Improve some ListenetSet gep descriptions

[rikatz]

What type of PR is this?
/kind gep

What this PR does / why we need it:
This PR is a review of ListenerSet GEP, fixing some manifests and adding some comments to be further discussed

Which issue(s) this PR fixes:

Fixes #

Does this PR introduce a user-facing change?:

NONE

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rikatz
Once this PR has been reviewed and has the lgtm label, please assign thockin for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• geps/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[rikatz]

this was made to reflect the current implementation

[LiorLieberman]

I may be out of context, wdym here? are we moving away from the Same as default?

[rikatz]

on the API definition Same is not the default, None is:

gateway-api/apis/v1/gateway_types.go

Line 306 in fb75360

// +kubebuilder:default={from: None}

[LiorLieberman]

Thanks!

[LiorLieberman]

I may be out of context, wdym here? are we moving away from the Same as default?

[LiorLieberman]

I guess no real change here, just order, right?

[rikatz]

right, I wrote on my self review why I did the change. The example of the attachment of Gateway AND ListenerSet is more clear on this order, then we can go to the invalid examples :)

[dprotaso]

To make this invalid the kind needs to be a ListenerSet in the parentRef

[LiorLieberman]

/cc @dprotaso

[rikatz]

per the api spec, not having an allowedListener means "None" which would make this invalid, so I am fixing the example for at least same namespace

[rikatz]

allowedListeners is not an array, so changing here to reflect the current implemented API

[rikatz]

I have changed the order of examples here to make it clear what means using two parentRefs, before the next example which is an invalid example

[dprotaso]

Reading this now it is a duplicate of Routes MUST be able to attach to a ListenerSetand it's parentGatewayby having multipleparentRefs eg:

I saw we replace the above yaml

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: httproute-example
spec:
  parentRefs:
  - name: second-workload-listeners
    kind: ListenerSet
    sectionName: second

with the yaml containing two parent refs

[rikatz]

@dprotaso the example above is a bit confusing for me, probably because the API changed from when it was implemented.

I was wondering what it means for an HTTPRoute to try to attach a listener defined on a Gateway, using a section name foo. If this section name exists on the Gateway it is valid, right? eg.:

  listeners:
  - name: foo
    port: 80
    protocol: HTTP

So how can the situation above be invalid? Maybe we can get the full yaml definition, with Gateway, ListenerSet and HTTPRoute for clarification here?

Thanks!

[dprotaso]

See: https://github.com/kubernetes-sigs/gateway-api/pull/3978/files#r2267789208

[rikatz]

One extra question I have on ListenerSet that is not clear for me, is the deduplication of listeners from different namespaces.

Let me add an example:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: parent-gateway
  namespace: infra
spec:
  allowedListeners:
    namespaces:
      from: All
---
apiVersion: gateway.networking.x-k8s.io/v1alpha1
kind: ListenerSet
metadata:
  name: listener01
  namespace: user01
spec:
  parentRef:
    name: parent-gateway
    namespace: infra
    kind: Gateway
    group: gateway.networking.k8s.io
  listeners:
  - name: something
    hostname: something.foo.com
    protocol: HTTPS
    port: 443
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        group: ""
        name: cert
---
apiVersion: gateway.networking.x-k8s.io/v1alpha1
kind: ListenerSet
metadata:
  name: listener01
  namespace: user02
spec:
  parentRef:
    name: parent-gateway
    namespace: infra
    kind: Gateway
    group: gateway.networking.k8s.io
  listeners:
  - name: something
    hostname: something.foo.com
    protocol: HTTPS
    port: 443
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        group: ""
        name: othercert

Who owns something.foo.com here? because in this case, if we are not explicitly deduplicating, we may have a situation where 2 listeners for the same host and different cert are set.

[rikatz]

on ListenerSet conflict management: at some point on this GEP there is a mention to it:

Listeners in a Gateway and their attached ListenerSets are concatenated as a list when programming the underlying infrastructure

Listeners should be merged using the following precedence:

    "parent" Gateway
    ListenerSet ordered by creation time (oldest first)
    ListenerSet ordered alphabetically by "{namespace}/{name}".

This is the statement for conflict management, but it is not really clear on what a conflict means. This way, during a discussion on gateway-api channel, we've reached the consensus of writing some conflict examples and how to deal with them, as part of the GEP, to make it easier on implementation and conformance.

[youngnick]

Thanks @rikatz.

To bring the comments I had in the Slack thread here:

I think there should be two rules:

• ListenerSets cannot be Accepted unless all Listeners are distinct (see the Gateway Spec listeners field for an exact definition).
• If Listeners within a group of ListenerSets are not distinct (that is, if Listeners in different ListenerSet objects that attach to the same Gateway are not distinct), then the Listeners are conflicting, and the Listener from the oldest ListenerSet object wins and is Accepted. ListenerSets containing conflicting Listeners MUST set the Conflicted Condition to true and clearly indicate which Listeners are conflicted.

Examples that illustrate those rules would be awesome.

[rikatz]

@youngnick added some examples and a whole section for conflict management, let me know wdyt :)

[dprotaso]

Should we add this new clause to the API types godoc?

Also we might want to call out sectionName behaves a bit differently where sibling ListenerSets can have the same sectionName.

[dprotaso]

tab instead of space maybe?

[dprotaso]

Suggested change

	The following example shows a `Gateway` with an HTTP listener and two child HTTPS `ListenerSets` with unique hostnames and certificates.
	Only `ListenerSets` from the same namespace of the `Gateway` will be accepted:
	The following example shows a `Gateway` with an HTTP listener and two child HTTPS `ListenerSets` with unique hostnames and certificates. Only `ListenerSets` from the same namespace of the `Gateway` will be accepted:

[dprotaso]

We should combine this section into ListenerConditions within a ListenerSet so that conflicts are covered in one section.

[dprotaso]

this language needs to exclude sectionName when comparing it across sibling Listeners

[dprotaso]

Or refer to 'Optional Section Name'

[dprotaso]

using a tab here instead of spaces

[dprotaso]

There's a bunch of these places - just view the GitHub rendering of the GEP and you'll see broken syntax formatting

[dprotaso]

Suggested change

	have a listener definition called `foo` that conflicts with the ListenetSet definition
	The ListenerSet `user-listenerset` should be marked as Conflicted, as the `parent-gateway`
	has a listener definition called `foo` that conflicts with the ListenerSet definition
	called `myapp`, as the following:

Can we also update this (the paragraph not the condition message) to highlight that it is a conflict because the host name is the same but they use different termination TLS certificates

[dprotaso]

Would we want to highlight the listener name in the error message?