SEANK.H.LIAO

single node envoy gateway

https traffic plz

envoy-gateway on a single node

I run a single node k8s cluster for experiments, and I need some way to route HTTP(S) traffic to different pods. These days, that means something that implements Gateway API, and Envoy Gateway doesn't look too bad: it doesn't lock features behind a paywall like most open core software, and it isn't as complex to run as Istio.

If you follow through their instructions, you'll end up with a Gateway like this:

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: http-gateway
  namespace: envoy-gateway-system
spec:
  gatewayClassName: http-gateway
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          from: All
    - name: https
      protocol: HTTPS
      port: 443
      tls:
        mode: Terminate
        certificateRefs:
          - kind: Secret
            name: http-gateway
      allowedRoutes:
        namespaces:
          from: All
```

But how do you get traffic into the Gateway? By default it creates a Service of type LoadBalancer, which I don't have. So I also point the GatewayClass at a custom EnvoyProxy config that marks the ports as hostPort.

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: http-gateway
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
  parametersRef:
    group: gateway.envoyproxy.io
    kind: EnvoyProxy
    namespace: envoy-gateway-system
    name: http-gateway
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: http-gateway
  namespace: envoy-gateway-system
spec:
  provider:
    type: Kubernetes
    kubernetes:
      envoyService:
        type: ClusterIP
      envoyDeployment:
        strategy:
          type: Recreate
        patch:
          type: StrategicMerge
          value:
            spec:
              template:
                spec:
                  containers:
                    - name: envoy
                      ports:
                        - containerPort: 10080
                          hostPort: 80
                        - containerPort: 10443
                          protocol: TCP
                          hostPort: 443
```

There is a limitation to this though: when I tried to enable HTTP3 (QUIC), I realized that the ports list is merged keyed only on containerPort, which isn't unique when you have both TCP and UDP on the same port. After patching, only one of the two ports remains.
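The port collapse described above, as an added example that is not part of the original post: a simplified model of how a strategic-merge list merge behaves when the merge key is containerPort only, versus (containerPort, protocol). The port lists are constructed, and the merge model (last write per key wins) is an assumption that reproduces the symptom rather than the exact apimachinery algorithm.

```python
"""Model a strategic-merge patch of container ports with different merge keys.

Added example; the ports below are constructed to mirror the post's setup plus
a UDP (QUIC) listener on 10443.
"""
from typing import Dict, List, Tuple

Port = Dict[str, object]

# Constructed: ports the generated Envoy deployment already exposes.
BASE_PORTS: List[Port] = [
    {"containerPort": 10080, "protocol": "TCP"},
    {"containerPort": 10443, "protocol": "TCP"},
    {"containerPort": 10443, "protocol": "UDP"},
]

# Constructed: the hostPort patch from the post, extended with a UDP entry.
PATCH_PORTS: List[Port] = [
    {"containerPort": 10080, "hostPort": 80},
    {"containerPort": 10443, "protocol": "TCP", "hostPort": 443},
    {"containerPort": 10443, "protocol": "UDP", "hostPort": 443},
]

WANTED = [(10080, "TCP"), (10443, "TCP"), (10443, "UDP")]


def merge_ports(base: List[Port], patch: List[Port],
                merge_keys: Tuple[str, ...]) -> List[Port]:
    """Merge port lists: entries sharing a merge key are combined field by
    field (later entries overwrite earlier ones); distinct keys are appended.
    Kubernetes defaults protocol to TCP when it is omitted."""
    def key_of(p: Port) -> tuple:
        return tuple(p.get(k, "TCP") if k == "protocol" else p.get(k)
                     for k in merge_keys)

    merged: Dict[tuple, Port] = {}
    for p in base + patch:
        merged.setdefault(key_of(p), {}).update(p)
    return list(merged.values())


def missing_ports(ports: List[Port]) -> List[Tuple[int, str]]:
    """Return the (containerPort, protocol) pairs from WANTED that the merged
    list no longer carries; a non-empty result means a listener was lost."""
    have = {(p["containerPort"], p.get("protocol", "TCP")) for p in ports}
    return sorted(set(WANTED) - have)


if __name__ == "__main__":
    for keys in (("containerPort",), ("containerPort", "protocol")):
        print(keys, "missing:", missing_ports(merge_ports(BASE_PORTS, PATCH_PORTS, keys)))
```

Keyed on containerPort alone the TCP and UDP 10443 entries collide and one is dropped; keyed on both fields all three survive, which is the check to run against the rendered Deployment after applying a patch like this.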