Kubernetes Gateway ignored by default revision if not injected

[keithmattix]

When creating a k8s Gateway (i.e Gateway API) in a revisioned istiod environment, the Gateway is accepted (Accepted condition = True), but no pods or services are deployed unless the namespace or Gateway object is labeled for injection. This seems strange and presents some friction for adopting Gateway API. @howardjohn or others may have some context for why this was decided, but IMO, it would be better for the default revision to program non-injected Gateways. Note that this probably affects waypoints as well, but I haven't checked.

[costinm]

I double checked - the namespace does not require the label for injection when using the K8S Gateway.

The Gateway object does allow a istio.io/rev ( optional, defaults to "default" ) - which will be accepted only by the specific istiod revision. I have tested this for few hours - it works pretty well for canarying/testing new istiod options or versions that impact the deployment and gateway config.

We should discuss if we want to document and make this feature 'supported'.

[keithmattix]

Interesting...when I didn't add the istio.io/rev label, the Gateway infra was never created; I'll have to go and double check. I think the revision label is supported/intended and we should document it better

[costinm]

If you only have a revisioned istiod - I think you do need istio.io/rev label ( can be on the Gateway object itself - I don't think we document that clearly). I never tried with a label on namespace - that's supposed to be for injectors.

If you have a default Istiod - it should pick all the gateways without a label. I have not tried what happens if you have a revisioned Istiod and a tag for default - in most of my tests I had a default istiod and a revisioned Istiod, and wanted to make sure Gateway objects with the label are handled by the corresponding revision of Istiod, which seems to be the case.

[keithmattix]

If you only have a revisioned istiod - I think you do need istio.io/rev label ( can be on the Gateway object itself - I don't think we document that clearly). I never tried with a label on namespace - that's supposed to be for injectors.

Yes, this was what I observed before. I wasn't able to reproduce it in kind the other day, but haven't been able to revisit it

[keithmattix]

Figured out why I couldn't reproduce it: non-labeled, revisioned gateway creation works in the default namespace, but all other namespaces fail and the informers don't even seem to get the events. I suspect this has to do with resource scoping.