-
Notifications
You must be signed in to change notification settings - Fork 435
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docs: update multiple-ns guide for v1alpha2 #807
docs: update multiple-ns guide for v1alpha2 #807
Conversation
Skipping CI for Draft Pull Request. |
fb71855
to
c365248
Compare
b18e2eb
to
b86de6e
Compare
the least permissive choice which ensures that other Gateways in the cluster | ||
(perhaps created in the future at some point) will not bind with these Routes. | ||
If cluster administrators have full control over how Gateways are deployed in a | ||
cluster then a more permissive binding option could be configured on Routes. The |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@robscott Are we using "Route Binding" or "Route attachment" from a terminology perspective? If latter, please change within the doc for consistency.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we've historically used the terms interchangeably, but especially with the newer v1alpha2 approach, I personally prefer "attachment"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks like we're getting a lot of this mixed around, for instance the site-src/v1alpha2/concepts/api-overview.md
recently changed the nomenclature of the section previously known as Route Binding
to Attaching Routes to Gateways
but then inside of that section continues to use the word binding (interchangeably, as rob suggested).
For the purposes of updating this specific guide, I've removed the binding language and just use "attachment" for consistency with the Attaching Routes to Gateways
section in the concepts docs:
Let me know what you think.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm still working on the API overview, but I think we should standardise on "attach" as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this guide now uses "route attachment"
@@ -63,90 +64,71 @@ administration to ensure that Routes are not over-exposed. | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Route-owners can specify that they will bind with all Gateways in the cluster,
or only Gateways from a specific Namespace, with a specific label selector, or
an individual Gateway.
This is outdated. Route owners now target specific gateways only.
Similarly, Gateways provide the same level of control.
Please expand on this. Gateways trust namespaces where Routes (which bind to it) can live.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
49cd40e was created to clean up the wording, and expand the wording as requested.
b86de6e
to
0ab36db
Compare
1d12e51
to
49cd40e
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for all your work on this @shaneutt!
examples/v1alpha2/cross-namespace-routing/example-namespaces.yaml
Outdated
Show resolved
Hide resolved
As a result, Gateways and Routes have independent control to determine which | ||
resources they permit binding with. It is a handshake between the infra owners | ||
and the application owners that allows them to be independent actors. | ||
Route-owners can specify that they will bind with all Gateways in the cluster, | ||
or only Gateways from a specific Namespace, with a specific label selector, or | ||
an individual Gateway. Similarly, Gateways provide the same level of control. | ||
This allows a cluster to be more self-governed, which requires less central | ||
administration to ensure that Routes are not over-exposed. | ||
resources they permit attaching to. It is a handshake between the infra owners | ||
and the application owners that allows them to be independent actors. Routes | ||
can only attach to specified gateways and Gateways provide a similar level of | ||
selection control over which Routes they will send traffic to by trusting | ||
specific namespaces in which those Routes live and operate. This allows a | ||
cluster to be more self-governed, which requires less central administration | ||
to ensure that Routes are not over-exposed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this should be updated more significantly. It all seems a bit too close to the v1alpha1 docs with the mentions of selection. In the new model, Routes directly reference Gateways they want to attach to, and Gateways describe where they trust Routes to attach from. These docs got lost in the recent restructuring, but might be a helpful reference point for rewriting this: https://deploy-preview-762--kubernetes-sigs-gateway-api.netlify.app/v1alpha2/concepts/api-overview/#how-it-works.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
2ad44ca was an attempt to significantly reword this area of the guide based on feedback, let me know your thoughts and if you feel there's more that needs to be done here.
I made changes such as:
- using specific label selectors for namespaces, instead of "All"
- splitting the previous "deployment" section into two sections "multiple ns for gateways" and "attaching routes"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think what you have is looking pretty good, but I'd probably change this to reference that Gateways allow attachment, and Routes request attachment.
So, this section should be something like (sorry Github won't let me suggest here for some reason):
As a result, Gateways and Routes have independent control to determine which
resources will succeed in attaching. It is a handshake between the infra owners
and the application owners that allows them to be independent actors. Routes
can only attach to specified gateways and Gateways provide a similar level of
selection control over which Routes they allow to attach to by trusting
specific namespaces in which those Routes live and operate. This allows a
cluster to be more self-governed, which requires less central administration
to ensure that Routes are not over-exposed.
I also think we need to be really careful with "forward traffic to" because that implies the existence of an extra routing hop, which won't be the case with most implementations.
I think that for the attachment process, we need to make sure we're talking purely in terms of the Kubernetes objects and how they interact.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I made the changes you requested in e5488f6 and verified that the word "forwarding" is being used in the technical sense and is not misrepresented elsewhere in the doc. Let me know if there's anything further you want to see changed.
1885e38
to
8908617
Compare
d2ff120
to
2ad44ca
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, I'm being really nitpicky about language I've been inconsistent with too. But I think that the point that we need to have consistent language is one hundred percent fair, and I think that should extend to how we talk about the Route - Gateway attachment process.
As a result, Gateways and Routes have independent control to determine which | ||
resources they permit binding with. It is a handshake between the infra owners | ||
and the application owners that allows them to be independent actors. | ||
Route-owners can specify that they will bind with all Gateways in the cluster, | ||
or only Gateways from a specific Namespace, with a specific label selector, or | ||
an individual Gateway. Similarly, Gateways provide the same level of control. | ||
This allows a cluster to be more self-governed, which requires less central | ||
administration to ensure that Routes are not over-exposed. | ||
resources they permit attaching to. It is a handshake between the infra owners | ||
and the application owners that allows them to be independent actors. Routes | ||
can only attach to specified gateways and Gateways provide a similar level of | ||
selection control over which Routes they will send traffic to by trusting | ||
specific namespaces in which those Routes live and operate. This allows a | ||
cluster to be more self-governed, which requires less central administration | ||
to ensure that Routes are not over-exposed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think what you have is looking pretty good, but I'd probably change this to reference that Gateways allow attachment, and Routes request attachment.
So, this section should be something like (sorry Github won't let me suggest here for some reason):
As a result, Gateways and Routes have independent control to determine which
resources will succeed in attaching. It is a handshake between the infra owners
and the application owners that allows them to be independent actors. Routes
can only attach to specified gateways and Gateways provide a similar level of
selection control over which Routes they allow to attach to by trusting
specific namespaces in which those Routes live and operate. This allows a
cluster to be more self-governed, which requires less central administration
to ensure that Routes are not over-exposed.
I also think we need to be really careful with "forward traffic to" because that implies the existence of an extra routing hop, which won't be the case with most implementations.
I think that for the attachment process, we need to make sure we're talking purely in terms of the Kubernetes objects and how they interact.
As a note please don't merge thus until we hear back from @mark-church, as he and I were talking in Slack and I've given him write access to my fork: he has some updates he wants to add to this guide as well as a part of this PR. |
/hold |
Just an update: Talked with Mark, we've still got some inbound commits for this PR he's working on 👍 still on hold for a bit longer |
okay finally got my edits in! @shaneutt I accidentally created a PR in your repo, which you can ignore, while trying to figure out how to push to your PR. |
25510e0
to
6801ae3
Compare
Seeing following error in the tests but I am unsure why:
|
/unhold |
@mark-church |
6801ae3
to
7a7afb2
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the work on this @shaneutt and @mark-church! Have a few nits but otherwise LGTM.
access and fault domains. | ||
|
||
Gateways and Routes can be deployed into different Namespaces and Routes | ||
attached to Gateways across Namespace boundaries. This allows differing user access and |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure on this one, but maybe "different", feel free to ignore.
attached to Gateways across Namespace boundaries. This allows differing user access and | |
attached to Gateways across Namespace boundaries. This allows different user access and |
is explored in this guide and demonstrates how independent teams can safely | ||
share the same Gateway. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is explored in this guide and demonstrates how independent teams can safely | |
share the same Gateway. | |
is explored in this guide and demonstrates how independent teams can safely | |
share the same Gateway. |
This Gateway also configures HTTPS using the `foo-example-com` Secret | ||
in the `infra-ns` Namespace. This allows the infrastructure team to centrally | ||
manage TLS on behalf of app owners. The `foo-example-com` certificate will | ||
terminate all traffic going to all its attached Routes, without any TLS configuration |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tiny nit, but maybe the second "and" can be removed, feel free to ignore.
terminate all traffic going to all its attached Routes, without any TLS configuration | |
terminate all traffic going to its attached Routes, without any TLS configuration |
namespaces: | ||
from: "All" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you'd still need a line like this, just from: "SameNamespace"
from: "All" | ||
selector: | ||
matchLabels: | ||
shared-gateway-access: "true" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
shared-gateway-access: "true" | |
shared-gateway-access: "true" |
application owners that enables them to be independent actors. Routes | ||
can only attach to specified Gateways and Gateways can constrain the Namespaces | ||
and type of Routes which are able to attach to it. Clusters which use attachment | ||
constraints to govern Route and Gateway attachment require less central administration |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I found this section a bit confusing, but I'm not sure my suggestion here is better, feel free to ignore.
application owners that enables them to be independent actors. Routes | |
can only attach to specified Gateways and Gateways can constrain the Namespaces | |
and type of Routes which are able to attach to it. Clusters which use attachment | |
constraints to govern Route and Gateway attachment require less central administration | |
application owners that enables them to be independent actors. App owners directly reference | |
the Gateway(s) they want their Routes to be attached to. Infra owners can constrain the | |
namespaces and types of Routes that can be attached to their Gateway(s). Clusters which use | |
these attachment constraints to govern Route and Gateway attachment require less central | |
administration |
precedence](/references/spec/#networking.x-k8s.io/v1alpha1.HTTPRouteRule) | ||
between the flat list of routing rules is determined by most specific match and | ||
After these three Routes are deployed, they will all be attached to the | ||
`shared-gateway` Gateway. The Gateway merges its bound attached into a single flat |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe this was the intent?
`shared-gateway` Gateway. The Gateway merges its bound attached into a single flat | |
`shared-gateway` Gateway. The Gateway merges its attached Routes into a single flat |
owner both agree to the relationship. This bi-directional relationship exists | ||
for two reasons: | ||
[Route attachment][attaching] is an important concept that dictates how Routes | ||
and Gateways select each other to apply routing configuration to a Gateway. It |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it's better to remove the idea of selecting each other since that's not really what happens now.
and Gateways select each other to apply routing configuration to a Gateway. It | |
are attached to Gateways. It |
is especially relevant when there are multiple Gateways and multiple Namespaces | ||
in a cluster. Gateway and Route attachment is bidirectional - attachment can |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is especially relevant when there are multiple Gateways and multiple Namespaces | |
in a cluster. Gateway and Route attachment is bidirectional - attachment can | |
is especially relevant when there are Routes in multiple namespaces that need to be | |
attached to a shared Gateway. Gateway and Route attachment is bidirectional - attachment can |
kind: Namespace | ||
metadata: | ||
name: no-external-access | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: Looks like an extra newline here.
35132c5
to
958cf60
Compare
…aints, and updated guide text
958cf60
to
3900382
Compare
Thanks for the work on this @shaneutt and @mark-church! /lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: robscott, shaneutt The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind documentation
What this PR does / why we need it:
This updates the
multiple-ns.md
guide forv1alpha2
.Which issue(s) this PR fixes:
Resolves the 3rd task for #783
Does this PR introduce a user-facing change?: