Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support Gateway API extensions (output providers) #125

Open
arkodg opened this issue Jan 16, 2024 · 16 comments · Fixed by #188
Open

Support Gateway API extensions (output providers) #125

arkodg opened this issue Jan 16, 2024 · 16 comments · Fixed by #188
Assignees
Labels
kind/feature Categorizes issue or PR as related to a new feature. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments

@arkodg
Copy link

arkodg commented Jan 16, 2024

What would you like to be added:

Add the ability to translate provider specific APIs into implementation specific Gateway API extensions (output providers) for fields not currently supported in the Gateway API

Why this is needed:
Adding ability to translate all input provider specific intent without losing any functionality
For e.g. the current ingress-nginx translation only translates a subset of the API (annotations) https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#annotations
Without this feature, its unlikely that the user will migrate to Gateway API until all the input provider features are supported in the Gateway API APIs
If this tool supports the notion of output providers, the input API could be translated to various implementation specific Gateway API extensions

@arkodg arkodg added the kind/feature Categorizes issue or PR as related to a new feature. label Jan 16, 2024
@mlavacca
Copy link
Member

mlavacca commented Feb 1, 2024

Hi @arkodg , thanks for creating this issue! It looks reasonable to me 👍

@arkodg
Copy link
Author

arkodg commented Feb 1, 2024

cool, I think istio is a good one to start off with and a use case would be to translate existing Istio resources in native istio type to Gateway API + Gateway API extensions defined in istio
we probably need an explicit flag ( e.g. --out-provider=istio) to opt into this
does this sgty @LiorLieberman @howardjohn ?

@LiorLieberman
Copy link
Member

Thanks @arkodg.
Can you provide a bit more details?
Like maybe the full example you had in mind for a real scenario where a native Istio resource is translated to GW API resource Plus Extension?

Also I did not fully understand what --out-provider should represent?

@arkodg
Copy link
Author

arkodg commented Feb 12, 2024

@LiorLieberman here's an example for Istio

Input

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: my-gateway
  namespace: test
spec:
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - test.com
  - port:
      number: 443
      protocol: HTTPS
    hosts:
    - "bookinfo/*.bookinfo.com"
    -  "*"
    tls:
      httpsRedirect: true
      mode: SIMPLE
      # all following tls related fields are ignored as there's no direct mapping to the k8s gateway api
      serverCertificate: /etc/certs/servercert.pem
      privateKey: /etc/certs/privatekey.pem
      credentialName: bookinfo-secret
      caCertificates: /etc/certs/caCertificates
      subjectAltNames: ["v1"]
      verifyCertificateSpki: ["v1"]
      verifyCertificateHash: ["v1"]
      minProtocolVersion: TLSV1_0
      maxProtocolVersion: TLSV1_3
      cipherSuites: ["v1"]
    bind: 1.2.3.4 # is ignored
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: allow-nothing
 namespace: test
spec:
 selector:
   matchLabels:
     app: istio-ingressgateway
     istio: ingressgateway   

Output

piVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: my-gateway
  namespace: test
spec:
  gatewayClassName: istio
  listeners:
  - name: https-protocol-bookinfo-ns-wildcard.bookinfo.com
    hostname: "*.bookinfo.com"
    port: 443
    protocol: HTTPS
    tls:
      mode: Terminate
 ---
 apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: allow-nothing
 namespace: test
spec:
  targetRef:
    kind: Gateway
    group: gateway.networking.k8s.io
    name:  my-gateway  

@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 12, 2024
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jun 11, 2024
@mlavacca
Copy link
Member

@LiorLieberman here's an example for Istio

Input

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: my-gateway
  namespace: test
spec:
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - test.com
  - port:
      number: 443
      protocol: HTTPS
    hosts:
    - "bookinfo/*.bookinfo.com"
    -  "*"
    tls:
      httpsRedirect: true
      mode: SIMPLE
      # all following tls related fields are ignored as there's no direct mapping to the k8s gateway api
      serverCertificate: /etc/certs/servercert.pem
      privateKey: /etc/certs/privatekey.pem
      credentialName: bookinfo-secret
      caCertificates: /etc/certs/caCertificates
      subjectAltNames: ["v1"]
      verifyCertificateSpki: ["v1"]
      verifyCertificateHash: ["v1"]
      minProtocolVersion: TLSV1_0
      maxProtocolVersion: TLSV1_3
      cipherSuites: ["v1"]
    bind: 1.2.3.4 # is ignored
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: allow-nothing
 namespace: test
spec:
 selector:
   matchLabels:
     app: istio-ingressgateway
     istio: ingressgateway   

Output

piVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: my-gateway
  namespace: test
spec:
  gatewayClassName: istio
  listeners:
  - name: https-protocol-bookinfo-ns-wildcard.bookinfo.com
    hostname: "*.bookinfo.com"
    port: 443
    protocol: HTTPS
    tls:
      mode: Terminate
 ---
 apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: allow-nothing
 namespace: test
spec:
  targetRef:
    kind: Gateway
    group: gateway.networking.k8s.io
    name:  my-gateway  

I think this use case can be addressed by #78, but only when reading from files. With it, it will be possible to output all the input resources that do not belong to the set of converted resources. When it comes to reading resources from a cluster, that flag cannot be used as it is now in the PR.

@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue with /reopen
  • Mark this issue as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

@k8s-ci-robot
Copy link
Contributor

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue with /reopen
  • Mark this issue as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot closed this as not planned Won't fix, can't repro, duplicate, stale Jul 13, 2024
@LiorLieberman
Copy link
Member

/reopen

@k8s-ci-robot
Copy link
Contributor

@LiorLieberman: Reopened this issue.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot reopened this Jul 24, 2024
@LiorLieberman
Copy link
Member

/assign @sawsa307

@sawsa307
Copy link
Contributor

/remove-lifecycle rotten

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Aug 21, 2024
@LiorLieberman
Copy link
Member

@sawsa307 as discussed before, support for input and output providers is necessary to close this issue.

@LiorLieberman LiorLieberman reopened this Sep 11, 2024
@sawsa307
Copy link
Contributor

Yes I think #188 merge automatically triggered this since it said Fixes #125, I'll use a different description next time to tag this issue.

@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/feature Categorizes issue or PR as related to a new feature. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.
Projects
None yet
6 participants