Is it possible to add additional Envoy configs to the Gateway API managed resources(Ingress controller)? #26941

Open
heruscode opened this issue Jul 19, 2023 · 10 comments
Labels
area/servicemesh GH issues or PRs regarding servicemesh kind/feature This introduces new functionality. pinned These issues are not marked stale by our issue bot. sig/agent Cilium agent related.

Comments

@heruscode

I’m trying to understand if it's possible to add additional Envoy configs to the Gateway API managed resources (Ingress controller).

I currently have a GKE managed cluster, with Cilium enabled ingress controller, and I’m using Gateway API resources. I wanted to add some custom Envoy configs that Gateway API doesn’t seem to support (like adding some custom URL Rewriting and Direct Responses).

I tried to follow the official doc examples, but it only seems to affect the traffic within the service mesh (a Service talking to another Service). What I’m trying to achieve is to customize Ingress traffic (traffic that is coming from real users on the internet).

I see that the Gateway resource auto creates/manages a CiliumEnvoyConfig/cilium-gateway-cilium-gateway that is responsible for the ingress service. Manually editing that manifest would be a no-go. I tried to create a secondary CiliumEnvoyConfig with a new listener pointing to the same ingress service but I had no success:

level=warning msg="Failed to redirect K8s services to Envoy" ciliumClusterwideEnvoyConfigName=cilium-extra error="Service \"dev2-cilium/cilium-gateway-cilium-gateway\" already registered for L7 LB redirection via CiliumEnvoyConfig \"dev2-cilium/cilium-gateway-cilium-gateway\""

Is there any way to append Envoy configs to the Gateway API managed resources?

@youngnick youngnick added kind/question Frequently asked questions & answers. This issue will be linked from the documentation's FAQ. sig/agent Cilium agent related. area/servicemesh GH issues or PRs regarding servicemesh labels Jul 24, 2023
@youngnick
Contributor

Hi @heruscode, thanks for this question.

Currently, there is no way to add extra Envoy config to Gateway API objects - we're hoping to build out this functionality in Cilium's Gateway API support instead.

Could you add a bit more detail about what URL Rewriting and Direct Response config you'd like? We may then be able to turn this into a feature request. :)

@heruscode
Author

heruscode commented Jul 28, 2023

I have a use case for controlling maintenance pages at the ingress level. For example, when I want to turn on maintenance mode for some service, I can use an nginx config to return a direct response with a static HTML page on all paths or a 503 error for API calls.

It would also be useful to be able to rate-limit requests coming from the internet or do some URL rewriting to mutate the request before it reaches the backend.

@youngnick
Contributor

Okay, so the two requests are:

  • direct response
  • rate limits

Is that correct?

@heruscode
Author

correct

@youngnick
Contributor

We're hoping to add both of these things via Gateway API, but we need to define the language in upstream for them first.

@github-actions

This issue has been automatically marked as stale because it has not
had recent activity. It will be closed if no further activity occurs.

@github-actions github-actions bot added the stale The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale. label Oct 17, 2023
@youngnick youngnick added pinned These issues are not marked stale by our issue bot. and removed stale The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale. labels Oct 17, 2023
@youngnick
Contributor

I'm counting this as a feature request for Gateway API to be able to handle the two features above:

  • direct response
  • rate limits

These are definitely on the roadmap upstream, so we should be able to talk more about them post-GA for Gateway API.

@youngnick youngnick self-assigned this Oct 17, 2023
@youngnick youngnick added kind/feature This introduces new functionality. and removed kind/question Frequently asked questions & answers. This issue will be linked from the documentation's FAQ. labels Oct 17, 2023
@eminaktas
Contributor

@youngnick, thank you for your interest in this request. It would be great to be able to extend the Gateway API with custom Envoy configs. I can do it by manipulating the auto-generated Envoy config, but it is not a convenient method. I want to add an OAuth2 flow in the Gateway API.

Is this feature planned?

@larssb

larssb commented Jan 22, 2024

There IS a workaround. By no means beautiful ... However, here it is:

  1. Create your Gateway API gateway instance, HTTPRoute and so on
  2. Apply your custom CiliumEnvoyConfig to the cluster. One that listens on the Gateway API gateway instance you just created
  3. Now, in order to get rid of the default auto-generated CiliumEnvoyConfig for the Gateway API gateway instance you need to:
    1. Delete the cilium GatewayClass from the cluster
    2. Then delete the default auto-generated CiliumEnvoyConfig
  4. Now Cilium won't auto-generate a default CiliumEnvoyConfig covering your Gateway API gateway instance

N.B. this is a rotten but working workaround. Rotten because:

  • to create working Gateway API gateway instances in the future you need to:
    1. Apply a working kind: GatewayClass by the name cilium (have a backup of the default Cilium-created cilium kind: GatewayClass)
    2. Create your new Gateway API gateway instance, HTTPRoute and so on
    3. When the Gateway API gateway instance is fully instantiated, delete the Cilium GatewayClass
    4. Now delete the auto-generated CiliumEnvoyConfig for all Gateway API gateway instances on the cluster.

N.B. it should also be perfectly possible to wait with creating your custom CiliumEnvoyConfig until after you:

  • deleted the auto generated CiliumEnvoyConfig
  • and then the cilium GatewayClass

Enjoy 🥇

@vladimirfx

IMO parametersRef in GatewayClass is provided for exactly such cases. Gateway API is evolving slowly (a good thing), but implementors should provide advanced features now.
The Envoy Gateway implementation provides the ability to attach custom Envoy config (https://gateway.envoyproxy.io/v0.6.0/user/customize-envoyproxy/#add-gatewayclass-parametersref).

It would be nice to have analogous functionality in the Cilium Gateway API impl.
