
With Gateway API enabled, why is adding 8000 to the Listener port number needed? #6348

Open
iamyeka opened this issue Apr 16, 2024 · 3 comments
Labels
kind/question Categorizes an issue as a user question. lifecycle/needs-triage Indicates that an issue needs to be triaged by a project contributor.

Comments


iamyeka commented Apr 16, 2024

What question do you have?:
From the site: https://projectcontour.io/docs/1.28/config/gateway-api/

To get from the Gateway Listener port to the port that Envoy will be configured to listen on, i.e. the container port:

add 8000 to the Listener port number
if the result is greater than 65535, subtract 65535
if the result is less than or equal to 1023, add 1023.

Related code:

// Import needed for the Gateway API PortNumber type used below.
import gatewayapi_v1beta1 "sigs.k8s.io/gateway-api/apis/v1beta1"

func toContainerPort(listenerPort gatewayapi_v1beta1.PortNumber) int32 {
	// Add 8000 to the Listener port, wrapping around if needed,
	// and skipping over privileged ports 1-1023.

	containerPort := listenerPort + 8000

	// Wrap around the top of the port range.
	if containerPort > 65535 {
		containerPort -= 65535
	}

	// Never return a privileged port.
	if containerPort <= 1023 {
		containerPort += 1023
	}

	return int32(containerPort)
}

Why is adding 8000 to the Listener port number needed? It looks like we can't let Envoy listen on port 80 that way. In my case, I need to run Envoy with hostNetwork on port 80.

Environment:

  • Contour version: 1.28.1
  • Kubernetes version: (use kubectl version): 1.19.3

skriss (Member) commented Apr 16, 2024

The desire was to not use privileged ports within the Envoy container so it didn't have to run as root/with any elevated privileges. Host networking is not currently supported via the Gateway provisioner, you would need to use custom YAML for that.
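The mapping quoted in the question, run over the whole listener port range, as an added example written for this thread rather than code from the Contour project (the Gateway API PortNumber type is replaced with int, and ToContainerPort and ScanListenerPorts are names chosen here). It checks the point made above, that no listener port can land on a privileged container port, and also shows that the wrap-around rule makes two listener-port ranges share container ports 1024-2046.

```go
package main

import "fmt"

// ToContainerPort is the mapping from the Contour docs, on plain ints for
// illustration (not Contour's own function, which uses PortNumber/int32).
func ToContainerPort(listenerPort int) int {
	containerPort := listenerPort + 8000
	if containerPort > 65535 { // wrap around the top of the port range
		containerPort -= 65535
	}
	if containerPort <= 1023 { // skip the privileged range 1-1023
		containerPort += 1023
	}
	return containerPort
}

// ScanListenerPorts applies the mapping to every valid listener port and
// returns the lowest container port produced, plus each container port
// that more than one listener port lands on (a consequence of the wrap-around
// rule, not something this thread discusses).
func ScanListenerPorts() (lowest int, collisions map[int][]int) {
	byContainer := map[int][]int{}
	lowest = 65535
	for p := 1; p <= 65535; p++ {
		c := ToContainerPort(p)
		byContainer[c] = append(byContainer[c], p)
		if c < lowest {
			lowest = c
		}
	}
	collisions = map[int][]int{}
	for c, ps := range byContainer {
		if len(ps) > 1 {
			collisions[c] = ps
		}
	}
	return lowest, collisions
}

func main() {
	for _, p := range []int{80, 443, 57535, 57536, 58559, 65535} {
		fmt.Printf("listener %5d -> container %5d\n", p, ToContainerPort(p))
	}
	lowest, collisions := ScanListenerPorts()
	fmt.Println("lowest container port:", lowest, "shared container ports:", len(collisions))
}
```

Whether Contour's listener validation rejects a Gateway whose listeners would share a container port before this mapping is applied is not modeled here.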

iamyeka (Author) commented Apr 17, 2024

If I need to use privileged ports like 80 & 443 within the Envoy container and the Gateway API at the same time, how could I do that?

From the code below, it looks like 8000 will be added to the port as long as the gateway instance exists. I've done some tests and can confirm that.

func (p *ListenerProcessor) Run(dag *DAG, cache *KubernetesCache) {
	if cache.gateway != nil {
		dag.HasDynamicListeners = true

		for _, port := range gatewayapi.ValidateListeners(cache.gateway.Spec.Listeners).Ports {
			address := p.HTTPAddress
			if port.Protocol == "https" {
				address = p.HTTPSAddress
			}
			dag.Listeners[port.Name] = &Listener{
				Name:             port.Name,
				Protocol:         port.Protocol,
				Address:          address,
				Port:             int(port.ContainerPort),
				EnableWebsockets: true,
				vhostsByName:     map[string]*VirtualHost{},
				svhostsByName:    map[string]*SecureVirtualHost{},
			}
		}
	} else {
		dag.Listeners[HTTP_LISTENER_NAME] = &Listener{
			Name:            HTTP_LISTENER_NAME,
			Protocol:        "http",
			Address:         p.HTTPAddress,
			Port:            intOrDefault(p.HTTPPort, 8080),
			RouteConfigName: "ingress_http",
			vhostsByName:    map[string]*VirtualHost{},
		}

		dag.Listeners[HTTPS_LISTENER_NAME] = &Listener{
			Name:                        HTTPS_LISTENER_NAME,
			Protocol:                    "https",
			Address:                     p.HTTPSAddress,
			Port:                        intOrDefault(p.HTTPSPort, 8443),
			RouteConfigName:             "https",
			FallbackCertRouteConfigName: "ingress_fallbackcert",
			svhostsByName:               map[string]*SecureVirtualHost{},
		}
	}
}
