Support an arbitrary number of Listeners per Gateway #4960
Comments
Hey @Rycieos! Thanks for opening your first issue. We appreciate your contribution and welcome you to our community! We are glad to have you here and to have your input on Contour. You can also join us on our mailing list and in our channel in the Kubernetes Slack Workspace
xref #3616
@Rycieos FYI I am going to start looking into this to see how we'd implement it. We agree that ultimately, not supporting this use case means we are not Gateway API conformant so we'd like to address it.
A few things that need to be sorted out here:
Hello @skriss can I work on this issue?
@Sajiyah-Salat I'm already working on a design for this issue, plus it's probably not a great first issue anyway since it's fairly intricate. I'd suggest looking at the good first issue or help wanted labels to find a good issue to start with. You could also look at the Gateway API label if you're specifically interested in that area. Thanks for your interest in the project!
Updates projectcontour#4960. Signed-off-by: Steve Kriss <krisss@vmware.com>
@Rycieos if you're interested in trying out an early dev build, I have a branch that seems to be basically working:
Assuming you are using the gateway provisioner, you'd need to change the image used in the provisioner deployment itself, plus add the If you're not using the gateway provisioner, let me know, as some other changes will need to be made to the envoy service ports. Please note that this is just a dev build and may have bugs or limitations, but the basic functionality worked properly in my testing.
Updates #4960. Signed-off-by: Steve Kriss <krisss@vmware.com>
…r#5128) Updates projectcontour#4960. Signed-off-by: Steve Kriss <krisss@vmware.com>
Updates projectcontour#4960. Signed-off-by: Steve Kriss <krisss@vmware.com> Signed-off-by: yy <yang.yang@daocloud.io>
…r#5128) Updates projectcontour#4960. Signed-off-by: Steve Kriss <krisss@vmware.com> Signed-off-by: yy <yang.yang@daocloud.io>
Signed-off-by: yy <yang.yang@daocloud.io> add some unit test Signed-off-by: yy <yang.yang@daocloud.io> git rebase Signed-off-by: yy <yang.yang@daocloud.io> expose configuration for envoy's RateLimitedAsResourceExhausted (projectcontour#4971) The Rate Limit filter in Envoy translates a 429 HTTP response code to UNAVAILABLE as specified in the gRPC mapping document, but Google recommends translating it to RESOURCE_EXHAUSTED (see https://github.com/grpc/grpc/blob/master/doc/http-grpc-status-mapping.md) This commit introduces a new setting to allow contour to forward the same parameter introduced in envoyproxy/envoy#4879 The default value is disabled to retain the original behaviour of returning UNAVAILABLE, as changing it would be a breaking change. Closes projectcontour#4901. Signed-off-by: Víctor Roldán Betancort <vroldanbet@authzed.com> Signed-off-by: yy <yang.yang@daocloud.io> rebase Signed-off-by: yy <yang.yang@daocloud.io> update tracing config validate Signed-off-by: yy <yang.yang@daocloud.io> make generate Signed-off-by: yy <yang.yang@daocloud.io> add chengelog Signed-off-by: yy <yang.yang@daocloud.io> update make general Signed-off-by: yy <yang.yang@daocloud.io> goimport Signed-off-by: yy <yang.yang@daocloud.io> update tracing Signed-off-by: yy <yang.yang@daocloud.io> fix golint Signed-off-by: yy <yang.yang@daocloud.io> update test Signed-off-by: yy <yang.yang@daocloud.io> delete unused code Signed-off-by: yy <yang.yang@daocloud.io> delete error file Signed-off-by: yy <yang.yang@daocloud.io> update changelog Signed-off-by: yy <yang.yang@daocloud.io> fix some mistake Signed-off-by: yy <yang.yang@daocloud.io> feat: Add HTTP support for External Auth (projectcontour#4994) Support globally configuring an external auth server which is enabled by default for all vhosts, both HTTP and HTTPS. Closes projectcontour#4954. 
Signed-off-by: claytonig <claytonivorgonsalves@gmail.com> Signed-off-by: yy <yang.yang@daocloud.io> refactor DAG and DAG consumers to support >2 Listeners (projectcontour#5128) Updates projectcontour#4960. Signed-off-by: Steve Kriss <krisss@vmware.com> Signed-off-by: yy <yang.yang@daocloud.io> resolve conflict Signed-off-by: yy <yang.yang@daocloud.io> fix Signed-off-by: yy <yang.yang@daocloud.io>
Adds support for programming an arbitrary number of Gateway listeners in Envoy and the Envoy service. Closes #4960. Signed-off-by: Steve Kriss <krisss@vmware.com>
This is an enhancement request, but it could also be considered a bug, as the Kubernetes Gateway API requires this support.
Description
A single Gateway object needs to be able to support an arbitrary number of Listeners, including multiple Listeners of the same type.
User story
I have an application that speaks both HTTP as well as a nonstandard protocol over TCP to the backend servers. I also want all traffic wrapped in TLS. To greatly simplify environment creation, I want all HTTPS and TCP traffic to be handled on the same FQDN, meaning the same IP address, meaning the same Gateway object. Since the HTTPS and TLS wrapped TCP traffic do not differ in FQDN, it is not possible to have them on the same port.
This can be specified with this example Gateway Spec:
While currently I do not need multiple listeners of the same type on different ports, it should also be possible to do that as well.
Issue
Currently, if this Gateway is created, Contour returns an error with the message:
contour/internal/gatewayapi/listeners.go
Line 128 in d7d4012
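The port constraint from the user story above, as an added example that is not part of the original issue or Contour's own code: a simplified Go model of listener distinctness, assuming HTTPS and TLS listeners that share a port can only be told apart by hostname (SNI). The `Listener` type, the `Conflicts` function, the hostname and the port numbers are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Listener is a constructed, minimal stand-in for a Gateway API listener.
type Listener struct {
	Name     string
	Protocol string // "HTTP", "HTTPS" or "TLS"
	Port     int
	Hostname string // empty means "all hostnames"
}

// tlsFamily reports whether the protocol is demultiplexed by SNI.
func tlsFamily(p string) bool { return p == "HTTPS" || p == "TLS" }

// Conflicts returns the sorted names of listeners that cannot share their port
// (assumed rule: same port needs the same protocol family and distinct hostnames).
func Conflicts(ls []Listener) []string {
	bad := map[string]bool{}
	for i, a := range ls {
		for _, b := range ls[i+1:] {
			if a.Port != b.Port {
				continue
			}
			sameFamily := a.Protocol == b.Protocol || (tlsFamily(a.Protocol) && tlsFamily(b.Protocol))
			if !sameFamily || a.Hostname == b.Hostname {
				bad[a.Name], bad[b.Name] = true, true
			}
		}
	}
	names := make([]string, 0, len(bad))
	for n := range bad {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

func main() {
	const host = "app.example.com" // constructed hostname
	samePort := []Listener{{"https", "HTTPS", 443, host}, {"tls-tcp", "TLS", 443, host}}
	splitPort := []Listener{{"https", "HTTPS", 443, host}, {"tls-tcp", "TLS", 8443, host}}
	fmt.Println("same port conflicts:", Conflicts(samePort))
	fmt.Println("split port conflicts:", Conflicts(splitPort))
}
```

With one FQDN, the two TLS-terminated listeners only become distinct once they are placed on separate ports, which is why the Gateway needs more than one listener of the TLS family.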