contour
With Gateway API enabled, why is adding 8000 to the Listener port number needed?
What question do you have?: From the site: https://projectcontour.io/docs/1.28/config/gateway-api/
To get from the Gateway Listener port to the port that Envoy will be configured to listen on, i.e. the container port:
- add 8000 to the Listener port number
- if the result is greater than 65535, subtract 65535
- if the result is less than or equal to 1023, add 1023.
Related code:

```go
func toContainerPort(listenerPort gatewayapi_v1beta1.PortNumber) int32 {
	// Add 8000 to the Listener port, wrapping around if needed,
	// and skipping over privileged ports 1-1023.
	containerPort := listenerPort + 8000
	if containerPort > 65535 {
		containerPort -= 65535
	}
	if containerPort <= 1023 {
		containerPort += 1023
	}
	return int32(containerPort)
}
```
Why is adding 8000 to the Listener port number needed? It looks like we can't let Envoy listen on port 80 that way. In my case, I need to let Envoy run with hostNetwork on port 80.
Environment:
- Contour version: 1.28.1
- Kubernetes version: (use `kubectl version`): 1.19.3
Hey @iamyeka! Thanks for opening your first issue. We appreciate your contribution and welcome you to our community! We are glad to have you here and to have your input on Contour. You can also join us on our mailing list and in our channel in the Kubernetes Slack Workspace
The desire was to not use privileged ports within the Envoy container so it didn't have to run as root/with any elevated privileges. Host networking is not currently supported via the Gateway provisioner; you would need to use custom YAML for that.
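The mapping quoted in the question, and the reason given above for it (keeping Envoy off privileged ports), can be checked mechanically. The following Go program is an added example, not part of the original thread or of Contour's code: `auditListeners` is a hypothetical helper, `int32` stands in for `gatewayapi_v1beta1.PortNumber`, and the sample ports are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// toContainerPort follows the rule quoted in the issue. int32 stands in for
// gatewayapi_v1beta1.PortNumber so the example builds without dependencies.
func toContainerPort(listenerPort int32) int32 {
	containerPort := listenerPort + 8000
	if containerPort > 65535 {
		containerPort -= 65535
	}
	if containerPort <= 1023 {
		containerPort += 1023
	}
	return containerPort
}

// auditListeners (hypothetical helper, not part of Contour) returns the
// Listener ports that would land on 1-1023 and, per container port, the
// Listener ports that share it.
func auditListeners(ports []int32) (privileged []int32, collisions map[int32][]int32) {
	byContainer := map[int32][]int32{}
	for _, p := range ports {
		c := toContainerPort(p)
		if c <= 1023 {
			privileged = append(privileged, p)
		}
		byContainer[c] = append(byContainer[c], p)
	}
	collisions = map[int32][]int32{}
	for c, ls := range byContainer {
		if len(ls) > 1 {
			sort.Slice(ls, func(i, j int) bool { return ls[i] < ls[j] })
			collisions[c] = ls
		}
	}
	return privileged, collisions
}

func main() {
	// Constructed sample: two common ports and two that wrap past 65535.
	ports := []int32{80, 443, 57536, 58559}
	privileged, collisions := auditListeners(ports)
	fmt.Println(toContainerPort(80), toContainerPort(443), privileged, collisions)
}
```

Over the full Listener range 1-65535 the function never yields a port at or below 1023, which is what lets the Envoy container run without root or elevated privileges. It is not one-to-one near the wrap-around, though: Listener ports 57536 and 58559 both map to container port 1024.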
If I need to use privileged ports like 80 and 443 within the Envoy container and Gateway API at the same time, how would I be able to do that?
From the code below, it looks like 8000 will be added to the port as long as the Gateway instance exists. I've done some tests and can confirm that.

```go
func (p *ListenerProcessor) Run(dag *DAG, cache *KubernetesCache) {
	if cache.gateway != nil {
		dag.HasDynamicListeners = true
		for _, port := range gatewayapi.ValidateListeners(cache.gateway.Spec.Listeners).Ports {
			address := p.HTTPAddress
			if port.Protocol == "https" {
				address = p.HTTPSAddress
			}
			dag.Listeners[port.Name] = &Listener{
				Name:             port.Name,
				Protocol:         port.Protocol,
				Address:          address,
				Port:             int(port.ContainerPort),
				EnableWebsockets: true,
				vhostsByName:     map[string]*VirtualHost{},
				svhostsByName:    map[string]*SecureVirtualHost{},
			}
		}
	} else {
		dag.Listeners[HTTP_LISTENER_NAME] = &Listener{
			Name:            HTTP_LISTENER_NAME,
			Protocol:        "http",
			Address:         p.HTTPAddress,
			Port:            intOrDefault(p.HTTPPort, 8080),
			RouteConfigName: "ingress_http",
			vhostsByName:    map[string]*VirtualHost{},
		}
		dag.Listeners[HTTPS_LISTENER_NAME] = &Listener{
			Name:                        HTTPS_LISTENER_NAME,
			Protocol:                    "https",
			Address:                     p.HTTPSAddress,
			Port:                        intOrDefault(p.HTTPSPort, 8443),
			RouteConfigName:             "https",
			FallbackCertRouteConfigName: "ingress_fallbackcert",
			svhostsByName:               map[string]*SecureVirtualHost{},
		}
	}
}
```

The Contour project currently lacks enough contributors to adequately respond to all Issues.
This bot triages Issues according to the following rules:
- After 60d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, the Issue is closed
You can:
- Mark this Issue as fresh by commenting
- Close this Issue
- Offer to help out with triage
Please send feedback to the #contour channel in the Kubernetes Slack