Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement Listener Hostnames and associated TLS mode on matching TLSRoutes #2475

Closed
rainest opened this issue May 10, 2022 · 1 comment
Closed

Implement Listener Hostnames and associated TLS mode on matching TLSRoutes #2475

rainest opened this issue May 10, 2022 · 1 comment
Labels
area/gateway-api Relating to upstream Kubernetes SIG Networking Gateway API
Milestone
KIC v2.5.0

Comments

@rainest
Copy link
Contributor

rainest commented May 10, 2022

Listener includes an optional core Hostname field. When present, Routes must have a hostname set that intersects with the Listener hostname (cardinality 1) set to associate with that Listener.

Because the TLS mode is set by Listener.TLS association with a specific Listener is the only way to specify a TLS mode (terminate or passthrough). We must use parentRefs to set the Kong route protocol (ignoring the hack method of setting it using the protocol annotation).

This probably requires some review of how we determine which Listener to match and what we do if there is ambiguity about which Listener matches. There's probably some stuff in the spec that clarifies how that sorts out and/or what ambiguities are impermissible.

Per conversation with other Gateway API implementers, Listeners permitting only a single Hostname is by design, because matching logic gets way overcomplicated otherwise. While a single match is sufficient, I think this may raise some confusing situations where a single TLSRoute matches multiple Listeners that specify different configurations, e.g. I think it's valid to have:

TLSRoute.Hostnames: foo.example, bar.example, baz.example

ListenerA: Hostname=foo.example, TLS.Mode=Terminate
ListenerB: Hostname=bar.example, TLS.Mode=Passthrough

If that is permitted by the spec (again, need to read it more closely to be certain), which routes do we create? Relevant spec language states that:

  • "It is valid to reference multiple distinct sections within the same parent resource, such as 2 Listeners within a Gateway." from CommonRouteSpec.
  • "If both the Listener and TLSRoute have specified hostnames, any TLSRoute hostnames that do not match the Listener hostname MUST be ignored." from TLSRoute.Hostname.

This suggests that we should create separate routes for foo.example and bar.example, and do nothing for baz.example. I'm not sure then whether we indicate that the TLSRoute is only partially available (and if so, how) or if we reject it altogether.
@rainest rainest added the area/gateway-api Relating to upstream Kubernetes SIG Networking Gateway API label May 10, 2022
@rainest rainest mentioned this issue May 10, 2022
Merged
1 task
@shaneutt shaneutt added this to the Gateway API - Milestone 2 milestone May 10, 2022
@rainest rainest mentioned this issue Jul 7, 2022
Closed
3 tasks
@rainest
Copy link
Contributor Author

rainest commented Jul 7, 2022

#2555 handles the Listener/Hostname stuff and various different types of conflicts. It does not handle TLS mode, which has moved to #2662

@rainest rainest closed this as completed Jul 7, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/gateway-api Relating to upstream Kubernetes SIG Networking Gateway API
Projects
None yet
Milestone
KIC v2.5.0
Development

No branches or pull requests
4 participants
@rainest @mflendrich @shaneutt @scseanchow