Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add new local Gateway sharing same deployment as ingress Gateway. #237

Merged
merged 1 commit into from
Aug 26, 2020
Merged

Add new local Gateway sharing same deployment as ingress Gateway. #237

merged 1 commit into from
Aug 26, 2020

Conversation

JRBANCEL
Copy link
Contributor

Related to #212.

The idea is to create a new Gateway named knative-local-gateway (more consistent with knative-ingress-gateway than cluster-local-gateway). This Gateway binds to the same Envoy Pods as the Istio ingress Gateway, but on a different port (8081 because 8080 is already used by Istio). There is a corresponding Kubernetes Service mapping named knative-local-gateway living in knative-serving (cleaner than cluster-local-gateway living in istio-system) mapping port 80 to port 8081.
knative-local-gateway is added to the default Istio Gateways, this way the VirtualServices of local Knative Services bind to it (i.e. ready to serve traffic), but because the KIngress status uses the first local Gateway in its status, the Services of type ExternalName still point to cluster-local-gateway (and it is not accessible to external requests since 8081 is not exposed through the LoadBalancer Service).

Effectively, this is a no-op, but in the next release we can remove reference to cluster-local-gateway in default config-istio and there will be no traffic interruption and the requests will flow to knative-local-gateway.

After that, everything related to cluster-local-gateway can be safely removed, including the Deployment, which is the end goal here.

/hold
/assign @tcnghia
/assign @ZhiminXiang
Let me know what you think.

@knative-prow-robot knative-prow-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 21, 2020
@googlebot googlebot added the cla: yes Indicates the PR's author has signed the CLA. label Aug 21, 2020
@knative-prow-robot knative-prow-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Aug 21, 2020
@JRBANCEL
Copy link
Contributor Author

/assign @nak3

@JRBANCEL
Copy link
Contributor Author

I am looking into the test failure.
/retest

@JRBANCEL
Copy link
Contributor Author

I need more data.
/retest

@tcnghia
Copy link
Contributor

tcnghia commented Aug 21, 2020

pull-knative-sandbox-net-istio-latest is a lot flakier than pull-knative-sandbox-integration-test because it is using istio-1.5+istioctl. As long as the flakes aren't new you can ignore them. (Majority of these flakes are in visibility/path tests).

I am root-causing these new flakes (they also affect istio-1.5 + helm - but a little bit less), in the mean time apologies for the noises.

@tcnghia
Copy link
Contributor

tcnghia commented Aug 21, 2020

@JRBANCEL does the istio-ingressgateway Deployment has this port open by default, or do we need to change the Deployment when setting up Istio to have this port? Thanks

@JRBANCEL
Copy link
Contributor Author

@JRBANCEL does the istio-ingressgateway Deployment has this port open by default, or do we need to change the Deployment when setting up Istio to have this port? Thanks

The Service selecting the Deployment Pods has port 80 and port 443 open to allow external traffic.
See https://github.com/knative-sandbox/net-istio/blob/master/third_party/istio-1.5.7-helm/istio-ci-no-mesh.yaml#L774.

We specifically don't want that port (8081) to be open, because then cluster local Knative Services would be accessible from outside.

@tcnghia
Copy link
Contributor

tcnghia commented Aug 21, 2020

Yes, this migration plan sounds good to me.

@ZhiminXiang
Copy link

This plan sounds good to me.

Now the envoy pods will have the configurations of both public Ingress and cluster-local Ingress. I think envoy should have the mechanism to isolate the public config and cluster-local config. But we may still want to double check that users cannot access cluster-local ingress from outside of the cluster just in case.

@tcnghia
Copy link
Contributor

tcnghia commented Aug 22, 2020

You may want to add a RELEASE NOTE section in the PR description to make it easier to remember to include in release notes / announcements.

Otherwise
/lgtm

@knative-prow-robot knative-prow-robot added the lgtm Indicates that a PR is ready to be merged. label Aug 22, 2020
@JRBANCEL
Copy link
Contributor Author

But we may still want to double check that users cannot access cluster-local ingress from outside of the cluster just in case.

Yes, I tested that. Since the cluster local Gateway is on a port that is not exposed internally, it can't be accessed.
Either you hit <PUBLIC_IP>:8081 and you can't connect, or you hit <PUBLIC_IP>:80 and it goes to the public Gateway and you get a 404 for a cluster local service.

@ZhiminXiang
Copy link

/lgtm

@ZhiminXiang
Copy link

/approve

@knative-prow-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: JRBANCEL, ZhiminXiang

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [JRBANCEL,ZhiminXiang]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@knative-prow-robot knative-prow-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 25, 2020
@tcnghia
Copy link
Contributor

tcnghia commented Aug 25, 2020

@JRBANCEL is this ready for /unhold?

@tcnghia
Copy link
Contributor

tcnghia commented Aug 25, 2020

Also I assigned you knative/serving#6269 since I thought it would be related to this work.

@JRBANCEL
Copy link
Contributor Author

/hold cancel

@knative-prow-robot knative-prow-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 26, 2020
@knative-prow-robot knative-prow-robot merged commit 8b5fec1 into knative-extensions:master Aug 26, 2020
@mpetason mpetason mentioned this pull request Oct 2, 2020
Merged
mattmoor
mattmoor reviewed Oct 21, 2020
View reviewed changes
pkg/reconciler/ingress/config/istio.go
}, {
Namespace: system.Namespace(),
Name: KnativeLocalGateway,
ServiceURL: fmt.Sprintf(KnativeLocalGateway+".knative-serving.svc.%s",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be using system.Namespace()

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In fact, we have a helper for synthesizing service hostnames that this should be using too in place of GetClusterDomainName()

@JRBANCEL JRBANCEL mentioned this pull request Oct 28, 2020
Merged
@JRBANCEL JRBANCEL mentioned this pull request Nov 12, 2020
Merged
@lsuanet lsuanet mentioned this pull request Jun 17, 2021
Closed
@pvaneck pvaneck mentioned this pull request Jun 23, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mattmoor mattmoor mattmoor left review comments

@evankanderson evankanderson Awaiting requested review from evankanderson

@nak3 nak3 Awaiting requested review from nak3

Assignees

@tcnghia tcnghia

@nak3 nak3

@ZhiminXiang ZhiminXiang

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cla: yes Indicates the PR's author has signed the CLA. lgtm Indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@JRBANCEL @tcnghia @ZhiminXiang @knative-prow-robot @mattmoor @nak3 @googlebot