• Goal: Pass the test which is same with TestIngressTLS in networking repo by conformance test and controller e2e test.
• Non-goal: Support of net-certmanager, net-http01 functionality.

HTTPRoute does not support tls setting on v1alpha2 (v0.4.0) so we need to use tls.certificateRefs in Gateway like this example.

Current blocker:

• istio/istio#36075
• knative/pkg#2327

This is a tracking issue for kubernetes-sigs/gateway-api#184.
Currently gateway-apis does not define the API of retry policy. So Istio attempts to retry 503 error which is an Istio's default behavior.

We need to wait for gateway-apis defines the API by kubernetes-sigs/gateway-api#184.

Contour is going to cut a new release as soon as Gateway API releases v1beta1/v0.5.0. In the mean time, updating to a recent commit on main for now to start running tests and fixing issues/updating tests.

For more context, see this bit of discussion:
update to Gateway API v0.5.0/v1beta1 · Issue #4560 · projectcontour/contour

Since Gateway API v0.4.0, Istio supports Mesh Traffic:

https://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/#mesh-traffic

this should be included in the test/controller implementation.

These tests are reimplementation of the same conformance tests in https://github.com/knative/networking/tree/main/test/conformance/ingress. These tests are run without the net-gateway-api controller.

(test/kind-conformance-contour.sh)

• Add basics/*
  • TestBasics
  • TestBasicsHTTP2
  • reference: kubernetes-sigs/gateway-api#204
• Add headers/*
  • TestProbeHeaders - #349
  • TestPreSplitSetHeaders
  • TestPostSplitSetHeaders
  • references:
    • projectcontour/contour#3539
    • projectcontour/contour#3538
• Add dispatch/*
  • TestPath
  • TestPercentage
    • reference: https://github.com/projectcontour/contour/issues/
  • TestPathAndPercentageSplit
  • TestRule
• Add TestMultipleHosts
• Add TestTimeout
• Add websocket/*
  • TestWebsocket
  • TestWebsocketSplit
  • reference: kubernetes-sigs/gateway-api#205
• Add grpc/*
  • Add TestGRPC
  • TestGRPCSplit
• Add visibility/*
  • TestVisibility
  • TestVisibilitySplit
  • TestVisibilityPath
• TestRetry - #20
• TestIngressTLS - #351
  • note: test should pass based on Add support for TLS (conformance test passes) by evankanderson · Pull Request #316 · knative-sandbox/net-gateway-api, but still need to be implemented.
  • projectcontour/contour#3404
  • see: #36 (comment)
• TestUpdate - #352
• TestIngressClass - #353

Should this be in gateway api's conformance testing?

Ref.: knative-extensions/net-istio#585.

app: controller 

https://github.com/knative-sandbox/net-gateway-api/blob/51f18c0d6787f55151d4956b78e4c3aedde6cc49/config/controller.yaml#L28-L45

Issues for adding/fixing Contour conformance and e2e tests.

Critical issue:

• Multiple HTTPRoutes causes 404 projectcontour/contour#3591

Contour & gateway-api:

Note: as these tests get successfully run, their corresponding features get dropped from the list of unavailable features.

• Add TestBasicsHTTP2 & TestGRPC/* kubernetes-sigs/gateway-api#204
• Add TestIngressTLS
  • test should pass based on Add support for TLS (conformance test passes) by evankanderson · Pull Request #316 · knative-sandbox/net-gateway-api, but still need to be implemented.
  • projectcontour/contour#3404
    • see: #36 (comment)
• Add TestRetry - #20
• Add TestWebsocket kubernetes-sigs/gateway-api#205

Done

• Add headers/* & dispatch/* projectcontour/contour#3539 & projectcontour/contour#3538
• Add TestVisibility*
• Add TestPercentage - projectcontour/contour#3560

Current https://github.com/knative/serving runs e2e test against Istio, Contour and Kourier.
net-gateway-api (probably with Istio) should be added in serving's repo.

This checklist tracks that all Knative conformance tests for this Gateway API implementation are passing.

• basics/TestBasics
• basics/TestBasicsHTTP2
• grpc/TestGRPC
• grpc/TestGRPCSplit
• headers/TestProbeHeaders
• headers/TestPreSplitSetHeaders
• headers/TestPostSplitSetHeaders
• hosts/TestMultipleHosts
• dispatch/TestPath
• dispatch/TestPercentage
• dispatch/TestPathAndPercentageSplit
• dispatch/TestRule
• retry/TestRetry
• timeout/TestTimeout
• tls/TestIngressTLS
• update/TestUpdate
• visibility/TestVisibility
• visibility/TestVisibilitySplit
• visibility/TestVisibilityPath
• ingressclass/TestIngressClass
• websocket/TestWebsocket
• websocket/TestWebsocketSplit

Sources:

• skipped tests here: https://github.com/knative-sandbox/net-gateway-api/blob/a48a0ab1752d379a2de4b9bebb678e68d0298247/test/e2e-library.sh#L115
• conformance test to be implemented as per this list: #348

Updated: Aug, 8 2022.

Currenty, we assume a single Gateway resource; when using auto-TLS, we need to update Spec.Listeners for each Knative Route.

The default controller implementation will attempt to reconcile multiple KIngress resources at once, which means that it's likely that we will get some number of update collisions on the Gateway. We should figure out a mechanism for spreading updates across multiple Gateways to enable HA / multi-threaded controllers without bottlenecking on a single Gateway instance.

This is extracted from this PR comment

This checklist tracks that all Knative conformance tests for this Gateway API implementation are passing.

• basics/TestBasics
• basics/TestBasicsHTTP2
• grpc/TestGRPC
• grpc/TestGRPCSplit
• headers/TestProbeHeaders
• headers/TestPreSplitSetHeaders
• headers/TestPostSplitSetHeaders
• hosts/TestMultipleHosts
• dispatch/TestPath
• dispatch/TestPercentage
• dispatch/TestPathAndPercentageSplit
• dispatch/TestRule
• retry/TestRetry
• timeout/TestTimeout
• tls/TestIngressTLS
• update/TestUpdate
• visibility/TestVisibility
• visibility/TestVisibilitySplit
• visibility/TestVisibilityPath
• ingressclass/TestIngressClass
• websocket/TestWebsocket
• websocket/TestWebsocketSplit

Sources:

• skipped tests here: https://github.com/knative-sandbox/net-gateway-api/blob/a48a0ab1752d379a2de4b9bebb678e68d0298247/test/e2e-library.sh#L115
• conformance test to be implemented as per this list: #348

Updated: Aug, 8 2022.

The background is described in original issue - knative/serving#6642
The original design introduced Realm and Domain CRDs but it stopped developing as the design is difficult to align with Ingress v2 (Gateway API).

The new Gateway API controller has visibility based setting (it maps one Visibility to one Gateway) like:

https://github.com/knative-sandbox/net-gateway-api/blob/9218e0d7ff957b2ea4ec106abfdd018988bf72a3/config/config-gateway.yaml#L42-L50

So it will be possible to achieve the goal what knative/serving#6642 tried to address.

Ref.: projectcontour/contour#4603.

These tests are reimplementation of the same conformance tests in https://github.com/knative/networking/tree/main/test/conformance/ingress. These tests are run without the net-gateway-api controller.

(test/kind-conformance-contour.sh)

With this checklist, a new issue can be opened for each implementation and each test checked off as the tests are confirmed as passing.

For visibility, maybe it would be useful to keep these issues pinned and check the tests on/off as the status of each changes.

These are all the tests: #348

Currently net-gateway-api uses v1alpha1 CRD (v0.3.0) but the latest version is v1alpha2 (v0.4.0).

Once knative/pkg#2327 was merged, we need to work on the upgrade.

Ref.: kubernetes-sigs/gateway-api#1248.

Ref.:nhttps://github.com/kubernetes-sigs/gateway-api/discussions/1246.

#74 will points to the Gateway by GatewayAllowAll. We should use
It should use GatewayAllowFromList.

Note, the K Gateway needs some requirement:

• Gateway for Istio to be deployed in the same namespace with Istio's istio-ingressgateway and knative-local-gateway svc.
• Gateway for Contour does not matter about the namespace as Contour can specify the namespace.
• Gateway for Istio needs to configure spec.addresses for knative-local-gateway.istio-system.svc.cluster.local.

These tests are run with the net-gateway-api controller. They are the tests here: net-gateway-api/pkg/reconciler/ingress at main · knative-sandbox/net-gateway-api.

Ex: for how they are invoked:
(test/kind-e2e-contour.sh)

With this checklist, a new issue can be opened for each implementation and each test checked off as the tests are confirmed as passing.

For visibility, maybe it would be useful to keep these issues pinned and check the tests on/off as the status of each changes.

Currently Kourier configures the envoy directly by consuming Kingress. In the future after introducing Ingress v2, we need to think about how to make it work with Kourier before removing all Kingress from serving.

/cc @nak3

knative networking repo added a new test as knative/networking#415.

And 0.4.0-rc1 should support this filter kubernetes-sigs/gateway-api@e4536a0

There are two cases where we might remove Spec.Listeners entries from a Gateway resource:

1. The KIngress associated with the Listener has been deleted.
2. The KIngress associated with the Listener has been changed to have (for example) a different hostname.

Right now, we don't handle either of these scenarios.

Scenario 2 may be somewhat harder; for case 1 we could use a finalizer to make sure that the Gateway entries are removed before the KIngress resource is deleted.

Another option is to turn the reconciliation around and reconcile the Gateway resource(s) across all the KIngresses. I'm not doing that right now because that's not the way the current code is structured, but given #318, that may be a good option.

KIngress has prober function but HTTPRoute does not have it.
Additionally, the HTTPRoute's "admitted" status will not work as it is different from "Ready" status. Please see - https://kubernetes.slack.com/archives/CR0H13KGA/p1611865803004000

TestVisibilitySplit with istio often fails.
Here is some information:

• example log 1, log 2
• The issue is that this HTTPRouteFilter does not set the header so it shows 0% of request received.
• It happens with conformance test only. e2e with controller does not have the issue.
• TestPercentage, which is the same test but just public access, does not cause any error.
• gateway-api v0.4.0 with istio-1.13-alpha.8aea949750d59a51b322d36ec7cac2c60cea5ac8 also has this issue.

Currently the entry point for tests is oriented to Istio. Refactor so Contour tests can also be triggered and with its associated configs.

Updated by: bump istio to v1.14.3 by dprotaso · Pull Request #345 · knative-sandbox/net-gateway-api.

When trying to kick the tires on this project, I've followed the instructions found in DEVELOPMENT.MD.

When following these instructions, I expect to end up with a working knative using the ingressv2 apis, presumably by installing some sort of net-ingressv2 controller.

However, I observe that no controller is installed. I get errors on the last step (ko apply -f test/config/ -f config/) that config/ does not exist (it was removed in #10). When I create an empty directory there the command succeeds, but nothing is installed since the directory is empty.

I'm assuming there's some command to create and populate config/, but it's not in the documents that I can find. go build doesn't work so I don't think it's that.

k8s 1.19.7 in kind e2e uses Contour but it is failing sometimes.

test list: https://github.com/knative-sandbox/net-ingressv2/actions
failed log: https://github.com/knative-sandbox/net-ingressv2/actions/runs/731809836

Upstream also has some issues projectcontour/contour-operator#251

Issues for adding/fixing Istio conformance and e2e tests.

Istio specific:

• Add TestIngressTLS - istio/istio#31747
• Add TestVisibility* - istio/istio#31746
• Add TestRewriteHost - istio/istio#31844

Istio & gateway-api:

Note: as these tests get successfully run, their corresponding features get dropped from the list of unavailable features.

• Fix 0 weight in TestPercentage - istio/istio#31745, kubernetes-sigs/gateway-api#596
• Add TestRetry - #20

(update from @dprotaso) See this comment for the current limit: #317 (comment)

We add a Listener (and a certificate reference) per Knative Route (KIngress). Each one is around 300 bytes, which means that we can probably fit around 3000 Routes into one Gateway before we exceed etcd storage limits.

According to some of the gateway maintainers, we should be able to split these across multilpe Gateways that all share the same IP address (so that users can still get that nice wildcard DNS mapping).

This issue tracks packing Listeners into multiple Gateways, it's extracted from[ this PR comment

When trying to re-work serving's kind e2e workflow I couldn't get the gateway tests (e2e) to pass

Digging at the logs I saw the kingress had the status ReconcileIngressFailed

Looking at the logs it was full of 409 conflicts. It looked like something was mutating the httproutes constantly. This can happen when two controllers fight over the same resource etc.

We need to set up the conformance tests with the way we use Gateway APIs so that the various networking implementations (e.g. Istio, contour) could run them and check if they can support those Gateway APIs.

/assign @nak3

We need to implement Kingress controller with Gateway APIs so that Knative could consume Gateway APIs.

/cc @nak3 I think we still need it as the intermediate step?

Ref.: kubernetes-sigs/gateway-api#1244.

Current config-gateway.yaml does not work due to the following error:

error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string into Go struct field GatewayConfig.gateway of type types.NamespacedName

The reason is that the NamespacedName fails to be marhaled in pkg/reconciler/ingress/config/gateway.go

        entry := make(map[v1alpha1.IngressVisibility]GatewayConfig)
        if err := yaml.Unmarshal([]byte(v), &entry); err != nil {
                return nil, err
        }

Volunteering to review the doc for installation and find opportunities to expand/improve it.

/assign

Assuming that we still need net-ingressv2 controller, we should run the net-ingressv2 controller against Kingress conformance test to ensure it works.

After bumping Gateway API and Contour.