gateway-api: Add support for gateway-api v0.5.1 #21749
Merged
maintainer-s-little-helper (bot) added the dont-merge/needs-release-note-label label (The author needs to describe the release impact of these changes.), Oct 17, 2022
sayboras added the release-note/major label (This PR introduces major new functionality to Cilium.), Oct 17, 2022
maintainer-s-little-helper (bot) removed the dont-merge/needs-release-note-label label, Oct 17, 2022
sayboras added the dont-merge/preview-only (Only for preview or testing, don't merge it.) and dont-merge/needs-release-note-label labels, Oct 17, 2022
maintainer-s-little-helper (bot) removed the dont-merge/needs-release-note-label label, Oct 17, 2022
sayboras changed the title from "gateway-api: Add support for gateway-api v0.5.1 #21708" to "gateway-api: Add support for gateway-api v0.5.1", Oct 17, 2022
sayboras force-pushed the ft/master/gateway-api-support branch 6 times, most recently from 79563a8 to 6bcc58a, October 19, 2022 14:51
sayboras removed the dont-merge/preview-only label, Oct 19, 2022
sayboras force-pushed the ft/master/gateway-api-support branch 14 times, most recently from 2022086 to 719c878, October 24, 2022 03:48
This was referenced Oct 31, 2022
This commit is to leverage controller-runtime library for Gateway API controllers. operator-sdk CLI is used to create the scaffold structure and code.

```
operator-sdk create api --group gateway --version v1beta1 --kind GatewayClass --resource --controller --namespaced false
operator-sdk create api --group gateway --version v1beta1 --kind Gateway --resource --controller
operator-sdk create api --group gateway --version v1beta1 --kind HTTPRoute --resource --controller
```

One adjustment is to separate the reconciliation event trigger (e.g. watch specific resource) and the reconciliation logic itself into different files (e.g. gateway.go and gateway_reconcile.go). This will create some space for actual implementation later.

Signed-off-by: Tam Mach <tam.mach@cilium.io>
This commit is doing nothing but just add a flag for enabling Gateway API support. The permission for operator clusterrole is updated as required. Signed-off-by: Tam Mach <tam.mach@cilium.io>
This is just to add a simple reconciliation loop, which will just check controller name and update the status accordingly. Currently, there is no support of GatewayClass configuration from either custom resource or configmap (preferred), hence the Accepted condition will be just updated to True. Future improvement can be done with different set of configuration parameters (e.g. internal vs external, etc). Signed-off-by: Tam Mach <tam.mach@cilium.io>
sayboras force-pushed the ft/master/gateway-api-support branch from 07c5dd9 to 39984cb, October 31, 2022 06:12
For HTTPRoute resources, the reconciliation should start if any of the below events happens:
- Changes in HTTPRoute itself
- Changes in related backend services
- Changes in parent Gateway spec (e.g. allowedRoutes)

The current reconciliation loop is trying its best to make sure that HTTPRoute is attachable to Gateway. If all validations are passed, then the Accepted condition will be updated to True, which signals the reconciliation loop for parent Gateway resources.

Signed-off-by: Tam Mach <tam.mach@cilium.io>
This commit is to support headers and query params matching, also add weightage attribute for backends as well. The goal is to prepare for supporting more options in HTTPRoute from Gateway API in subsequent changes. Signed-off-by: Tam Mach <tam.mach@cilium.io>
This commit is just to lift and shift existing shared translator (used in Ingress) to higher level, so that it can be re-used naturally for both Ingress and Gateway API. Signed-off-by: Tam Mach <tam.mach@cilium.io>
This commit is to support multiple TLS secrets, which can be useful for some use cases in Gateway API. Signed-off-by: Tam Mach <tam.mach@cilium.io>
This commit is to support hostnames in route level, mainly for the stricter domain validation compared to listener domain. For example, listener might have wildcard domain such as *.example.com, but each route might have its own sub-domains such as route1.example.com or route2.example.com. If nothing is specified in route level, the value from listener will be honoured. Signed-off-by: Tam Mach <tam.mach@cilium.io>
This is to support the scenario, in which no backend is valid or available. Signed-off-by: Tam Mach <tam.mach@cilium.io>
This commit is to support request header add/set/removal operation. Signed-off-by: Tam Mach <tam.mach@cilium.io>
This commit is to convert gateway api resource to our internal representation. The logic is pretty simple, just few things to highlight compared to Ingress:
- Query match, header match are supported.
- Request header filter is supported for operations Set, Add and Remove.

Signed-off-by: Tam Mach <tam.mach@cilium.io>
This commit is to our internal representation to CEC, LB Service and Endpoints. The logic is exactly the same compared to default translator, except a few tweaks:
- hostname matching is suffix based
- multiple listeners might have a same port number (e.g. 80 or 443), so we need to consider only unique values.

Signed-off-by: Tam Mach <tam.mach@cilium.io>
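Added example, not code from this PR or from Cilium: a Go sketch of the listener/route hostname intersection that the route-level hostname and suffix-matching commit messages above describe, following the Gateway API convention that a leading `*.` matches on a dot-anchored suffix. The function names and hostnames are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// covers reports whether pattern admits host. A leading "*." makes pattern a
// suffix wildcard; the suffix keeps its dot, so "*.example.com" admits
// "a.b.example.com" but neither "example.com" nor "evilexample.com".
func covers(pattern, host string) bool {
	if !strings.HasPrefix(pattern, "*.") {
		return pattern == host
	}
	suffix := pattern[1:]
	return len(host) > len(suffix) && strings.HasSuffix(host, suffix)
}

// EffectiveHostnames intersects a listener hostname with a route's hostnames.
// An empty route list inherits the listener value; a nil result for a
// non-empty list means no hostname is shared and the route must not attach.
func EffectiveHostnames(listener string, route []string) []string {
	if len(route) == 0 {
		return []string{listener}
	}
	var out []string
	for _, r := range route {
		switch {
		case listener == "" || covers(listener, r):
			out = append(out, r) // route value is the narrower one
		case covers(r, listener):
			out = append(out, listener) // route wildcard is broader than listener
		}
	}
	return out
}

func main() {
	// Constructed hostnames, following the *.example.com case in the commit message.
	routes := []string{"route1.example.com", "example.com", "evilexample.com", "route2.example.org"}
	fmt.Println(EffectiveHostnames("*.example.com", routes))
	fmt.Println(EffectiveHostnames("*.example.com", nil))
}
```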
For gateway resources, the reconciliation should start if any of below events happens:
- Changes in related GatewayClass
- Changes in any of HTTPRoute status
- Changes in owning LB services status
- Changes in owning CEC (as currently we don't have status subresource)
- Changes in any Secret used in TLS

As we are using the same LB service for all listeners, it's all or nothing for ListenerStatus.

Signed-off-by: Tam Mach <tam.mach@cilium.io>
This commit is to make sure that any TLS related secret will be synced to cilium-secrets namespace, so that the agent's permission is scoped down to single namespace instead of cluster-wide. The same approach is used in Ingress. However, it's better to keep it separate due to:
- underlying framework is different (e.g. controller-runtime)
- placeholder to support ReferenceGrant API later.

Signed-off-by: Tam Mach <tam.mach@cilium.io>
This commit is to support ReferenceGrant for cross-namespace resources:
- Secret is referenced in Gateway
- Service is referenced in HTTPRoute

The conformance test is also enabled with ReferenceGrant feature.

Signed-off-by: Tam Mach <tam.mach@cilium.io>
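Added example, not code from this PR or from Cilium: a minimal Go model of the ReferenceGrant rule the commit message above relies on, where a cross-namespace reference (Gateway to Secret, HTTPRoute to Service) is honoured only if a grant in the target's namespace names both the referrer and the target. The `Ref` and `ReferenceGrant` types, `Allowed`, and the namespaces and object names are hypothetical stand-ins constructed for illustration.

```go
package main

import "fmt"

// Simplified model of ReferenceGrant v1alpha2: hypothetical local types, not gateway-api's.
type Ref struct{ Group, Kind, Namespace, Name string }

type ReferenceGrant struct {
	Namespace string // a grant only covers targets in its own namespace
	From, To  []Ref  // From: Group/Kind/Namespace; To: Group/Kind, empty Name = any
}

func fromOK(f, src Ref) bool {
	return f.Group == src.Group && f.Kind == src.Kind && f.Namespace == src.Namespace
}
func toOK(t, dst Ref) bool {
	return t.Group == dst.Group && t.Kind == dst.Kind && (t.Name == "" || t.Name == dst.Name)
}

// Allowed reports whether src may reference dst: always within one namespace,
// otherwise only via a grant in dst's namespace matching both src and dst.
func Allowed(grants []ReferenceGrant, src, dst Ref) bool {
	if src.Namespace == dst.Namespace {
		return true
	}
	for _, g := range grants {
		for _, f := range g.From {
			for _, t := range g.To {
				if g.Namespace == dst.Namespace && fromOK(f, src) && toOK(t, dst) {
					return true
				}
			}
		}
	}
	return false
}

// Constructed sample: namespace "certs" lets Gateways in "infra" use one Secret.
var sampleGrants = []ReferenceGrant{{
	Namespace: "certs",
	From:      []Ref{{Group: "gateway.networking.k8s.io", Kind: "Gateway", Namespace: "infra"}},
	To:        []Ref{{Kind: "Secret", Name: "wildcard-tls"}}, // core API group is ""
}}

func main() {
	edge := Ref{"gateway.networking.k8s.io", "Gateway", "infra", "edge"}
	fmt.Println(Allowed(sampleGrants, edge, Ref{"", "Secret", "certs", "wildcard-tls"}))
	fmt.Println(Allowed(sampleGrants, edge, Ref{"", "Secret", "certs", "other-tls"}))
}
```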
sayboras force-pushed the ft/master/gateway-api-support branch from 39984cb to 3cbb772, October 31, 2022 06:28
/test
Job 'Cilium-PR-K8s-1.24-kernel-4.19' has 2 failures but they might be new flakes since it also hit 1 known flakes: #17628 (92.24)
aanm reviewed, Oct 31, 2022
This commit is to add gateway api conformance test from upstream. The goal is to have it running on every PR, so that we can catch any issue due to regression, refactoring or adding new features. The upstream conformance, by default, is not configured with query param matching feature. To reduce the coupling with upstream, the conformance_test.go is added for flexibility, for example, query param tests are enabled.

Signed-off-by: Tam Mach <tam.mach@cilium.io>
sayboras force-pushed the ft/master/gateway-api-support branch from 3cbb772 to 497f3d7, October 31, 2022 10:25
Merging since the only change done was https://github.com/cilium/cilium/compare/3cbb772a5f5dbecf88addd4c443568d15bcd9c49..497f3d7c2ac30693ebd69a6bc4bc8edf9e58319d and the CI was green before the push.
Labels
area/servicemesh
GH issues or PRs regarding servicemesh
release-note/major
This PR introduces major new functionality to Cilium.
Description
This is to support betav1 API Gateway API spec from the upstream. Additionally, ReferenceGrant v1alpha2 is included.
Relates #20655
Details
Please refer to individual commit for more details. In the high level, we are having a controller for each resource:
Tasks
Note: Documentation will be done after the first round of review, or in subsequent PR
At the time of writing, the below APIs were just graduated to beta, it's making sense to start with these APIs as the first step.
At the high level, the L7 HTTP route could be done the same way Cilium does with IngressController. Below items can be used as references or starting points:
- Pre-configure Cilium GatewayClass if the feature flag is enabled.
- User needs to configure Cilium GatewayClass accordingly if CRDs are not pre-installed.
- Multiple gateway classes are supported.

Follow-up Actions
This list will be updated based on review comments.
Testing
Conformance test
Please refer related commit on how the conformance test is customized and run as part of GHA. Below is a snippet of the test result.
Conformance test
Basic Test
Basic testing is done with the below spec, mainly to verify again with HTTP and HTTPS listeners. Note: HTTPS conformance test seems to run with ReferenceGrant only, however, ReferenceGrant is not beta yet in v0.5.1
Test snippet