-
Notifications
You must be signed in to change notification settings - Fork 677
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Canary deployments with Gateway API between namespaces is not working #3806
Comments
Thanks for the issue! For your first attempt, I believe currently the behavior you are seeing makes sense for the current state of Contour as we haven't completed our Gateway API implementation and HTTPRoute conflict resolution is not finished. Currently the latest processed HTTPRoute will "win" if multiple try to program the same route match, but with #3608 and #3636 we should start fully implementing what the spec defines, which would actually mean that the HTTPRoute created second would not be admitted b/c it has a route match conflict. https://gateway-api.sigs.k8s.io/references/spec/#networking.x-k8s.io/v1alpha1.HTTPRouteRule describes that merging route rules between HTTPRoute objects is not currently allowed in the spec, and as you know in your second attempt, service references are local to the namespace of the HTTPRoute. I believe your second attempt should have worked, just a sanity check, |
This is an interesting use case to bring up upstream potentially, since the spec forces you into operating within a single namespace, maybe b/c it is focused around the idea that a single team managing a route in an org. will do all their work within a single ns, rather than multiple? |
Thanks for the issue @arapulido. There's a few things to talk about here, mainly to give you some background on why things are this way, and where they are going. The tl;dr is we can't help you... yet. Firstly, the behavior you're using with Ingress is a bit of an accident on ingress-nginx's part, that everyone ended up copying. There's nothing in the Ingress spec that says what should happen if two Ingress objects specify the same config, this is what the ingress-nginx team picked, and everyone just did the same, so it became a de facto standard. However, yhe behavior is also a huge operational risk for a cluster, as anyone who has access to create an Ingress object in their own namespace can interfere with any domain name pointed at that cluster, causing the traffic to be routed onto their service. Most often, I've seen this accidentally create issues when people make mistakes rather than because they're malicious, but both are concerns. I understand that it can be used for good (like you are here), but it's very easy to accidentally break something. Because of this, the Gateway API requires that you specifically associate Routes with a certain Gateway. There's some stuff that will get you part of the way: In the Gateway object, by default, you can only choose Routes from the same namespace, but you may set the But you'll still run up against what @sunjayBhatia mentioned about HTTPRoute conflict resolution behavior, since the Gateway API mandates that only a single HTTPRoute object can match a request. I'm a part of the upstream working group, and we haven't really spent a lot of time yet covering traffic-splitting/weighted load balancing use cases (which I think this would come under, as a simple use case)., I really appreciate the detailed example though, and will make sure I take this back upstream. I'm sorry I can't give you better news yet! |
Yes, my mistake, as I was copying (and making it generic) the definitions, I made a mistake and copied the DNS instead, the service is called |
Yes, it seems that the spec is expecting that, which may be a bit restricting |
Thanks for the detailed response! Are the upstream workgroup meetings public? I would be happy to attend and explain my use case. Or shall I file an issue upstream? Thanks again! |
Absolutely. The community page for the Gateway API project is at https://gateway-api.sigs.k8s.io/contributing/community/, and you can file an issue at https://github.com/kubernetes-sigs/gateway-api/issues/new/choose . There's also #sig-network-gateway-api on Kubernetes Slack. |
Thanks! I opened this issue upstream: kubernetes-sigs/gateway-api#695 and joined the Slack channel. Thanks again! |
The upstream issue has been resolved and the v1alpha2 API now supports cross-namespace route->service refs (using a |
What steps did you take and what happened:
Sometimes is very useful to have canary deployments by deploying the new version in a different namespace, as it allows to have the same service names (first dot) in both deployments. Something like this:
This is possible to do using Nginx ingress controller with annotations. I created the following two Ingress objects in each of the namespaces:
This worked well, and 50% of the traffic was sent to the services in
ns2
.I tried to do something similar with Contour and the new Gateway API, but this doesn't seem to work.
I tried two different things:
Two HTTPRoute objects, each one in each of the namespaces
I created two HTTPRoute objects:
When I apply the first configuration, I get 100% of the traffic to the app running on
ns1
, but once I apply the second configuration, then I get 100% of the traffic to the app running onns2
.Creating an external service
The second thing I tried was creating an External service for the service in
ns2
and create a single HTTPRoute object inns1
that points to this external service, something like:I created the following
HTTPRoute
object:My external service looks like this:
When I apply it, I get the following error:
But the service exists and it works correctly:
This doesn't work either
What did you expect to happen:
To be able to split traffic between different namespaces, to ease canary deployments. Is there a way to do this? If not, should this be implemented?
Environment:
kubectl version
): 1.20The text was updated successfully, but these errors were encountered: