
The TLS configuration cannot be placed in the Gateway's CR. #2289

Closed
fanux opened this issue Dec 11, 2023 · 4 comments
Labels
kind/enhancement New feature or request triage

Comments

@fanux

fanux commented Dec 11, 2023

kubernetes-sigs/gateway-api#2665

@fanux fanux added kind/enhancement New feature or request triage labels Dec 11, 2023
@fanux
Author

fanux commented Dec 11, 2023

Or is there any good way to solve this problem currently? Our scenario is that there are tens of thousands of separate tenants, who may all have their own domain names and certificates to configure, and the Gateway is created uniformly by cluster management, so it is impossible for tenants to modify the listener. And each tenant needs to configure their own domain name certificate in their own namespace.

@zhaohuabing
Member

zhaohuabing commented Dec 12, 2023

@fanux This may solve your problem: each tenant can create its own Gateway with an HTTPS listener in it, and these Gateways can be merged onto the same Envoy Proxy infrastructure by configuring MergeGateways to true.

https://gateway.envoyproxy.io/v0.6.0/api/extension_types/#envoyproxyspec

MergeGateways defines if Gateway resources should be merged onto the same Envoy Proxy Infrastructure. Setting this field to true would merge all Gateway Listeners under the parent Gateway Class. This means that the port, protocol and hostname tuple must be unique for every listener. If a duplicate listener is detected, the newer listener (based on timestamp) will be rejected and its status will be updated with a “Accepted=False” condition.

@liwagu

liwagu commented Dec 15, 2023

I tried using this merge field, but the merge did not succeed; in the end only one gateway took effect.

# init_12_parent.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: eg-class
  # namespace: envoy-gateway-system
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
  parametersRef:
    group: gateway.envoyproxy.io
    kind: EnvoyProxy
    name: custom-proxy-config
    namespace: envoy-gateway-system
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: custom-proxy-config
  namespace: envoy-gateway-system
spec:
  mergeGateways: true
  provider:
    type: Kubernetes
    kubernetes:
      envoyService:
        type: NodePort
---
# init_12_liwa.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: eg
  namespace: liwa
spec:
  gatewayClassName: eg-class
  listeners:
  - name: https
    port: 443
    protocol: HTTPS
    allowedRoutes:
      namespaces:
        from: All
      # kinds:
      #   - kind: HTTPRoute
      #     group: gateway.envoyproxy.io
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        group: ""
        name: liwa-com
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: backend
  namespace: liwa
---
apiVersion: v1
kind: Service
metadata:
  name: backend
  namespace: liwa
  labels:
    app: backend
    service: backend
spec:
  ports:
    - name: http
      port: 80
      targetPort: 80
  selector:
    app: backend
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: backend
  namespace: liwa
spec:
  replicas: 1
  selector:
    matchLabels:
      app: backend
      version: v1
  template:
    metadata:
      labels:
        app: backend
        version: v1
    spec:
      serviceAccountName: backend
      containers:
        - image: nginx
          imagePullPolicy: IfNotPresent
          name: backend
          ports:
            - containerPort: 80
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: backend
  namespace: liwa
spec:
  parentRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: eg
      sectionName: https
      namespace: liwa
  # parentRefs:
  #   - name: eg
  #     sectionName: https
  hostnames:
    - "www12.liwa.com"
  rules:
    - backendRefs:
        - group: ""
          kind: Service
          name: backend
          port: 80
          weight: 1
      matches:
        - path:
            type: PathPrefix
            value: /
---
# init_12_example.yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: example-gateway
  namespace: example
spec:
  gatewayClassName: eg-class
  listeners:
  - name: https
    port: 443
    protocol: HTTPS
    allowedRoutes:
      namespaces:
        from: All
    # hostname: "*.example.com"
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        group: ""
        name: example-com
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: backend-exa
  namespace: example
---
apiVersion: v1
kind: Service
metadata:
  name: backend-exa
  namespace: example
  labels:
    app: backend-exa
    service: backend-exa
spec:
  ports:
    - name: http
      port: 80
      targetPort: 80
  selector:
    app: backend-exa
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: backend-exa
  namespace: example
spec:
  replicas: 1
  selector:
    matchLabels:
      app: backend-exa
      version: v1
  template:
    metadata:
      labels:
        app: backend-exa
        version: v1
    spec:
      serviceAccountName: backend-exa
      containers:
        - image: nginx
          imagePullPolicy: IfNotPresent
          name: backend-exa
          ports:
            - containerPort: 80
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: backend-exa
  namespace: example
spec:
  # parentRefs:
  #   - name: example-gateway
  #     sectionName: https
  parentRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: example-gateway
      sectionName: https
      namespace: example
  hostnames:
    - "www12.example.com"
  rules:
    - backendRefs:
        - group: ""
          kind: Service
          name: backend-exa
          port: 80
          weight: 1
      matches:
        - path:
            type: PathPrefix
            value: /
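The uniqueness rule quoted above explains the result in this post: both Gateways expose an HTTPS listener on port 443 with no hostname, so their (port, protocol, hostname) tuples collide and the newer listener is rejected. The following pre-apply check is added here and is not code from the issue or from Envoy Gateway; it applies that rule to the two posted Gateways, modelled as constructed dicts with assumed creationTimestamp values, and then shows the same listeners with a per-tenant hostname set.

```python
"""Pre-apply check for the MergeGateways listener-uniqueness rule."""

# Constructed inventory mirroring the two Gateways posted above (liwa/eg and
# example/example-gateway). The creationTimestamp values are assumed.
GATEWAYS = [
    {"namespace": "liwa", "name": "eg",
     "creationTimestamp": "2023-12-15T08:00:00Z",
     "listeners": [{"name": "https", "port": 443, "protocol": "HTTPS", "hostname": None}]},
    {"namespace": "example", "name": "example-gateway",
     "creationTimestamp": "2023-12-15T08:05:00Z",
     "listeners": [{"name": "https", "port": 443, "protocol": "HTTPS", "hostname": None}]},
]


def listener_key(listener):
    # The merge rule identifies a listener by (port, protocol, hostname); a
    # missing hostname is part of that identity, so two hostname-less HTTPS
    # listeners on 443 are duplicates. Comparison is exact, as quoted above.
    return (listener["port"], listener["protocol"].upper(), listener.get("hostname"))


def find_merge_conflicts(gateways):
    """Return [(key, kept_gateway, rejected_gateway), ...] for colliding listeners.

    Gateways are walked oldest first (ISO-8601 UTC timestamps sort as strings),
    so the older listener is kept and the newer one is the one that would be
    marked Accepted=False.
    """
    seen, conflicts = {}, []
    for gw in sorted(gateways, key=lambda g: g["creationTimestamp"]):
        ref = f'{gw["namespace"]}/{gw["name"]}'
        for lst in gw["listeners"]:
            key = listener_key(lst)
            if key in seen:
                conflicts.append((key, seen[key], ref))
            else:
                seen[key] = ref
    return conflicts


def with_hostnames(gateways, hostnames):
    """Copy of `gateways` with each listener given its tenant's hostname."""
    return [{**gw, "listeners": [{**l, "hostname": hostnames[gw["namespace"]]}
                                 for l in gw["listeners"]]} for gw in gateways]


if __name__ == "__main__":
    for key, kept, rejected in find_merge_conflicts(GATEWAYS):
        print(f"conflict on {key}: {kept} kept, {rejected} would be rejected")
    fixed = with_hostnames(GATEWAYS, {"liwa": "*.liwa.com", "example": "*.example.com"})
    print("conflicts after setting hostnames:", find_merge_conflicts(fixed))
```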

@arkodg
Contributor

arkodg commented Dec 18, 2023

closing this issue, please refer to #2289 (comment) as a solution to optimize the data plane while still creating resources per tenant

@arkodg arkodg closed this as completed Dec 18, 2023