Upgrade Higress to 2.2.0 and add deployment health test #473

Merged
weilei0120 merged 7 commits into main from fix/andrewma/update_higress_version_in_bootstrap
Apr 23, 2026
@amd-ama10002-2
Collaborator

Problem

When installing Higress 2.2.0 via Bootstrap/higress/higress.sh, the Higress controller fails to become ready. The higress-controller pod shows 0/2 Running and the higress-gateway pods get stuck in ContainerCreating.

Root cause: The script installs Gateway API CRDs v1.0.0, which only exposes BackendTLSPolicy as v1alpha2. Higress 2.2.0 expects v1.BackendTLSPolicy, which doesn't exist in that version.

You can confirm this by checking the controller logs:

kubectl logs -n higress-system -l app=higress-controller -c higress-core --tail=50

The key error is:

failed to list *v1.BackendTLSPolicy: the server could not find the requested resource (get backendtlspolicies.gateway.networking.k8s.io)

Summary

  • Upgrade the Higress Helm chart from 2.1.8 to 2.2.0 and switch the chart source from the private OCI registry (registry-1.docker.io/primussafe/higress) to the public Higress repo (higress.io/higress), since the private registry only hosts 2.1.8.
  • Upgrade Gateway API CRDs from v1.0.0 to v1.4.0 with --server-side apply. Higress 2.2.0 expects v1.BackendTLSPolicy, which only ships in Gateway API v1.4.0 (v1.0.0 only provides v1alpha2). Without this, the controller fails with failed to list *v1.BackendTLSPolicy.
  • Add a Kyverno Chainsaw infrastructure test for verifying the Higress deployment health.
  • Add Bootstrap/kubespray/ and Bootstrap/kubespray-venv/ to .gitignore (generated at runtime by bootstrap.sh).

What changed

| File | Change |
| --- | --- |
| Bootstrap/higress/higress.sh | Helm chart source changed to higress.io/higress, version bumped to 2.2.0. Gateway API CRDs updated to v1.4.0 with --server-side. |
| Bootstrap/tests/higress/chainsaw-test.yaml | New Chainsaw test that asserts: (1) higress-controller deployment has ready replicas, (2) at least one higress-gateway pod is Running, (3) ssh-gateway Gateway resource exists. |
| Bootstrap/tests/.chainsaw.yaml | Shared Chainsaw configuration (timeouts, fail-fast). |
| Bootstrap/tests/README.md | Documentation for running the infrastructure tests. |
| .gitignore | Ignore Bootstrap/kubespray/ and Bootstrap/kubespray-venv/. |

Why Gateway API v1.4.0?

The experimental channel (experimental-install.yaml) is required because Higress uses CRDs that the standard channel does not include (TCPRoute, BackendTLSPolicy, etc.). Version 1.4.0 is the minimum that serves v1.BackendTLSPolicy, which Higress 2.2.0 requires.

Test plan

Run the deployment script and then the Chainsaw test:

cd ~/Primus-SaFE/Bootstrap
bash higress/higress.sh

sudo nerdctl run --rm \
    -v ./tests/:/chainsaw/ \
    -v ${HOME}/.kube/:/etc/kubeconfig/ \
    -e KUBECONFIG=/etc/kubeconfig/config \
    --network=host \
    ghcr.io/kyverno/chainsaw \
    test /chainsaw --config /chainsaw/.chainsaw.yaml

Expected result: All 3 checks pass.

Known limitation

The controller logs show non-fatal RBAC warnings for experimental gateway.networking.x-k8s.io resources (xbackendtrafficpolicies, xlistenersets). These do not prevent the controller from reaching Ready state. The Higress Helm chart does not ship RBAC for these experimental CRDs; this can be addressed in a follow-up if needed.

Testing

Screenshot Installation works:

[Screenshot 2026-04-07 204129]

Screenshot of infra test passing -- pods are running.

[Screenshot 2026-04-07 204154]

Screenshot showing higress gateway is accessible:

[image]
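
The root cause described above (the installed Gateway API CRD not serving v1.BackendTLSPolicy) can be caught before the Helm install. The following preflight check is an added example, not part of this PR or of higress.sh; the function names, the `--live` switch and the sample inputs are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of the PR: preflight check for the failure above.
# Confirms the BackendTLSPolicy CRD serves the API version the controller
# lists before the Helm install is attempted.

CRD="backendtlspolicies.gateway.networking.k8s.io"

# Reads "name=served" lines (one per CRD version) on stdin.
# Returns 0 only if version $1 is present AND served; a version that is
# listed with served=false is as unusable to a client as a missing one.
crd_serves_version() (
    want="$1"
    rc=1
    while IFS='=' read -r name served || [ -n "$name" ]; do
        if [ "$name" = "$want" ] && [ "$served" = "true" ]; then
            rc=0
        fi
    done
    exit "$rc"
)

# Emits "name=served" for each version of the live CRD
# (needs kubectl and a working kubeconfig).
live_crd_versions() {
    kubectl get crd "$CRD" \
        -o jsonpath='{range .spec.versions[*]}{.name}={.served}{"\n"}{end}'
}

# Constructed sample inputs; they do not reproduce the exact contents of
# any released CRD, which may list further versions.
SAMPLE_OLD="v1alpha2=true"      # only v1alpha2, as the PR reports for v1.0.0
SAMPLE_NEW="v1alpha2=true
v1=true"                        # v1 is served
SAMPLE_UNSERVED="v1=false"      # v1 listed but not served

# Live use (hypothetical file name): ./preflight.sh --live
if [ "${1:-}" = "--live" ]; then
    if live_crd_versions | crd_serves_version v1; then
        echo "OK: $CRD serves v1"
    else
        echo "FAIL: $CRD does not serve v1; upgrade the Gateway API CRDs first" >&2
        exit 1
    fi
fi
```
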

Refactor the resource availability logic to enhance user experience. The flavor availability is now lazy-loaded when the dialog opens, and the GPU field is conditionally hidden based on the availability response. This change aims to streamline the dialog's performance and prevent unnecessary data loading.
Introduce a new README.md file detailing the end-to-end testing setup for Bootstrap components using Kyverno Chainsaw. The document includes prerequisites, instructions for running tests, test structure, and a table of available tests, enhancing the documentation for developers.
- Change the helm chart source for higress to higress.io and update the version to 2.2.0.
- Upgrade the Gateway API CRDs installation to version 1.4.0 with server-side apply for improved deployment.
- Add Bootstrap/kubespray/ and Bootstrap/kubespray-venv/ to .gitignore to prevent tracking of generated files in the Bootstrap infrastructure.
- Change the skipDelete option from true to false in the cleanup section to ensure resources are deleted after test execution.
@amd-ama10002-2 amd-ama10002-2 self-assigned this Apr 8, 2026
@amd-ama10002-2 amd-ama10002-2 marked this pull request as ready for review April 8, 2026 02:28
Copilot AI review requested due to automatic review settings April 8, 2026 02:28
@amd-ama10002-2 amd-ama10002-2 added the enhancement New feature or request label Apr 8, 2026
Contributor

Copilot AI left a comment

Pull request overview

This PR updates the Bootstrap Higress installation to work with Higress 2.2.0 by upgrading the Helm chart source/version and upgrading the Kubernetes Gateway API CRDs to a version that includes v1.BackendTLSPolicy. It also introduces Kyverno Chainsaw-based infrastructure health checks for the Higress deployment and documents how to run them.

Changes:

  • Upgrade Higress Helm chart to 2.2.0 and switch chart source to higress.io/higress.
  • Upgrade Gateway API CRDs to v1.4.0 using server-side apply.
  • Add Chainsaw test/config + documentation for Bootstrap infrastructure tests; update .gitignore for generated Bootstrap directories.

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| Bootstrap/higress/higress.sh | Bumps Higress chart to 2.2.0 and updates Gateway API CRDs to v1.4.0 (server-side apply). |
| Bootstrap/tests/higress/chainsaw-test.yaml | Adds a Chainsaw test to validate Higress controller readiness, gateway pods running, and presence of a Gateway resource. |
| Bootstrap/tests/.chainsaw.yaml | Adds shared Chainsaw configuration (timeouts, fail-fast, cleanup behavior). |
| Bootstrap/tests/README.md | Documents how to run the infrastructure tests and the test directory structure. |
| .gitignore | Ignores runtime-generated Bootstrap/kubespray/ and Bootstrap/kubespray-venv/. |

Comment thread Bootstrap/tests/higress/chainsaw-test.yaml Outdated
Comment thread Bootstrap/tests/.chainsaw.yaml
Comment thread Bootstrap/higress/higress.sh
Comment thread Bootstrap/tests/README.md Outdated
@amd-ama10002-2 amd-ama10002-2 marked this pull request as draft April 8, 2026 02:36
- Replace script-based check with an assert for the higress-gateway pod status in the chainsaw-test.yaml, ensuring the pod is Running in the specified namespace.
@codecov
codecov Bot commented Apr 8, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

Clarify the nature of the tests by changing "unit tests" to "integration tests" in the README.md, providing a more accurate description of the testing framework used with Kyverno Chainsaw.
@amd-ama10002-2 amd-ama10002-2 marked this pull request as ready for review April 8, 2026 03:04
@weilei0120 weilei0120 merged commit ee6f14a into main Apr 23, 2026
29 checks passed
@weilei0120 weilei0120 deleted the fix/andrewma/update_higress_version_in_bootstrap branch April 23, 2026 09:21