Azure / service-fabric-mesh-preview

Service Fabric Mesh is Service Fabric's serverless offering that lets developers deploy containerized applications without managing infrastructure. Service Fabric Mesh, aka project "SeaBreeze", is currently available in private preview. This repository is used for tracking bugs and feature requests as GitHub issues and for maintaining the latest documentation.
MIT License

Gateway deployment failing for empty tcp/http config. #331

Open mgrabarz opened 5 years ago

mgrabarz commented 5 years ago

Gateway deployments with no tcp/http ingress rules fail constantly. Error is the same as reported in #324.

Repro steps:

  1. Use e.g. HelloWorld sample template.
  2. Remove entire "tcp": [...] property from Gateway resource.
  3. Deploy template.

After the deployment failure, the Gateway resource seems to be working properly, with the expected egress traffic from containers to the public Internet.
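
A pre-deployment check for the condition described in the repro steps, as an added example that is not part of the original issue or of the repository's HelloWorld sample. It assumes the gateway resource shape used in the thread (type `Microsoft.ServiceFabricMesh/gateways` with `properties.tcp` and `properties.http` rule arrays); the template below is a constructed minimal stand-in, not the real sample. `strip_ingress` reproduces step 2 (removing the whole `tcp` property), and `gateways_without_ingress` flags any gateway that would hit the failure because it declares neither `tcp` nor `http` rules, treating a missing property and an empty array the same way, as the issue title suggests both fail.

```python
import copy
import json

# Constructed, minimal ARM-style template in the shape of a Service Fabric Mesh
# gateway resource. Field names (tcp / http / sourceNetwork / destinationNetwork)
# are assumed from the thread; this is NOT the repository's HelloWorld sample.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {
      "type": "Microsoft.ServiceFabricMesh/gateways",
      "name": "helloWorldGateway",
      "properties": {
        "sourceNetwork": {"name": "Open"},
        "destinationNetwork": {"name": "helloWorldNetwork"},
        "tcp": [
          {
            "name": "web",
            "port": 80,
            "destination": {
              "applicationName": "helloWorldApp",
              "serviceName": "helloWorldService",
              "endpointName": "helloWorldListener"
            }
          }
        ]
      }
    }
  ]
}
""")

GATEWAY_TYPE = "Microsoft.ServiceFabricMesh/gateways"
RULE_KINDS = ("tcp", "http")


def _is_gateway(resource):
    """Resource type comparison is case-insensitive, as ARM treats it."""
    return resource.get("type", "").lower() == GATEWAY_TYPE.lower()


def gateways_without_ingress(template):
    """Return names of gateway resources with no tcp and no http rules.

    A property that is absent (step 2 of the repro) and a property that is an
    empty list are both treated as "no ingress rules".
    """
    missing = []
    for res in template.get("resources", []):
        if not _is_gateway(res):
            continue
        props = res.get("properties") or {}
        has_rules = any(props.get(kind) for kind in RULE_KINDS)
        if not has_rules:
            missing.append(res.get("name", "<unnamed>"))
    return missing


def strip_ingress(template, rule_kinds=RULE_KINDS):
    """Return a deep copy with the given rule arrays removed from every gateway.

    strip_ingress(t, ("tcp",)) reproduces the report's step 2 on a template
    that only has tcp rules.
    """
    out = copy.deepcopy(template)
    for res in out.get("resources", []):
        if _is_gateway(res):
            for kind in rule_kinds:
                (res.get("properties") or {}).pop(kind, None)
    return out


def check_template(template):
    """True when every gateway declares at least one ingress rule."""
    return not gateways_without_ingress(template)


if __name__ == "__main__":
    broken = strip_ingress(SAMPLE_TEMPLATE, ("tcp",))
    print("original deployable:", check_template(SAMPLE_TEMPLATE))
    print("tcp removed, gateways lacking ingress:", gateways_without_ingress(broken))
```

Running the check before `az mesh deployment create` (or whichever deployment path is used) turns the opaque failure from the thread into a named resource to fix or, if egress-only was the goal, a gateway that can simply be dropped.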

arturenault commented 5 years ago

The egress traffic would work even if you didn't have a gateway resource (in fact you don't really, since the deployment failed). The gateway resource is used to configure ingress traffic (i.e. accessing your containers from outside the cluster).

There is an ongoing discussion internally about whether or not gateways without an ingress configuration should be supported, as it is unclear whether there is a scenario for them. I'll update this thread once we have a conclusion.

mgrabarz commented 5 years ago

Thanks Artur. That raises other questions.

  1. Why is the gateway resource then mandatory for a mesh network? Currently, to perform a successful deployment, both the gateway and the gateway http/tcp config are mandatory.
  2. I was under the impression that egress goes via the gateway IP; if not, then we probably need routing rules in the future, especially in BYOVN scenarios.

mgrabarz commented 5 years ago

Just to explain my use case:

  1. We noticed that, as of today, the only option to expose services outside of Mesh is to use a GW with a public IP and open ports.
  2. There is no option for IP restriction, firewall, rate limiting, or even TLS.

To securely expose services from Mesh we started to experiment with Cloudflare's Argo tunnels. We run the cloudflare daemon as a sidecar to establish an encrypted tunnel (initiated from the Mesh side) with Cloudflare. Thanks to this solution all traffic goes through Cloudflare's anti-DDoS, WAF, TLS, tunnel load balancers etc. If there are no ingress rules on the GW, nothing can get in except through the tunnel.