gateway
gateway copied to clipboard
envoyproxy
Support routing to Service Cluster IP
two ways to solve this
- add a field within
EnvoyProxycalleddisableEndpointRouting/enableClusterIPRoutingwhich allows us to fallback to routing using Service Cluster IP - incorporate this into the load balancing API
chatted with @kflynn the other day about this and we both feel adding it in the load balancing API is more suitable
- if we added it another API, userX may enable
serviceIPat theEnvoyProxylevel, user Y may set the LB Policy and then wonder why the LB policy isn't working. Adding it inside the LB Policy forces the user to be aware of the lb & routing decision to endpoints
I am +1 on load balancing api, if we set this in EnvoyProxy, IMHO, this is on GC level and working for all managed Gateways, but if people just want this to work in specific Gateways, a Policy is more suitable.
This issue has been automatically marked as stale because it has not had activity in the last 30 days.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
this new ClusterIP load balancing type should live in https://github.com/envoyproxy/gateway/blob/main/api/v1alpha1/loadbalancer_types.go
Hi @arkodg, i think this use case can be achieved by adding a fallbackToClusterIP field
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
namespace: default
name: policy-for-route1
spec:
targetRef:
group: gateway.networking.k8s.io
kind: HTTPRoute
name: httproute-1
namespace: default
loadBalancer:
type: LeastRequest
slowStart:
window: 300s
fallbackToClusterIP: true # Enables fallback to service's cluster IP
Turns out that to get Envoy Gateway working well with Linkerd, we either need this or we need an l5d-dst-override header to be added to the request, so I would definitely like this. š
I'd personally vote for routingType: service or routingType: endpoint, but I'm good with @arkodg's type suggestion.
I like @kflynn's suggestion of a dedicated field routingType, if we take this approach, we'll have to use CEL to disable loadBalancing if routingType: Service
- we discussed this in the community meeting today, most were in favor of this field living in the
BackendTrafficPolicythanks for volunteering to pick this up @kflynn, temporarily assigning this to you for now here's a link to help you get started https://github.com/envoyproxy/gateway/blob/2a38de6067d421026994b8cbea202e399e68c98e/internal/gatewayapi/route.go#L1074 (you'll need to override the globalEndpointRoutingDisabledfield)
rethinking this one, if the field lives in BackendTrafficPolicy, then it won't apply to other backendRefs in other places, e.g. ext_auth in SecurityPolicy, or ext_proc in EnvoyExtensionPolicy or openTelemetry sinks in EnvoyProxy .
we may want to move this field into EnvoyProxy
cc @zhaohuabing @guydc
I guess this depends on do we need per-service configuration for the choice of cluster IP vs pod IP?
one reason to select Service routing is for mesh case (sidecar beside gateway) to work seamlessly, so it will work for the xRoute backends (with sidecars ) but not if the ext auth / ext proc / Otel (have sidecars ) because it won't get intercepted properly in the gateway sidecar
This issue has been automatically marked as stale because it has not had activity in the last 30 days.
Any progress on this? Iām looking to deploy EG alongside an Istio mesh and from what Iām hearing here and in the related ticket, I would need this feature to make it work?
@kflynn by setting the routingType: service would we lose the observability into each endpoint in the /clusters config & metrics and only display the ClusterIP?
@arkodg discussed the possibility of running an idle linkerd proxy sidecar on the gateway which would handle mTLS, but then it seems like we'd lose Linkerd multi-cluster service discovery.
@kflynn by setting the routingType: service would we lose the observability into each endpoint in the /clusters config & metrics and only display the ClusterIP?
I think if service-mesh is being used, the metrics are likely going to be more useful from the mesh than from the ingress, because the mesh will handle service -> service as well as envoy -> service in the same format and namespace..
I think @lnattrass has the right of it ā part of the point of the mesh is that it should be handling both metrics and routing for you in this case.
@arkodg I'd still like to, yes! so here's a question for you. There already is an EndpointRoutingDisabled field in the Translator; do we think that works as a global switch? or is a leftover untested vestigial thing? š
@arkodg I'd still like to, yes! so here's a question for you. There already is an
EndpointRoutingDisabledfield in theTranslator; do we think that works as a global switch? or is a leftover untested vestigial thing? š
@kflynn this should work as expected, the gatewayapi test should prove this easily, if the flag is set, the clusterIP will get set it in the IR
@lnattrass we're not necessarily interested in Linkerd for routing on our ingress, but more so for cross-cluster service discovery and mTLS. So we'd prefer to keep the load balancing capabilities and metrics as close to our proxy as possible. In the past the CPU requirements of running 4k RPS+ on an ingress pod with linkerd over doubles our usage and since we've always used headless services we haven't relied on Linkerd's load balancing.
I suppose this is more of a niche use-case, but it does limit us on implementing multi-cluster Linkerd.
@kflynn would Linkerd be open to mirroring EndpointSlices as well or is it out of scope? I could open an issue (and potentially work on it) if you think it's worth considering
Hi @kflynn I'm sorry to take this over from you, but we internally needed a fix earlier :) feel free to check out and comment my PR, though!
@evacchi No apology needed! as you can see, I've been pulled onto other things, thank you for making this happen!! š