docs: update multiple-ns guide for v1alpha2

[shaneutt]

What type of PR is this?

/kind documentation

What this PR does / why we need it:

This updates the multiple-ns.md guide for v1alpha2.

Which issue(s) this PR fixes:

Resolves the 3rd task for #783

Does this PR introduce a user-facing change?:

NONE

[k8s-ci-robot]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[hbagdi]

@robscott Are we using "Route Binding" or "Route attachment" from a terminology perspective? If latter, please change within the doc for consistency.

[robscott]

I think we've historically used the terms interchangeably, but especially with the newer v1alpha2 approach, I personally prefer "attachment"

[shaneutt]

It looks like we're getting a lot of this mixed around, for instance the site-src/v1alpha2/concepts/api-overview.md recently changed the nomenclature of the section previously known as Route Binding to Attaching Routes to Gateways but then inside of that section continues to use the word binding (interchangeably, as rob suggested).

For the purposes of updating this specific guide, I've removed the binding language and just use "attachment" for consistency with the Attaching Routes to Gateways section in the concepts docs:

48b31b7

Let me know what you think.

[youngnick]

I'm still working on the API overview, but I think we should standardise on "attach" as well.

[mark-church]

this guide now uses "route attachment"

[hbagdi]

Route-owners can specify that they will bind with all Gateways in the cluster,
or only Gateways from a specific Namespace, with a specific label selector, or
an individual Gateway.

This is outdated. Route owners now target specific gateways only.

Similarly, Gateways provide the same level of control.

Please expand on this. Gateways trust namespaces where Routes (which bind to it) can live.

[shaneutt]

49cd40e was created to clean up the wording, and expand the wording as requested.

[robscott]

Thanks for all your work on this @shaneutt!

[robscott]

I think this should be updated more significantly. It all seems a bit too close to the v1alpha1 docs with the mentions of selection. In the new model, Routes directly reference Gateways they want to attach to, and Gateways describe where they trust Routes to attach from. These docs got lost in the recent restructuring, but might be a helpful reference point for rewriting this: https://deploy-preview-762--kubernetes-sigs-gateway-api.netlify.app/v1alpha2/concepts/api-overview/#how-it-works.

[shaneutt]

2ad44ca was an attempt to significantly reword this area of the guide based on feedback, let me know your thoughts and if you feel there's more that needs to be done here.

I made changes such as:

• using specific label selectors for namespaces, instead of "All"
• splitting the previous "deployment" section into two sections "multiple ns for gateways" and "attaching routes"

[youngnick]

I think what you have is looking pretty good, but I'd probably change this to reference that Gateways allow attachment, and Routes request attachment.

So, this section should be something like (sorry Github won't let me suggest here for some reason):

As a result, Gateways and Routes have independent control to determine which
resources will succeed in attaching. It is a handshake between the infra owners
and the application owners that allows them to be independent actors. Routes
can only attach to specified gateways and Gateways provide a similar level of
selection control over which Routes they allow to attach to by trusting
specific namespaces in which those Routes live and operate. This allows a
cluster to be more self-governed, which requires less central administration
to ensure that Routes are not over-exposed.

I also think we need to be really careful with "forward traffic to" because that implies the existence of an extra routing hop, which won't be the case with most implementations.

I think that for the attachment process, we need to make sure we're talking purely in terms of the Kubernetes objects and how they interact.

[shaneutt]

I made the changes you requested in e5488f6 and verified that the word "forwarding" is being used in the technical sense and is not misrepresented elsewhere in the doc. Let me know if there's anything further you want to see changed.

[youngnick]

Sorry, I'm being really nitpicky about language I've been inconsistent with too. But I think that the point that we need to have consistent language is one hundred percent fair, and I think that should extend to how we talk about the Route - Gateway attachment process.

[youngnick]

I think what you have is looking pretty good, but I'd probably change this to reference that Gateways allow attachment, and Routes request attachment.

So, this section should be something like (sorry Github won't let me suggest here for some reason):

As a result, Gateways and Routes have independent control to determine which
resources will succeed in attaching. It is a handshake between the infra owners
and the application owners that allows them to be independent actors. Routes
can only attach to specified gateways and Gateways provide a similar level of
selection control over which Routes they allow to attach to by trusting
specific namespaces in which those Routes live and operate. This allows a
cluster to be more self-governed, which requires less central administration
to ensure that Routes are not over-exposed.

I also think we need to be really careful with "forward traffic to" because that implies the existence of an extra routing hop, which won't be the case with most implementations.

I think that for the attachment process, we need to make sure we're talking purely in terms of the Kubernetes objects and how they interact.

[shaneutt]

As a note please don't merge thus until we hear back from @mark-church, as he and I were talking in Slack and I've given him write access to my fork: he has some updates he wants to add to this guide as well as a part of this PR.

[hbagdi]

As a note please don't merge thus until we hear back from @mark-church, as he and I were talking in Slack and I've given him write access to my fork: he has some updates he wants to add to this guide as well as a part of this PR.

/hold

[shaneutt]

Just an update: Talked with Mark, we've still got some inbound commits for this PR he's working on 👍 still on hold for a bit longer

[mark-church]

okay finally got my edits in! @shaneutt I accidentally created a PR in your repo, which you can ignore, while trying to figure out how to push to your PR.

[mark-church]

Seeing following error in the tests but I am unsure why:

error: error validating "examples/v1alpha2/cross-namespace-routing/gateway.yaml": error validating data: ValidationError(Gateway.spec.listeners[0]): unknown field "routes" in io.k8s.networking.gateway.v1alpha2.Gateway.spec.listeners; if you choose to ignore these errors, turn validation off with --validate=false

[shaneutt]

/unhold

[robscott]

@mark-church listener.routes has been renamed to listener.allowedRoutes based on feedback from the sig-network review.

[robscott]

Thanks for the work on this @shaneutt and @mark-church! Have a few nits but otherwise LGTM.

[robscott]

Not sure on this one, but maybe "different", feel free to ignore.

Suggested change

	attached to Gateways across Namespace boundaries. This allows differing user access and
	attached to Gateways across Namespace boundaries. This allows different user access and

[robscott]

Suggested change

	is explored in this guide and demonstrates how independent teams can safely
	share the same Gateway.
	is explored in this guide and demonstrates how independent teams can safely
	share the same Gateway.

[robscott]

Tiny nit, but maybe the second "and" can be removed, feel free to ignore.

Suggested change

	terminate all traffic going to all its attached Routes, without any TLS configuration
	terminate all traffic going to its attached Routes, without any TLS configuration

[robscott]

I think you'd still need a line like this, just from: "SameNamespace"

[robscott]

Suggested change

	shared-gateway-access: "true"
	shared-gateway-access: "true"

[robscott]

I found this section a bit confusing, but I'm not sure my suggestion here is better, feel free to ignore.

Suggested change

	application owners that enables them to be independent actors. Routes
	can only attach to specified Gateways and Gateways can constrain the Namespaces
	and type of Routes which are able to attach to it. Clusters which use attachment
	constraints to govern Route and Gateway attachment require less central administration
	application owners that enables them to be independent actors. App owners directly reference
	the Gateway(s) they want their Routes to be attached to. Infra owners can constrain the
	namespaces and types of Routes that can be attached to their Gateway(s). Clusters which use
	these attachment constraints to govern Route and Gateway attachment require less central
	administration

[robscott]

Maybe this was the intent?

Suggested change

	`shared-gateway` Gateway. The Gateway merges its bound attached into a single flat
	`shared-gateway` Gateway. The Gateway merges its attached Routes into a single flat

[robscott]

I think it's better to remove the idea of selecting each other since that's not really what happens now.

Suggested change

	and Gateways select each other to apply routing configuration to a Gateway. It
	are attached to Gateways. It

[robscott]

Suggested change

	is especially relevant when there are multiple Gateways and multiple Namespaces
	in a cluster. Gateway and Route attachment is bidirectional - attachment can
	is especially relevant when there are Routes in multiple namespaces that need to be
	attached to a shared Gateway. Gateway and Route attachment is bidirectional - attachment can

[robscott]

Nit: Looks like an extra newline here.

[robscott]

Thanks for the work on this @shaneutt and @mark-church!

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: robscott, shaneutt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [robscott]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment