DO NOT MERGE: initial v1.4.0 feedback #4042
Conversation
…s#3729) * add mesh confomance tests structure and first test * move mesh tests to mesh folder
kubernetes-sigs#3777) * add redirect-port and redirect scheme mesh tests * mesh tests for path host and status redirect
Signed-off-by: Norwin Schnyder <norwin.schnyder+github@gmail.com>
* Add conformance report for Contour 1.31.0 Supports gateway API 1.2.1 Signed-off-by: Sunjay Bhatia <sunjay.bhatia@broadcom.com> * update implementations.md Signed-off-by: Sunjay Bhatia <sunjay.bhatia@broadcom.com> --------- Signed-off-by: Sunjay Bhatia <sunjay.bhatia@broadcom.com>
…3781) * add csm mesh to implementations.md * fix * fix1 * Update implementations.md Co-authored-by: Rob Scott <rob.scott87@gmail.com> --------- Co-authored-by: Rob Scott <rob.scott87@gmail.com>
…igs#3564) Add feature name processing to remove redundant prefixes and improve readability in conformance comparison tables. Changes include: - Remove "HTTPRoute" and "Gateway" prefixes from feature names - Split camelCase words into space-separated words - Add process_feature_name() function for consistent text processing - Update generate_profiles_report() to use processed feature names This makes the conformance reports easier to read
Signed-off-by: bitliu <bitliu@tencent.com>
The report is generated by Cilium GHA CI https://github.com/cilium/cilium/actions/runs/15111523465 Signed-off-by: Tam Mach <sayboras@yahoo.com>
…igs#3809) * conformance: Add Airlock Microgateway report for v1.3.0 Signed-off-by: Norwin Schnyder <norwin.schnyder+github@gmail.com> * add trailing new lines Signed-off-by: Norwin Schnyder <norwin.schnyder+github@gmail.com> --------- Signed-off-by: Norwin Schnyder <norwin.schnyder+github@gmail.com>
…#3811) Signed-off-by: Norwin Schnyder <norwin.schnyder+github@gmail.com>
* conformance: add Hook in ConformanceTestSuite * update comment Signed-off-by: zirain <zirain2009@gmail.com> * add Hook in ConformanceOptions Signed-off-by: zirain <zirain2009@gmail.com> --------- Signed-off-by: zirain <zirain2009@gmail.com>
* add mesh conformance for request header modifier * address feedback
* docs: Add v1.3 conformance report table Signed-off-by: Norwin Schnyder <norwin.schnyder+github@gmail.com> * Automatically update conformance table files Signed-off-by: Norwin Schnyder <norwin.schnyder+github@gmail.com> --------- Signed-off-by: Norwin Schnyder <norwin.schnyder+github@gmail.com>
Signed-off-by: Shane Utt <shaneutt@linux.com>
…-sigs#3827) * add httproute weights mesh conformance tests * gofmt
…#2712) * draft dns configuration for gateway API GEP-2627 minor tweaks Update geps/gep-2627/index.md Co-authored-by: Candace Holman <candita@users.noreply.github.com> Update geps/gep-2627/index.md Co-authored-by: Candace Holman <candita@users.noreply.github.com> Update geps/gep-2627/index.md Co-authored-by: Candace Holman <candita@users.noreply.github.com> * changes post review * rewording * Update geps/gep-2627/index.md Co-authored-by: Nick Young <inocuo@gmail.com> * Update geps/gep-2627/index.md Co-authored-by: Nick Young <inocuo@gmail.com> * Update geps/gep-2627/index.md Co-authored-by: Nick Young <inocuo@gmail.com> * Update geps/gep-2627/index.md Co-authored-by: Nick Young <inocuo@gmail.com> * Update geps/gep-2627/index.md Co-authored-by: Shane Utt <shane@shaneutt.com> * Update geps/gep-2627/index.md Co-authored-by: Shane Utt <shane@shaneutt.com> * Update geps/gep-2627/index.md Co-authored-by: Shane Utt <shane@shaneutt.com> * Update geps/gep-2627/index.md Co-authored-by: Shane Utt <shane@shaneutt.com> * Update geps/gep-2627/index.md Co-authored-by: Shane Utt <shane@shaneutt.com> * Update geps/gep-2627/index.md Co-authored-by: Shane Utt <shane@shaneutt.com> * Update geps/gep-2627/index.md Co-authored-by: Shane Utt <shane@shaneutt.com> * Update geps/gep-2627/index.md Co-authored-by: Shane Utt <shane@shaneutt.com> * minor tweaks to the text and link to kuadrant as an example of a DNSPolicy type API * fix new line * move kuadrant to a reference --------- Co-authored-by: Candace Holman <candita@users.noreply.github.com> Co-authored-by: Nick Young <inocuo@gmail.com> Co-authored-by: Shane Utt <shane@shaneutt.com>
Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
* Kubevernor conformance report * Adding Kubvernor section to implementations section
Adding conformance report for the v2.0 NGINX Gateway Fabric release. Now supporting Gateway API v1.3.
* Update naming * fix failures
shaneutt
added
the
do-not-merge
|
Skipping CI for Draft Pull Request. |
|
Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
do-not-merge/work-in-progress
|
Keywords which can automatically close issues and at(@) or hashtag(#) mentions are not allowed in commit messages. The list of commits with invalid commit messages:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: shaneutt The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
approved
shaneutt
requested review from
robscott,
youngnick,
mlavacca,
danwinship,
aojea and
bowei
and removed request for
howardjohn and
LiorLieberman
| // +kubebuilder:validation:Minimum=1 | ||
| // +kubebuilder:validation:Maximum=65535 | ||
| // <gateway:experimental> | ||
| Port PortNumber `json:"port"` |
There was a problem hiding this comment.
we had this questions in the review of GIE, right now everything is HTTP1 and HTTP2 that are TCP , but eventually we'll get to http3 that is UDP :/ and this will require to discriminate by port ... and then the key need to be Port+proto ... just commenting
There was a problem hiding this comment.
Handling HTTP3 correctly will require a lot of changes , I guess we should add this to the pile. Thanks!
| // FrontendTLSConfig specifies frontend tls configuration for gateway. | ||
| type FrontendTLSConfig struct { | ||
| // Default specifies the default client certificate validation configuration | ||
| // for all Listeners handling HTTPS traffic, unless a per-port configuration |
There was a problem hiding this comment.
just for my understanding, this field is required, so the unless a per-port configuration means if a Port configuration exists it overrides the default, but is not that this is a kind of oneOf API, you always need to define a default?
There was a problem hiding this comment.
Good question, I don't think we defined what happens if you don't set a default and do set a per-port config. We either need to say you can't do that, or define what happens when you do.
There was a problem hiding this comment.
@aojea yes :)
After all review rounds we agreeded that per port override rules might be confusing. Therefore, a default option is required and will apply to all Listeners with HTTPS protocol. If someone needs to divers frontend TLS config then it can be overridden for a specific port if needed.
| // | ||
| // References to a resource in a different namespace are invalid UNLESS there | ||
| // is a ReferenceGrant in the target namespace that allows the certificate | ||
| // to be attached. If a ReferenceGrant does not allow this reference, the | ||
| // "ResolvedRefs" condition MUST be set to False for this listener with the | ||
| // "RefNotPermitted" reason. | ||
| // | ||
| // +required | ||
| // +listType=atomic |
There was a problem hiding this comment.
TIL default is atomic kubernetes/kubernetes#121759 , I'm educating myself here, is that right @thockin ?
There was a problem hiding this comment.
Yep - kube-api-linter is requiring us to specify in all cases, even though this is the default. It's easy to forget to set this and accidentally end up with atomic, so I think this is a net positive.
There was a problem hiding this comment.
yeah, explicit > implicit :)
| // if relevant.) | ||
| // | ||
| // </gateway:util:excludeFromCRD> | ||
| // | ||
| // +listType=map | ||
| // +listMapKey=type | ||
| // +kubebuilder:validation:MaxItems=8 |
There was a problem hiding this comment.
question, I see in some places you require one item
gateway-api/apis/v1/shared_types.go
Lines 510 to 515 in 8ec8a83
is this allowed to have empty or you always want to have at least 1?
// +kubebuilder:validation:MinItems=1
| // If this list is empty, then the following headers must be sent: | ||
| // | ||
| // - `Authorization` | ||
| // - `Location` | ||
| // - `Proxy-Authenticate` | ||
| // - `Set-Cookie` | ||
| // - `WWW-Authenticate` | ||
| // | ||
| // If the list has entries, only those entries must be sent. |
There was a problem hiding this comment.
why not default the list to these if empty?
There was a problem hiding this comment.
This brings up, to me, an ambiguity in the spec.
If the list is empty, does the proxy need to send exactly these 5 headers and nothing else? Or at least these 5, and the rest is implementation specific?
If the former, how can I say "send all headers", which is (IIUC) the most common usage with grpc?
If the latter, why not just default to all headers?
There was a problem hiding this comment.
I based this on the protos at https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_authz/v3/ext_authz.proto#envoy-v3-api-msg-extensions-filters-http-ext-authz-v3-extauthz, but on rereading, them, I've made a mistake.
The gRPC header config should be as @howardjohn says - if unspecified or empty, then all headers should be sent. Those five headers are relevant for the HTTP external servers, not the gRPC one.
I'll make a PR to fix this.
There was a problem hiding this comment.
Hmm, actually, looking back, @kflynn asked for this list to be included (in #3884 (comment)), so I think that he should have the chance to respond here.
There was a problem hiding this comment.
Looking back over my comments and rereading, I'm pretty sure that I was unclear in my original comment. It's critical that HTTP not send all headers, ever. For gRPC, the implementations I know of just send all the headers because it's safe to do so.
Sorry for the confusion and thanks for doublechecking, @youngnick!
There was a problem hiding this comment.
Just to fully close the loop on this and be explicit -- I agree with Flynn that HTTP=subset, gRPC=all is the correct default here.
There was a problem hiding this comment.
Okay, great, I will make a PR to change this today.
There was a problem hiding this comment.
Opened #4061 with changes.
This is a PR to gather some early initial feedback on the upcoming changes for #3756. It should not be merged.