Conversation
Codecov Report
@@ Coverage Diff @@
## main #1410 +/- ##
=======================================
Coverage 61.40% 61.40%
=======================================
Files 79 79
Lines 11459 11459
=======================================
Hits 7036 7036
Misses 3962 3962
Partials 461 461 |
|
cc @howardjohn @costinm in case you see any reuse/overlap w Istio w Gateway API |
There was a problem hiding this comment.
This seems like it will tank performance. Each resource will need to be marshalled to json, patched, then unmarshalled (?).
When we used to do similar it was 90% CPU cost of Istio (which took a ton of cpu) on just json. And we were only doing marshalling, not the other 2 steps
There was a problem hiding this comment.
it won't be each resource, name of the resource here is mandatory, so we would need to find (guessing its O(N) based on
There was a problem hiding this comment.
picked json over proto because it has an RFC and more commonly used in the ecosystem (k8s, kustomize) and REST APIs
There was a problem hiding this comment.
thanks for outlining the CPU cost, we should quantity this performance hit and highlight it in docs
There was a problem hiding this comment.
one note - I think you will need to import every single proto in envoy into the control plane. Unless you have some tricks. Istio does it - not too bad, but bloats the binary
There was a problem hiding this comment.
Also means you could never use non-upsteam extensions to envoy
There was a problem hiding this comment.
yeah we autogenerate and import today in the client side (egctl)
with this PR we will need to do it in server side too
https://github.com/envoyproxy/gateway/blob/main/internal/xds/extensions/extensions.gen.go
There was a problem hiding this comment.
👍 one minor suggestion: don't import the v2 stuff. One less headache to deal with down the line... and in only sort of works IME
There was a problem hiding this comment.
thanks, will rm them
There was a problem hiding this comment.
@zhaohuabing I dont think we'll be able to handle your use case if we purely relied on protojson tooling
There was a problem hiding this comment.
It would be a headache for any user who adds their own custom filters to envoy since EG can't recognize the APIs of these filters.
There was a problem hiding this comment.
I understand your sentiment, and it is something we should support, which can be tracked with a GH issue, for now, it doesnt require any changes to the API, or am I missing something ?
There was a problem hiding this comment.
Yes, it's an implementation concern rather than API.
I don't personally. Patching APIs are impossible to support, I don't think anything like this should be standardized in GW API |
@howardjohn I was referring to a common Gateway Extension API across the projects. |
There was a problem hiding this comment.
Given that we can already configure rate limiting using the native Envoy Gateway ratelimit API, I'd like to see some other examples:
-
You have three different upstream services, each of which needs to use a specific certificate to originate TLS.
- The current Gateway API doesn't have a lot of support for upstream TLS origination. There's ongoing work to support it natively, but until that's accepted, this would be a reasonable use for an extension mechanism.
- Obviously you don't know the routes involved, you just know that you happen to have three upstream services that need certificates.
-
You need to allow the HTTP listener, but not the HTTPS listener, to route traffic to the path prefix
/.well-known/acme-challenge/over to themy-acme-serverService. (Other traffic may arrive on the HTTP listener too, but that traffic should be unaffected.)- This is the path used by the HTTP-01 ACME challenge, which always arrives over HTTP and must not be redirected to HTTPS. If a vendor wants to do custom ACME work, this might be a thing they'd need to do.
There was a problem hiding this comment.
can you share some raw xds Config for the examples ?
There was a problem hiding this comment.
This was pretty fascinating to read. I agree with the sentiment and I feel compelled to note that if even the author acknowledges that it must forever remain experimental because it's too fragile to promote to stable, we should all but certainly not implement this in the first place unless there's a truly compelling reason to do so. I haven't seen that yet.
|
@howardjohn writes:
It's kind of rare for me to unequivocally agree with John (😉), but I do here. I'm extremely concerned with how support for this API would play out in the long term. Emissary used to offer a much more constrained capability to do something similar, and it caused us more than a few problems. |
kflynn
left a comment
There was a problem hiding this comment.
GitHub says I'm reviewing rather than just commenting, so, uh, OK. 🙂 I definitely want to see some more example uses, and I think we should probably further discuss in the Envoy Gateway meetings before proceeding.
There was a problem hiding this comment.
Does this imply that in order to apply a patch, a user need to know the absolute path of a listener/route/cluster from the configuration root?
There was a problem hiding this comment.
yes, they could easily add to the beginning using 0 or end using -.If they want to insert somewhere in the middle , they would need to rely on egctl to make sure their config works correctly. This experience is identical to kubectl patch e.g. https://gateway.envoyproxy.io/v0.4.0/user/secure-gateways.html#tls-certificates. This experience might not be extremely use friendly, but its based on a known RFC/spec and is not meant to be a common case
There was a problem hiding this comment.
"EnvoyPatch" seems clear enough to me. Do we need to add "Policy" here?
There was a problem hiding this comment.
previous reviewers for the RateLimit feature had requested RateLimit to suffix with Filter so we could differentiate Filter and Policy
There was a problem hiding this comment.
Is there a "all" target or similar mechanism by which we can apply an EnvoyFilter to multiple targets? There might be scenarios multiple gateway resources need to be apply the same EnvoyFilters.
There was a problem hiding this comment.
prefer if we started off with 1:1 mappings, since policy attachment UX is already perceived as complex, the use case can be satisfied today by creating another identical PolicyAttachment and applying it to another TargetRef. In the future we could make TargetRef plural, note this definition is taken from upstream
Relates to envoyproxy#24 Signed-off-by: Arko Dasgupta <arko@tetrate.io>
Signed-off-by: Arko Dasgupta <arko@tetrate.io>
Signed-off-by: Arko Dasgupta <arko@tetrate.io>
Signed-off-by: Arko Dasgupta <arko@tetrate.io>
Signed-off-by: Arko Dasgupta <arko@tetrate.io>
|
/retest |
This comment was marked as duplicate.
This comment was marked as duplicate.
Sorry, something went wrong.
| * This API will always be an experimental API and cannot be graduated into a stable API because Envoy Gateway cannot garuntee | ||
| * that the naming scheme for the generated resources names will not change across releases | ||
| * that the underlying Envoy Proxy API will not change across releases | ||
| * This API needs to be explicitly enabled using the [EnvoyGateway][] API |
There was a problem hiding this comment.
I did not see the EnvoyGateway API changes ? Do I miss anything?
There was a problem hiding this comment.
ive raised a separate issue to track this #1468
| semantics. | ||
|
|
||
| ## Design Decisions | ||
| * This API will only support a single `targetRef` and can bind to only a `Gateway` resource. This simplifies reasoning of how |
There was a problem hiding this comment.
A EnvoyPatchPolicy can be only binded to one Gateway, right ? But can a Gateway be binded with multiple different EnvoyPatchPolicy APIs ?
There was a problem hiding this comment.
yes, ive added a priority field with PolicyAttachment so user can optionally order the Policiies that are being bind to a Gateway
Relates to #24