Add new local Gateway sharing same deployment as ingress Gateway. #237
Conversation
knative-prow-robot
added
the
do-not-merge/hold
knative-prow-robot
added
the
size/M
|
/assign @nak3 |
|
I am looking into the test failure. |
|
I need more data. |
|
I am root-causing these new flakes (they also affect |
|
@JRBANCEL does the |
The We specifically don't want that port (8081) to be open, because then cluster local Knative Services would be accessible from outside. |
|
Yes, this migration plan sounds good to me. |
|
This plan sounds good to me. Now the envoy pods will have the configurations of both public Ingress and cluster-local Ingress. I think envoy should have the mechanism to isolate the public config and cluster-local config. But we may still want to double check that users cannot access cluster-local ingress from outside of the cluster just in case. |
|
You may want to add a RELEASE NOTE section in the PR description to make it easier to remember to include in release notes / announcements. Otherwise |
Yes, I tested that. Since the cluster local Gateway is on a port that is not exposed internally, it can't be accessed. |
|
/lgtm |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: JRBANCEL, ZhiminXiang The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
knative-prow-robot
added
the
approved
|
@JRBANCEL is this ready for |
|
Also I assigned you knative/serving#6269 since I thought it would be related to this work. |
|
/hold cancel |
knative-prow-robot
removed
the
do-not-merge/hold
| }, { | ||
| Namespace: system.Namespace(), | ||
| Name: KnativeLocalGateway, | ||
| ServiceURL: fmt.Sprintf(KnativeLocalGateway+".knative-serving.svc.%s", |
There was a problem hiding this comment.
This should be using system.Namespace()
There was a problem hiding this comment.
In fact, we have a helper for synthesizing service hostnames that this should be using too in place of GetClusterDomainName()
Related to #212.
The idea is to create a new
Gatewaynamedknative-local-gateway(more consistent withknative-ingress-gatewaythancluster-local-gateway). This Gateway binds to the same Envoy Pods as the Istio ingress Gateway, but on a different port (8081because8080is already used by Istio). There is a corresponding Kubernetes Service mapping namedknative-local-gatewayliving inknative-serving(cleaner thancluster-local-gatewayliving inistio-system) mapping port80to port8081.knative-local-gatewayis added to the default Istio Gateways, this way the VirtualServices of local Knative Services bind to it (i.e. ready to serve traffic), but because theKIngressstatus uses the first local Gateway in its status, the Services of typeExternalNamestill point tocluster-local-gateway(and it is not accessible to external requests since8081is not exposed through theLoadBalancerService).Effectively, this is a no-op, but in the next release we can remove reference to
cluster-local-gatewayin defaultconfig-istioand there will be no traffic interruption and the requests will flow toknative-local-gateway.After that, everything related to
cluster-local-gatewaycan be safely removed, including theDeployment, which is the end goal here./hold
/assign @tcnghia
/assign @ZhiminXiang
Let me know what you think.