Move Contour routing to Gateway API recipes by default

[willdavsmith]

Summary

This PR updates the Contour recipe-pack design and implementation direction to use Gateway API as the default Contour-backed route path.

The default model is now:

• rad install kubernetes continues installing Contour by default for now.
• When Contour install is enabled, Radius creates the shared Gateway API infrastructure: GatewayClass/contour and Gateway/radius in radius-system.
• The default Radius.Compute/routes recipe renders Gateway API route resources such as HTTPRoute and attaches them to radius-system/radius.
• Applications do not define an application-level gateway resource in the default path.

The design still keeps removal of default Contour installation as a separate review decision.

Scope

• Adds install/upgrade/uninstall handling for the managed default Contour Gateway API Gateway.
• Grants the dynamic RP Gateway API permissions for Gateway and route resources.
• Rewrites the design note to describe Contour Gateway API as the default recipe path.
• Documents HTTPProxy as an alternate compatibility recipe-pack option, not the default.

Related work

• Issue: Plan for removal of Contour installation and replace ingress behavior with recipe packs including docs #11952
• Demo repo: https://github.com/willdavsmith/radius-nginx-demo
• Companion recipe PR: Use Gateway API for Kubernetes routes by default resource-types-contrib#172

Validation

Local:

• GOCACHE=/private/tmp/radius-go-build-cache go test ./pkg/cli/helm ./cmd/rad/cmd

Demo e2e:

• Contour Gateway API recipes: https://github.com/willdavsmith/radius-nginx-demo/actions/runs/26665457465
• NGINX Gateway API recipes: https://github.com/willdavsmith/radius-nginx-demo/actions/runs/26665457417

Notes for reviewers

The key design point is that Radius can keep the same application shape while moving provider-specific route rendering into recipes. Contour remains installed by default for now; the default application routing path moves to Gateway API so the same route recipe shape can work with Contour, NGINX Gateway Fabric, or another Gateway API controller.

Fixes: #12038

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

[github-actions]

Unit Tests

    2 files  ±0    438 suites  ±0   6m 59s ⏱️ -17s
5 326 tests +4  5 324 ✅ +4  2 💤 ±0  0 ❌ ±0 
6 480 runs  +4  6 478 ✅ +4  2 💤 ±0  0 ❌ ±0 

Results for commit 3ae3ba9. ± Comparison against base commit 1dbd9a1.

This pull request removes 1 and adds 5 tests. Note that renamed tests count towards both.

github.com/radius-project/radius/pkg/cli/helm ‑ TestAddContourValues_HostNetworkDisabled_NoChange

github.com/radius-project/radius/pkg/cli/helm ‑ TestAddContourValues_HostNetworkDisabled_ConfiguresDefaultGatewayRef
github.com/radius-project/radius/pkg/cli/helm ‑ TestDeleteDefaultContourGatewayResourcesOnlyDeletesManagedResources
github.com/radius-project/radius/pkg/cli/helm ‑ TestReconcileDefaultContourGatewayAllowsExistingMatchingGatewayClass
github.com/radius-project/radius/pkg/cli/helm ‑ TestReconcileDefaultContourGatewayCreatesResources
github.com/radius-project/radius/pkg/cli/helm ‑ TestReconcileDefaultContourGatewayRejectsConflictingGatewayClass

♻️ This comment has been updated with latest results.

[codecov]

Codecov Report

❌ Patch coverage is 69.33333% with 46 lines in your changes missing coverage. Please review.
✅ Project coverage is 52.20%. Comparing base (1dbd9a1) to head (3ae3ba9).

Files with missing lines	Patch %	Lines
pkg/cli/helm/contour_gateway.go	67.74%	36 Missing and 4 partials ⚠️
pkg/cli/helm/cluster.go	40.00%	3 Missing and 3 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #11995      +/-   ##
==========================================
+ Coverage   52.13%   52.20%   +0.06%     
==========================================
  Files         734      735       +1     
  Lines       46704    46854     +150     
==========================================
+ Hits        24350    24458     +108     
- Misses      20017    20054      +37     
- Partials     2337     2342       +5     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull request overview

Adds a new design note describing how Radius’ current built-in Contour (HTTPProxy) ingress rendering could be moved out of core RP and into contributed recipe packs while preserving the existing Radius.Compute/* application model and default behavior.

Changes:

• Introduces a design proposal for a Contour HTTPProxy compatibility recipe pack (gateways root proxy + routes child proxies + existing containers recipes).
• Documents current Contour installation defaults and how default recipe-pack behavior could incorporate HTTPProxy parity.
• Outlines test, security (RBAC), and compatibility considerations, plus a Gateway API alternative path.

[radius-functional-tests]

Radius functional test overview

🔍 Go to test action run

Click here to see the test run details

Name	Value
Repository	radius-project/radius
Commit ref	3ae3ba9
Unique ID	func09881f5068
Image tag	pr-func09881f5068

• gotestsum 1.13.0
• KinD: v0.29.0
• Dapr: 1.14.4
• Azure KeyVault CSI driver: 1.4.2
• Azure Workload identity webhook: 1.3.0
• Bicep recipe location ghcr.io/radius-project/dev/test/testrecipes/test-bicep-recipes/<name>:pr-func09881f5068
• Terraform recipe location http://tf-module-server.radius-test-tf-module-server.svc.cluster.local/<name>.zip (in cluster)
• applications-rp test image location: ghcr.io/radius-project/dev/applications-rp:pr-func09881f5068
• dynamic-rp test image location: ghcr.io/radius-project/dev/dynamic-rp:pr-func09881f5068
• controller test image location: ghcr.io/radius-project/dev/controller:pr-func09881f5068
• ucp test image location: ghcr.io/radius-project/dev/ucpd:pr-func09881f5068
• deployment-engine test image location: ghcr.io/radius-project/deployment-engine:latest

Test Status

⌛ Building Radius and pushing container images for functional tests...
✅ Container images build succeeded
⌛ Publishing Bicep Recipes for functional tests...
✅ Recipe publishing succeeded
⌛ Starting corerp-cloud functional tests...
⌛ Starting ucp-cloud functional tests...
✅ ucp-cloud functional tests succeeded
✅ corerp-cloud functional tests succeeded
✅ corerp-cloud functional tests succeeded

[sk593]

Just confirming, the routes recipe has support for TCP and UDP routes depending on the application template. The expectation is that this would not be supported with a Contour installation, correct (I don't think Contour natively supports these)? i.e. we'd use either HTTP or the TLS routing with the Gateway API for default Contour installations

[sk593]

Could use PM input here. We might not need to revisit the design it if the expectation is that users bring their own networking infrastructure. This would just need to be called out explicitly in documentation