ingress/gateway-api: expose listeners on host network #30840
Conversation
18ac415 to 578d407

/test
Helm LGTM!
578d407 to 20d79f9

rebased to
Docs look good, thanks!
Ingestion of a Passthrough listener (`IngressPassthrough`) never uses the parameters `defaultSecretNamespace` and `defaultSecretName`. Therefore, this commit removes these from the function signature.

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
Currently, the reconciliation of `Gateway` fails with an error if the status of the corresponding loadbalancer service isn't ready. Returning an error leads to an additional reconciliation and logs the error. There are cases (upcoming hostnetwork support) where the status of the loadbalancer service is never set which leads to reconciliation loops. Therefore, with this commit, a missing status no longer results in an error. This should also be enough in all other cases because a reconciliation should be triggered on an update of the loadbalancer service itself.

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
This commit adds support for exposing the L7 Envoy Listeners directly on the host network - and no longer uses Kubernetes Services of type `LoadBalancer` or `NodePort`. The listener is exposed on all interfaces (`0.0.0.0` for IPv4 and/or `::` for IPv6).

**Enable HostNetwork support via Helm**

* Ingress Controller: `ingressController.hostNetwork.enabled=true`
* Gateway API: `gatewayAPI.hostNetwork.enabled=true`

**Configure listener port**

* Shared Ingress: configurable via Helm (`ingressController.hostNetwork.sharedHTTPPort` & `ingressController.hostNetwork.sharedTLSPassthroughPort`)
* Dedicated Ingress: configurable via Annotation on the resource `Ingress` (`ingress.cilium.io/http-host-port` & `ingress.cilium.io/tls-passthrough-host-port`)
* Gateway API: configurable via `spec.listeners.port` on the resource `Gateway`

Be aware that misconfiguration might result in port clashes.

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
This commit adds support for exposing L7 Envoy Listeners only on a subset of Cilium Nodes. This only works in combination with the hostnetwork mode.

**Configure node labelselector via Helm**

* Ingress Controller: `ingressController.hostNetwork.nodes.matchLabels`
* Gateway API: `gatewayAPI.hostNetwork.nodes.matchLabels`

```
ingressController:
  hostNetwork:
    nodes:
      matchLabels:
        role: infra
        component: ingress
```

An empty selector selects all Nodes and continues to expose the functionality on all Cilium Nodes.

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
20d79f9 to 24126f3

rebased to

/test
👋 @maxpain Thanks for testing the feature. Envoy should have permissions to bind to privileged ports - but that might depend on the actual environment. At least it was working on a local dev kind cluster when I tested this the last time. If this is not working there's still the option to change the default port for the shared listener (HTTP/HTTPS & TLS Passthrough) to an unprivileged port via the Helm values. Otherwise, feel free to raise a GH issue and provide some more information by attaching a sysdump. Thanks!
Update: It looks like binding to privileged ports works on kind clusters because Docker lowers the unprivileged port start from
Unfortunately it looks like it's not enough to just add the capability. Therefore, binding to privileged ports will not work in clusters where this sysctl option is not set. I'll try to find a solution. In the meantime it's recommended to test the feature by explicitly configuring an unprivileged port. /cc @maxpain
Amazing!! Thx!!!
updates / related changes:
Further information can be found in the PRs. Please open a new issue if you have any questions / problems. /cc @maxpain - and thanks again for reporting!
This PR introduces support for exposing the Envoy Listeners created by the Ingress Controller and/or Gateway API directly on the host network. This is useful in some edge cases where one doesn't want to or can't use K8s LoadBalancer/NodePort functionality (dev environments, cluster-external loadbalancer, ...)
**Expose Envoy listeners on host network**

This commit adds support for exposing the L7 Envoy Listeners directly on the host network - and no longer uses Kubernetes Services of type `LoadBalancer` or `NodePort`. The listener is exposed on all interfaces (`0.0.0.0` for IPv4 and/or `::` for IPv6).

Enable HostNetwork support via Helm

* Ingress Controller: `ingressController.hostNetwork.enabled=true`
* Gateway API: `gatewayAPI.hostNetwork.enabled=true`

Configure listener port

* Shared Ingress: configurable via Helm (`ingressController.hostNetwork.sharedHTTPPort` & `ingressController.hostNetwork.sharedTLSPassthroughPort`)
* Dedicated Ingress: configurable via Annotation on the resource `Ingress` (`ingress.cilium.io/http-host-port` & `ingress.cilium.io/tls-passthrough-host-port`)
* Gateway API: configurable via `spec.listeners.port` on the resource `Gateway`

Be aware that misconfiguration might result in port clashes.

**Expose Envoy listeners on subset of nodes**

This commit adds support for exposing L7 Envoy Listeners only on a subset of Cilium Nodes. This only works in combination with the hostnetwork mode.

Configure node labelselector via Helm

* Ingress Controller: `ingressController.hostNetwork.nodes.matchLabels`
* Gateway API: `gatewayAPI.hostNetwork.nodes.matchLabels`

An empty selector selects all Nodes and continues to expose the functionality on all Cilium Nodes.
Please review the individual commits.
Fixes: #21390
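The manifests below are an added example and are not part of this PR or of the Cilium project's own charts and manifests. They put together, in one place, the Helm keys, Ingress annotations and Gateway field that the commit messages and the PR description list: host-network mode for both the Ingress Controller and Gateway API, the shared listeners pinned to unprivileged ports as the comment thread recommends while the privileged-port binding issue is open, and exposure restricted to labelled nodes. `ingressController.enabled`, `gatewayAPI.enabled`, `ingressController.loadbalancerMode` and the `ingress.cilium.io/loadbalancer-mode` annotation are pre-existing Cilium Helm values and annotations that this page does not discuss; the node labels, host name, backend service name and all port numbers are constructed for the example.

```yaml
# Added example: Helm values for host-network mode (not the PR's or Cilium's own file).
# `ingressController.enabled`, `gatewayAPI.enabled` and `loadbalancerMode` are
# pre-existing Cilium keys; every `hostNetwork.*` key is one this PR introduces.
ingressController:
  enabled: true
  loadbalancerMode: shared
  hostNetwork:
    enabled: true
    # Unprivileged ports: the comment thread notes that adding the capability
    # alone was not enough for Envoy to bind below 1024 on clusters where the
    # unprivileged-port-start sysctl is left at its default, so pick ports >= 1024.
    sharedHTTPPort: 8080
    sharedTLSPassthroughPort: 8443
    # Only nodes carrying both labels expose the listener (constructed labels);
    # an empty selector would expose it on every Cilium node.
    nodes:
      matchLabels:
        role: infra
        component: ingress
gatewayAPI:
  enabled: true
  hostNetwork:
    enabled: true
    nodes:
      matchLabels:
        role: infra
        component: ingress
---
# Dedicated Ingress: in host-network mode the host ports come from annotations
# on the Ingress itself. Annotation values must be strings. The host name and
# backend service are constructed; `loadbalancer-mode: dedicated` is an existing
# Cilium annotation not shown on this page.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-dedicated
  namespace: default
  annotations:
    ingress.cilium.io/loadbalancer-mode: dedicated
    ingress.cilium.io/http-host-port: "8081"
    ingress.cilium.io/tls-passthrough-host-port: "8444"
spec:
  ingressClassName: cilium
  rules:
    - host: app.example.internal
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: example-app
                port:
                  number: 80
---
# Gateway API: in host-network mode `spec.listeners[].port` is the host port.
# Every Gateway and Ingress that lands on the same nodes therefore needs a
# distinct port (8080/8443 shared, 8081/8444 dedicated, 8082 here); reusing one
# is the misconfiguration the commit message warns will cause port clashes.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: example-gateway
  namespace: default
spec:
  gatewayClassName: cilium
  listeners:
    - name: http
      protocol: HTTP
      port: 8082
```

Keep a per-node inventory of which ports each shared listener, dedicated Ingress and Gateway claims, since with host networking nothing in the Kubernetes API reserves them for you the way a Service port does.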