From 36555d68277d02042ab6d030ee042113a066b558 Mon Sep 17 00:00:00 2001 From: Dave Protasowski Date: Fri, 31 May 2024 16:24:51 -0400 Subject: [PATCH 01/12] add envoy gateway --- hack/test-env.sh | 3 ++ test/e2e-common.sh | 40 ++++++++++++++++++---- third_party/envoy-gateway/external.yaml | 27 +++++++++++++++ third_party/envoy-gateway/internal.yaml | 44 +++++++++++++++++++++++++ 4 files changed, 108 insertions(+), 6 deletions(-) create mode 100644 third_party/envoy-gateway/external.yaml create mode 100644 third_party/envoy-gateway/internal.yaml diff --git a/hack/test-env.sh b/hack/test-env.sh index 28eb799ad..3f3de3455 100755 --- a/hack/test-env.sh +++ b/hack/test-env.sh @@ -19,3 +19,6 @@ export ISTIO_VERSION="1.22.0" export ISTIO_UNSUPPORTED_E2E_TESTS="retry,httpoption" export CONTOUR_VERSION="v1.29.0" export CONTOUR_UNSUPPORTED_E2E_TESTS="httpoption" + +export ENVOY_GATEWAY_VERSION="latest" +export ENVOY_GATEWAY_UNSUPPORTED_E2E_TESTS="httpoption" diff --git a/test/e2e-common.sh b/test/e2e-common.sh index c3b2c7357..3dc974642 100755 --- a/test/e2e-common.sh +++ b/test/e2e-common.sh @@ -53,6 +53,14 @@ function parse_flags() { readonly UNSUPPORTED_E2E_TESTS="${CONTOUR_UNSUPPORTED_E2E_TESTS}" return 1 ;; + --envoy-gateway) + readonly INGRESS=envoy-gateway + readonly GATEWAY_OVERRIDE= + readonly GATEWAY_NAMESPACE_OVERRIDE= + readonly GATEWAY_CLASS=eg-external + readonly UNSUPPORTED_E2E_TESTS="${ENVOY_GATEWAY_UNSUPPORTED_E2E_TESTS}" + return 1 + ;; --kind) readonly KIND=1 return 1 @@ -106,6 +114,8 @@ function setup_networking() { if [[ "${INGRESS}" == "contour" ]]; then setup_contour + elif [[ "${INGRESS}" == "envoy-gateway" ]]; then + setup_envoy_gateway else setup_istio fi 
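Review bot: `ENVOY_GATEWAY_VERSION="latest"` in hack/test-env.sh is a moving tag, unlike the pinned `ISTIO_VERSION` and `CONTOUR_VERSION` next to it. `setup_envoy_gateway` and `teardown_envoy_gateway` in test/e2e-common.sh splice it unquoted into a release URL passed to `kubectl apply --server-side -f` and `kubectl delete -f`. Each CI run therefore installs whatever manifest is published at that moment, cluster-wide, and teardown can fetch a different manifest than setup applied. PATCH 10/12 of this series already had to change the EnvoyProxy manifests "to work with latest". Pin a released tag, `export ENVOY_GATEWAY_VERSION="<pinned-release-tag>"`, and quote the URL argument in both functions.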
@@ -116,16 +126,22 @@ function teardown_networking() { kubectl delete -f "${REPO_ROOT_DIR}/third_party/gateway-api/gateway-api.yaml" if [[ "$INGRESS" == "contour" ]]; then - for file in ${CONTOUR_FILES[@]}; do - kubectl delete -f \ - "https://raw.githubusercontent.com/projectcontour/contour/${CONTOUR_VERSION}/${file}" - done + teardown_contour + elif [[ "${INGRESS}" == "envoy-gateway" ]]; then + teardown_envoy_gateway else - istioctl uninstall -y --purge - kubectl delete namespace istio-system + teardown_istio fi } +function setup_envoy_gateway() { + kubectl apply --server-side -f https://github.com/envoyproxy/gateway/releases/download/${ENVOY_GATEWAY_VERSION}/install.yaml +} + +function teardown_envoy_gateway() { + kubectl delete -f https://github.com/envoyproxy/gateway/releases/download/${ENVOY_GATEWAY_VERSION}/install.yaml +} + function setup_contour() { # Version is selected is in $REPO_ROOT/hack/test-env.sh for file in ${CONTOUR_FILES[@]}; do @@ -142,6 +158,18 @@ function setup_contour() { fi } +function teardown_contour() { + for file in ${CONTOUR_FILES[@]}; do + kubectl delete -f \ + "https://raw.githubusercontent.com/projectcontour/contour/${CONTOUR_VERSION}/${file}" + done +} + +function teardown_istio() { + istioctl uninstall -y --purge + kubectl delete namespace istio-system +} + function setup_istio() { # Version is selected by ISTIO_VERSION that's source in $REPO_ROOT/hack/test-env.sh curl -L https://istio.io/downloadIstio | sh - && \ diff --git a/third_party/envoy-gateway/external.yaml b/third_party/envoy-gateway/external.yaml new file mode 100644 index 000000000..ee821d643 --- /dev/null +++ b/third_party/envoy-gateway/external.yaml 
@@ -0,0 +1,27 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: eg-external
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+ name: eg-external
+spec:
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ name: eg-external
+ namespace: eg-external
+spec:
+ gatewayClassName: eg-external
+ listeners:
+ - name: http
+ port: 80
+ protocol: HTTP
+ allowedRoutes:
+ namespaces:
+ from: All
diff --git a/third_party/envoy-gateway/internal.yaml b/third_party/envoy-gateway/internal.yaml
new file mode 100644
index 000000000..d9b5d8f48
--- /dev/null
+++ b/third_party/envoy-gateway/internal.yaml
@@ -0,0 +1,44 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: eg-internal
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: EnvoyProxy
+metadata:
+ name: internal-config
+ namespace: eg-internal
+spec:
+ provider:
+ type: Kubernetes
+ kubernetes:
+ envoyService:
+ type: ClusterIP
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+ name: eg-internal
+spec:
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
+ parametersRef:
+ group: gateway.envoyproxy.io
+ kind: EnvoyProxy
+ name: internal-config
+ namespace: eg-internal
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ name: eg-internal
+ namespace: eg-internal
+spec:
+ gatewayClassName: eg-internal
+ listeners:
+ - name: http
+ port: 80
+ protocol: HTTP
+ allowedRoutes:
+ namespaces:
+ from: All
From 7e47dd26587bd02aa84788818f40493b995cd823 Mon Sep 17 00:00:00 2001
From: Dave Protasowski
Date: Fri, 31 May 2024 16:28:11 -0400
Subject: [PATCH 02/12] set gateway svc namespace
---
test/e2e-common.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/e2e-common.sh b/test/e2e-common.sh
index 3dc974642..f5737ec64 100755
--- a/test/e2e-common.sh
+++ b/test/e2e-common.sh
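Review bot: external.yaml has no header comment, so nothing tells a reader that this Gateway is a test fixture. It exposes a plain-HTTP listener on port 80 with `allowedRoutes.namespaces.from: All`, which lets a route in any namespace attach. A leading comment such as `# e2e test fixture: HTTP-only listener accepting routes from every namespace; not a production template.` would keep the manifest from being copied as-is. The same applies to the `eg-internal` Gateway in internal.yaml.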
@@ -56,7 +56,7 @@ function parse_flags() { --envoy-gateway) readonly INGRESS=envoy-gateway readonly GATEWAY_OVERRIDE= - readonly GATEWAY_NAMESPACE_OVERRIDE= + readonly GATEWAY_NAMESPACE_OVERRIDE=envoy-gateway-system readonly GATEWAY_CLASS=eg-external readonly UNSUPPORTED_E2E_TESTS="${ENVOY_GATEWAY_UNSUPPORTED_E2E_TESTS}" return 1 From 621c2ba1cf8e955e8f70e72d369eac90ea2a77dc Mon Sep 17 00:00:00 2001 From: Dave Protasowski Date: Fri, 31 May 2024 16:38:46 -0400 Subject: [PATCH 03/12] set the svc name of the gateway for testing reasons --- test/e2e-common.sh | 2 +- third_party/envoy-gateway/external.yaml | 21 +++++++++++++++++++++ third_party/envoy-gateway/internal.yaml | 12 ++++++++---- 3 files changed, 30 insertions(+), 5 deletions(-) diff --git a/test/e2e-common.sh b/test/e2e-common.sh index f5737ec64..5cb31129b 100755 --- a/test/e2e-common.sh +++ b/test/e2e-common.sh @@ -55,7 +55,7 @@ function parse_flags() { ;; --envoy-gateway) readonly INGRESS=envoy-gateway - readonly GATEWAY_OVERRIDE= + readonly GATEWAY_OVERRIDE=knative-external readonly GATEWAY_NAMESPACE_OVERRIDE=envoy-gateway-system readonly GATEWAY_CLASS=eg-external readonly UNSUPPORTED_E2E_TESTS="${ENVOY_GATEWAY_UNSUPPORTED_E2E_TESTS}" diff --git a/third_party/envoy-gateway/external.yaml b/third_party/envoy-gateway/external.yaml index ee821d643..496ba9a8a 100644 --- a/third_party/envoy-gateway/external.yaml +++ b/third_party/envoy-gateway/external.yaml 
@@ -4,12 +4,33 @@ kind: Namespace metadata: name: eg-external --- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: EnvoyProxy +metadata: + name: knative-external-config + namespace: envoy-gateway-system +spec: + provider: + type: Kubernetes + kubernetes: + envoyService: + type: ClusterIP + patch: + value: + metadata: + name: knative-external +--- apiVersion: gateway.networking.k8s.io/v1 kind: GatewayClass metadata: name: eg-external spec: controllerName: gateway.envoyproxy.io/gatewayclass-controller + parametersRef: + group: gateway.envoyproxy.io + kind: EnvoyProxy + name: knative-external-config + namespace: envoy-gateway-system --- apiVersion: gateway.networking.k8s.io/v1 kind: Gateway diff --git a/third_party/envoy-gateway/internal.yaml b/third_party/envoy-gateway/internal.yaml index d9b5d8f48..7438b5511 100644 --- a/third_party/envoy-gateway/internal.yaml +++ b/third_party/envoy-gateway/internal.yaml @@ -7,14 +7,18 @@ metadata: apiVersion: gateway.envoyproxy.io/v1alpha1 kind: EnvoyProxy metadata: - name: internal-config - namespace: eg-internal + name: knative-internal-config + namespace: envoy-gateway-system spec: provider: type: Kubernetes kubernetes: envoyService: type: ClusterIP + patch: + value: + metadata: + name: knative-internal --- apiVersion: gateway.networking.k8s.io/v1 kind: GatewayClass @@ -25,8 +29,8 @@ spec: parametersRef: group: gateway.envoyproxy.io kind: EnvoyProxy - name: internal-config - namespace: eg-internal + name: knative-internal-config + namespace: envoy-gateway-system --- apiVersion: gateway.networking.k8s.io/v1 kind: Gateway From 6808ea336040c9f6e12eaedb67f8f36e188fb001 Mon Sep 17 00:00:00 2001 From: Dave Protasowski Date: Fri, 31 May 2024 16:43:53 -0400 Subject: [PATCH 04/12] test in kind --- .github/workflows/kind-e2e.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/kind-e2e.yaml b/.github/workflows/kind-e2e.yaml index 3f11d9d44..765b196a4 100644 --- a/.github/workflows/kind-e2e.yaml 
+++ b/.github/workflows/kind-e2e.yaml @@ -16,6 +16,7 @@ jobs: ingress: - istio - contour + - envoy-gateway env: KO_DOCKER_REPO: kind.local From 5e13b7fb1ed5554686af07295668860cd73b7225 Mon Sep 17 00:00:00 2001 From: Dave Protasowski Date: Fri, 31 May 2024 16:50:47 -0400 Subject: [PATCH 05/12] external gateway needs LB --- third_party/envoy-gateway/external.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/third_party/envoy-gateway/external.yaml b/third_party/envoy-gateway/external.yaml index 496ba9a8a..5418a56e4 100644 --- a/third_party/envoy-gateway/external.yaml +++ b/third_party/envoy-gateway/external.yaml @@ -14,7 +14,6 @@ spec: type: Kubernetes kubernetes: envoyService: - type: ClusterIP patch: value: metadata: From 73a4156c4d7004814c9f67ce59ceb3f04ace4941 Mon Sep 17 00:00:00 2001 From: Dave Protasowski Date: Fri, 31 May 2024 16:58:01 -0400 Subject: [PATCH 06/12] install envoy-gateway gateways --- test/e2e-common.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/test/e2e-common.sh b/test/e2e-common.sh index 5cb31129b..2fb434920 100755 --- a/test/e2e-common.sh +++ b/test/e2e-common.sh @@ -136,6 +136,7 @@ function teardown_networking() { function setup_envoy_gateway() { kubectl apply --server-side -f https://github.com/envoyproxy/gateway/releases/download/${ENVOY_GATEWAY_VERSION}/install.yaml + kubectl apply -f "${REPO_ROOT_DIR}/third_party/envoy-gateway" } function teardown_envoy_gateway() { From dad7db5b0db68c996a5423d3f6b3462cd3268bd4 Mon Sep 17 00:00:00 2001 From: Dave Protasowski Date: Fri, 31 May 2024 17:18:16 -0400 Subject: [PATCH 07/12] include config to use the right gateways --- third_party/envoy-gateway/config-gateway.yaml | 38 +++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 third_party/envoy-gateway/config-gateway.yaml diff --git a/third_party/envoy-gateway/config-gateway.yaml b/third_party/envoy-gateway/config-gateway.yaml new file mode 100644 index 000000000..98050a1c2 --- /dev/null 
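Review bot: In `setup_envoy_gateway`, the added `kubectl apply -f "${REPO_ROOT_DIR}/third_party/envoy-gateway"` runs straight after the install manifest is applied, with no wait in between. The EnvoyProxy objects in that directory depend on a CRD that install.yaml has only just registered, so the second apply can race it (inferred; no wait is visible in this hunk). A `kubectl wait` on the controller deployment in `envoy-gateway-system` before this line would remove the race. `teardown_envoy_gateway` deletes only install.yaml in the lines visible here, so the Gateways and namespaces created by this line are left behind; a matching `kubectl delete -f "${REPO_ROOT_DIR}/third_party/envoy-gateway" --ignore-not-found` would clean them up. The teardown body continues outside the hunk.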
+++ b/third_party/envoy-gateway/config-gateway.yaml
@@ -0,0 +1,38 @@
+# Copyright 2024 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: config-gateway
+ namespace: knative-serving
+ labels:
+ app.kubernetes.io/component: net-gateway-api
+ app.kubernetes.io/name: knative-serving
+ serving.knative.dev/release: devel
+data:
+ external-gateways: |
+ - class: eg-external
+ gateway: eg-external/eg-external
+ service: envoy-gateway-system/knative-external
+ supported-features:
+ - HTTPRouteRequestTimeout
+
+ # local-gateways defines the Gateway to be used for cluster local traffic
+ local-gateways: |
+ - class: eg-internal
+ gateway: eg-internal/eg-internal
+ service: envoy-gateway-system/knative-internal
+ supported-features:
+ - HTTPRouteRequestTimeout
From bf47401f5f5db7e76415de8449c3618abb4f74b6 Mon Sep 17 00:00:00 2001
From: Dave Protasowski
Date: Fri, 31 May 2024 17:31:46 -0400
Subject: [PATCH 08/12] fix no service test
---
test/e2e/gateway_config_test.go | 2 +
.../envoy-gateway-no-service-vis.yaml | 37 +++++++++++++++++++
2 files changed, 39 insertions(+)
create mode 100644 test/e2e/testdata/envoy-gateway-no-service-vis.yaml
diff --git a/test/e2e/gateway_config_test.go b/test/e2e/gateway_config_test.go
index e5f926fe1..04d6c92c4 100644
--- a/test/e2e/gateway_config_test.go
+++ b/test/e2e/gateway_config_test.go
@@ -55,6 +55,8 @@ func TestGatewayWithNoService(t *testing.T) { configGateway = ConfigMapFromTestFile(t, "testdata/contour-no-service-vis.yaml") case "istio": configGateway = ConfigMapFromTestFile(t, "testdata/istio-no-service-vis.yaml") + case "envoy-gateway": + configGateway = ConfigMapFromTestFile(t, "testdata/envoy-gateway-no-service-vis.yaml") case "default": t.Fatalf("value for INGRESS (%s) not supported", ingress) } diff --git a/test/e2e/testdata/envoy-gateway-no-service-vis.yaml b/test/e2e/testdata/envoy-gateway-no-service-vis.yaml new file mode 100644 index 000000000..9c9c6b674 --- /dev/null +++ b/test/e2e/testdata/envoy-gateway-no-service-vis.yaml @@ -0,0 +1,37 @@ +# Copyright 2024 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: config-gateway + namespace: knative-serving + labels: + app.kubernetes.io/component: net-gateway-api + app.kubernetes.io/name: knative-serving + serving.knative.dev/release: devel +data: + external-gateways: | + - class: eg-external + gateway: eg-external/eg-external + supported-features: + - HTTPRouteRequestTimeout + + # local-gateways defines the Gateway to be used for cluster local traffic + local-gateways: | + - class: eg-internal + gateway: eg-internal/eg-internal + service: envoy-gateway-system/knative-internal + supported-features: + - HTTPRouteRequestTimeout From eff3a5ee7a0bf156dcadf1487bd0b184433c6c08 Mon Sep 17 00:00:00 2001 
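Review bot: The new `case "envoy-gateway":` joins a switch whose last arm is the context line `case "default":`, which matches the literal string "default" instead of acting as the catch-all. An unrecognised INGRESS value therefore skips the `t.Fatalf` and the test carries on with `configGateway` unset. Changing that arm to `default:` makes a missing mapping fail loudly for this ingress and any later one. TestGatewayWithNoService starts and ends outside the hunk, so how `configGateway` is used afterwards is not visible here.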
From: dprotaso Date: Mon, 3 Jun 2024 16:34:38 -0400 Subject: [PATCH 09/12] disable host-rewrite - it uses K8s Service type=ExternalName --- hack/test-env.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hack/test-env.sh b/hack/test-env.sh index 3f3de3455..6e2d261e1 100755 --- a/hack/test-env.sh +++ b/hack/test-env.sh @@ -21,4 +21,4 @@ export CONTOUR_VERSION="v1.29.0" export CONTOUR_UNSUPPORTED_E2E_TESTS="httpoption" export ENVOY_GATEWAY_VERSION="latest" -export ENVOY_GATEWAY_UNSUPPORTED_E2E_TESTS="httpoption" +export ENVOY_GATEWAY_UNSUPPORTED_E2E_TESTS="httpoption,host-rewrite" From a6804cc2ba5ba74c74647b2464a19168417a6e07 Mon Sep 17 00:00:00 2001 From: dprotaso Date: Fri, 7 Jun 2024 13:35:29 -0400 Subject: [PATCH 10/12] update envoy config to work with latest --- third_party/envoy-gateway/external.yaml | 5 +---- third_party/envoy-gateway/internal.yaml | 5 +---- 2 files changed, 2 insertions(+), 8 deletions(-) diff --git a/third_party/envoy-gateway/external.yaml b/third_party/envoy-gateway/external.yaml index 5418a56e4..9f6d5b863 100644 --- a/third_party/envoy-gateway/external.yaml +++ b/third_party/envoy-gateway/external.yaml @@ -14,10 +14,7 @@ spec: type: Kubernetes kubernetes: envoyService: - patch: - value: - metadata: - name: knative-external + name: knative-external --- apiVersion: gateway.networking.k8s.io/v1 kind: GatewayClass diff --git a/third_party/envoy-gateway/internal.yaml b/third_party/envoy-gateway/internal.yaml index 7438b5511..c786c94d6 100644 --- a/third_party/envoy-gateway/internal.yaml +++ b/third_party/envoy-gateway/internal.yaml @@ -15,10 +15,7 @@ spec: kubernetes: envoyService: type: ClusterIP - patch: - value: - metadata: - name: knative-internal + name: knative-internal --- apiVersion: gateway.networking.k8s.io/v1 kind: GatewayClass From 0d57fe140ef7be4fe0e0ac9295df4df9f3790431 Mon Sep 17 00:00:00 2001 
From: dprotaso Date: Tue, 18 Jun 2024 13:22:18 -0400 Subject: [PATCH 11/12] add port 443 to the listener --- third_party/envoy-gateway/external.yaml | 11 +++++++++++ third_party/istio/300-gateway.yaml | 11 +++++++++++ 2 files changed, 22 insertions(+) diff --git a/third_party/envoy-gateway/external.yaml b/third_party/envoy-gateway/external.yaml index 9f6d5b863..12c5cd716 100644 --- a/third_party/envoy-gateway/external.yaml +++ b/third_party/envoy-gateway/external.yaml @@ -42,3 +42,14 @@ spec: allowedRoutes: namespaces: from: All + # We've observed when adding and removing a listener on port 443 this + # causes the GKE LB to have downtime. By adding this tls listener + # we keep that LB port open. + - name: tls + port: 443 + protocol: TLS + tls: + mode: Passthrough + allowedRoutes: + namespaces: + from: All diff --git a/third_party/istio/300-gateway.yaml b/third_party/istio/300-gateway.yaml index bfc9d7326..6d0885ef6 100644 --- a/third_party/istio/300-gateway.yaml +++ b/third_party/istio/300-gateway.yaml @@ -29,3 +29,14 @@ spec: allowedRoutes: namespaces: from: All + # We've observed when adding and removing a listener on port 443 this + # causes the GKE LB to have downtime. By adding this tls listener + # we keep that LB port open. + - name: tls + port: 443 + protocol: TLS + tls: + mode: Passthrough + allowedRoutes: + namespaces: + from: All From 2d6aa8e7851f903741576b7e3e70cd8d44e49957 Mon Sep 17 00:00:00 2001 From: dprotaso Date: Tue, 18 Jun 2024 14:15:07 -0400 Subject: [PATCH 12/12] include a test for the config changes --- third_party/envoy-gateway/config_test.go | 44 ++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 third_party/envoy-gateway/config_test.go diff --git a/third_party/envoy-gateway/config_test.go b/third_party/envoy-gateway/config_test.go new file mode 100644 index 000000000..9628c24b5 --- /dev/null +++ b/third_party/envoy-gateway/config_test.go 
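Review bot: The placeholder `tls` listener on port 443 in third_party/envoy-gateway/external.yaml is added with `mode: Passthrough`, no `hostname`, and `allowedRoutes.namespaces.from: All`. On this external Gateway, any namespace able to create a TLSRoute can attach to it and receive passthrough traffic for any SNI. The comment says the listener exists only to keep the load-balancer port open, so narrow it, e.g. `from: Same`, unless routes from other namespaces are meant to bind here. The identical listener added to third_party/istio/300-gateway.yaml has the same exposure.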
@@ -0,0 +1,44 @@
+/*
+Copyright 2024 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+ "os"
+ "testing"
+
+ corev1 "k8s.io/api/core/v1"
+ "sigs.k8s.io/yaml"
+
+ "knative.dev/net-gateway-api/pkg/reconciler/ingress/config"
+)
+
+func TestFromConfigMap(t *testing.T) {
+ bytes, err := os.ReadFile(config.GatewayConfigName + ".yaml")
+ if err != nil {
+ t.Fatalf("failed to read %q: %s", config.GatewayConfigName, err)
+ }
+
+ cm := &corev1.ConfigMap{}
+ err = yaml.Unmarshal(bytes, cm)
+ if err != nil {
+ t.Fatalf("failed to unmarshal %q: %s", config.GatewayConfigName, err)
+ }
+
+ if _, err := config.FromConfigMap(cm); err != nil {
+ t.Error("FromConfigMap(actual) =", err)
+ }
+}
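Review bot: `TestFromConfigMap` only asserts that `config.FromConfigMap` returns no error and discards the parsed value, so it never checks that the external and local gateway entries in config-gateway.yaml were actually read. A misspelled data key could pass if the parser falls back to defaults, which is not visible here. Keep the result and assert that both gateway lists are non-empty. Decoding with `err = yaml.UnmarshalStrict(bytes, cm)` would also reject unknown fields at the ConfigMap level. The failure messages print `config.GatewayConfigName` without the `.yaml` suffix that was actually opened, and the local `bytes` shadows the standard package name; `data` reads better.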