Add Hostname concept and explanation document#4516
Add Hostname concept and explanation document#4516k8s-ci-robot merged 1 commit intokubernetes-sigs:mainfrom
Conversation
k8s-ci-robot
added
release-note-none
k8s-ci-robot
added
the
approved
kflynn
left a comment
kflynn
left a comment
There was a problem hiding this comment.
@youngnick This is great, thanks! I made some suggestions, but with one exception (my question about "suffix match" at one point), these are minor. (The biggest diff is mostly reordering what you wrote. 🙂)
youngnick
force-pushed
the
add-hostnames-doc
branch
from
5b2fd2f to
8614a64
Compare
|
|
||
| The main rule in this case is straightforward: | ||
|
|
||
| **All _intersected hostnames_ represented in all Listeners on the Gateway MUST resolve to all addresses in that Gateway's `status.addresses`**. |
There was a problem hiding this comment.
Is there a description of the algorithm used for intersecting hostnames? A pointer to actual code would be helpful.
There was a problem hiding this comment.
This the closest thing we have today. There is no supplied-by-the-project implementation of hostname intersection, it's just implied by how the spec and the conformance tests work.
I acknowledge this is not ideal, I've started roughing out what some library functions to handle this would look like.
youngnick
force-pushed
the
add-hostnames-doc
branch
2 times, most recently
from
ac25a1e to
a438a53
Compare
site-src/concepts/hostnames.md
Outdated
|
|
||
| There are a number of places you can configure a hostname in Gateway API, each of which with a different purpose. They are used for a number of purposes, including both **hostname intersection** between Routes and Gateways, which is used to determine if the Routes can attach, and also as a **routing discriminator**, to choose which Listener and Route should accept a particular request (more on both of these later in this document). | ||
|
|
||
| Each `hostname` field can accept either _precise_ hostnames (that is, a hostname like `www.example.com`), or _wildcard_ hostnames (that is, a hostname like `*.example.com`). The level of precision in a hostname also affects its effective order in the process of choosing which Listener will match particular traffic, with more precise beating less precise hostnames. |
There was a problem hiding this comment.
This line is maybe a little confusing because "precise" hostnames were just defined as e.g. "www.example.com", but there's no more precise version of that hostname, and any less precise would make it a wildcard hostname, right? It feels like the precision of any wildcard hostnames can be ordered, with the most-precise exact match (true "precise" hostname) being a winner over any wildcard.
There was a problem hiding this comment.
I added a little more explanation - this is intended to guide folks a little bit in implementation.
When sorting a list of hostnames:
- hostnames with no wildcards sort before hostnames with wildcards
- Precise Hostnames with more labels sort before precise hostnames with less labels (that is
sub.domain.example.comis beforewww.example.com). - The special hostname
*is always last.
There was a problem hiding this comment.
Still aiming to add some helpers to the types to handle this, but this should help in the meantime.
youngnick
force-pushed
the
add-hostnames-doc
branch
from
a438a53 to
83f695a
Compare
rostislavbobo
left a comment
rostislavbobo
left a comment
There was a problem hiding this comment.
Thanks @youngnick for clarifying this long-standing ambiguity! My main concern is introducing a breaking change if we force *.com TLS listeners to reject www.example.com SNI hostnames (whether for passthrough or termination using certificates with, for instance, both *.example.com, *.com SANs listed).
youngnick
force-pushed
the
add-hostnames-doc
branch
from
83f695a to
6dc69b1
Compare
|
|
||
| ### Expected match examples | ||
|
|
||
| | Listener Hostname | TLS Mode| Route Type | Route hostname | Attached? | Intersected Hostname | SNI | SNI Match? | Host header | Host header match? | Notes | |
There was a problem hiding this comment.
A heads up this table is not rendered fine on the page (you need to scroll left/right), not sure how to improve it tho
There was a problem hiding this comment.
Yeah, I didn't like that either, but I couldn't think of a better way to represent all this information at once.
youngnick
force-pushed
the
add-hostnames-doc
branch
from
6dc69b1 to
181454a
Compare
youngnick
force-pushed
the
add-hostnames-doc
branch
from
181454a to
c4df641
Compare
youngnick
force-pushed
the
add-hostnames-doc
branch
from
c4df641 to
b742386
Compare
krishicks
left a comment
krishicks
left a comment
There was a problem hiding this comment.
Some additional feedback after viewing the netlify preview, but otherwise it looks good to me!
| * Find all ListenerSets that point those Gateways that have `Accepted` Conditions with `status: true`. | ||
| (Remember also that `hostname` fields must be unique across all Listeners attached to a Gateway, | ||
| whether those are in the Gateway or in attached ListnerSets. | ||
| The implementation should handle this by setting ListenerSets to `Accepted` `status: false` for duplicates.) |
There was a problem hiding this comment.
nit (do as a followup): it is slightly confusing if implementation here is the Gateway API implementation (which I know it is) or the controller integrating with Gateway API
There was a problem hiding this comment.
I've tried to be consistent in using "implementation" for the actual Gateway API reconciler, and "integration" for things that consume Gateway API - that's what we call it on the implementations page as well.
Maybe I should explain that at the top of the page as well?
|
/hold |
k8s-ci-robot
added
the
do-not-merge/hold
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: robscott, youngnick The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
youngnick
force-pushed
the
add-hostnames-doc
branch
from
b742386 to
70e8428
Compare
k8s-ci-robot
removed
the
lgtm
Signed-off-by: Nick Young <nick@isovalent.com>
youngnick
force-pushed
the
add-hostnames-doc
branch
from
70e8428 to
327d360
Compare
|
/unhold Next LGTM should merge this one, we can iterate from here. |
k8s-ci-robot
removed
the
do-not-merge/hold
|
/lgtm Thanks Nick! |
k8s-ci-robot
added
the
lgtm
8 participants
This adds a document that further explains how the various
hostnamefields in Gateway API work together, and how integrations should consume them./kind documentation