kubernetes-sigs / ingress2gateway

Convert Ingress resources to Gateway API resources
Apache License 2.0

Support Gateway API extensions (output providers) #125

Open arkodg opened 5 months ago

arkodg commented 5 months ago

What would you like to be added:

Add the ability to translate provider specific APIs into implementation specific Gateway API extensions (output providers) for fields not currently supported in the Gateway API

Why this is needed:

Adding the ability to translate all input provider specific intent without losing any functionality. For e.g. the current ingress-nginx translation only translates a subset of the API (annotations): https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#annotations

Without this feature, it's unlikely that the user will migrate to Gateway API until all the input provider features are supported in the Gateway API APIs. If this tool supports the notion of output providers, the input API could be translated to various implementation specific Gateway API extensions.

mlavacca commented 5 months ago

Hi @arkodg , thanks for creating this issue! It looks reasonable to me 👍

arkodg commented 5 months ago

Cool, I think Istio is a good one to start off with, and a use case would be to translate existing Istio resources in native Istio type to Gateway API + Gateway API extensions defined in Istio. We probably need an explicit flag (e.g. --out-provider=istio) to opt into this. Does this sgty @LiorLieberman @howardjohn?

LiorLieberman commented 5 months ago

Thanks @arkodg. Can you provide a bit more detail? Like maybe the full example you had in mind for a real scenario where a native Istio resource is translated to a GW API resource plus extension?

Also I did not fully understand what --out-provider should represent?

arkodg commented 4 months ago

@LiorLieberman here's an example for Istio

Input

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: my-gateway
  namespace: test
spec:
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - test.com
  - port:
      number: 443
      protocol: HTTPS
    hosts:
    - "bookinfo/*.bookinfo.com"
    - "*"
    tls:
      httpsRedirect: true
      mode: SIMPLE
      # all following tls related fields are ignored as there's no direct mapping to the k8s gateway api
      serverCertificate: /etc/certs/servercert.pem
      privateKey: /etc/certs/privatekey.pem
      credentialName: bookinfo-secret
      caCertificates: /etc/certs/caCertificates
      subjectAltNames: ["v1"]
      verifyCertificateSpki: ["v1"]
      verifyCertificateHash: ["v1"]
      minProtocolVersion: TLSV1_0
      maxProtocolVersion: TLSV1_3
      cipherSuites: ["v1"]
    bind: 1.2.3.4 # is ignored
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-nothing
  namespace: test
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway

Output

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: my-gateway
  namespace: test
spec:
  gatewayClassName: istio
  listeners:
  - name: https-protocol-bookinfo-ns-wildcard.bookinfo.com
    hostname: "*.bookinfo.com"
    port: 443
    protocol: HTTPS
    tls:
      mode: Terminate
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-nothing
  namespace: test
spec:
  targetRef:
    kind: Gateway
    group: gateway.networking.k8s.io
    name: my-gateway

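As an added illustration of the translation sketched in the comment above (example code written for this page, not ingress2gateway's or Istio's own), the Go sketch below maps the Input's Istio Gateway servers to Gateway API listeners and, instead of silently ignoring the TLS fields the example marks as unmapped, records each dropped field with a severity so a converter can either emit it to an output-provider extension or fail the migration rather than quietly weaken the TLS posture. The local struct types, the listener naming scheme, the credentialName-to-certificateRefs mapping and the handling of Istio's "ns/host" prefixes as allowedRoutes are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// IstioTLS and IstioServer are minimal local stand-ins (an assumption of this
// example) for the networking.istio.io/v1beta1 Gateway server fields used above.
type IstioTLS struct {
	Mode               string // SIMPLE, MUTUAL, ISTIO_MUTUAL, PASSTHROUGH, ...
	CredentialName     string
	CACertificates     string
	SubjectAltNames    []string
	MinProtocolVersion string
	MaxProtocolVersion string
	CipherSuites       []string
}

type IstioServer struct {
	Port     int
	Name     string
	Protocol string
	Hosts    []string // "ns/host", "./host" or bare "host" (Istio treats bare as "*/host")
	TLS      *IstioTLS
	Bind     string
}

// Listener is the subset of a gateway.networking.k8s.io/v1 listener emitted here.
type Listener struct {
	Name            string
	Hostname        string // empty: field omitted, listener matches all hosts
	Port            int
	Protocol        string // HTTP, HTTPS or TLS
	TLSMode         string // Terminate or Passthrough; empty for HTTP
	CertificateRefs []string
	RoutesFrom      string // allowedRoutes.namespaces.from: All, Same or Selector
	RouteNamespace  string // set when RoutesFrom is Selector
}

// Dropped is an input field with no core Gateway API equivalent; "security"
// marks fields whose silent loss weakens TLS or client verification.
type Dropped struct{ Server, Field, Severity string }

func splitHost(h string) (ns, host string) {
	if i := strings.Index(h, "/"); i >= 0 {
		return h[:i], h[i+1:]
	}
	return "*", h // Istio default: any namespace
}

// listenerName builds a DNS-label style name (assumed scheme: proto-port-host).
func listenerName(proto string, port int, host string) string {
	h := strings.NewReplacer("*", "wildcard", ".", "-").Replace(host)
	if h == "wildcard" {
		h = "all"
	}
	return strings.ToLower(fmt.Sprintf("%s-%d-%s", proto, port, h))
}

// Convert maps each Istio server/host pair to one listener and reports every
// field that did not survive the translation.
func Convert(servers []IstioServer) ([]Listener, []Dropped) {
	var ls []Listener
	var dropped []Dropped
	seen := map[string]bool{}
	for _, s := range servers {
		label := s.Name
		if label == "" {
			label = fmt.Sprintf("port-%d", s.Port)
		}
		drop := func(field, sev string) { dropped = append(dropped, Dropped{label, field, sev}) }
		proto, mode := strings.ToUpper(s.Protocol), ""
		var refs []string
		if t := s.TLS; t != nil {
			switch strings.ToUpper(t.Mode) {
			case "PASSTHROUGH", "AUTO_PASSTHROUGH":
				proto, mode = "TLS", "Passthrough"
			case "MUTUAL", "ISTIO_MUTUAL":
				proto, mode = "HTTPS", "Terminate"
				drop("tls.mode="+t.Mode, "security") // client-cert check lost: fails open
			default:
				proto, mode = "HTTPS", "Terminate"
			}
			if mode == "Terminate" && t.CredentialName != "" {
				refs = []string{t.CredentialName} // Secret in the Gateway's namespace
			}
			names := []string{"tls.caCertificates", "tls.subjectAltNames", "tls.minProtocolVersion", "tls.maxProtocolVersion", "tls.cipherSuites"}
			set := []bool{t.CACertificates != "", len(t.SubjectAltNames) > 0, t.MinProtocolVersion != "", t.MaxProtocolVersion != "", len(t.CipherSuites) > 0}
			for i, isSet := range set {
				if isSet {
					drop(names[i], "security")
				}
			}
		}
		if s.Bind != "" {
			drop("bind", "info")
		}
		for _, h := range s.Hosts {
			ns, host := splitHost(h)
			l := Listener{Port: s.Port, Protocol: proto, TLSMode: mode, CertificateRefs: refs}
			if host != "*" {
				l.Hostname = host
			}
			switch ns {
			case "*":
				l.RoutesFrom = "All"
			case ".":
				l.RoutesFrom = "Same"
			default:
				l.RoutesFrom, l.RouteNamespace = "Selector", ns
			}
			base := listenerName(proto, s.Port, host)
			l.Name = base
			for i := 2; seen[l.Name]; i++ { // listener names must be unique per Gateway
				l.Name = fmt.Sprintf("%s-%d", base, i)
			}
			seen[l.Name] = true
			ls = append(ls, l)
		}
	}
	return ls, dropped
}

// ExampleServers is the Input from the comment above, as Go values.
func ExampleServers() []IstioServer {
	return []IstioServer{
		{Port: 80, Name: "http", Protocol: "HTTP", Hosts: []string{"test.com"}},
		{Port: 443, Protocol: "HTTPS", Hosts: []string{"bookinfo/*.bookinfo.com", "*"}, Bind: "1.2.3.4",
			TLS: &IstioTLS{Mode: "SIMPLE", CredentialName: "bookinfo-secret", CACertificates: "/etc/certs/caCertificates",
				SubjectAltNames: []string{"v1"}, MinProtocolVersion: "TLSV1_0", MaxProtocolVersion: "TLSV1_3", CipherSuites: []string{"v1"}}},
	}
}

func main() {
	ls, dropped := Convert(ExampleServers())
	for _, l := range ls {
		fmt.Printf("listener %+v\n", l)
	}
	for _, d := range dropped {
		fmt.Printf("DROPPED [%s] server %s: %s\n", d.Severity, d.Server, d.Field)
	}
}
```

Run as-is and the 443 server yields two listeners (one restricted to routes from the bookinfo namespace, one open to all namespaces) plus five security-severity drops and one informational drop; an --out-provider style converter would hand the security drops to the implementation-specific extension instead of printing them.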
k8s-triage-robot commented 1 month ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 3 weeks ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

mlavacca commented 3 weeks ago

I think this use case can be addressed by https://github.com/kubernetes-sigs/ingress2gateway/pull/78, but only when reading from files. With it, it will be possible to output all the input resources that do not belong to the set of converted resources. When it comes to reading resources from a cluster, that flag cannot be used as it is now in the PR.