Introduce a CRD for backend details

[pubudu538]

Description:
The HTTPRoute specification states that you can specify a backend service under backendRef and give the service name and port. It also permits creating custom resource definitions in addition to these two fields.
The implementations of the backend services can be secured using basic authentication, OAuth2, MTLS, etc. Along with these configs, backends can set their own timeout limits, retry configurations, etc. In order to cater these requirements I would like to a propose a custom resources definition as follows to hold the backend related information.

Backend CRD

apiVersion: gateway.envoy.io/v1alpha1
kind: Backend
metadata:
  name: order-svc
spec:
  certificateName: order-cert
  http2Enabled: false
  timeout: 2000
  credentials:
    type: Basic
    cred-secret: order-secret
  retryConfig:
    count: 3
    statusCode: 503
  circuitBreakers:
    maxConnections: 4
    maxRequests: 10
    maxPendingRequests: 5
    maxRetries: 4
    maxConnectionPools: 4

HTTPRoute with the Backend CRD

kind: HTTPRoute
apiVersion: gateway.networking.k8s.io/v1alpha2
metadata:
 name: bookinfo
spec:
 parentRefs:
   - name: eg-gw
 hostnames:
   - "bookinfo.com"
 rules:
 - matches:
   - path:
       type: PathPrefix
       value: /orders
     method: GET
   backendRefs:
   - group: gateway.envoy.io
     kind: Backend
     name: order-svc
     port: 8080

I did follow proposed changes in here as well - https://gist.github.com/danehans/30d45d80de58bf63d95fc3542d0ebec7

We would like to contribute to the project and would love to know your thoughts on this.

[arkodg]

hey @pubudu538 thanks for considering to contribute to the project.
There are currently multiple ways to achieve some of the features specified either using the extensionRef field with HTTPRoute or PolicyAttachment and the project plans on leveraging these extension points.
Support for Auth #336 should set the direction for what extensions would look like, I suggest reading the design proposal .
To support other specific features, I recommend raising individual GH issues to track them, and you could drive them to completion. TIA !

[pubudu538]

Hi @arkodg, Thank you for your reply.

I suppose I didn't make my expectations clear enough. Let me reword that. The policy attachment and auth policies are basically apply to the API. Those are applied between the client and gateway. My concern is about the backend and gateway. The backend service can be protected with different security mechanisms and the gateway has to know how to connect to the backend services.

For an example, let's say my backend is secured with Basic Auth, then when specifying the HTTPRoute, I should be able to provide my credentials to the gateway (Using a secret in K8s) so that it can use those credentials to call my backend service. Likewise there can be other authentication mechanisms used to secure the backend services.

Thank you!

[arkodg]

@pubudu538 afaik the policies you want to apply for the specific backend can be described using the policy or filter extensions and can be implemented in a way that is transparent to the backend.
Recommend opening a separate issue to highlight the need for Resilience Policy ( Outlier Detection and Retry

I do agree that the Upstream TLS / TLS Origination feature, to the backend could either be described as an Extension or a custom backend. I would recommend also opening a GH issue to describe this use case.

opening an issue for each feature should make it easier to figure out the WHAT, HOW, WHEN for each of them.

[Amila-Rukshan]

I came across this GEP in gateway-api project, seems it's related to this issue:
https://gateway-api.sigs.k8s.io/geps/gep-1282/
and an opened PR to update the API for it:
https://github.com/kubernetes-sigs/gateway-api/pull/1430/files

[github-actions]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

[github-actions]

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.

[github-actions]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

[danehans]

Update: The PR referenced in #492 (comment) is /hold.