Support an arbitrary number of Listeners per Gateway #4960

Closed
Rycieos opened this issue Jan 5, 2023 · 7 comments · Fixed by #5160
Labels
area/gateway-api Issues or PRs related to the Gateway (Gateway API working group) API. area/gateway-provisioner Issues or PRs related to the Gateway provisioner kind/feature Categorizes issue or PR as related to a new feature.

Rycieos commented Jan 5, 2023

This is an enhancement request, but it could also be considered a bug, as the Kubernetes Gateway API requires this support.

Description

A single Gateway object needs to be able to support an arbitrary number of Listeners, including multiple Listeners of the same type.

User story

I have an application that speaks both HTTP as well as a nonstandard protocol over TCP to the backend servers. I also want all traffic wrapped in TLS. To greatly simplify environment creation, I want all HTTPS and TCP traffic to be handled on the same FQDN, meaning the same IP address, meaning the same Gateway object. Since the HTTPS and TLS wrapped TCP traffic do not differ in FQDN, it is not possible to have them on the same port.

This can be specified with this example Gateway Spec:

apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
spec:
  listeners:
  - allowedRoutes:
      kinds:
      - group: gateway.networking.k8s.io
        kind: HTTPRoute
    name: https
    port: 443
    protocol: HTTPS
  - allowedRoutes:
      kinds:
      - group: gateway.networking.k8s.io
        kind: TLSRoute
    name: tls
    port: 5000
    protocol: TLS

While currently I do not need multiple listeners of the same type on different ports, it should also be possible to do that as well.

Issue

Currently, if this Gateway is created, Contour returns an error with the message:

Message: "Only one HTTPS/TLS port is supported",

@Rycieos Rycieos added kind/feature Categorizes issue or PR as related to a new feature. lifecycle/needs-triage Indicates that an issue needs to be triaged by a project contributor. labels Jan 5, 2023

github-actions bot commented Jan 5, 2023

Hey @Rycieos! Thanks for opening your first issue. We appreciate your contribution and welcome you to our community! We are glad to have you here and to have your input on Contour. You can also join us on our mailing list and in our channel in the Kubernetes Slack Workspace

@Rycieos Rycieos mentioned this issue Jan 5, 2023
1 task
@skriss skriss added the area/gateway-api Issues or PRs related to the Gateway (Gateway API working group) API. label Jan 5, 2023
Member

skriss commented Jan 6, 2023

xref #3616
xref kubernetes-sigs/gateway-api#1607

Member

skriss commented Jan 9, 2023

@Rycieos FYI I am going to start looking into this to see how we'd implement it. We agree that ultimately, not supporting this use case means we are not Gateway API conformant so we'd like to address it.

@skriss skriss added this to Contour Jan 9, 2023
@skriss skriss self-assigned this Jan 9, 2023
@skriss skriss added this to the 1.25.0 milestone Jan 24, 2023
@skriss skriss removed the lifecycle/needs-triage Indicates that an issue needs to be triaged by a project contributor. label Jan 24, 2023
@skriss skriss moved this to Todo in Contour Jan 24, 2023
Member

skriss commented Jan 24, 2023

A few things that need to be sorted out here:

  • how to map arbitrary Gateway Listener port numbers to port numbers that Envoy listens on inside the container (external Listener port numbers could be e.g. 81, 5081, 32081)
  • how does this interact with Ingress/HTTPProxy resources, which currently assume just 2 ports, HTTP and HTTPS? The easiest option is to say they are incompatible, at least for now (could set a condition on HTTPProxies if Contour is configured for an incompatible Gateway)
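The first question in the comment above, worked through as an added example; it is not code from this thread or from Contour. It assumes Envoy cannot bind ports below 1024 inside the container and uses a hypothetical fixed offset (`privilegedOffset`) for those ports, which shows why a naive shift needs a collision check.

```go
package main

import "fmt"

// Listener carries the Gateway listener fields this sketch needs.
type Listener struct {
	Name     string
	Port     int
	Protocol string
}

// privilegedOffset is an assumed value, not taken from Contour.
const privilegedOffset = 8000

// containerPort maps an external listener port to a port an unprivileged
// Envoy process can bind: ports below 1024 are shifted, others are kept.
func containerPort(port int) (int, error) {
	if port < 1 || port > 65535 {
		return 0, fmt.Errorf("port %d out of range", port)
	}
	if port < 1024 {
		return port + privilegedOffset, nil
	}
	return port, nil
}

// planPorts returns listener name -> container port, and fails when two
// different external ports would land on the same container port.
func planPorts(listeners []Listener) (map[string]int, error) {
	plan := make(map[string]int, len(listeners))
	owner := map[int]int{} // container port -> external port that claimed it
	for _, l := range listeners {
		cp, err := containerPort(l.Port)
		if err != nil {
			return nil, fmt.Errorf("listener %q: %w", l.Name, err)
		}
		if ext, taken := owner[cp]; taken && ext != l.Port {
			return nil, fmt.Errorf("listener %q: ports %d and %d both map to container port %d", l.Name, ext, l.Port, cp)
		}
		owner[cp] = l.Port
		plan[l.Name] = cp
	}
	return plan, nil
}

func main() {
	// Constructed input: the two listeners from the Gateway spec in the issue.
	fmt.Println(planPorts([]Listener{{"https", 443, "HTTPS"}, {"tls", 5000, "TLS"}}))
	// Constructed collision: 81 shifts to 8081, which is also requested directly.
	fmt.Println(planPorts([]Listener{{"a", 81, "HTTP"}, {"b", 8081, "HTTP"}}))
}
```

Listeners that share one external port also share the container port here; whether their protocols and hostnames can coexist on that port is a separate check.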

@Sajiyah-Salat

Hello @skriss can I work on this issue?

Member

skriss commented Feb 2, 2023

Hello @skriss can I work on this issue?

@Sajiyah-Salat I'm already working on a design for this issue, plus it's probably not a great first issue anyway since it's fairly intricate. I'd suggest looking at the good first issue or help wanted labels to find a good issue to start with. You could also look at the Gateway API label if you're specifically interested in that area. Thanks for your interest in the project!

skriss added a commit to skriss/contour that referenced this issue Feb 2, 2023
Updates projectcontour#4960.

Signed-off-by: Steve Kriss <krisss@vmware.com>
@skriss skriss moved this from Todo to In Progress in Contour Feb 2, 2023
Member

skriss commented Feb 24, 2023

@Rycieos if you're interested in trying out an early dev build, I have a branch that seems to be basically working:

Assuming you are using the gateway provisioner, you'd need to change the image used in the provisioner deployment itself, plus add the --contour-image=docker.io/steveheptio/contour:many-listeners flag to its args.

If you're not using the gateway provisioner, let me know, as some other changes will need to be made to the envoy service ports.

Please note that this is just a dev build and may have bugs or limitations, but the basic functionality worked properly in my testing.

skriss added a commit to skriss/contour that referenced this issue Feb 28, 2023
Updates projectcontour#4960.

Signed-off-by: Steve Kriss <krisss@vmware.com>
skriss added a commit to skriss/contour that referenced this issue Mar 8, 2023
Updates projectcontour#4960.

Signed-off-by: Steve Kriss <krisss@vmware.com>
skriss added a commit to skriss/contour that referenced this issue Mar 20, 2023
Updates projectcontour#4960.

Signed-off-by: Steve Kriss <krisss@vmware.com>
skriss added a commit that referenced this issue Mar 20, 2023
Updates #4960.

Signed-off-by: Steve Kriss <krisss@vmware.com>
skriss added a commit that referenced this issue Mar 22, 2023
Updates #4960.

Signed-off-by: Steve Kriss <krisss@vmware.com>
yangyy93 pushed a commit to projectsesame/contour that referenced this issue Mar 27, 2023
Updates projectcontour#4960.

Signed-off-by: Steve Kriss <krisss@vmware.com>
yangyy93 pushed a commit to projectsesame/contour that referenced this issue Mar 27, 2023
Updates projectcontour#4960.

Signed-off-by: Steve Kriss <krisss@vmware.com>
Signed-off-by: yy <yang.yang@daocloud.io>
yangyy93 pushed a commit to projectsesame/contour that referenced this issue Mar 27, 2023
…r#5128)

Updates projectcontour#4960.

Signed-off-by: Steve Kriss <krisss@vmware.com>
Signed-off-by: yy <yang.yang@daocloud.io>
yangyy93 added a commit to projectsesame/contour that referenced this issue Mar 27, 2023
Signed-off-by: yy <yang.yang@daocloud.io>

add some unit test

Signed-off-by: yy <yang.yang@daocloud.io>

git rebase

Signed-off-by: yy <yang.yang@daocloud.io>

expose configuration for envoy's RateLimitedAsResourceExhausted (projectcontour#4971)

The Rate Limit filter in Envoy translates a 429 HTTP response code
to UNAVAILABLE as specified in the gRPC mapping document, but Google recommends
translating it to RESOURCE_EXHAUSTED
(see https://github.com/grpc/grpc/blob/master/doc/http-grpc-status-mapping.md)

This commit introduces a new setting to allow contour to forward the same parameter
introduced in envoyproxy/envoy#4879

The default value is disabled to retain the original behaviour of returning UNAVAILABLE,
as changing it would be a breaking change.

Closes projectcontour#4901.

Signed-off-by: Víctor Roldán Betancort <vroldanbet@authzed.com>
Signed-off-by: yy <yang.yang@daocloud.io>

rebase

Signed-off-by: yy <yang.yang@daocloud.io>

update tracing config validate

Signed-off-by: yy <yang.yang@daocloud.io>

make generate

Signed-off-by: yy <yang.yang@daocloud.io>

add chengelog

Signed-off-by: yy <yang.yang@daocloud.io>

update make general

Signed-off-by: yy <yang.yang@daocloud.io>

goimport

Signed-off-by: yy <yang.yang@daocloud.io>

update tracing

Signed-off-by: yy <yang.yang@daocloud.io>

fix golint

Signed-off-by: yy <yang.yang@daocloud.io>

update test

Signed-off-by: yy <yang.yang@daocloud.io>

delete unused code

Signed-off-by: yy <yang.yang@daocloud.io>

delete error file

Signed-off-by: yy <yang.yang@daocloud.io>

update changelog

Signed-off-by: yy <yang.yang@daocloud.io>

fix some mistake

Signed-off-by: yy <yang.yang@daocloud.io>

feat: Add HTTP support for External Auth (projectcontour#4994)

Support globally configuring an external auth
server which is enabled by default for all vhosts,
both HTTP and HTTPS.

Closes projectcontour#4954.

Signed-off-by: claytonig <claytonivorgonsalves@gmail.com>
Signed-off-by: yy <yang.yang@daocloud.io>

refactor DAG and DAG consumers to support >2 Listeners (projectcontour#5128)

Updates projectcontour#4960.

Signed-off-by: Steve Kriss <krisss@vmware.com>
Signed-off-by: yy <yang.yang@daocloud.io>

resolve conflict

Signed-off-by: yy <yang.yang@daocloud.io>

fix

Signed-off-by: yy <yang.yang@daocloud.io>
@skriss skriss modified the milestones: 1.25.0, 1.26.0 Apr 7, 2023
@skriss skriss added the area/gateway-provisioner Issues or PRs related to the Gateway provisioner label May 15, 2023
skriss added a commit that referenced this issue Jun 12, 2023
Adds support for programming an arbitrary number
of Gateway listeners in Envoy and the Envoy service.

Closes #4960.

Signed-off-by: Steve Kriss <krisss@vmware.com>
@github-project-automation github-project-automation bot moved this from In Progress to Done in Contour Jun 12, 2023