTo) (*dynamic.Service, map[string]*dynamic.Service, error) {
+	services := map[string]*dynamic.Service{}
+
+	wrrSvc := &dynamic.Service{
+		Weighted: &dynamic.WeightedRoundRobin{
+			Services: []dynamic.WRRService{},
+		},
+	}
+
+	for _, forwardTo := range targets {
+		if forwardTo.ServiceName == nil {
+			continue
+		}
+
+		svc := dynamic.Service{
+			LoadBalancer: &dynamic.ServersLoadBalancer{
+				PassHostHeader: func(v bool) *bool { return &v }(true),
+			},
+		}
+
+		// TODO Handle BackendRefs
+
+		service, exists, err := client.GetService(namespace, *forwardTo.ServiceName)
+		if err != nil {
+			return nil, nil, err
+		}
+
+		if !exists {
+			return nil, nil, errors.New("service not found")
+		}
+
+		if len(service.Spec.Ports) > 1 && forwardTo.Port == 0 {
+			// If the port is unspecified and the backend is a Service
+			// object consisting of multiple port definitions, the route
+			// must be dropped from the Gateway. The controller should
+			// raise the "ResolvedRefs" condition on the Gateway with the
+			// "DroppedRoutes" reason.  The gateway status for this route
+			// should be updated with a condition that describes the error
+			// more specifically.
+			log.WithoutContext().Errorf("A multiple ports Kubernetes Service cannot be used if unspecified forwardTo.Port")
+			continue
+		}
+
+		var portName string
+		var portSpec corev1.ServicePort
+		var match bool
+
+		for _, p := range service.Spec.Ports {
+			if forwardTo.Port == 0 || p.Port == int32(forwardTo.Port) {
+				portName = p.Name
+				portSpec = p
+				match = true
+				break
+			}
+		}
+
+		if !match {
+			return nil, nil, errors.New("service port not found")
+		}
+
+		endpoints, endpointsExists, endpointsErr := client.GetEndpoints(namespace, *forwardTo.ServiceName)
+		if endpointsErr != nil {
+			return nil, nil, endpointsErr
+		}
+
+		if !endpointsExists {
+			return nil, nil, errors.New("endpoints not found")
+		}
+
+		if len(endpoints.Subsets) == 0 {
+			return nil, nil, errors.New("subset not found")
+		}
+
+		var port int32
+		var portStr string
+		for _, subset := range endpoints.Subsets {
+			for _, p := range subset.Ports {
+				if portName == p.Name {
+					port = p.Port
+					break
+				}
+			}
+
+			if port == 0 {
+				return nil, nil, errors.New("cannot define a port")
+			}
+
+			protocol := getProtocol(portSpec, portName)
+
+			portStr = strconv.FormatInt(int64(port), 10)
+			for _, addr := range subset.Addresses {
+				svc.LoadBalancer.Servers = append(svc.LoadBalancer.Servers, dynamic.Server{
+					URL: fmt.Sprintf("%s://%s", protocol, net.JoinHostPort(addr.IP, portStr)),
+				})
+			}
+		}
+
+		serviceName := provider.Normalize(makeID(service.Namespace, service.Name) + "-" + portStr)
+		services[serviceName] = &svc
+
+		weight := int(forwardTo.Weight)
+		wrrSvc.Weighted.Services = append(wrrSvc.Weighted.Services, dynamic.WRRService{Name: serviceName, Weight: &weight})
+	}
+
+	if len(services) == 0 {
+		return nil, nil, errors.New("no service has been created")
+	}
+
+	return wrrSvc, services, nil
+}
+
+func getProtocol(portSpec corev1.ServicePort, portName string) string {
+	protocol := "http"
+	if portSpec.Port == 443 || strings.HasPrefix(portName, "https") {
+		protocol = "https"
+	}
+
+	return protocol
+}
+
+func throttleEvents(ctx context.Context, throttleDuration time.Duration, pool *safe.Pool, eventsChan <-chan interface{}) chan interface{} {
+	if throttleDuration == 0 {
+		return nil
+	}
+	// Create a buffered channel to hold the pending event (if we're delaying processing the event due to throttling)
+	eventsChanBuffered := make(chan interface{}, 1)
+
+	// Run a goroutine that reads events from eventChan and does a non-blocking write to pendingEvent.
+	// This guarantees that writing to eventChan will never block,
+	// and that pendingEvent will have something in it if there's been an event since we read from that channel.
+	pool.GoCtx(func(ctxPool context.Context) {
+		for {
+			select {
+			case <-ctxPool.Done():
+				return
+			case nextEvent := <-eventsChan:
+				select {
+				case eventsChanBuffered <- nextEvent:
+				default:
+					// We already have an event in eventsChanBuffered, so we'll do a refresh as soon as our throttle allows us to.
+					// It's fine to drop the event and keep whatever's in the buffer -- we don't do different things for different events
+					log.FromContext(ctx).Debugf("Dropping event kind %T due to throttling", nextEvent)
+				}
+			}
+		}
+	})
+
+	return eventsChanBuffered
+}

pkg/provider/kubernetes/gateway/kubernetes_test.go

@@ -0,0 +1,990 @@
+package gateway
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/traefik/traefik/v2/pkg/config/dynamic"
+	"github.com/traefik/traefik/v2/pkg/provider"
+	"github.com/traefik/traefik/v2/pkg/tls"
+	"sigs.k8s.io/service-apis/apis/v1alpha1"
+)
+
+var _ provider.Provider = (*Provider)(nil)
+
+func Bool(v bool) *bool { return &v }
+
+func TestLoadHTTPRoutes(t *testing.T) {
+	testCases := []struct {
+		desc         string
+		ingressClass string
+		paths        []string
+		expected     *dynamic.Configuration
+		entryPoints  map[string]Entrypoint
+	}{
+		{
+			desc: "Empty",
+			expected: &dynamic.Configuration{
+				UDP: &dynamic.UDPConfiguration{
+					Routers:  map[string]*dynamic.UDPRouter{},
+					Services: map[string]*dynamic.UDPService{},
+				},
+				TCP: &dynamic.TCPConfiguration{
+					Routers:  map[string]*dynamic.TCPRouter{},
+					Services: map[string]*dynamic.TCPService{},
+				},
+				HTTP: &dynamic.HTTPConfiguration{
+					Routers:     map[string]*dynamic.Router{},
+					Middlewares: map[string]*dynamic.Middleware{},
+					Services:    map[string]*dynamic.Service{},
+				},
+				TLS: &dynamic.TLSConfiguration{},
+			},
+		},
+		{
+			desc:  "Empty because missing entry point",
+			paths: []string{"services.yml", "simple.yml"},
+			entryPoints: map[string]Entrypoint{"web": {
+				Address: ":443",
+			}},
+			expected: &dynamic.Configuration{
+				UDP: &dynamic.UDPConfiguration{
+					Routers:  map[string]*dynamic.UDPRouter{},
+					Services: map[string]*dynamic.UDPService{},
+				},
+				TCP: &dynamic.TCPConfiguration{
+					Routers:  map[string]*dynamic.TCPRouter{},
+					Services: map[string]*dynamic.TCPService{},
+				},
+				HTTP: &dynamic.HTTPConfiguration{
+					Routers:     map[string]*dynamic.Router{},
+					Middlewares: map[string]*dynamic.Middleware{},
+					Services:    map[string]*dynamic.Service{},
+				},
+				TLS: &dynamic.TLSConfiguration{},
+			},
+		},
+		{
+			desc:  "Empty because no http route defined",
+			paths: []string{"services.yml", "without_httproute.yml"},
+			entryPoints: map[string]Entrypoint{"web": {
+				Address: ":80",
+			}},
+			expected: &dynamic.Configuration{
+				UDP: &dynamic.UDPConfiguration{
+					Routers:  map[string]*dynamic.UDPRouter{},
+					Services: map[string]*dynamic.UDPService{},
+				},
+				TCP: &dynamic.TCPConfiguration{
+					Routers:  map[string]*dynamic.TCPRouter{},
+					Services: map[string]*dynamic.TCPService{},
+				},
+				HTTP: &dynamic.HTTPConfiguration{
+					Routers:     map[string]*dynamic.Router{},
+					Middlewares: map[string]*dynamic.Middleware{},
+					Services:    map[string]*dynamic.Service{},
+				},
+				TLS: &dynamic.TLSConfiguration{},
+			},
+		},
+		{
+			desc: "Empty caused by missing GatewayClass",
+			entryPoints: map[string]Entrypoint{"web": {
+				Address: ":80",
+			}},
+			paths: []string{"services.yml", "without_gatewayclass.yml"},
+			expected: &dynamic.Configuration{
+				UDP: &dynamic.UDPConfiguration{
+					Routers:  map[string]*dynamic.UDPRouter{},
+					Services: map[string]*dynamic.UDPService{},
+				},
+				TCP: &dynamic.TCPConfiguration{
+					Routers:  map[string]*dynamic.TCPRouter{},
+					Services: map[string]*dynamic.TCPService{},
+				},
+				HTTP: &dynamic.HTTPConfiguration{
+					Routers:     map[string]*dynamic.Router{},
+					Middlewares: map[string]*dynamic.Middleware{},
+					Services:    map[string]*dynamic.Service{},
+				},
+				TLS: &dynamic.TLSConfiguration{},
+			},
+		},
+		{
+			desc: "Empty caused by unknown GatewayClass controller name",
+			entryPoints: map[string]Entrypoint{"web": {
+				Address: ":80",
+			}},
+			paths: []string{"services.yml", "gatewayclass_with_unknown_controller.yml"},
+			expected: &dynamic.Configuration{
+				UDP: &dynamic.UDPConfiguration{
+					Routers:  map[string]*dynamic.UDPRouter{},
+					Services: map[string]*dynamic.UDPService{},
+				},
+				TCP: &dynamic.TCPConfiguration{
+					Routers:  map[string]*dynamic.TCPRouter{},
+					Services: map[string]*dynamic.TCPService{},
+				},
+				HTTP: &dynamic.HTTPConfiguration{
+					Routers:     map[string]*dynamic.Router{},
+					Middlewares: map[string]*dynamic.Middleware{},
+					Services:    map[string]*dynamic.Service{},
+				},
+				TLS: &dynamic.TLSConfiguration{},
+			},
+		},
+		{
+			desc: "Empty caused by multiport service with wrong TargetPort",
+			entryPoints: map[string]Entrypoint{"web": {
+				Address: ":80",
+			}},
+			paths: []string{"services.yml", "with_wrong_service_port.yml"},
+			expected: &dynamic.Configuration{
+				UDP: &dynamic.UDPConfiguration{
+					Routers:  map[string]*dynamic.UDPRouter{},
+					Services: map[string]*dynamic.UDPService{},
+				},
+				TCP: &dynamic.TCPConfiguration{
+					Routers:  map[string]*dynamic.TCPRouter{},
+					Services: map[string]*dynamic.TCPService{},
+				},
+				HTTP: &dynamic.HTTPConfiguration{
+					Routers:     map[string]*dynamic.Router{},
+					Middlewares: map[string]*dynamic.Middleware{},
+					Services:    map[string]*dynamic.Service{},
+				},
+				TLS: &dynamic.TLSConfiguration{},
+			},
+		},
+		{
+			desc: "Empty caused by HTTPS without TLS",
+			entryPoints: map[string]Entrypoint{"websecure": {
+				Address: ":443",
+			}},
+			paths: []string{"services.yml", "with_protocol_https_without_tls.yml"},
+			expected: &dynamic.Configuration{
+				UDP: &dynamic.UDPConfiguration{
+					Routers:  map[string]*dynamic.UDPRouter{},
+					Services: map[string]*dynamic.UDPService{},
+				},
+				TCP: &dynamic.TCPConfiguration{
+					Routers:  map[string]*dynamic.TCPRouter{},
+					Services: map[string]*dynamic.TCPService{},
+				},
+				HTTP: &dynamic.HTTPConfiguration{
+					Routers:     map[string]*dynamic.Router{},
+					Middlewares: map[string]*dynamic.Middleware{},
+					Services:    map[string]*dynamic.Service{},
+				},
+				TLS: &dynamic.TLSConfiguration{},
+			},
+		},
+		{
+			desc:  "Simple HTTPRoute, with foo entrypoint",
+			paths: []string{"services.yml", "simple.yml"},
+			entryPoints: map[string]Entrypoint{"web": {
+				Address: ":80",
+			}},
+			expected: &dynamic.Configuration{
+				UDP: &dynamic.UDPConfiguration{
+					Routers:  map[string]*dynamic.UDPRouter{},
+					Services: map[string]*dynamic.UDPService{},
+				},
+				TCP: &dynamic.TCPConfiguration{
+					Routers:  map[string]*dynamic.TCPRouter{},
+					Services: map[string]*dynamic.TCPService{},
+				},
+				HTTP: &dynamic.HTTPConfiguration{
+					Routers: map[string]*dynamic.Router{
+						"default-http-app-1-my-gateway-web-1c0cf64bde37d9d0df06": {
+							EntryPoints: []string{"web"},
+							Service:     "default-http-app-1-my-gateway-web-1c0cf64bde37d9d0df06-wrr",
+							Rule:        "Host(`foo.com`) && Path(`/bar`)",
+						},
+					},
+					Middlewares: map[string]*dynamic.Middleware{},
+					Services: map[string]*dynamic.Service{
+						"default-http-app-1-my-gateway-web-1c0cf64bde37d9d0df06-wrr": {
+							Weighted: &dynamic.WeightedRoundRobin{
+								Services: []dynamic.WRRService{
+									{
+										Name:   "default-whoami-80",
+										Weight: func(i int) *int { return &i }(1),
+									},
+								},
+							},
+						},
+						"default-whoami-80": {
+							LoadBalancer: &dynamic.ServersLoadBalancer{
+								Servers: []dynamic.Server{
+									{
+										URL: "http://10.10.0.1:80",
+									},
+									{
+										URL: "http://10.10.0.2:80",
+									},
+								},
+								PassHostHeader: Bool(true),
+							},
+						},
+					},
+				},
+				TLS: &dynamic.TLSConfiguration{},
+			},
+		},
+		{
+			desc:  "Simple HTTPRoute with protocol HTTPS",
+			paths: []string{"services.yml", "with_protocol_https.yml"},
+			entryPoints: map[string]Entrypoint{"websecure": {
+				Address: ":443",
+			}},
+			expected: &dynamic.Configuration{
+				UDP: &dynamic.UDPConfiguration{
+					Routers:  map[string]*dynamic.UDPRouter{},
+					Services: map[string]*dynamic.UDPService{},
+				},
+				TCP: &dynamic.TCPConfiguration{
+					Routers:  map[string]*dynamic.TCPRouter{},
+					Services: map[string]*dynamic.TCPService{},
+				},
+				HTTP: &dynamic.HTTPConfiguration{
+					Routers: map[string]*dynamic.Router{
+						"default-http-app-1-my-gateway-websecure-1c0cf64bde37d9d0df06": {
+							EntryPoints: []string{"websecure"},
+							Service:     "default-http-app-1-my-gateway-websecure-1c0cf64bde37d9d0df06-wrr",
+							Rule:        "Host(`foo.com`) && Path(`/bar`)",
+							TLS:         &dynamic.RouterTLSConfig{},
+						},
+					},
+					Middlewares: map[string]*dynamic.Middleware{},
+					Services: map[string]*dynamic.Service{
+						"default-http-app-1-my-gateway-websecure-1c0cf64bde37d9d0df06-wrr": {
+							Weighted: &dynamic.WeightedRoundRobin{
+								Services: []dynamic.WRRService{
+									{
+										Name:   "default-whoami-80",
+										Weight: func(i int) *int { return &i }(1),
+									},
+								},
+							},
+						},
+						"default-whoami-80": {
+							LoadBalancer: &dynamic.ServersLoadBalancer{
+								Servers: []dynamic.Server{
+									{
+										URL: "http://10.10.0.1:80",
+									},
+									{
+										URL: "http://10.10.0.2:80",
+									},
+								},
+								PassHostHeader: Bool(true),
+							},
+						},
+					},
+				},
+				TLS: &dynamic.TLSConfiguration{
+					Certificates: []*tls.CertAndStores{
+						{
+							Certificate: tls.Certificate{
+								CertFile: tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
+								KeyFile:  tls.FileOrContent("-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----"),
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			desc:  "Simple HTTPRoute, with multiple hosts",
+			paths: []string{"services.yml", "with_multiple_host.yml"},
+			entryPoints: map[string]Entrypoint{"web": {
+				Address: ":80",
+			}},
+			expected: &dynamic.Configuration{
+				UDP: &dynamic.UDPConfiguration{
+					Routers:  map[string]*dynamic.UDPRouter{},
+					Services: map[string]*dynamic.UDPService{},
+				},
+				TCP: &dynamic.TCPConfiguration{
+					Routers:  map[string]*dynamic.TCPRouter{},
+					Services: map[string]*dynamic.TCPService{},
+				},
+				HTTP: &dynamic.HTTPConfiguration{
+					Routers: map[string]*dynamic.Router{
+						"default-http-app-1-my-gateway-web-75dd1ad561e42725558a": {
+							EntryPoints: []string{"web"},
+							Service:     "default-http-app-1-my-gateway-web-75dd1ad561e42725558a-wrr",
+							Rule:        "Host(`foo.com`, `bar.com`) && PathPrefix(`/`)",
+						},
+					},
+					Middlewares: map[string]*dynamic.Middleware{},
+					Services: map[string]*dynamic.Service{
+						"default-http-app-1-my-gateway-web-75dd1ad561e42725558a-wrr": {
+							Weighted: &dynamic.WeightedRoundRobin{
+								Services: []dynamic.WRRService{
+									{
+										Name:   "default-whoami-80",
+										Weight: func(i int) *int { return &i }(1),
+									},
+								},
+							},
+						},
+						"default-whoami-80": {
+							LoadBalancer: &dynamic.ServersLoadBalancer{
+								Servers: []dynamic.Server{
+									{
+										URL: "http://10.10.0.1:80",
+									},
+									{
+										URL: "http://10.10.0.2:80",
+									},
+								},
+								PassHostHeader: Bool(true),
+							},
+						},
+					},
+				},
+				TLS: &dynamic.TLSConfiguration{},
+			},
+		},
+		{
+			desc:  "One HTTPRoute with two different rules",
+			paths: []string{"services.yml", "two_rules.yml"},
+			entryPoints: map[string]Entrypoint{"web": {
+				Address: ":80",
+			}},
+			expected: &dynamic.Configuration{
+				UDP: &dynamic.UDPConfiguration{
+					Routers:  map[string]*dynamic.UDPRouter{},
+					Services: map[string]*dynamic.UDPService{},
+				},
+				TCP: &dynamic.TCPConfiguration{
+					Routers:  map[string]*dynamic.TCPRouter{},
+					Services: map[string]*dynamic.TCPService{},
+				},
+				HTTP: &dynamic.HTTPConfiguration{
+					Routers: map[string]*dynamic.Router{
+						"default-http-app-1-my-gateway-web-1c0cf64bde37d9d0df06": {
+							EntryPoints: []string{"web"},
+							Rule:        "Host(`foo.com`) && Path(`/bar`)",
+							Service:     "default-http-app-1-my-gateway-web-1c0cf64bde37d9d0df06-wrr",
+						},
+						"default-http-app-1-my-gateway-web-d737b4933fa88e68ab8a": {
+							EntryPoints: []string{"web"},
+							Rule:        "Host(`foo.com`) && Path(`/bir`)",
+							Service:     "default-http-app-1-my-gateway-web-d737b4933fa88e68ab8a-wrr",
+						},
+					},
+					Middlewares: map[string]*dynamic.Middleware{},
+					Services: map[string]*dynamic.Service{
+						"default-http-app-1-my-gateway-web-1c0cf64bde37d9d0df06-wrr": {
+							Weighted: &dynamic.WeightedRoundRobin{
+								Services: []dynamic.WRRService{
+									{
+										Name:   "default-whoami-80",
+										Weight: func(i int) *int { return &i }(1),
+									},
+								},
+							},
+						},
+						"default-http-app-1-my-gateway-web-d737b4933fa88e68ab8a-wrr": {
+							Weighted: &dynamic.WeightedRoundRobin{
+								Services: []dynamic.WRRService{
+									{
+										Name:   "default-whoami2-8080",
+										Weight: func(i int) *int { return &i }(1),
+									},
+								},
+							},
+						},
+						"default-whoami-80": {
+							LoadBalancer: &dynamic.ServersLoadBalancer{
+								Servers: []dynamic.Server{
+									{
+										URL: "http://10.10.0.1:80",
+									},
+									{
+										URL: "http://10.10.0.2:80",
+									},
+								},
+								PassHostHeader: Bool(true),
+							},
+						},
+						"default-whoami2-8080": {
+							LoadBalancer: &dynamic.ServersLoadBalancer{
+								Servers: []dynamic.Server{
+									{
+										URL: "http://10.10.0.3:8080",
+									},
+									{
+										URL: "http://10.10.0.4:8080",
+									},
+								},
+								PassHostHeader: Bool(true),
+							},
+						},
+					},
+				},
+				TLS: &dynamic.TLSConfiguration{},
+			},
+		},
+		{
+			desc:  "One HTTPRoute with one rule two targets",
+			paths: []string{"services.yml", "one_rule_two_targets.yml"},
+			entryPoints: map[string]Entrypoint{"web": {
+				Address: ":80",
+			}},
+			expected: &dynamic.Configuration{
+				UDP: &dynamic.UDPConfiguration{
+					Routers:  map[string]*dynamic.UDPRouter{},
+					Services: map[string]*dynamic.UDPService{},
+				},
+				TCP: &dynamic.TCPConfiguration{
+					Routers:  map[string]*dynamic.TCPRouter{},
+					Services: map[string]*dynamic.TCPService{},
+				},
+				HTTP: &dynamic.HTTPConfiguration{
+					Routers: map[string]*dynamic.Router{
+						"default-http-app-1-my-gateway-web-1c0cf64bde37d9d0df06": {
+							EntryPoints: []string{"web"},
+							Rule:        "Host(`foo.com`) && Path(`/bar`)",
+							Service:     "default-http-app-1-my-gateway-web-1c0cf64bde37d9d0df06-wrr",
+						},
+					},
+					Middlewares: map[string]*dynamic.Middleware{},
+					Services: map[string]*dynamic.Service{
+						"default-http-app-1-my-gateway-web-1c0cf64bde37d9d0df06-wrr": {
+							Weighted: &dynamic.WeightedRoundRobin{
+								Services: []dynamic.WRRService{
+									{
+										Name:   "default-whoami-80",
+										Weight: func(i int) *int { return &i }(1),
+									},
+									{
+										Name:   "default-whoami2-8080",
+										Weight: func(i int) *int { return &i }(1),
+									},
+								},
+							},
+						},
+						"default-whoami-80": {
+							LoadBalancer: &dynamic.ServersLoadBalancer{
+								Servers: []dynamic.Server{
+									{
+										URL: "http://10.10.0.1:80",
+									},
+									{
+										URL: "http://10.10.0.2:80",
+									},
+								},
+								PassHostHeader: Bool(true),
+							},
+						},
+						"default-whoami2-8080": {
+							LoadBalancer: &dynamic.ServersLoadBalancer{
+								Servers: []dynamic.Server{
+									{
+										URL: "http://10.10.0.3:8080",
+									},
+									{
+										URL: "http://10.10.0.4:8080",
+									},
+								},
+								PassHostHeader: Bool(true),
+							},
+						},
+					},
+				},
+				TLS: &dynamic.TLSConfiguration{},
+			},
+		},
+		{
+			desc:  "Two Gateways and one HTTPRoute",
+			paths: []string{"services.yml", "with_two_gateways_one_httproute.yml"},
+			entryPoints: map[string]Entrypoint{
+				"web": {
+					Address: ":80",
+				},
+				"websecure": {
+					Address: ":443",
+				},
+			},
+			expected: &dynamic.Configuration{
+				UDP: &dynamic.UDPConfiguration{
+					Routers:  map[string]*dynamic.UDPRouter{},
+					Services: map[string]*dynamic.UDPService{},
+				},
+				TCP: &dynamic.TCPConfiguration{
+					Routers:  map[string]*dynamic.TCPRouter{},
+					Services: map[string]*dynamic.TCPService{},
+				},
+				HTTP: &dynamic.HTTPConfiguration{
+					Routers: map[string]*dynamic.Router{
+						"default-http-app-1-my-gateway-http-web-1c0cf64bde37d9d0df06": {
+							EntryPoints: []string{"web"},
+							Service:     "default-http-app-1-my-gateway-http-web-1c0cf64bde37d9d0df06-wrr",
+							Rule:        "Host(`foo.com`) && Path(`/bar`)",
+						},
+						"default-http-app-1-my-gateway-https-websecure-1c0cf64bde37d9d0df06": {
+							EntryPoints: []string{"websecure"},
+							Service:     "default-http-app-1-my-gateway-https-websecure-1c0cf64bde37d9d0df06-wrr",
+							Rule:        "Host(`foo.com`) && Path(`/bar`)",
+							TLS:         &dynamic.RouterTLSConfig{},
+						},
+					},
+					Middlewares: map[string]*dynamic.Middleware{},
+					Services: map[string]*dynamic.Service{
+						"default-http-app-1-my-gateway-http-web-1c0cf64bde37d9d0df06-wrr": {
+							Weighted: &dynamic.WeightedRoundRobin{
+								Services: []dynamic.WRRService{
+									{
+										Name:   "default-whoami-80",
+										Weight: func(i int) *int { return &i }(1),
+									},
+								},
+							},
+						},
+						"default-http-app-1-my-gateway-https-websecure-1c0cf64bde37d9d0df06-wrr": {
+							Weighted: &dynamic.WeightedRoundRobin{
+								Services: []dynamic.WRRService{
+									{
+										Name:   "default-whoami-80",
+										Weight: func(i int) *int { return &i }(1),
+									},
+								},
+							},
+						},
+						"default-whoami-80": {
+							LoadBalancer: &dynamic.ServersLoadBalancer{
+								Servers: []dynamic.Server{
+									{
+										URL: "http://10.10.0.1:80",
+									},
+									{
+										URL: "http://10.10.0.2:80",
+									},
+								},
+								PassHostHeader: Bool(true),
+							},
+						},
+					},
+				},
+				TLS: &dynamic.TLSConfiguration{
+					Certificates: []*tls.CertAndStores{
+						{
+							Certificate: tls.Certificate{
+								CertFile: tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
+								KeyFile:  tls.FileOrContent("-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----"),
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			desc:  "Gateway with two listeners and one HTTPRoute",
+			paths: []string{"services.yml", "with_two_listeners_one_httproute.yml"},
+			entryPoints: map[string]Entrypoint{
+				"web": {
+					Address: ":80",
+				},
+				"websecure": {
+					Address: ":443",
+				},
+			},
+			expected: &dynamic.Configuration{
+				UDP: &dynamic.UDPConfiguration{
+					Routers:  map[string]*dynamic.UDPRouter{},
+					Services: map[string]*dynamic.UDPService{},
+				},
+				TCP: &dynamic.TCPConfiguration{
+					Routers:  map[string]*dynamic.TCPRouter{},
+					Services: map[string]*dynamic.TCPService{},
+				},
+				HTTP: &dynamic.HTTPConfiguration{
+					Routers: map[string]*dynamic.Router{
+						"default-http-app-1-my-gateway-web-1c0cf64bde37d9d0df06": {
+							EntryPoints: []string{"web"},
+							Service:     "default-http-app-1-my-gateway-web-1c0cf64bde37d9d0df06-wrr",
+							Rule:        "Host(`foo.com`) && Path(`/bar`)",
+						},
+						"default-http-app-1-my-gateway-websecure-1c0cf64bde37d9d0df06": {
+							EntryPoints: []string{"websecure"},
+							Service:     "default-http-app-1-my-gateway-websecure-1c0cf64bde37d9d0df06-wrr",
+							Rule:        "Host(`foo.com`) && Path(`/bar`)",
+							TLS:         &dynamic.RouterTLSConfig{},
+						},
+					},
+					Middlewares: map[string]*dynamic.Middleware{},
+					Services: map[string]*dynamic.Service{
+						"default-http-app-1-my-gateway-web-1c0cf64bde37d9d0df06-wrr": {
+							Weighted: &dynamic.WeightedRoundRobin{
+								Services: []dynamic.WRRService{
+									{
+										Name:   "default-whoami-80",
+										Weight: func(i int) *int { return &i }(1),
+									},
+								},
+							},
+						},
+						"default-http-app-1-my-gateway-websecure-1c0cf64bde37d9d0df06-wrr": {
+							Weighted: &dynamic.WeightedRoundRobin{
+								Services: []dynamic.WRRService{
+									{
+										Name:   "default-whoami-80",
+										Weight: func(i int) *int { return &i }(1),
+									},
+								},
+							},
+						},
+						"default-whoami-80": {
+							LoadBalancer: &dynamic.ServersLoadBalancer{
+								Servers: []dynamic.Server{
+									{
+										URL: "http://10.10.0.1:80",
+									},
+									{
+										URL: "http://10.10.0.2:80",
+									},
+								},
+								PassHostHeader: Bool(true),
+							},
+						},
+					},
+				},
+				TLS: &dynamic.TLSConfiguration{
+					Certificates: []*tls.CertAndStores{
+						{
+							Certificate: tls.Certificate{
+								CertFile: tls.FileOrContent("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"),
+								KeyFile:  tls.FileOrContent("-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----"),
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			desc:  "Simple HTTPRoute, with several rules",
+			paths: []string{"services.yml", "with_several_rules.yml"},
+			entryPoints: map[string]Entrypoint{"web": {
+				Address: ":80",
+			}},
+			expected: &dynamic.Configuration{
+				UDP: &dynamic.UDPConfiguration{
+					Routers:  map[string]*dynamic.UDPRouter{},
+					Services: map[string]*dynamic.UDPService{},
+				},
+				TCP: &dynamic.TCPConfiguration{
+					Routers:  map[string]*dynamic.TCPRouter{},
+					Services: map[string]*dynamic.TCPService{},
+				},
+				HTTP: &dynamic.HTTPConfiguration{
+					Routers: map[string]*dynamic.Router{
+						"default-http-app-1-my-gateway-web-6211a6376ce8f78494a8": {
+							EntryPoints: []string{"web"},
+							Service:     "default-http-app-1-my-gateway-web-6211a6376ce8f78494a8-wrr",
+							Rule:        "Host(`foo.com`) && PathPrefix(`/bar`) && Headers(`my-header2`,`bar`) && Headers(`my-header`,`foo`)",
+						},
+						"default-http-app-1-my-gateway-web-fe80e69a38713941ea22": {
+							EntryPoints: []string{"web"},
+							Service:     "default-http-app-1-my-gateway-web-fe80e69a38713941ea22-wrr",
+							Rule:        "Host(`foo.com`) && Path(`/bar`) && Headers(`my-header`,`bar`)",
+						},
+					},
+					Middlewares: map[string]*dynamic.Middleware{},
+					Services: map[string]*dynamic.Service{
+						"default-http-app-1-my-gateway-web-6211a6376ce8f78494a8-wrr": {
+							Weighted: &dynamic.WeightedRoundRobin{
+								Services: []dynamic.WRRService{
+									{
+										Name:   "default-whoami-80",
+										Weight: func(i int) *int { return &i }(1),
+									},
+								},
+							},
+						},
+						"default-http-app-1-my-gateway-web-fe80e69a38713941ea22-wrr": {
+							Weighted: &dynamic.WeightedRoundRobin{
+								Services: []dynamic.WRRService{
+									{
+										Name:   "default-whoami-80",
+										Weight: func(i int) *int { return &i }(1),
+									},
+								},
+							},
+						},
+						"default-whoami-80": {
+							LoadBalancer: &dynamic.ServersLoadBalancer{
+								Servers: []dynamic.Server{
+									{
+										URL: "http://10.10.0.1:80",
+									},
+									{
+										URL: "http://10.10.0.2:80",
+									},
+								},
+								PassHostHeader: Bool(true),
+							},
+						},
+					},
+				},
+				TLS: &dynamic.TLSConfiguration{},
+			},
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			if test.expected == nil {
+				return
+			}
+
+			p := Provider{EntryPoints: test.entryPoints}
+			conf := p.loadConfigurationFromGateway(context.Background(), newClientMock(test.paths...))
+			assert.Equal(t, test.expected, conf)
+		})
+	}
+}
+
+func TestHostRule(t *testing.T) {
+	testCases := []struct {
+		desc         string
+		routeSpec    v1alpha1.HTTPRouteSpec
+		expectedRule string
+	}{
+		{
+			desc:         "Empty rule and matches",
+			expectedRule: "",
+		},
+		{
+			desc: "One Host",
+			routeSpec: v1alpha1.HTTPRouteSpec{
+				Hostnames: []v1alpha1.Hostname{
+					"Foo",
+				},
+			},
+			expectedRule: "Host(`Foo`)",
+		},
+		{
+			desc: "Multiple Hosts",
+			routeSpec: v1alpha1.HTTPRouteSpec{
+				Hostnames: []v1alpha1.Hostname{
+					"Foo",
+					"Bar",
+					"Bir",
+				},
+			},
+			expectedRule: "Host(`Foo`, `Bar`, `Bir`)",
+		},
+		{
+			desc: "Multiple Hosts with empty one",
+			routeSpec: v1alpha1.HTTPRouteSpec{
+				Hostnames: []v1alpha1.Hostname{
+					"Foo",
+					"",
+					"Bir",
+				},
+			},
+			expectedRule: "Host(`Foo`, `Bir`)",
+		},
+		{
+			desc: "Multiple empty hosts",
+			routeSpec: v1alpha1.HTTPRouteSpec{
+				Hostnames: []v1alpha1.Hostname{
+					"",
+					"",
+					"",
+				},
+			},
+			expectedRule: "",
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			assert.Equal(t, test.expectedRule, hostRule(test.routeSpec))
+		})
+	}
+}
+
+func TestExtractRule(t *testing.T) {
+	testCases := []struct {
+		desc          string
+		routeRule     v1alpha1.HTTPRouteRule
+		hostRule      string
+		expectedRule  string
+		expectedError bool
+	}{
+		{
+			desc:         "Empty rule and matches",
+			expectedRule: "PathPrefix(`/`)",
+		},
+		{
+			desc:         "One Host rule without matches",
+			hostRule:     "Host(`foo.com`)",
+			expectedRule: "Host(`foo.com`) && PathPrefix(`/`)",
+		},
+		{
+			desc: "One Path in matches",
+			routeRule: v1alpha1.HTTPRouteRule{
+				Matches: []v1alpha1.HTTPRouteMatch{
+					{
+						Path: v1alpha1.HTTPPathMatch{
+							Type:  v1alpha1.PathMatchExact,
+							Value: "/foo/",
+						},
+					},
+				},
+			},
+			expectedRule: "Path(`/foo/`)",
+		},
+		{
+			desc: "One Path in matches and another unknown",
+			routeRule: v1alpha1.HTTPRouteRule{
+				Matches: []v1alpha1.HTTPRouteMatch{
+					{
+						Path: v1alpha1.HTTPPathMatch{
+							Type:  v1alpha1.PathMatchExact,
+							Value: "/foo/",
+						},
+					},
+					{
+						Path: v1alpha1.HTTPPathMatch{
+							Type:  "unknown",
+							Value: "/foo/",
+						},
+					},
+				},
+			},
+			expectedError: true,
+		},
+		{
+			desc: "One Path in matches and another empty",
+			routeRule: v1alpha1.HTTPRouteRule{
+				Matches: []v1alpha1.HTTPRouteMatch{
+					{
+						Path: v1alpha1.HTTPPathMatch{
+							Type:  v1alpha1.PathMatchExact,
+							Value: "/foo/",
+						},
+					},
+					{},
+				},
+			},
+			expectedRule: "Path(`/foo/`)",
+		},
+		{
+			desc: "Path OR Header rules",
+			routeRule: v1alpha1.HTTPRouteRule{
+				Matches: []v1alpha1.HTTPRouteMatch{
+					{
+						Path: v1alpha1.HTTPPathMatch{
+							Type:  v1alpha1.PathMatchExact,
+							Value: "/foo/",
+						},
+					},
+					{
+						Headers: &v1alpha1.HTTPHeaderMatch{
+							Type: v1alpha1.HeaderMatchExact,
+							Values: map[string]string{
+								"my-header": "foo",
+							},
+						},
+					},
+				},
+			},
+			expectedRule: "Path(`/foo/`) || Headers(`my-header`,`foo`)",
+		},
+		{
+			desc: "Path && Header rules",
+			routeRule: v1alpha1.HTTPRouteRule{
+				Matches: []v1alpha1.HTTPRouteMatch{
+					{
+						Path: v1alpha1.HTTPPathMatch{
+							Type:  v1alpha1.PathMatchExact,
+							Value: "/foo/",
+						},
+						Headers: &v1alpha1.HTTPHeaderMatch{
+							Type: v1alpha1.HeaderMatchExact,
+							Values: map[string]string{
+								"my-header": "foo",
+							},
+						},
+					},
+				},
+			},
+			expectedRule: "Path(`/foo/`) && Headers(`my-header`,`foo`)",
+		},
+		{
+			desc:     "Host && Path && Header rules",
+			hostRule: "Host(`foo.com`)",
+			routeRule: v1alpha1.HTTPRouteRule{
+				Matches: []v1alpha1.HTTPRouteMatch{
+					{
+						Path: v1alpha1.HTTPPathMatch{
+							Type:  v1alpha1.PathMatchExact,
+							Value: "/foo/",
+						},
+						Headers: &v1alpha1.HTTPHeaderMatch{
+							Type: v1alpha1.HeaderMatchExact,
+							Values: map[string]string{
+								"my-header": "foo",
+							},
+						},
+					},
+				},
+			},
+			expectedRule: "Host(`foo.com`) && Path(`/foo/`) && Headers(`my-header`,`foo`)",
+		},
+		{
+			desc:     "Host && (Path || Header) rules",
+			hostRule: "Host(`foo.com`)",
+			routeRule: v1alpha1.HTTPRouteRule{
+				Matches: []v1alpha1.HTTPRouteMatch{
+					{
+						Path: v1alpha1.HTTPPathMatch{
+							Type:  v1alpha1.PathMatchExact,
+							Value: "/foo/",
+						},
+					},
+					{
+						Headers: &v1alpha1.HTTPHeaderMatch{
+							Type: v1alpha1.HeaderMatchExact,
+							Values: map[string]string{
+								"my-header": "foo",
+							},
+						},
+					},
+				},
+			},
+			expectedRule: "Host(`foo.com`) && (Path(`/foo/`) || Headers(`my-header`,`foo`))",
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			rule, err := extractRule(test.routeRule, test.hostRule)
+			if test.expectedError {
+				assert.Error(t, err)
+				return
+			}
+
+			require.NoError(t, err)
+			assert.Equal(t, test.expectedRule, rule)
+		})
+	}
+}

pkg/provider/kubernetes/ingress/kubernetes.go

@@ -36,16 +36,15 @@ const (
 
 // Provider holds configurations of the provider.
 type Provider struct {
-	Endpoint               string           `description:"Kubernetes server endpoint (required for external cluster client)." json:"endpoint,omitempty" toml:"endpoint,omitempty" yaml:"endpoint,omitempty"`
-	Token                  string           `description:"Kubernetes bearer token (not needed for in-cluster client)." json:"token,omitempty" toml:"token,omitempty" yaml:"token,omitempty"`
-	CertAuthFilePath       string           `description:"Kubernetes certificate authority file path (not needed for in-cluster client)." json:"certAuthFilePath,omitempty" toml:"certAuthFilePath,omitempty" yaml:"certAuthFilePath,omitempty"`
-	DisablePassHostHeaders bool             `description:"Kubernetes disable PassHost Headers." json:"disablePassHostHeaders,omitempty" toml:"disablePassHostHeaders,omitempty" yaml:"disablePassHostHeaders,omitempty" export:"true"`
-	Namespaces             []string         `description:"Kubernetes namespaces." json:"namespaces,omitempty" toml:"namespaces,omitempty" yaml:"namespaces,omitempty" export:"true"`
-	LabelSelector          string           `description:"Kubernetes Ingress label selector to use." json:"labelSelector,omitempty" toml:"labelSelector,omitempty" yaml:"labelSelector,omitempty" export:"true"`
-	IngressClass           string           `description:"Value of kubernetes.io/ingress.class annotation to watch for." json:"ingressClass,omitempty" toml:"ingressClass,omitempty" yaml:"ingressClass,omitempty" export:"true"`
-	IngressEndpoint        *EndpointIngress `description:"Kubernetes Ingress Endpoint." json:"ingressEndpoint,omitempty" toml:"ingressEndpoint,omitempty" yaml:"ingressEndpoint,omitempty" export:"true"`
-	ThrottleDuration       ptypes.Duration  `description:"Ingress refresh throttle duration" json:"throttleDuration,omitempty" toml:"throttleDuration,omitempty" yaml:"throttleDuration,omitempty" export:"true"`
-	lastConfiguration      safe.Safe
+	Endpoint          string           `description:"Kubernetes server endpoint (required for external cluster client)." json:"endpoint,omitempty" toml:"endpoint,omitempty" yaml:"endpoint,omitempty"`
+	Token             string           `description:"Kubernetes bearer token (not needed for in-cluster client)." json:"token,omitempty" toml:"token,omitempty" yaml:"token,omitempty"`
+	CertAuthFilePath  string           `description:"Kubernetes certificate authority file path (not needed for in-cluster client)." json:"certAuthFilePath,omitempty" toml:"certAuthFilePath,omitempty" yaml:"certAuthFilePath,omitempty"`
+	Namespaces        []string         `description:"Kubernetes namespaces." json:"namespaces,omitempty" toml:"namespaces,omitempty" yaml:"namespaces,omitempty" export:"true"`
+	LabelSelector     string           `description:"Kubernetes Ingress label selector to use." json:"labelSelector,omitempty" toml:"labelSelector,omitempty" yaml:"labelSelector,omitempty" export:"true"`
+	IngressClass      string           `description:"Value of kubernetes.io/ingress.class annotation to watch for." json:"ingressClass,omitempty" toml:"ingressClass,omitempty" yaml:"ingressClass,omitempty" export:"true"`
+	IngressEndpoint   *EndpointIngress `description:"Kubernetes Ingress Endpoint." json:"ingressEndpoint,omitempty" toml:"ingressEndpoint,omitempty" yaml:"ingressEndpoint,omitempty" export:"true"`
+	ThrottleDuration  ptypes.Duration  `description:"Ingress refresh throttle duration" json:"throttleDuration,omitempty" toml:"throttleDuration,omitempty" yaml:"throttleDuration,omitempty" export:"true"`
+	lastConfiguration safe.Safe
 }
 
 // EndpointIngress holds the endpoint information for the Kubernetes provider.

pkg/provider/kubernetes/k8s/parser.go

@@ -12,7 +12,7 @@ import (
 
 // MustParseYaml parses a YAML to objects.
 func MustParseYaml(content []byte) []runtime.Object {
-	acceptedK8sTypes := regexp.MustCompile(`^(Deployment|Endpoints|Service|Ingress|IngressRoute|IngressRouteTCP|IngressRouteUDP|Middleware|Secret|TLSOption|TLSStore|TraefikService|IngressClass|ServersTransport)$`)
+	acceptedK8sTypes := regexp.MustCompile(`^(Deployment|Endpoints|Service|Ingress|IngressRoute|IngressRouteTCP|IngressRouteUDP|Middleware|Secret|TLSOption|TLSStore|TraefikService|IngressClass|ServersTransport|GatewayClass|Gateway|HTTPRoute)$`)
 
 	files := strings.Split(string(content), "---")
 	retVal := make([]runtime.Object, 0, len(files))