knative-extensions / net-gateway-api
Integration between Knative and service-apis (ingress v2) for Knative Ingress migration.
License: Apache License 2.0
#74 will point to the Gateway by GatewayAllowAll. We should use
It should use GatewayAllowFromList.
Note, the K Gateway needs some requirement: spec.addresses for knative-local-gateway.istio-system.svc.cluster.local.
(update from @dprotaso) See this comment for the current limit: #317 (comment)
We add a Listener (and a certificate reference) per Knative Route (KIngress). Each one is around 300 bytes, which means that we can probably fit around 3000 Routes into one Gateway before we exceed etcd storage limits.
According to some of the gateway maintainers, we should be able to split these across multiple Gateways that all share the same IP address (so that users can still get that nice wildcard DNS mapping).
This issue tracks packing Listeners into multiple Gateways, it's extracted from this PR comment
When trying to kick the tires on this project, I've followed the instructions found in DEVELOPMENT.MD.
When following these instructions, I expect to end up with a working knative using the ingressv2 apis, presumably by installing some sort of net-ingressv2 controller.
However, I observe that no controller is installed. I get errors on the last step (ko apply -f test/config/ -f config/) that config/ does not exist (it was removed in #10). When I create an empty directory there the command succeeds, but nothing is installed since the directory is empty.
I'm assuming there's some command to create and populate config/, but it's not in the documents that I can find. go build doesn't work so I don't think it's that.
Since Gateway API v0.4.0, Istio supports Mesh Traffic:
https://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/#mesh-traffic
this should be included in the test/controller implementation.
Ref.: https://github.com/kubernetes-sigs/gateway-api/discussions/1246.
TestIngressTLS in networking repo by conformance test and controller e2e test.
HTTPRoute does not support tls setting on v1alpha2 (v0.4.0) so we need to use tls.certificateRefs in Gateway like this example.
These tests are reimplementation of the same conformance tests in https://github.com/knative/networking/tree/main/test/conformance/ingress. These tests are run without the net-gateway-api controller. (test/kind-conformance-contour.sh)
Currently the entry point for tests is oriented to Istio. Refactor so Contour tests can also be triggered and with its associated configs.
After bumping Gateway API and Contour.
The background is described in original issue - knative/serving#6642
The original design introduced Realm and Domain CRDs but it stopped developing as the design is difficult to align with Ingress v2 (Gateway API).
The new Gateway API controller has visibility based setting (it maps one Visibility to one Gateway) like:
So it will be possible to achieve the goal what knative/serving#6642 tried to address.
Ref.: projectcontour/contour#4603.
k8s 1.19.7 in kind e2e uses Contour but it is failing sometimes.
test list: https://github.com/knative-sandbox/net-ingressv2/actions
failed log: https://github.com/knative-sandbox/net-ingressv2/actions/runs/731809836
Upstream also has some issues projectcontour/contour-operator#251
Currently Kourier configures the envoy directly by consuming Kingress. In the future after introducing Ingress v2, we need to think about how to make it work with Kourier before removing all Kingress from serving.
/cc @nak3
We need to implement Kingress controller with Gateway APIs so that Knative could consume Gateway APIs.
/cc @nak3 I think we still need it as the intermediate step?
This is a tracking issue for kubernetes-sigs/gateway-api#184.
Currently gateway-apis does not define the API of retry policy. So Istio attempts to retry 503 error which is an Istio's default behavior.
We need to wait for gateway-apis defines the API by kubernetes-sigs/gateway-api#184.
Contour is going to cut a new release as soon as Gateway API releases v1beta1/v0.5.0. In the meantime, updating to a recent commit on main for now to start running tests and fixing issues/updating tests.
For more context, see this bit of discussion:
update to Gateway API v0.5.0/v1beta1 · Issue #4560 · projectcontour/contour
Note: as these tests get successfully run, their corresponding features get dropped from the list of unavailable features.
TestVisibilitySplit with istio often fails.
Here is some information:
HTTPRouteFilter does not set the header so it shows 0% of request received.
TestPercentage, which is the same test but just public access, does not cause any error.
Currently, we assume a single Gateway resource; when using auto-TLS, we need to update Spec.Listeners for each Knative Route.
The default controller implementation will attempt to reconcile multiple KIngress resources at once, which means that it's likely that we will get some number of update collisions on the Gateway. We should figure out a mechanism for spreading updates across multiple Gateways to enable HA / multi-threaded controllers without bottlenecking on a single Gateway instance.
This is extracted from this PR comment
Volunteering to review the doc for installation and find opportunities to expand/improve it.
/assign
Should this be in gateway api's conformance testing?
Sources:
Updated: Aug, 8 2022.
When trying to re-work serving's kind e2e workflow I couldn't get the gateway tests (e2e) to pass.
Digging at the logs I saw the kingress had the status ReconcileIngressFailed.
Looking at the logs it was full of 409 conflicts. It looked like something was mutating the httproutes constantly. This can happen when two controllers fight over the same resource etc.
Current https://github.com/knative/serving runs e2e test against Istio, Contour and Kourier.
net-gateway-api (probably with Istio) should be added in serving's repo.
These tests are reimplementation of the same conformance tests in https://github.com/knative/networking/tree/main/test/conformance/ingress. These tests are run without the net-gateway-api controller. (test/kind-conformance-contour.sh)
With this checklist, a new issue can be opened for each implementation and each test checked off as the tests are confirmed as passing.
For visibility, maybe it would be useful to keep these issues pinned and check the tests on/off as the status of each changes.
These are all the tests: #348
KIngress has prober function but HTTPRoute does not have it.
Additionally, the HTTPRoute's "admitted" status will not work as it is different from "Ready" status. Please see - https://kubernetes.slack.com/archives/CR0H13KGA/p1611865803004000
There are two cases where we might remove Spec.Listeners entries from a Gateway resource:
Right now, we don't handle either of these scenarios.
Scenario 2 may be somewhat harder; for case 1 we could use a finalizer to make sure that the Gateway entries are removed before the KIngress resource is deleted.
Another option is to turn the reconciliation around and reconcile the Gateway resource(s) across all the KIngresses. I'm not doing that right now because that's not the way the current code is structured, but given #318, that may be a good option.
Current config-gateway.yaml does not work due to the following error:
error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string into Go struct field GatewayConfig.gateway of type types.NamespacedName
The reason is that the NamespacedName fails to be marshaled in pkg/reconciler/ingress/config/gateway.go
    entry := make(map[v1alpha1.IngressVisibility]GatewayConfig)
    if err := yaml.Unmarshal([]byte(v), &entry); err != nil {
        return nil, err
    }
Assuming that we still need net-ingressv2 controller, we should run the net-ingressv2 controller against Kingress conformance test to ensure it works.
We need to set up the conformance tests with the way we use Gateway APIs so that the various networking implementations (e.g. Istio, contour) could run them and check if they can support those Gateway APIs.
/assign @nak3
knative networking repo added a new test as knative/networking#415.
And 0.4.0-rc1 should support this filter kubernetes-sigs/gateway-api@e4536a0
Sources:
Updated: Aug, 8 2022.
Currently net-gateway-api uses v1alpha1 CRD (v0.3.0) but the latest version is v1alpha2 (v0.4.0).
Once knative/pkg#2327 was merged, we need to work on the upgrade.
These tests are run with the net-gateway-api controller. They are the tests here: net-gateway-api/pkg/reconciler/ingress at main · knative-sandbox/net-gateway-api.
Ex: for how they are invoked: (test/kind-e2e-contour.sh)
With this checklist, a new issue can be opened for each implementation and each test checked off as the tests are confirmed as passing.
For visibility, maybe it would be useful to keep these issues pinned and check the tests on/off as the status of each changes.