feat: watch resource with selectors#1661
feat: watch resource with selectors#1661Alice-Lilith merged 33 commits intoenvoyproxy:mainfrom den3tsou:watch-resource-with-selector
Conversation
Add namespaceSelectors watch mode for Kubernetes provider. Users will need to specify `EnvoyGateway.Provider.Type` and precisely one of `EnvoyGateway.Provider.Kubernetes.Wach.Namespaces` and `EnvoyGateway.Provider.Kubernetes.Wach.NamespaceSelectors` to set the KuberNtes wach mode. The namespaceSelectors doesn't change the namespace informers watch. The informer still watches all namespaces. The events which have Objects that are not under namesapces with the labels set by `NamespaceSelectors` are filtered out. Signed-off-by: Den Tsou <den3tsou@gmail.com>
| } | ||
|
|
||
| if svr.EnvoyGateway.Provider != nil && | ||
| // TODO: implment config validatoin on the watch mode config |
There was a problem hiding this comment.
There doesn't seem to be any validation in place. Do I need to add it in this PR?
| }, | ||
| ns, | ||
| ); err != nil { | ||
| // Question: what's the common practice to handle error in predicate? |
There was a problem hiding this comment.
Could anyone help me to understand the common practices in Enovy Gateway to handle errors in predicate?
There was a problem hiding this comment.
logging an error and returning false is fine
|
|
||
| // TestGatewayClassHasMatchingNamespaceLabels tests the hasMatchingNamespaceLabels | ||
| // predicate function. | ||
| func TestGatewayClassHasMatchingNamespaceLabels(t *testing.T) { |
There was a problem hiding this comment.
Is this the only place to add tests? Do I need to add tests anywhere else?
There was a problem hiding this comment.
a good end to end test to add would be to implement this example https://gateway-api.sigs.k8s.io/guides/multiple-ns/ in our e2e https://github.com/envoyproxy/gateway/tree/main/test/e2e/tests
and ensure above traffic path works
There was a problem hiding this comment.
Hi @arkodg, would you please help me understand how to test the predicate behaviour with e2e tests? Is there any API I could hit in order to know that certain events are filtered out?
There was a problem hiding this comment.
based on https://gateway-api.sigs.k8s.io/guides/multiple-ns/#shared-gateway you could ensure e2e routing works when default ns has label shared-gateway-access: "true" set and fails when it is not set
There was a problem hiding this comment.
Hi @arkodg, this is doable but difficult. There is no easy way to reconfig Envoy Gateway in the current testing structure inlcuding 1) apply new ConfigMap 2) restart Envoy Gateway which is needed for this test. Adding those changes will make this PR too big. What's your thoughts on this?
There was a problem hiding this comment.
Hi @arkodg This is a bit tricky. I will share what I've found, so you could help me to brainstorm some ideas.
There are two approach available at this moment
- Initialise the k8s client to obtain all namespaces with certain labels
- Pros:
- No complex change for reconciler because configuring Manager is enough
- Cons:
- Users need to restart Envoy Gateway controller every time they add update the namespaces unless there is another goroutine or anything similar to check the namespace regularly and update the Manger config accordingly
- Pros:
- Use predicate and update all of logic inside reconciler to check if the objects' namespaces have certain labels
- Pros:
- Users don't need to redeploy Envoy Gateway controller every time they update namespaces
- Cons:
- All logic inside reconciler uses manager.client needs to have additional logic to check if the objects are under namepsace with certain labels. This may cause performance issue because every object will need to be checked.
- Pros:
These two solutions are what I've found so far. I've checked the controller-runtime to see if it has any features that I could workaround. Unfortunately, I coudln't find any solutions yet. Do you have any ideas?
There was a problem hiding this comment.
Hi @arkodg , any update on this. I am fine to decline this PR and work on other tasks. I've spent fair bit of time finding other solution. But this is more related to how reconciler works, there is no work around for it. All of code related to pull data from api server will need to be updated.
There was a problem hiding this comment.
I vote for Use predicate and update all of logic inside reconciler to check if the objects' namespaces have certain labels . The con here is the extra Get of the Namespace which is hopefully cached and shouldnt be expensive, another con is logic complexity, but counting on you to max code reuse :)
There was a problem hiding this comment.
Thanks 👍 . I will start to implement it :-D
There was a problem hiding this comment.
Hi @arkodg , do you mind having a look and giving some early feedback? I am still working out how to add tests to make sure all places with the namespace labels check are covered.
Signed-off-by: Den Tsou <den3tsou@gmail.com>
Signed-off-by: Den Tsou <den3tsou@gmail.com>
Codecov Report
@@ Coverage Diff @@
## main #1661 +/- ##
==========================================
+ Coverage 65.36% 66.06% +0.69%
==========================================
Files 86 86
Lines 12529 12829 +300
==========================================
+ Hits 8190 8475 +285
+ Misses 3822 3821 -1
- Partials 517 533 +16
|
Signed-off-by: Den Tsou <den3tsou@gmail.com>
Signed-off-by: Den Tsou <den3tsou@gmail.com>
Signed-off-by: Den Tsou <den3tsou@gmail.com>
Signed-off-by: Den Tsou <den3tsou@gmail.com>
* This is a protytpe. Refactoring is required to make the code more readable because the code is getting more complex after adding this logic * Update to check all labels of namespaces of objects returned by client * Fix a bug that wrong type was checked * Don't apply predicate to filter out the event related to GatewayClass because GatewayClass is cluster scoped object * Simple test to check if only certain number of gateway is returned. More test logic is indeed needed to be added Signed-off-by: Den Tsou <den3tsou@gmail.com>
Signed-off-by: Den Tsou <den3tsou@gmail.com>
Signed-off-by: Den <6628668+den3tsou@users.noreply.github.com>
Signed-off-by: Den Tsou <den3tsou@gmail.com>
Signed-off-by: Den Tsou <den3tsou@gmail.com>
Signed-off-by: Den Tsou <den3tsou@gmail.com>
| // Type indicates what watch mode to use. KubernetesWatchModeTypeNamespaces and | ||
| // KubernetesWatchModeTypeNamespaceSelectors are currently supported | ||
| // By default, when this field is unset or empty, Envoy Gateway will watch for input namespaced resources | ||
| // from all namespaces. |
There was a problem hiding this comment.
needs a default tag here similar to
There was a problem hiding this comment.
Do I miss anything here? This is an optional field. It has to be defined with either Namespaces or NamespaceSelectors
There was a problem hiding this comment.
Hi @arkodg, do you mind helping me understand this?
There was a problem hiding this comment.
this should be // +kubebuilder:default=Namespaces
| } | ||
|
|
||
| for _, udpRoute := range udpRouteList.Items { | ||
| udpRoutes := udpRouteList.Items |
There was a problem hiding this comment.
can all this code be consolidated/reused across all resource types by using a helper func with a client.Object signature ?
There was a problem hiding this comment.
ahhh. Good catch. I didn't realise that client.Object could be used!
There was a problem hiding this comment.
Unfortunately, AuthenticaionFilter, RateLimitFilterandunstructured.Unstructured` don't implment the common interface. The alternative I could do is to add a NamespaceGetter interface to simplify the code.
There was a problem hiding this comment.
you could use existing code for them, and add a TODO
| ok, err := r.checkNamespaceLabels(ns) | ||
| if err != nil { | ||
| r.log.Error( | ||
| err, "fail to get Namespace", |
There was a problem hiding this comment.
| err, "fail to get Namespace", | |
| err, "failed to get Namespace labels", |
| predicate.ResourceVersionChangedPredicate{}, | ||
| predicate.NewPredicateFuncs(r.hasManagedClass), | ||
| } | ||
| if len(ls) != 0 { |
There was a problem hiding this comment.
why is ls needed here, can't you just use r.namespaceLabels as a way to check
There was a problem hiding this comment.
good catch. updated
* Update hasMatchingNamespaceLabels signature because labels is part of the struct field now * Remove the logic to check namespace of certificate ref because it is not necessary * Refactor the checkNamespaceLabels with new interface, so the code is more readable now Signed-off-by: Den Tsou <den3tsou@gmail.com>
Signed-off-by: Den Tsou <den3tsou@gmail.com>
Signed-off-by: Den Tsou <den3tsou@gmail.com>
Signed-off-by: Den <6628668+den3tsou@users.noreply.github.com>
Signed-off-by: Den Tsou <den3tsou@gmail.com>
Signed-off-by: Den Tsou <den3tsou@gmail.com>
|
Hi @arkodg , I finally complete the integration tests. Would you please have a look again? |
|
lets merge this one after #1534 has merged to reduce conflicts |
What this PR does / why we need it:
This PR is to provides a handy way for users to watch namespaces with certain labels. Envoy Gateway currently only supports specifying namespaces to watch which is not convenient for users.
Add namespaceSelectors watch mode for Kubernetes provider. Users will need to specify
EnvoyGateway.Provider.Typeand precisely one ofEnvoyGateway.Provider.Kubernetes.Wach.NamespacesandEnvoyGateway.Provider.Kubernetes.Wach.NamespaceSelectorsto set the KuberNtes wach mode.The namespaceSelectors doesn't change the namespace informers watch. The informer still watches all namespaces. The events which have Objects that are not under namesapces with the labels set by
NamespaceSelectorsare filtered out.Which issue(s) this PR fixes:
Fixes #1622