-
Notifications
You must be signed in to change notification settings - Fork 89
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Generate per-Ingress Gateway instead of reconciling the global Ingress Gateway when auto TLS is enabled #170
Generate per-Ingress Gateway instead of reconciling the global Ingress Gateway when auto TLS is enabled #170
Conversation
Hi @ZhiminXiang ,
|
@zhanggbj I am not sure very sure about your use case. |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ZhiminXiang The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@ZhiminXiang Here is what we have in knative ingress
but in facts, we have TLS configs in gateway
|
func MakeIngressGateways(ctx context.Context, ing *v1alpha1.Ingress, originSecrets map[string]*corev1.Secret, svcLister corev1listers.ServiceLister) ([]*v1beta1.Gateway, error) { | ||
// MakeIngressTLSGateways creates Gateways for a given Ingress. | ||
func MakeIngressTLSGateways(ctx context.Context, ing *v1alpha1.Ingress, ingressTLS []v1alpha1.IngressTLS, originSecrets map[string]*corev1.Secret, svcLister corev1listers.ServiceLister) ([]*v1beta1.Gateway, error) { | ||
// No need to create Gateway if there is no related ingress TLS. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wonder if it might be more future proof to create a Gateway per ksvc, no matter if TLS is here or not.
This way, it is there, already scoped to the specific hosts. Because otherwise I worried we go from a global gateway to a custom one just because TLS was enabled.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I consider the Gateway split as two parts: TLS Gateway split and non-TLS (or HTTP) Gateway Split.
It seems no doubt that we need TLS Gateway split as we don't want to keep reconciling the global Gateway.
For non-TLS Gateway split, I think we need more considerations. Currently we do not provide a way to configure the non-TLS behavior through Kingerss. So all Kingresses have the same HTTP behavior by default (unless users directly change the Gateway). From this perspective, I am a little concerned that splitting non-TLS Gateway may cause performance regression for the default behavior (as Istio pilot now needs merging Gateway).
wildcardGatewayNames = resources.GetQualifiedGatewayNames(desiredWildcardGateways) | ||
|
||
// VirtualService will be attached to both global Gateways and the Knative generated Gateways. | ||
// We still want to attach to the global Gateways to respect any global Gateway configuration. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How does this work though?
By global Gateway, I am assuming you mean a *
Gateway?
In this case, the more specific Gateway will be picked and other ignored, no?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The more specific Gateway (or Knative generated Gateway) only has the TLS configuration.
In this PR, I plan to just simply move the TLS configuration from the global Gateway to the more specific Gateway. So for the TLS part, there is no conflict when attaching VirtualService to both global and the more specific Gateway.
And by attaching VirtualService to the global Gateway, I want to retain the non-TLS behavior for the backward compatibility reason.
/lgtm |
The following is the coverage report on the affected files.
|
/lgtm |
Currently when auto TLS is enabled, the controller updates the global Gateway to configure TLS. This is not a good pattern because:
This PR moves the TLS servers within a global Gateway to an independent Gateway, and makes VirtualService also attach to it.
This PR is backward compatible, and should not affect the ongoing traffic because from Istio's perspective, the Gateway related configurations are kept as the same.
This PR will not affect any behavior when auto TLS is disabled.
Fix knative/serving#4312