Run Envoy Gateway like DaemonSet

[zvlb]

Issue - #2969

I decided not to wait for architecture discussions and implemented the functionality.

The issue suggested using the OpenTelemetry Operator structure for implementing the functionality. However, if we had followed the OpenTelemetry approach, we would have lost backward compatibility.

In the implemented functionality, the "old" logic remains intact, and the new logic is added for configuring Envoy Proxy as a DaemonSet.

A couple of points:

1. I haven't implemented the DaemonSet logic for EnvoyGateway, only for Gateway. (Here you can see a placeholder). I hope this is not urgent and not needed in the near future (we can create a new task to implement this logic).
2. I have only written tests for envoyService (if it doesn't need to be brought up). I'll write tests for the main functionality as soon as it's confirmed that everything is okay and this functionality is accepted.
3. I'll write documentation after confirmation of the functionality as well, too.

[arkodg]

for your use case, do you need all these fields - pod, container, initcontainers ?

[zvlb]

In my case I test many cases, but most important:

kind: EnvoyProxy
metadata:
  name: envoy-proxy-config
  namespace: envoy-gateway-system
spec:
  provider:
    type: Kubernetes
    kubernetes:
      mode: DaemonSet
      envoyService:
        disable: true
      envoyDaemonSet:
        pod:
          hostNetwork: true
          tolerations:
          - key: node-role.kubernetes.io/control-plane
            operator: Exists
          nodeSelector:
            node-role.kubernetes.io/control-plane: ""

Start Envoy Proxy like daemonset on special nodes with hostnetwork=true

May be for another cases someone need this?

[arkodg]

this is something we dont recommend, its rm this, suggest using patch to achieve this

[zvlb]

Why? It's what I realy need for my case.
patch - not very comfortable

[zirain]

-1 on hostNetwork, we should never recommend using it, patch can help edge case.

[arkodg]

curious, why this is needed

[zvlb]

Bc if I run EnvoyProxy like daemonSet with hostNetwork - I don't need service

[arkodg]

do we need an explicit mode field or can we use CEL validation to make sure

• if Deployment is set, then DaemonSet cannot be set

[zvlb]

If in future someone add tag +kubebuilder:default:="****" to field in KubernetesDeploymentSpec or KubernetesDaemonSetSpec, then field envoyDaemonSet or envoyDaemonSetwill not be empty. How to implement this case?

• the implicit behavior is a bit confusing

[zirain]

will that be rejected by validating webhook?

[zvlb]

I'm not sure I understand what you're referring to. Does Envoy Gateway implement an Admission (Validation) webhook?

[zirain]

EG use CEL

[zvlb]

@arkodg Can you help here? Which kubebuilder tag need you for this logic?

[arkodg]

1. use a ptr type called mode to decide b/w Deployment and DaemonSet, defaulting to Deployment
2. use CEL to make sure when mode is set to DaemonSet , user cannot populate the deployment field e.g.

   gateway/api/v1alpha1/ext_auth_types.go

   Line 13 in 0f87fcb

   // +kubebuilder:validation:XValidation:rule="(has(self.grpc) && !has(self.http)) || (!has(self.grpc) && has(self.http))",message="only one of grpc or http can be specified"

[zvlb]

do we need an explicit mode field or can we use CEL validation to make sure

May be we don't need mode? Only EnvoyDeployment and EnvoyDaemonSet fields with validation. If not set - use Deployment (with default preset)

[arkodg]

do we need an explicit mode field or can we use CEL validation to make sure

May be we don't need mode? Only EnvoyDeployment and EnvoyDaemonSet fields with validation. If not set - use Deployment (with default preset)

I prefer this approach

[zvlb]

Here's a more detailed description of your case:

I have bare-metal installations of Kubernetes clusters. Since the ServiceType LoadBalancer is not supported in my setup, I need to deploy Envoy Proxy on specific nodes to route traffic to pods.

[arkodg]

Im not sure its going to work the way you've intended to

• there's a servicePort/ gateway listener port - containerPort mapping
• you will also need to set dns policy ClusterFirstWithHostNet
  more in Add hostNetwork DNSPolicy support #2309
  I'll defer to @zzjin @Xunzhuo for more details

[zirain]

please kindly proposal API first, otherwise there will be a lot of waste.

[zvlb]

Let's decide how to ultimately implement the necessary functionality and resolve contentious issues:

1. @arkodg believes that using the hostNetwork field is undesirable and suggests implementing this functionality through patch. I'm not sure if this is a good solution because it seems like we're providing users with functionality to manage the hostNetwork field, but doing so inconveniently. Considering there's a real use case for when this is needed, I see no reason not to expose this field.

2. @arkodg also suggested that we should expose the dnsPolicy field as controlled fields to set the value ClusterFirstWithHostNet for DaemonSets.

3. @arkodg сlarified whether we need to expose the container and initContainers fields for DaemonSet control. For my use case, this isn't necessary, but during implementation, I tried to maintain all the flexibility of DaemonSet configuration so that it works the same as Deployment.

Perhaps you want a different implementation for DaemonSet. I'm ready to listen to all proposals and implement what is approved.

[arkodg]

@zvlb I suggest breaking this up into 3 tasks

1. Adding support for DaemonSet
2. Any additional fields in PodSpec
3. Any addition fields in Service

Suggest starting with 1. to make faster progress/ easier to agree on a small set of things and add the minimum fields needed along with the Patch field that supports extensibility

[zvlb]

I will create 3 new PR for this. It's okay?

[arkodg]

I will create 3 new PR for this. It's okay?

sure, but reviewers will most likely review in above order since imo they range from must have to good to have

[arkodg]

@zvlb suggest running make lint, make test, make generate to repro the errors locally

[zvlb]

Actual PR - #3092