design: Service APIs implementation #3213
Conversation
youngnick
changed the title
youngnick
changed the title
Codecov Report
@@ Coverage Diff @@
## main #3213 +/- ##
==========================================
+ Coverage 75.30% 75.35% +0.04%
==========================================
Files 98 98
Lines 6249 6249
==========================================
+ Hits 4706 4709 +3
+ Misses 1436 1433 -3
Partials 107 107
|
|
Marking this PR stale since there has been no activity for 14 days. It will be closed if there is no activity for another 90 days. |
github-actions
bot
added
the
lifecycle/stale
stevesloka
removed
the
lifecycle/stale
|
|
||
| In terms of its stated goals, Contour is aiming at being an ingress controller - that is, a Layer 7 proxy with some api gateway functions. | ||
| Currently, Contour provides "TCP Proxying" that allows the forwarding of TLS streams based on the SNI information, which is precisely what the Service APIs TLSRoute object is for. | ||
| If Project Contour (the organisation) does add support for TCP and UDP forwarding, it will not be in the `projectcontour/contour` repo, but will be a separate repo. |
There was a problem hiding this comment.
I'm still confused on the practically of this, you're proposing that we recreate all the same logic to just watch for these two types (e.g. TCP / UDP)?
There was a problem hiding this comment.
I'd guess that as part of this, we'd spin some code out into libraries, probably.
| Contour expects the `spec.addresses` field to be empty. | ||
|
|
||
| For Listeners: | ||
| - Listeners inside Gateways will be merged where possible, as will listeners across Gateways. |
There was a problem hiding this comment.
Contour only supports two listeners today (e.g. http/https). Does this statement assume that you are permitted to create more dynamically?
There was a problem hiding this comment.
The insecure/secure split definitely needs some thinking as a result of this. The initial thought is that we would replicate the current behavior, which would mean accepting only one http and one https listener, but this will be tricky to do. We may need to do something different with automatic http->https redirect for the Service APIs.
There was a problem hiding this comment.
I've opened #3263 with a new design for this, and will update this document accordingly.
youngnick
force-pushed
the
service-apis-design
branch
from
535b45f to
2ded52f
Compare
|
In the latest round of changes, I've updated a few things:
|
| ### Combining Service APIs with other configuration | ||
|
|
||
| When it calculates the Envoy configuration using the DAG, Contour layers different types of configuration in order. | ||
| So, currently, Ingress is overwritten by HTTPProxy, so if an Ingress and a HTTPProxy specify the exact same route, the HTTPProxy will win. | ||
|
|
||
| Once we have the Service-APIs available as well, we have to choose the order. | ||
| In this design, I suggest having the order be Ingress is overwritten by HTTPProxy, is overwritten by the service-apis. | ||
| I could see reversing HTTPProxy and the Service APIs here, but I think this acknowledges that the Service APIs are really an evolution of the ideas in HTTPProxy, and will probably end up being the community standard. |
There was a problem hiding this comment.
I'm OK with either order, as long as we document it.
|
To answer @stevesloka's question about additional features, I've also put some more in the documentation about what parts of the API we will target, and how we will build support. In short, we'll build whatever is in v1alpha1 in the initial cut, then work with the upstream to define the other features (timeouts, websockets, regex headers etc) in the upstream, and support that. |
Updates projectcontour#3213 Signed-off-by: Steve Sloka <[email protected]>
The service-apis design calls out that GatewayClasses won't be watch or processed by Contour the controller, so this removes them from processing since they won't be used. Updates projectcontour#3213 Signed-off-by: Steve Sloka <[email protected]>
The service-apis design calls out that GatewayClasses & TCPRoutes won't be watched or processed by Contour the controller, so this removes them from processing since they won't be used. Updates projectcontour#3213 Signed-off-by: Steve Sloka <[email protected]>
|
I don't have any additional large comments. There are a lot of behavior details in the API spec which we'll also need to reference during implementation. There are still quite a few TODO's throughout the doc that will need another review pass from folks if they are expaned upon. Thanks for this work @youngnick! |
…#3279) The service-apis design calls out that GatewayClasses & TCPRoutes won't be watched or processed by Contour the controller, so this removes them from processing since they won't be used. Updates #3213 Signed-off-by: Steve Sloka <[email protected]>
Updates projectcontour#3213 Signed-off-by: Steve Sloka <[email protected]>
Updates #3213 Signed-off-by: Steve Sloka <[email protected]>
| Contour considers a Gateway to describe a single Envoy deployment, deployed and managed by something outside of itself. | ||
| Contour expects to be supplied with the full name (name and namespace) of a single Gateway, which it will watch and update the status of. | ||
| This will be a configuration file parameter. | ||
| When a Gateway is not supplied, Contour will not do Service-APIs processing, or in other words, the existing `--experimental-service-apis` flag will be obsoleted and removed). |
There was a problem hiding this comment.
+1 on removing the flag.
Should we default the name/namespace of a gateway (i.e. contour/projectcontour) so given a generic deployment, someone could use that as a default and not require a config file change?
Contour can still check if the service-apis CRDs exist in the cluster and use that as a key for setting up informers. I just merged #3283 which acts this way, but is different than this design doc, but @skriss asked which is a good point.
There was a problem hiding this comment.
So, the flow if you want to use the service-apis is this:
- install the objects in the cluster
- create a Gateway for Contour to reference
- Configure Contour to use that
If you don't do all those three things, then no service-apis.
That does make sense, although it means that if you install the objects and don't change the default, we should end up logging something saying "hey, you asked me to look for a Gateway called projectcontour/contour, but it doesn't exist". Not a huge deal.
There was a problem hiding this comment.
Right now I have a default programmed, but we could remove that, just thought it might be nice to have some way of allowing someone to create a Gateway without needing to reconfigure / restart Contour.
This came up in a review with @skriss and thought it was a good point that what I PR'd conflicted with this design and thought we should clear up. =)
|
|
||
| Contour will only ever update the `status` of HTTPRoute objects. | ||
|
|
||
| Errors or conflicts here will render that section of the config invalid. |
There was a problem hiding this comment.
For a missing serviceName or LocalObjectReference, the docs say:
If the referent cannot be found, the route must be dropped from the Gateway. The controller should raise the “ResolvedRefs” condition on the Gateway with the “DegradedRoutes” reason. The gateway status for this route should be updated with a condition that describes the error more specifically.
Does that mean the entire HTTPRoute is invalid or just the specific HTTPRoute.HTTPRouteRule is invalid?
There was a problem hiding this comment.
Yeah I wasn't sure about that either (and how it would play with the proposal you had around keeping as much routability as possible even in partially applied resources), I think we chatted about this in office hours or something but I'm not sure there was a conclusion
There was a problem hiding this comment.
You're right, I think we need to implement this per the spec for now, and raise this upstream as a concern. I'll update to reflect this.
There was a problem hiding this comment.
Chatting in Slack the thought is that only that HTTPRoute.Rule is invalidated so I think the design is correct unless we want to specifically call it out better: https://kubernetes.slack.com/archives/CR0H13KGA/p1612463856030500?thread_ts=1612459180.030400&cid=CR0H13KGA
There was a problem hiding this comment.
Thanks for asking this question in the upstream Slack @stevesloka. I agree with Harry's answer there - we will implement this as "conflicts will invalidate that rule" not "conflicts with invalidate the whole Route" for now, and see if we can push that upstream.
Deprecate the '--experimental-service-apis' flag to `contour serve` in favor of using the gateway.name & gateway.namespace config file options. Updates projectcontour#3213 Signed-off-by: Steve Sloka <[email protected]>
| ### Combining Service APIs with other configuration | ||
|
|
||
| When it calculates the Envoy configuration using the DAG, Contour layers different types of configuration in order. | ||
| So, currently, Ingress is overwritten by HTTPProxy, so if an Ingress and a HTTPProxy specify the exact same route, the HTTPProxy will win. | ||
|
|
||
| Once we have the Service-APIs available as well, we have to choose the order. | ||
| In this design, I suggest having the order be Ingress is overwritten by HTTPProxy, is overwritten by the service-apis. | ||
| I could see reversing HTTPProxy and the Service APIs here, but I think this acknowledges that the Service APIs are really an evolution of the ideas in HTTPProxy, and will probably end up being the community standard. |
There was a problem hiding this comment.
Some aspects of this are not entirely clear to me, e.g. what if there's a service-apis Listener with a wildcard domain name that overlaps with an HTTPProxy with a specific domain name, or what if some other service-apis Listener settings conflict with Contour's listener settings -- but I'm also not sure it's that important right now, and we can figure it out during implementation.
There was a problem hiding this comment.
I think the wildcard domain name thing will be sorted out by implementing wildcard domains everywhere - we should do that before starting with this, since we need to do it for Ingress v1 anyway. I think the limited form of wildcard FQDN defined in the service-apis is probably implementable in HTTPProxy as well.
I think the LIstener settings details should be sorted out during implementation, but I think that the service-apis spec should probably override the Contour config one, since it's more specific (I think). I don't think it matters really, as long as we document it.
Signed-off-by: Nick Young <[email protected]>
Signed-off-by: Nick Young <[email protected]>
Signed-off-by: Nick Young <[email protected]>
Signed-off-by: Nick Young <[email protected]>
Signed-off-by: Nick Young <[email protected]>
Signed-off-by: Nick Young <[email protected]>
Signed-off-by: Nick Young <[email protected]>
Signed-off-by: Nick Young <[email protected]>
Signed-off-by: Nick Young <[email protected]>
Signed-off-by: Nick Young <[email protected]>
Signed-off-by: Nick Young <[email protected]>
youngnick
force-pushed
the
service-apis-design
branch
from
90ab2f9 to
8060741
Compare
|
Looks like the new ExternalName integration test is failing on |
Deprecate the '--experimental-service-apis' flag to `contour serve` in favor of using the gateway.name & gateway.namespace config file options. Updates projectcontour#3213 Signed-off-by: Steve Sloka <[email protected]>
…contour#3311) Deprecate the `--experimental-service-apis` flag to `contour serve` in favor of using the gateway.name & gateway.namespace config file options. Updates projectcontour#3213 Signed-off-by: Steve Sloka <[email protected]>
* Add design document for service-apis implementation. Signed-off-by: Nick Young <[email protected]> Signed-off-by: iyacontrol <[email protected]>
…contour#3311) Deprecate the `--experimental-service-apis` flag to `contour serve` in favor of using the gateway.name & gateway.namespace config file options. Updates projectcontour#3213 Signed-off-by: Steve Sloka <[email protected]> Signed-off-by: iyacontrol <[email protected]>
* Add design document for service-apis implementation. Signed-off-by: Nick Young <[email protected]> Signed-off-by: iyacontrol <[email protected]>
…contour#3311) Deprecate the `--experimental-service-apis` flag to `contour serve` in favor of using the gateway.name & gateway.namespace config file options. Updates projectcontour#3213 Signed-off-by: Steve Sloka <[email protected]> Signed-off-by: iyacontrol <[email protected]>
…contour#3311) Deprecate the `--experimental-service-apis` flag to `contour serve` in favor of using the gateway.name & gateway.namespace config file options. Updates projectcontour#3213 Signed-off-by: Steve Sloka <[email protected]> Signed-off-by: iyacontrol <[email protected]>
This is a WIP of the Service APIs implementation. It's been slow going, as I've been trying to check as I went that I've got the Service APIs intent correct, and that the way we'll implement is relatively consistent with Contour's current state.
Interested mostly in feedback on the high-level parts, did I miss anything?
There's quite a bit more detail required, particular for HTTPRoute and TLSRoute.
Very interested to hear about any other areas you all think I should cover as part of this design.