fix: use unique container ports in deployment

[zetaab]

What type of PR is this?
fix: use unique ports in deployment

What this PR does / why we need it:

Kubernetes requires that container port numbers are unique. So those can exist only once. Current implementation is adding duplicate ports if there are like two listeners listening port 443.

This PR also reduces the amount of restarts needed for deployments #2965 because it will not modify deployment configuration anymore that often when listeners are modifierd.

Which issue(s) this PR fixes:

Fixes #2964

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 64.65%. Comparing base (4afe12b) to head (22da36a).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2973      +/-   ##
==========================================
+ Coverage   64.63%   64.65%   +0.02%     
==========================================
  Files         121      121              
  Lines       21124    21128       +4     
==========================================
+ Hits        13653    13661       +8     
+ Misses       6623     6620       -3     
+ Partials      848      847       -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[zirain]

/retest

[zetaab]

@zirain fixed

[arkodg]

@cnvergence can you recall why this hash was added ? I think it was to limit the name length, so we want want to change the args we pass, but we still may need to use GetHashedName

[zetaab]

the containerport name should not matter unless there is a kubernetes service which will refer to that name. https://github.com/kubernetes/api/blob/master/core/v1/types.go#L2127-L2130

However, in case of envoy the services (type: loadbalancer) are using targetPort as Number instead of name. So the name is not used at all anywhere by default. https://github.com/kubernetes/api/blob/master/core/v1/types.go#L5410-L5418

I do not see why we should still use GetHashedName. The only reason for that would be that name is going to be too long, but I cannot see that case really. If the name is [protocol]-[port number] the maximum length is going to be SCTP-66666 which equals to 10. That is not too long.

[cnvergence]

We added the hash because we used listener port names as the container port names which could be larger than 15 chars
and in merged gateways we used the format with namespace/gateway/listener

[cnvergence]

this could be a good change for any deployment mode

[arkodg]

• can we instead fix the portName here

  gateway/internal/gatewayapi/listener.go

  Line 146 in 7f5cbe8

  Name: infraPortName,

  in the gatewayapi layer and reuse p.Name here ?
  we'll need to make sure its not being used anywhere else

• and can we define the infraIRListenerPortName()

  gateway/internal/gatewayapi/helpers.go

  Line 375 in 7f5cbe8

sorry for nits, but trying to keep the code simpler to maintain

[zirain]

/retest

[zirain]

Lgtm, defer to @arkodg and @cnvergence

[cnvergence]

test fails are valid, so we are still missing something

[zetaab]

@cnvergence

=== RUN   TestE2E/FileAccessLog/Stdout
    helpers.go:402: error fetching Gateway: client rate limiter Wait returned an error: context deadline exceeded
    accesslog.go:44: 
        	Error Trace:	/home/runner/go/pkg/mod/sigs.k8s.io/gateway-api@v1.0.0/conformance/utils/kubernetes/helpers.go:423
        	            				/home/runner/go/pkg/mod/sigs.k8s.io/gateway-api@v1.0.0/conformance/utils/kubernetes/helpers.go:337
        	            				/home/runner/work/gateway/gateway/test/e2e/tests/accesslog.go:44
        	Error:      	Received unexpected error:
        	            	error fetching Gateway: client rate limiter Wait returned an error: context deadline exceeded
        	Test:       	TestE2E/FileAccessLog/Stdout
        	Messages:   	error waiting for Gateway to have at least one IP address in status

for me this looks like we need better logs from envoy gateway controller, these logs in github actions does not tell much. There is some reason why controller does not populate the Gateway status ip address. It would be much easier to see the issue with logs

[zetaab]

@cnvergence @arkodg @zirain I found the issue, kubernetes deployment container port name can contain only [a-z0-9-] uppercase chars are not allowed. It should work now

edit: e2e tests might be broken because of #3003

[cnvergence]

Thanks for the update @zetaab, I will take a look again

[cnvergence]

looks good, we might need to add this also to service ports to fix the issue
Just thinking, could we maybe check for uniqueness in the infra IR translator?

[zetaab]

we do not need to modify service ports. Service ports are not using names when referring to deployment ports.

[cnvergence]

I am referring to the original issue #2964 and how to fix it, which is more related to the port values, #2964 (comment).
However, I approve of your port name change and I think we should get it merged.

[arkodg]

uname is not needed, you could directly use uniquePorts[port.Name]

[arkodg]

can we also add a comment here e.g. "Only append unique ports"

[cnvergence]

Quickly checked today and the problem now resurfaces in the service

ERROR	watchable	message/watchutil.go:56	observed an error	{"runner": "infrastructure", "error": "failed to create or update service envoy-gateway-system/envoy-eg-internal-7f4ff7e4: for Create: Service \"envoy-eg-internal-7f4ff7e4\" is invalid: [spec.ports[2].nodePort: Duplicate value: 32079, spec.ports[2]: Duplicate value: core.ServicePort{Name:\"\", Protocol:\"TCP\", AppProtocol:(*string)(nil), Port:443, TargetPort:intstr.IntOrString{Type:0, IntVal:0, StrVal:\"\"}, NodePort:0}]"}

So I think it should be fixed in the translator

[arkodg]

shouldn't this existing code in the gateway api translator

gateway/internal/gatewayapi/listener.go

Line 125 in 7f5cbe8

if !containsPort(foundPorts, servicePort) {

already handle the uniquePort case ?

[zetaab]

looks like so, but for some reason these duplicate ports are ending to kubernetes deployment. So the logic is not fully applied to everywhere

[arkodg]

looks like so, but for some reason these duplicate ports are ending to kubernetes deployment. So the logic is not fully applied to everywhere

Worth debugging that and fixing that since there's already existing code that's trying to do the same thing

[cnvergence]

hi @zetaab, I have fixed that logic in the translator, would you like to add this port naming change?