gateway icon indicating copy to clipboard operation
gateway copied to clipboard

Published 20 hours ago verified publisher icon envoyproxy

Support attachment of policies to multiple Gateways

Open guydc opened this issue 1 year ago • 8 comments
trafficstars

Description: Gateway operators may want to attach common policies to a group of gateways. Currently, duplicated instances of a policy need to be created and attached to each Gateway to achieve this. This can lead to significant configuration duplication, especially when many virtual gateways are merged to a single envoy deployment.

EnvoyPatchPolicy introduced a concept of GatewayClass-atttached policies for the merge gateways scenario.

This form of attachment can be extended to other policies like ClientTrafficPolicy, BackendTrafficPolicy, SecurityPolicy, EnvoyExtensionPolicy and BackendTLSPolicy.

guydc avatar Mar 23 '24 12:03 guydc

Im a -1 on this

2 ways to apply policies (Gateway, Route) is sufficient to solve most cases, 3 ways makes the concepts of defaults, overrides and merges very complicated to comprehend for the user and compute for the translator

  • For EnvoyPatchPolicy we only allow attaching to the GatewayClass if mergeGateways is set

arkodg avatar Mar 26 '24 10:03 arkodg

im a +1 for pluralizing targetRefs so multiple Gateways can be targeted , would ideally like to get guidance on this from upstream before implementing this, this is something we can time box

arkodg avatar Mar 26 '24 10:03 arkodg

im a +1 for pluralizing targetRefs so multiple Gateways can be targeted , would ideally like to get guidance on this from upstream before implementing this, this is something we can time box

Yes, that can also work pretty well, as long as selectors are supported, and users don't have to maintain an explicit gateway list.

guydc avatar Mar 26 '24 16:03 guydc

cc @AliceProxy who was a big +1 for ^

arkodg avatar Mar 26 '24 16:03 arkodg

+1 on pluralizing targetRefs, this would also be useful for targeting multiple HTTPRoutes via the same BackendTrafficPolicy for example where groups of routes may require different timeouts or circuit breaker settings from the defaults on the Gateway

davidalger avatar Apr 02 '24 23:04 davidalger

related discussion in upstream https://github.com/kubernetes-sigs/gateway-api/pull/2966#discussion_r1565161217

arkodg avatar Apr 15 '24 05:04 arkodg

Gateway API v1.1.0-rc1 was released yesterday. It includes "the targetRef field is now a targetRefs list and these references no longer include a namespace field", which is good. However, it seems to be done only for the BackendTLSPolicy and to be implemented as a list of targetRef.

It would be great to see it applied to the Direct Policy Attachment in general and as a choice between targetRef and selector

sadovnikov avatar Apr 25 '24 14:04 sadovnikov

The decision that needs to be made here is two fold

  1. What does targeting multiple resources look like - is it similar to the upstream recommendation of using targetRefs or should Envoy Gateway adopt another way to target multiple resources
  2. should the current way to target a single resource using targetRef be deprecated (not removed) or deprecated and removed in a future release ?

arkodg avatar May 07 '24 22:05 arkodg

This issue has been automatically marked as stale because it has not had activity in the last 30 days.

github-actions[bot] avatar Jun 07 '24 00:06 github-actions[bot]

unassigning myself, I won't have cycles to work on this issue for v1.1, if anyone else wants to drive this, please go ahead

arkodg avatar Jun 07 '24 00:06 arkodg

The decision that needs to be made here is two fold

  1. What does targeting multiple resources look like - is it similar to the upstream recommendation of using targetRefs or should Envoy Gateway adopt another way to target multiple resources
  2. should the current way to target a single resource using targetRef be deprecated (not removed) or deprecated and removed in a future release ?

What was the decision that was reached?

liorokman avatar Jun 09 '24 10:06 liorokman

thanks for picking this one up @liorokman reg 1. - requires a little more brainstorming - should we start off with targetRefs or also support label based targets , this affects the top level API field we introduce reg 2. there was consensus in keeping the existing targetRef field for now

arkodg avatar Jun 10 '24 18:06 arkodg

reg 1. - requires a little more brainstorming - should we start off with targetRefs or also support label based targets , this > affects the top level API field we introduce

I've started implementing with targetRefs in addition to the existing targetRef for now. You can take a look at the attached PR to get some idea of how it would be - I've already done BackendTrafficPolicy and ClientTrafficPolicy.

reg 2. there was consensus in keeping the existing targetRef field for now

100% agree.

liorokman avatar Jun 10 '24 18:06 liorokman

@liorokman with targetRefs, attaching to 10-20 should be fine, then it may become tedious. So if we do decide to support the case of attaching to 100 Gateways, will that field we part of PolicyReferences as a member field e.g. targetSelector ?

arkodg avatar Jun 10 '24 21:06 arkodg

Yes, I think that a target selector can definitely be a part of the PolicyReferences structure.

liorokman avatar Jun 11 '24 05:06 liorokman

I ended up implementing both the plural targetRefs and a targetSelector.

liorokman avatar Jun 11 '24 12:06 liorokman

@liorokman, thank you very much for #3581 👍
Watching #3607 now :)

sadovnikov avatar Jun 19 '24 08:06 sadovnikov