It is hard to programmatically manage Spec.Listeners
#1248
Replies: 4 comments 9 replies
-
Another option (related to #1246) would be to provide an explict way of sharing I prototyped this out, but it turns out that the Contour implementation doesn't currently support multiple functional Gateways with the same |
Beta Was this translation helpful? Give feedback.
-
This does feel like it could be worth exploring if it helps performance/management at scale - Listeners already have enough object-specific functionality that they feel somewhat-independent from Gateways, such as the attached/detached status. |
Beta Was this translation helpful? Give feedback.
-
I would think the most common case is to *not* set an address at all though
(and get one assigned), which may make that a bit tricky.
I am not sure exactly how this would look in YAML, but I have always
envisioned the correct model to have one "parent" gateway, and other
gateways can just attach listeners. That way you have one clear thing that
represents the underlying infrastructure. Not sure how we would represent
that though.
…On Mon, Jul 11, 2022 at 9:23 PM Nick Young ***@***.***> wrote:
tbh it's always been my dream that the GatewayClass would end up with a
status section that describes what extended features are enabled, so that
programmatic users can look there.
I'm definitely in favor of merging Gateways with the same Spec.Addresses
instead of a separate Listener resource though.
—
Reply to this email directly, view it on GitHub
<#1248 (reply in thread)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAEYGXN6RHJFTKPKYJDQSDDVTTXNVANCNFSM52K6BTVQ>
.
You are receiving this because you commented.Message ID:
***@***.***
.com>
|
Beta Was this translation helpful? Give feedback.
-
I've created a GEP issue to help address this - #1713 |
Beta Was this translation helpful? Give feedback.
-
Related to #1246; working on Knative Gateway-API support, one change from the Ingress model is that Gateways explicitly delegate TLS to specific namespaces using
Spec.Listeners
. This is good, as it can prevent name squatting.We're using (and managing) separate Listeners and ReferenceGrants for each Knative Route when TLS is enabled, to ensure that the HTTPRoutes we automatically create and manage are correctly associated with TLS certificates and generated hostnames in the correct namespace.
Unfortunately, putting this set of controls into a single resource makes it hard to automatically provision (and de-provision) them in a Controller. In particular, without the ability to set annotations on an individual Listener, it's hard to track whether a particular Listener was previously generated by a Knative Service for the following situations:
service.ns.example.com
-->service.ns.127.0.0.1.sslip.io
)All of this is probably solve-able on a single Gateway resource at the cost of some extra code (for example, we can keep a map from Route UID -> Listener entries in an annotation), but having the option for a separate Listener object per HTTPRoute in the Gateway namespace would simplify things dramatically. In that case,
Listener
objects would work a bit like PersistentVolumes in the storage mode, and HTTPRoutes would work a bit like PVCs in terms of attaching to Listeners.I know there was some concern about increasing the number of required objects for the API (and I'm sensitive to this concern), so one compromise could be to support either a Listener selector or explicit Listener list on the Gateway object? Other ideas also welcome.
Beta Was this translation helpful? Give feedback.
All reactions