Merge pull request #2680 from robscott/crd-management

Adding new CRD Management Guide

Author: k8s-ci-robot

mkdocs.yml

@@ -27,9 +27,11 @@ plugins:
   - redirects:
       redirect_maps:
         'guides/getting-started.md': 'guides/index.md'
+        'concepts/guidelines.md': 'guides/api-design.md'
         'contributing/community.md': 'contributing/index.md'
         'contributing/gamma.md': 'concepts/gamma.md#contributing'
-        'references/implementers-guide.md': 'reference/implementers-guide.md'
+        'reference/implementers-guide.md': 'guides/implementers.md'
+        'references/implementers-guide.md': 'guides/implementers.md'
         'references/spec.md': 'reference/spec.md'
         'references/policy-attachment.md': 'reference/policy-attachment.md'
   - mermaid2
@@ -58,7 +60,6 @@ nav:
         API Overview: concepts/api-overview.md
         GAMMA: concepts/gamma.md
         Conformance: concepts/conformance.md
-        Implementation Guidelines: concepts/guidelines.md
         Roles and Personas: concepts/roles-and-personas.md
         Service Facets: concepts/service-facets.md
         Security Model: concepts/security-model.md
@@ -68,20 +69,23 @@ nav:
     - FAQ: faq.md
     - Glossary: concepts/glossary.md
   - Guides:
-    - Getting started: guides/index.md
-    - Simple Gateway: guides/simple-gateway.md
-    - HTTP routing: guides/http-routing.md
-    - HTTP redirects and rewrites: guides/http-redirect-rewrite.md
-    - HTTP header modifier: guides/http-header-modifier.md
-    - HTTP traffic splitting: guides/traffic-splitting.md
-    - Cross-Namespace routing: guides/multiple-ns.md
-    - TLS: guides/tls.md
-    - TCP routing: guides/tcp.md
-    - gRPC Routing: guides/grpc-routing.md
-    - Migrating from Ingress: guides/migrating-from-ingress.md
-    - Backend Protocol Selection: guides/backend-protocol.md
+    - User Guides:
+      - Getting started: guides/index.md
+      - Simple Gateway: guides/simple-gateway.md
+      - HTTP routing: guides/http-routing.md
+      - HTTP redirects and rewrites: guides/http-redirect-rewrite.md
+      - HTTP header modifier: guides/http-header-modifier.md
+      - HTTP traffic splitting: guides/traffic-splitting.md
+      - Cross-Namespace routing: guides/multiple-ns.md
+      - TLS: guides/tls.md
+      - TCP routing: guides/tcp.md
+      - gRPC Routing: guides/grpc-routing.md
+      - Migrating from Ingress: guides/migrating-from-ingress.md
+      - Backend Protocol Selection: guides/backend-protocol.md
+    - API Design: guides/api-design.md
+    - CRD Management: guides/crd-management.md
+    - Implementer's Guide: guides/implementers.md
   - Reference:
-    - Implementer's Guide: reference/implementers-guide.md
     - API Types:
       - Gateway: api-types/gateway.md
       - GatewayClass: api-types/gatewayclass.md

requirements.txt

@@ -5,7 +5,7 @@ jsmin==3.0.1
 livereload==2.6.3
 # mkdocs 2.4.1 requires Markdown < 3.4.0
 # https://github.com/kubernetes-sigs/gateway-api/pull/1671#issuecomment-1400586465
-Markdown==3.3.7
+markdown~=3.2
 MarkupSafe==2.1.3
 mkdocs==1.5.3
 mkdocs-awesome-pages-plugin==2.9.2

site-src/concepts/versioning.md

@@ -87,8 +87,8 @@ The resources that already have a beta API version (v1beta1) are:
 * GatewayClass
 * ReferenceGrant
 
-In the upcoming v1.0 release, HTTPRoute, Gateway, and GatewayClass will all
-graduate to a GA API Version (v1).
+In the v1.0 release, HTTPRoute, Gateway, and GatewayClass all graduated to
+include a GA API Version (v1).
 
 ReferenceGrant is a special case since it is in the process of [transitioning
 into an upstream Kubernetes
@@ -166,6 +166,10 @@ consistent upgrade experiences across versions. To accomplish that, we commit to
    a conversion webhook needs to be introduced, it will be supported for the
    lifetime of the API, or at least until an alternative is available.
 
+## CRD Management
+For information on how to manage Gateway API CRDs in your clusters, refer to our
+[CRD Management Guide](/guides/crd-management.md).
+
 ## Out of Scope
 ### Unreleased APIs
 This project will have frequent updates to the main branch. There are no

site-src/concepts/guidelines.md renamed to site-src/guides/api-design.md

@@ -1,4 +1,4 @@
-# Design guidelines
+# API Design Guide
 
 There are some general design guidelines used throughout this API.
 

site-src/guides/crd-management.md

@@ -0,0 +1,110 @@
+# CRD Management
+
+Gateway API is built with CRDs. That comes with a number of significant
+benefits, notably that each release of Gateway API supports the 5 more recent
+minor versions of Kubernetes. That means you likely won't need to upgrade your
+Kubernetes cluster to get the latest version of this API.
+
+Unfortunately, this extra flexibility also adds some room for confusion. This
+guide aims to answer some of the most common questions related to Gateway API
+CRD management.
+
+## Who Should Manage CRDs?
+
+Ultimately CRDs are a highly-privileged cluster-scoped resource. That means that
+either a cluster admin or cluster provider should be responsible for managing
+the CRDs in a cluster.
+
+Practically that means that any of the following are reasonable approaches:
+
+* Cluster admin installs CRDs
+* Cluster provisioning tool or provider installs and manages CRDs
+
+Some implementations may also want to bundle CRDs to simplify installation. This
+is acceptable as long as they never:
+
+1. Overwrite Gateway API CRDs that have unrecognized or newer versions.
+1. Overwrite Gateway API CRDs that have a different release channel.
+1. Remove Gateway API CRDs.
+
+[Issue #2678](https://github.com/kubernetes-sigs/gateway-api/issues/2678)
+explores one possible approach implementations could use to accomplish this.
+
+## Upgrading to a new version
+
+Gateway API releases CRDs in two [release
+channels](/concepts/versioning/#release-channels-eg-experimental-standard).
+Sticking with standard channel CRDs will ensure CRD upgrades are both simpler
+and safer.
+
+### Overall Guidelines
+
+1. Avoid moving backwards. New versions of CRDs can add new fields and features.
+   Rolling back to a previous version of these CRDs could result in a loss of
+   that configuration.
+1. Read the release notes before upgrading. In some cases, they may contain some
+   guidelines you need to follow before upgrading.
+1. Understand the [Gateway API versioning policy](/concepts/versioning) so you
+   know what can change.
+1. Although it is usually safe to upgrade across multiple Gateway API minor
+   versions at once, the safest and most widely tested path will involve
+   upgrading one minor version at a time.
+
+### Validating Webhook
+
+A validating webhook was included with earlier versions of Gateway API. Starting
+in v1.0, that webhook has formally been deprecated in favor of the CEL
+validation included directly within CRDs. In Gateway API v1.1, the webhook will
+be fully removed. That means that the validating webhook is no longer a
+consideration when upgrading to newer Gateway API versions.
+
+### API Version Removal
+
+!!! note
+    This is an advanced use case that is currently only applicable to users that
+    have been using Gateway API since v0.5.0 within the same cluster.
+
+It's possible that a Gateway API release will remove an alpha API version like
+v1alpha2 in CRDs that have newer or more stable API versions. Within the
+Standard Channel, the removal of an API version is spread into at least four
+minor releases:
+
+1. A newer API version is configured as the storage version.
+1. Version is deprecated (will be noted in release notes and via deprecation
+   warning when using deprecated API version).
+1. Version is no longer served but is still included in the CRD for the sake
+   of automatic translation between API versions.
+1. Version is no longer included in the CRD.
+
+If you were using a CRD that went through this process (including the storage
+version migration), it's possible that some of your resources are stuck on the
+older (deprecated) storage version. When a CRD storage version is updated, that
+only takes effect when the individual resources using that CRD are saved again.
+
+For example, if you created a "foo" GatewayClass using Gateway API v0.5.0 CRDs,
+the storage version of that GatewayClass would be v1alpha2. If that "foo"
+GatewayClass had never been modified or updated by the time you would not be
+able to upgrade to Gateway API v1.0.0 CRDs because one of our resources was
+still using v1alpha2 as a storage version and that was no longer included in the
+CRD (step 4 above).
+
+To be able to upgrade, you'd need to take some action that would update any
+GatewayClasses that were using the old storage versions. For example, sending
+an empty kubectl patch to each GatewayClass would have this effect. Fortunately
+there's a tool that can automate this for us -
+[kube-storage-version-migrator](https://github.com/kubernetes-sigs/kube-storage-version-migrator)
+will automatically update resources to ensure they're using the latest storage
+version.
+
+### Experimental Channel
+
+As the name implies, Experimental Channel does not provide the same stability
+guarantees that Standard Channel does. When it comes to a minor release, any of
+the following are possible for Experimental Channel CRDs:
+
+* Breaking changes for existing API fields or resources
+* Removing API fields or resources without prior deprecation
+
+In practice this means that some upgrades to new Experimental versions may
+require you to uninstall and reinstall the Experimental CRDs. If that is ever
+the case, it will be clearly communicated in the release notes.

site-src/reference/implementers-guide.md renamed to site-src/guides/implementers.md

@@ -1,4 +1,4 @@
-# Gateway API Implementer's Guide
+# Implementer's Guide
 
 Everything you wanted to know about building a Gateway API implementation
 but were too afraid to ask.
@@ -57,23 +57,22 @@ the cluster, if any.
 
 [versioning]: /concepts/versioning
 
-### Changes to the Gateway API CRDs are backwards compatible
+### Changes to the Standard Channel CRDs are backwards compatible
 
-Part of the contract for Gateway API CRDs is that changes _within an API version_
-must be _compatible_.
+Part of the contract for Standard Channel CRDs is that changes _within an API
+version_ must be _compatible_. Note that CRDs that are part of Experimental
+Channel do not provide any backwards compatibility guarantees.
 
-"Within an API Version" means changes to a CRD that occur while the same API version
-(`v1alpha2` or `v1` for example) is in use, and "compatible" means that any new
-fields, values, or validation will be added to ensure that _previous_
-objects _will still be valid objects_ after the change.
+Although the [Gateway API versioning policy](/concepts/versioning) largely
+aligns with upstream Kubernetes APIs, it does allow for "corrections to
+validation". For example, if the API spec stated that a value was invalid but
+the corresponding validation did not cover that, it's possible that a future
+release may add validation to prevent that invalid input.
 
-This means that once Gateway API objects move to the `v1` API version, then _all_
-changes must be compatible.
-
-This contract also means that an implementation will not fail with a higher version
-of the API than the version it was written with, because the newer schema being
-stored by Kubernetes will definitely be able to be serialized into the older version
-used in code by the implementation.
+This contract also means that an implementation will not fail with a higher
+version of the API than the version it was written with, because the newer
+schema being stored by Kubernetes will definitely be able to be serialized into
+the older version used in code by the implementation.
 
 Similarly, if an implementation was written with a _higher_ version, the newer
 values that it understands will simply _never be used_, as they are not present
@@ -83,92 +82,9 @@ in the older version.
 
 ### CRD Management
 
-For a Gateway API implementation to work, the Gateway API CRDs must be installed
-in the Kubernetes cluster the implementation is watching.
-
-Implementations have two possible options: installing CRDs themselves (implementation
-controlled) or requiring installation by some other mechanism before working 
-(externally controlled). Both have tradeoffs, but implementation controlled has
-significantly more, and so we DO NOT recommend using implementation controlled
-methods at this time.
-
-Regardless, either way has certain things that SHOULD be true, however:
-
-Whatever method is used, infra and cluster admins SHOULD attempt to ensure that
-the Bundle version of the CRDs is not _downgraded_. Although we ensure that
-API changes are backwards compatible, changing CRD definitions can change the
-storage version of the resource, which could have unforeseen effects. Most of the
-time, things will probably work, but if it doesn't work, it will most likely 
-break in weird ways.
-
-Additionally, older versions of the API may be missing fields or features, which
-could be very disruptive for users.
-
-Try your best to ensure that the bundle version doesn't roll backwards. It's safer.
-
-Implementations SHOULD also handle the Gateway API CRDs _not_ being present in
-the cluster without crashing or panicking. Exiting with a clear fatal error is
-acceptable in this case, as is disabling Gateway API support even if enabled in
-configuration.
-
-Practically, for implementations using tools like `controller-runtime` or
-similar tooling, they may need to check for the _presence_ of the CRDs by 
-getting the list of installed CRDs before attempting to watch those resources.
-(Note that this will require the implementation to have `read` access to those
-resources though.)
-
-#### Implementation-controlled CRD installation
-
-Implementation-controlled CRD installation also includes automatic installation
-mechanisms such as Helm, if the CRDs are included in a Helm chart with the
-implementation's installation.
-
-Because of significant caveats we DO NOT recommend doing implementation-controlled
-CRD management at this time.
-
-However, if you really must, CRD definitions MAY be installed by implementations,
-but if they do, they MUST have a way to ensure:
-
-- there are no other Gateway API CRDs installed in the cluster before starting, or
-- that the CRD definitions are only installed if they are a higher bundle version
-  than any existing Gateway API CRDs. Note that even this may not be safe if there
-  are breaking changes in the experimental channel resources, so implementations
-  should be _very_ careful with doing this.
-
-This avoids problems if another implementation is also installed in the cluster
-and expects a higher version of the CRDs to be installed.
-
-The worst outcome here would be two implementations trying to do automatic install
-of _different_ CRD versions, resulting in the CRD versions flapping between
-versions or channels. This would _not_ produce good outcomes.
-
-The safer method for an automatic installation would require the implementation
-to:
-
-- Check if there are any Gateway API CRDs installed in the cluster.
-- If not, install its most compatible version of the CRDs.
-- If so, only install its version of the CRDs if the bundle version is higher
-  than the existing one, and the mechanism will also need to check if there are
-  incompatible changes included in any versions as well.
-
-This is going to be _very_ difficult to pull off in practice.
-
-It should also be noted that many infra and cluster admins manage CRDs using
-externally controlled methods that will not be visible to a Gateway
-implementation, so if you still proceed with automatic installation, it MUST be
-able to be disabled by the installation owner (whether that is the infra or cluster
-admin).
-
-Because of all these caveats, we DO NOT recommend doing automatic CRD management
-at this time.
-
-#### Externally controlled CRD installation
-
-Because of all of the complexities mentioned in the "Implementation controlled"
-section of this document, we recommend that implementations supply documentation
-on how to check if CRDs are installed and upgrade versions if required.
-
-Additions to this document to add suggested commands here are welcomed.
+For information on how to manage Gateway API CRDs, including when it is
+acceptable to bundle CRD installation with your implementation, refer to our
+[CRD Management Guide](/guides/crd-management.md).
 
 ### Conformance and Version compatibility
 
@@ -270,7 +186,7 @@ Implementations MAY choose only one GatewayClass out of the pool of otherwise
 acceptable GatewayClasses if they can only reconcile one, or, if they are capable
 of reconciling multiple GatewayClasses, they may also choose as many as they like.
 
-If something in the GatewayClass renders it incompatibie (at the time of writing,
+If something in the GatewayClass renders it incompatible (at the time of writing,
 the only possible reason for this is that there is a pointer to a `paramsRef`
 object that is not supported by the implementation), then the implementation
 SHOULD mark the incompatible GatewayClass as not `Accepted`.

site-src/guides/index.md

@@ -69,3 +69,8 @@ resources are in-use or if they were installed by a Gateway controller, then do
 not uninstall them. This will uninstall the Gateway API resources for the entire
 cluster. Do not do this if they might be in-use by someone else as this will
 break anything using these resources.
+
+### More on CRD Management
+This guide only provides a high level overview of how to get started with
+Gateway API. For more on the topic of managing Gateway API CRDs, refer to our
+[CRD Management Guide](/guides/crd-management.md).