Detecting Gateway hostnames based on attached HTTPRoutes

[tommie]

Is your feature request related to a problem? Please describe.

The Listener.hostname field is optional. The field HTTPRouteSpec.hostnames is normally used to match "virtual" hostnames to backends. If hostnames are not specified in the listener, they may still be known by routes that support hostname matching (which I think is only HTTPRoute and GRPCRoute right now.)

It would be practical if I didn't have to duplicate listeners for cert-manager, when the Gateway API (using Envoy in my case) supports not doing it.

Describe the solution you'd like

Checking supporting routes for additional hostnames, and matching the routes to gateway listeners would be the obvious solution.

This also means that a single listener in a Gateway may serve multiple hostnames, which AFAICT, cert-manager does not currently support. (?)

Describe alternatives you've considered

It is possible that GatewayStatus.addresses contains hostnames that could be used instead. I have yet to investigate that.

Edit: No, it doesn't look like it is populated with information from routes by Envoy.

Almost-duplicating listeners doesn't feel as nice as just adding a route resource. Coming from Traefik using route discovery with Docker labels, this is more tedious.

/kind feature

[tommie]

Some more research... Since routes link to one or more Gateways using a parentRefsarray, I think the way to implement this is

• Copying what the Certificate event handler does to listen to HTTPRoute et al., but queueing the parent refs.
• The gateway lookup is augmented to also list routes with matching parent ref. I don't think there's an efficient way of doing that, but hopefully the cache makes that a non-issue.
• A list of hostnames is built by combining these resources. Then the hostname check looks at the union.
• The assignment of hostnames to certs must also use that list. If a Listener has a list of hostnames, the route hostnames should be ignored for that listener's certificate. (Gateway API says that the intersection of routes and listener hostnames decides routes.)

This seems doable without that much change.

[tommie]

... and here is an untested PoC: https://github.com/cert-manager/cert-manager/compare/master...tommie:cert-manager:httproute?expand=1

[tommie]

Not just HTTPRoute, but also GRPCRoute and TLSRoute. Anyt spec that has a list of hostnames.

[jetstack-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

[tommie]

Ok.

[jetstack-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle rotten
/remove-lifecycle stale

[jetstack-bot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to jetstack.
/close

[jetstack-bot]

@jetstack-bot: Closing this issue.

Details

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to jetstack.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[oivindoh]

This could perhaps be left open? Seems like a very valid use-case.