-
-
Notifications
You must be signed in to change notification settings - Fork 56
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
UDPRoutes from other namespaces are not getting attached #90
Comments
Thanks for the report, this is indeed a bug. In fact, it is a combination of two things: a somewhat underdocumented STUNner limitation plus an actual bug:
Is deploying the Gateway and the UDPRoute into the same namespace an acceptable workaround to you until we fix this? Note that, as another subtle STUNner limitation, currently the UDPRoute can refer to any Service in any namespace (see docs here): to comply with the Gateway API we would also need to implement ReferenceGrants, but this is also a low-prio item on the TODO list at this point. |
This would mean I need to allow application helm chart to modify stunner namespace or add UDPRoutes to stunner-config helm chart. It can be temp workaround, but it's not good. Thank you very much for a quick response anyway, at the moment I'll use this workaround, but I'm waiting for this to be solved! :D |
I see. We'll prioritize this feature then. Quick question: do you want full support for ReferenceGrants (ReferenceGrant is a CRD that you place into a namespace to allow Gateways from other namespaces to accept routes from said namespace or vice versa) or is it enough if we allow UDPRoute bindings from any namespace without restriction? Anyway, this feature is contingent on another major milestone: maganed dataplane support in the operator. Once that lands, we can easily add support for cross-namespace bindings. Until then, please bear with us. Or better yet: please keep on bugging us frequently on Discord or here so that we do not forget!...:-) |
This would be enough: https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.AllowedRoutes (a field on the listener). I don't use discord ;/ |
This should now fixed as of e770d05 in the gateway-operator repo, can you please test? The below now works for me perfectly: apiVersion: gateway.networking.k8s.io/v1alpha2
kind: Gateway
metadata:
name: stunner-config
namespace: stunner
spec:
gatewayClassName: stunner-gatewayclass
listeners:
- name: udp-listener
port: 3478
protocol: UDP
allowedRoutes:
namespaces:
from: All apiVersion: gateway.networking.k8s.io/v1alpha2
kind: UDPRoute
metadata:
name: janus-dev
namespace: dev
spec:
parentRefs:
- name: stunner-config
namespace: stunner
rules:
- backendRefs:
- name: janus-dev
namespace: dev You can also use label selectors to choose the namespaces the gateway would accept routes from: apiVersion: gateway.networking.k8s.io/v1alpha2
kind: Gateway
metadata:
name: stunner-config
namespace: stunner
spec:
gatewayClassName: stunner-gatewayclass
listeners:
- name: udp-listener
port: 3478
protocol: UDP
allowedRoutes:
namespaces:
from: Selector
selector:
matchLabels:
udp-gateway: accept
Of course, this requires the target namespace to be labelled with Currently this feature is only available on the dev release channel from the helm install stunner-gateway-operator stunner/stunner-gateway-operator-dev --create-namespace --namespace=stunner-system We hope to put together a new stable release soon. Please report back your findings. |
@FLM210 Can I please ask you to test the dev version to know if it fixes the problem? I've no time to break my develop infra just to check if it fixes the issue. |
The dev version solved my problem, but there is a small issue with the dev version |
This should be fixed by now. |
@FLM210 Can you check it now? |
@davidkornel Now the dev version can run normally |
Great, if you face any issues feel free to reopen, until then I'm closing this issue. |
Hello,
I hit very weird problem today:
When I'm using UDPRoute in app's namespace (and allowed all namespaces on the listener) - the route seems attached in route status, but on Gateway status there are 0 attached routes. My clients also cannot connect to the backend app and are getting permission denied from the stunner.
There's a route:
But when I apply similar route to the same namespace as Gateway is - it works just fine.
Now traffic is being passed through stunner and gateway shows
attachedRoutes: 1
on the listener status.The text was updated successfully, but these errors were encountered: