API Review for v0.6.0 release #1538
Conversation
|
Skipping CI for Draft Pull Request. |
k8s-ci-robot
added
do-not-merge/work-in-progress
k8s-ci-robot
requested review from
bowei,
howardjohn,
keithmattix,
mikemorris,
shaneutt and
youngnick
k8s-ci-robot
added
cncf-cla: yes
|
/hold forever |
k8s-ci-robot
added
the
do-not-merge/hold
| // non-empty, then the implementation MUST accept exactly one of these two | ||
| // routes, determined by the following criteria, in order: | ||
| // | ||
| // * The oldest Route based on creation timestamp. |
There was a problem hiding this comment.
This is very specific - do we need it to be so specific? What if the implementation intends to prefer GRPC - not allowed?
There was a problem hiding this comment.
I'd rather start with more specific/stringent requirements. Wherever possible, I'd like to have consistent and portable behavior. If in the future an implementation wants to prefer GRPC we could make a carve out for how to do that here (likely something along the lines of "any deviation from this approach must be clearly documented").
There was a problem hiding this comment.
More detail on this decision is in the GEP for GRPCRoute. Originally we wanted to allow a GRPCRoute and HTTPRoute sharing a hostname to coexist in this scenario and to merge their individual rules very similarly to how two HTTPRoutes would do so.
But after investigating what it would take to enable this behavior in a couple of prospective implementations (Traffic Director and Istio), we realized that it would be difficult to accomplish this. In the interest of starting with something simple that we can evolve from, we changed to the resolution mechanism here, which is the same as for two HTTPRoutes with rules with tied precedence. It would be a backward-compatible change to enable this merge behavior in the future.
| // Spec defines the desired state of ReferenceGrant. | ||
| Spec ReferenceGrantSpec `json:"spec,omitempty"` | ||
|
|
||
| // Note that `Status` sub-resource has been excluded at the |
There was a problem hiding this comment.
I think the most likely use of this would be for implementations to publish the references this grant is actually allowing. I think that would be very helpful, but I'm less sure if that would actually scale. As we've found in previous cases, it's much safer to leave room for it than to leave it out altogether.
| // * TCPRoute | ||
| // * TLSRoute | ||
| // * UDPRoute | ||
| Kind Kind `json:"kind"` |
There was a problem hiding this comment.
Required or optional? Can I grant a whole namespace access to a thing? Wouldn't that be the norm if this went upstream?
There was a problem hiding this comment.
I don't think we should make this optional. The purpose of ReferenceGrant is to enable very specific kinds of references, not broad access. I'd be worried that allowing ReferenceGrant to be used to enable such broad access could have unintended consequences. For example, someone might use the broad access with the intent of allowing access for all kinds they currently know about, but in the future a new kind may be added that results in a significant change to the access that an open ReferenceGrant like that would enable.
| // Group is the group of the referent. For example, "networking.k8s.io". | ||
| // When unspecified (empty string), core API group is inferred. | ||
| // Group is the group of the referent. For example, "gateway.networking.k8s.io". | ||
| // When unspecified or empty string, core API group is inferred. |
There was a problem hiding this comment.
This is going to be interesting to see in patch updates. Consider this
create w/ Group: "G"
update other fields w/ Group field value: "G"
Update other fields w/Group field value:"" // which will be defaulted to "" removing "G" which is definitly not the intention. Can we double check the behavior?
There was a problem hiding this comment.
I tried this out with the following transition:
tls:
certificateRefs:
- kind: Secret
group: "g"
name: foo-example-com-cert tls:
certificateRefs:
- kind: Secret
name: foo-example-com-certAs you expected, after applying step 2, the group became "" instead of "g". With that said, I'm not sure why you would remove a group from a manifest, or if you were trying to just update a subset, why you wouldn't use patch. This is likely something we need to more clearly document, but I'm hoping it doesn't represent a typical workflow.
…updates chore: cleanup for #1538
|
@robscott: GitHub didn't allow me to request PR reviews from the following users: gnossen. Note that only kubernetes-sigs members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/approve /lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: khenidak, robscott The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Kal - each bot cmd goes on its own line :) /lgtm See? :) |
k8s-ci-robot
added
the
lgtm
|
Thanks to everyone for the reviews! We've released v0.6.0 and linked to this as where the release was approved. Will close this out. |
What type of PR is this?
/kind api-change
What this PR does / why we need it:
THIS PR WILL NOT MERGE, THIS IS INTENDED FOR REVIEW ONLY.
This is a draft PR to facilitate the review of the v0.6.0 release of Gateway API. This compares the current state of
/apisfrom the main branch with the state in v0.5.Does this PR introduce a user-facing change?:
Changelog will be computed separately.
/cc @bowei @shaneutt @youngnick @howardjohn @keithmattix @mikemorris
/assign @khenidak @thockin