gateway-api

Repository for the next iteration of composite service (e.g. Ingress) and load balancing APIs.

APACHE-2.0 License

gateway-api - v1.0.0 Latest Release

Published by robscott 12 months ago

On behalf of Kubernetes SIG Network, we are pleased to announce the v1.0 release!
This release marks a huge milestone for this project. Several key APIs are
graduating to GA (generally available), while other significant features have
been added to the Experimental channel.

It's been four years since this project began, and we would never have gotten
here without the support of a dedicated and active community. The maintainers
would like to thank everyone who's contributed to Gateway API, whether in the
form of commits to the repo, discussion, ideas, or general support. We literally
couldn't have gotten this far without you.

This project is nowhere near finished, as you can see from the large amount of
features being added into the Experimental Channel. With such a big set of
things still to do, contributors and contributions are more vital than ever.
Please feel welcome to join our community!!

Gateway, GatewayClass, and HTTPRoute are GA 🎉

Gateway, GatewayClass, and HTTPRoute have all graduated to GA with a v1 API
version. Although these APIs will continue to grow with future additions, the
versions of these resources available via the Standard Channel are stable and
recommended for use in production. Many implementations are fully passing
conformance tests that cover the functionality of each of these resources. These
APIs are graduating to GA with only minor spec clarifications since the v0.8.0
release.

CEL Migration

Starting in v0.8.0, Gateway API CRDs now include CEL validation. In this release
the validating webhook is no longer bundled with CRD installation. Instead we
include a separate webhook-install.yaml file as part of the release artifacts.

If you're running Kubernetes 1.25+, we do not recommend installing the webhook
and additionally suggest that you uninstall any previously installed versions of
the webhook.

If you're still running Kubernetes 1.23 or 1.24, we recommend installing the
webhook until you can upgrade to Kubernetes 1.25 or newer.

New Experimental Features

There are several exciting new experimental features in this release:

BackendTLSPolicy

A new BackendTLSPolicy resource has been introduced for configuring TLS
connections from Gateways to Backends. This allows you to configure the Gateway
to validate the certificates served by Backends. For more information, refer to
GEP 1897.

Primary Author: @candita

HTTPRoute Timeouts

HTTPRoute has a new Timeouts field on Route Rules. This allows you to
configure overall Request Timeouts as well as Backend Request Timeouts. For more
information, refer to GEP 1742.

Primary Authors: @frankbu, @SRodi

Gateway Infrastructure Labels

Gateway has a new Infrastructure field that allows you to specify Labels or
Annotations that you'd like to be propagated to each resource generated for a
Gateway. For example, these labels and annotations may be copied to Services and
Deployments provisioned for in-cluster Gateways, or to other
implementation-specific resources, such as Cloud Load Balancers. For more
information, refer to GEP 1762.

Primary Author: @howardjohn

WebSockets, HTTP/2, and More

Some coordinated work across both Gateway API and upstream Kubernetes has
defined 3 new values for the AppProtocol field on Service Ports:

  • kubernetes.io/h2c - HTTP/2 over cleartext as described in
    RFC7540
  • kubernetes.io/ws - WebSocket over cleartext as described in
    RFC6455
  • kubernetes.io/wss - WebSocket over TLS as described in
    RFC6455

These can now be used with Gateway API to describe the protocol to use for
connections to Kubernetes Services. For more information, refer to GEP 1911.

A new CLI tool: gwctl

An experimental new CLI tool and kubectl plugin, gwctl aims to improve the UX
when interacting with Gateway API. Initially it is focused on Policy Attachment,
making it easier to understand which policies are available in a cluster, and
which have been applied. In future releases, we hope to expand the scope of this
tool to provide more detailed responses when getting and describing Gateway API
resources. Note that this tool is still in very early stages and it's very
likely that future releases will include breaking changes for gwctl. For more
information, refer to the gwctl Readme.

Primary Author: @gauravkghildiyal

Everything Else

Of course there's a lot more in this release:

Spec Clarifications

  • Clarify that the Gateway Listener status AttachedRoutes field is a count of
    the number of Routes associated with a Listener regardless of Gateway or Route
    status. (#2396, @sunjayBhatia)
  • Gateway: A new concept called "Listener Isolation" has been introduced to
    describe the recommendation that at most one Listener matches a request, and
    only Routes attached to that Listener are used for routing. (#2465, @robscott)
  • Experimental Channel: For ParentRefs to be considered distinct, they either
    both need to specify a distinct SectionName, both need to specify a distinct
    Port, or both. (#2433, @robscott)
  • Updated rules about Listener uniqueness to use the term distinct (#2436,
    @youngnick)

Status

  • GatewayClass Status: A new experimental supportedFeatures field has been
    added. Implementations should populate this with the features they support.
    (#2461, @Liorlieberman, @robscott)
  • GatewayClass Status: A new SupportedVersion condition has been added that MUST
    be set when a GatewayClass is accepted. (#2384, @robscott)
  • Route Status: A new "PartiallyInvalid" condition has been added for all Route
    types. This condition also includes guidance for how partially invalid states
    should be handled with Gateway API. (#2429, @robscott)
  • The condition reason GatewayReasonUnsupportedAddress for Accepted now ONLY
    applies when an address type is provided for a Gateway which it does not
    support.
    (#2412 @shaneutt)
  • The condition reason GatewayReasonAddressNotAssigned for Programmed now
    ONLY applies to problems with dynamic address allocation.
    (#2412 @shaneutt)
  • The condition reason GatewayReasonAddressNotUsable for Programmed has been
    added to deal with situations where a static address has been provided for a
    Gateway which is of a supported type, and is syntactically valid, but for some
    reason it can not be used for this Gateway (e.g. the address is already in use
    on the network).
    (#2412 @shaneutt)

Documentation

  • A guide for Gateway API implementers is now included in the specification.
    (#2454, @youngnick)
  • Gateway API versioning will continue to rely on two release channels -
    Standard and Experimental. New resources will start in the Experimental
    Channel with an alpha API Version and then graduate to the Standard Channel
    with a GA API version. Resources that already have Beta API versions will
    continue to have them, but no additional Gateway API resources will get a Beta
    API version. (#2446, @robscott)

Cleanup

  • Validating Webhook logs now use Errorf instead of Fatalf. (#2361, @yylt)

Bug Fixes

  • CEL validation for BackendTLSPolicy was fixed with corresponding tests added
    (#2491, @ygnas)
  • Fixes the API version for ReferenceGrant from v1 to v1beta1 in the
    GatewaySecretInvalidReferenceGrant conformance test YAML (#2494, @arkodg)
  • Gateway infrastructure field is now a pointer (#2508, @danehans)

Conformance Tests

  • h2c Backend Protocol conformance tests were added (#2456, @dprotaso)
  • WebSocket Backend Protocol conformance tests were added (#2495, @dprotaso)
  • New conformance test for Gateway Status AttachedRoutes (#2477, @danehans)
  • Implemented the ExemptFeatures field for Experimental Conformance Profiles
    (#2515, @arkodg)

Other (Cleanup or Flake)

  • Resources related to the validating webhook such as the gateway-system
    namespace and the gateway-api-admission-server deployment have been removed
    from the installation manifests, in favor of CEL based Validations that are
    built into the CRD definition. These are still available in
    webhook-install.yaml in case you would like to optionally install them.
    (#2401, @arkodg)

gateway-api - v1.0.0-rc2

Published by youngnick 12 months ago

The working group expects that this release candidate is quite close to the
final v0.8.0 release. However, breaking API changes are still possible.

This release candidate is suitable for implementors, but the working group does
not recommend shipping products based on a release candidate API due to the
possibility of incompatible changes prior to the final release. The following
represents the changes since v1.0.0-rc1:

Bug Fixes

  • CEL validation for BackendTLSPolicy was fixed with corresponding tests added
    (#2491, @ygnas)
  • Fixes the API version for ReferenceGrant from v1 to v1beta1 in the
    GatewaySecretInvalidReferenceGrant conformance test YAML (#2494, @arkodg)
  • Gateway infrastructure field is now a pointer (#2508, @danehans)

Conformance Tests

  • h2c Backend Protocol conformance tests were added (#2456, @dprotaso)
  • WebSocket Backend Protocol conformance tests were added (#2495, @dprotaso)
  • New conformance test for Gateway Status AttachedRoutes (#2477, @danehans)
  • Implemented the ExemptFeatures field for Experimental Conformance Profiles
    (#2515, @arkodg)

gateway-api - v1.0.0-rc1

Published by robscott about 1 year ago

The working group expects that this release candidate is quite close to the
final v0.8.0 release. However, breaking API changes are still possible.

This release candidate is suitable for implementors, but the working group does
not recommend shipping products based on a release candidate API due to the
possibility of incompatible changes prior to the final release. The following
represents the changes since v0.8.0-rc1:

Gateway, GatewayClass, and HTTPRoute are GA 🎉

Gateway, GatewayClass, and HTTPRoute have all graduated to GA with a v1 API
version. Although these APIs will continue to grow with future additions, the
versions of these resources available via the Standard Channel are stable and
recommended for use in production. Many implementations are fully passing
conformance tests that cover the functionality of each of these resources. These
APIs are graduating to GA with only minor spec clarifications since the v0.8.0
release.

CEL Migration

Starting in v0.8.0, Gateway API CRDs now include CEL validation. In this release
the validating webhook is no longer bundled with CRD installation. Instead we
include a separate webhook-install.yaml file as part of the release artifacts.

If you're running Kubernetes 1.25+, we do not recommend installing the webhook
and additionally suggest that you uninstall any previously installed versions of
the webhook.

If you're still running Kubernetes 1.23 or 1.24, we recommend installing the
webhook until you can upgrade to Kubernetes 1.25 or newer.

New Experimental Features

There are several exciting new experimental features in this release:

BackendTLSPolicy

A new BackendTLSPolicy resource has been introduced for configuring TLS
connections from Gateways to Backends. This allows you to configure the Gateway
to validate the certificates served by Backends. For more information, refer to
GEP 1897.

Primary Author: @candita

HTTPRoute Timeouts

HTTPRoute has a new Timeouts field on Route Rules. This allows you to
configure overall Request Timeouts as well as Backend Request Timeouts. For more
information, refer to GEP 1742.

Primary Authors: @frankbu, @SRodi

Gateway Infrastructure Labels

Gateway has a new Infrastructure field that allows you to specify Labels or
Annotations that you'd like to be propagated to each resource generated for a
Gateway. For example, these labels and annotations may be copied to Services and
Deployments provisioned for in-cluster Gateways, or to other
implementation-specific resources, such as Cloud Load Balancers. For more
information, refer to GEP 1762.

Primary Author: @howardjohn

WebSockets, HTTP/2, and More

Some coordinated work across both Gateway API and upstream Kubernetes has
defined 3 new values for the AppProtocol field on Service Ports:

  • kubernetes.io/h2c - HTTP/2 over cleartext as described in
    RFC7540
  • kubernetes.io/ws - WebSocket over cleartext as described in
    RFC6455
  • kubernetes.io/wss - WebSocket over TLS as described in
    RFC6455

These can now be used with Gateway API to describe the protocol to use for
connections to Kubernetes Services. For more information, refer to GEP 1911.

A new CLI tool: gwctl

An experimental new CLI tool and kubectl plugin, gwctl aims to improve the UX
when interacting with Gateway API. Initially it is focused on Policy Attachment,
making it easier to understand which policies are available in a cluster, and
which have been applied. In future releases, we hope to expand the scope of this
tool to provide more detailed responses when getting and describing Gateway API
resources. Note that this tool is still in very early stages and it's very
likely that future releases will include breaking changes for gwctl. For more
information, refer to the gwctl Readme.

Primary Author: @gauravkghildiyal

Everything Else

Of course there's a lot more in this release:

Spec Clarifications

  • Clarify that the Gateway Listener status AttachedRoutes field is a count of
    the number of Routes associated with a Listener regardless of Gateway or Route
    status. (#2396, @sunjayBhatia)
  • Gateway: A new concept called "Listener Isolation" has been introduced to
    describe the recommendation that at most one Listener matches a request, and
    only Routes attached to that Listener are used for routing. (#2465, @robscott)
  • Experimental Channel: For ParentRefs to be considered distinct, they either
    both need to specify a distinct SectionName, both need to specify a distinct
    Port, or both. (#2433, @robscott)
  • Updated rules about Listener uniqueness to use the term distinct (#2436,
    @youngnick)

Status

  • GatewayClass Status: A new experimental supportedFeatures field has been
    added. Implementations should populate this with the features they support.
    (#2461, @Liorlieberman, @robscott)
  • GatewayClass Status: A new SupportedVersion condition has been added that MUST
    be set when a GatewayClass is accepted. (#2384, @robscott)
  • Route Status: A new "PartiallyInvalid" condition has been added for all Route
    types. This condition also includes guidance for how partially invalid states
    should be handled with Gateway API. (#2429, @robscott)
  • The condition reason GatewayReasonUnsupportedAddress for Accepted now ONLY
    applies when an address type is provided for a Gateway which it does not
    support.
    (#2412 @shaneutt)
  • The condition reason GatewayReasonAddressNotAssigned for Programmed now
    ONLY applies to problems with dynamic address allocation.
    (#2412 @shaneutt)
  • The condition reason GatewayReasonAddressNotUsable for Programmed has been
    added to deal with situations where a static address has been provided for a
    Gateway which is of a supported type, and is syntactically valid, but for some
    reason it can not be used for this Gateway (e.g. the address is already in use
    on the network).
    (#2412 @shaneutt)

Documentation

  • A guide for Gateway API implementers is now included in the specification.
    (#2454, @youngnick)
  • Gateway API versioning will continue to rely on two release channels -
    Standard and Experimental. New resources will start in the Experimental
    Channel with an alpha API Version and then graduate to the Standard Channel
    with a GA API version. Resources that already have Beta API versions will
    continue to have them, but no additional Gateway API resources will get a Beta
    API version. (#2446, @robscott)

Cleanup

  • Validating Webhook logs now use Errorf instead of Fatalf. (#2361, @yylt)

Other (Cleanup or Flake)

  • Resources related to the validating webhook such as the gateway-system
    namespace and the gateway-api-admission-server deployment have been removed
    from the installation manifests, in favor of CEL based Validations that are
    built into the CRD definition. These are still available in
    webhook-install.yaml in case you would like to optionally install them.
    (#2401, @arkodg)

gateway-api - v0.8.1

Published by youngnick about 1 year ago

v0.8.1

This is a patch release that includes small bug fixes and a new conformance test
as a follow up to the v0.8.0 release.

Changes by Kind

Bug Fixes

  • Fix CEL validation not handling missing listener hostname correctly. (#2370, @frankbu)
  • Fix IPv6 parsing in conformance tests (#2375, @keithmattix)

Conformance Tests

  • Add conformance test for multiple mirror filters. (#2359, @levikobi)

gateway-api - v0.8.0

Published by shaneutt about 1 year ago

Major Themes

GAMMA (Service Mesh)

Service mesh support per the GAMMA initiative has moved to experimental in
v0.8.0. As an experimental API, it is still possible that this will change;
the working group does not recommend shipping products based on any
experimental API.

When using the Gateway API to configure a service mesh, the Gateway and
GatewayClass resources are not used (as there will typically only be one mesh
in the cluster) and, instead, individual route resources are associated
directly with Service resources. This permits configuring mesh routing while
preserving the Gateway API's overall semantics.

We encourage service mesh implementers and users to try this new support and
we welcome feedback! Once again, though, the working group does not recommend
shipping products based on this or any other experimental API due to the
possibility of incompatible changes prior to the final release.

CEL Validation

This release marks the beginning of a transition from webhook validation to CEL
validation that is built into the CRDs. That will mean different things
depending on the version of Kubernetes you're using:

Kubernetes 1.25+

CEL validation is fully supported. Most validation is now covered by the
validating webhook, but unfortunately not quite everything.

All but one validation has been translated from the
webhook to CEL. Currently the CRDs only have a case-sensitive uniqueness check
for header names in header modifier filters. The webhook validation is more
thorough, ensuring that the uniqueness is case-insensitive. Unfortunately that
is not possible to represent with CEL today. There is more information in
#2277.

Installing the validating webhook is still recommended for this release to allow
controllers to catch up to cover this gap in CEL validation. We expect this is
the last release we will make this recommendation for. For more information,
refer to #2319.
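
The gap described above can also be checked outside the cluster. The following is an added example, not code from the Gateway API project: it reads one HTTPRoute as JSON (for instance from `kubectl get httproute -o json`) and reports header names in header modifier filters that collide when compared case-insensitively. The Go type and function names are hypothetical, the sample route is constructed, and checking each `set`, `add` and `remove` list on its own is an assumption about scope.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal view of the HTTPRoute fields this check reads. The Go type names are
// hypothetical; only the JSON field names come from the HTTPRoute schema.
type header struct {
	Name string `json:"name"`
}

type headerModifier struct {
	Set    []header `json:"set"`
	Add    []header `json:"add"`
	Remove []string `json:"remove"`
}

type filter struct {
	RequestHeaderModifier  *headerModifier `json:"requestHeaderModifier"`
	ResponseHeaderModifier *headerModifier `json:"responseHeaderModifier"`
}

type httpRoute struct {
	Spec struct {
		Rules []struct {
			Filters     []filter `json:"filters"`
			BackendRefs []struct {
				Filters []filter `json:"filters"`
			} `json:"backendRefs"`
		} `json:"rules"`
	} `json:"spec"`
}

// Finding is one list in which two or more header names are equal once case
// is ignored. Names keeps the spellings in the order they appear.
type Finding struct {
	Path  string
	Names []string
}

// collisions groups names by their lower-cased form and reports every group
// with more than one member, in first-seen order.
func collisions(path string, names []string) []Finding {
	groups := map[string][]string{}
	var order []string
	for _, n := range names {
		key := strings.ToLower(n)
		if _, ok := groups[key]; !ok {
			order = append(order, key)
		}
		groups[key] = append(groups[key], n)
	}
	var out []Finding
	for _, key := range order {
		if len(groups[key]) > 1 {
			out = append(out, Finding{Path: path, Names: groups[key]})
		}
	}
	return out
}

func headerNames(hs []header) []string {
	out := make([]string, 0, len(hs))
	for _, h := range hs {
		out = append(out, h.Name)
	}
	return out
}

// checkFilters inspects the request and response header modifiers of each filter.
func checkFilters(prefix string, filters []filter) []Finding {
	var out []Finding
	for i, f := range filters {
		for _, e := range []struct {
			field string
			mod   *headerModifier
		}{
			{"requestHeaderModifier", f.RequestHeaderModifier},
			{"responseHeaderModifier", f.ResponseHeaderModifier},
		} {
			if e.mod == nil {
				continue
			}
			p := fmt.Sprintf("%s.filters[%d].%s", prefix, i, e.field)
			out = append(out, collisions(p+".set", headerNames(e.mod.Set))...)
			out = append(out, collisions(p+".add", headerNames(e.mod.Add))...)
			out = append(out, collisions(p+".remove", e.mod.Remove)...)
		}
	}
	return out
}

// AuditHTTPRoute checks rule-level filters first, then filters on backendRefs.
func AuditHTTPRoute(raw []byte) ([]Finding, error) {
	var r httpRoute
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, err
	}
	var out []Finding
	for i, rule := range r.Spec.Rules {
		rp := fmt.Sprintf("spec.rules[%d]", i)
		out = append(out, checkFilters(rp, rule.Filters)...)
		for j, b := range rule.BackendRefs {
			out = append(out, checkFilters(fmt.Sprintf("%s.backendRefs[%d]", rp, j), b.Filters)...)
		}
	}
	return out, nil
}

// Constructed sample: every name is unique byte-for-byte, so a case-sensitive
// uniqueness check accepts it, yet two lists collide once case is ignored.
const sampleRoute = `{"kind":"HTTPRoute","metadata":{"name":"constructed-route"},"spec":{"rules":[{
 "filters":[{"type":"RequestHeaderModifier","requestHeaderModifier":{
   "set":[{"name":"X-Tenant","value":"a"},{"name":"x-tenant","value":"b"}],
   "remove":["Authorization","Cookie"]}}],
 "backendRefs":[{"name":"svc","port":8080,"filters":[{"type":"ResponseHeaderModifier",
   "responseHeaderModifier":{"remove":["Server","SERVER"]}}]}]}]}}`

func main() {
	findings, err := AuditHTTPRoute([]byte(sampleRoute))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %v\n", f.Path, f.Names)
	}
}
```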

Kubernetes 1.23 and 1.24

CEL validation is not supported, but Gateway API v0.8.0 CRDs can still be
installed. When you upgrade to Kubernetes 1.25+, the validation included in
these CRDs will automatically take effect. We recommend continuing to install
the validating webhook on these Kubernetes versions.

Kubernetes 1.22 and older

Unfortunately Gateway API v0.8.0 is not supported on these Kubernetes versions.
Gateway API v0.8.0 CRDs include CEL validation and cannot be installed on these
versions of Kubernetes. Note that Gateway API only commits to providing support
for the 5 most recent versions of Kubernetes,
and thus these versions are no longer supported by Gateway API.

API Version Changes

As we prepare for a v1.0 release that will graduate Gateway, GatewayClass, and
HTTPRoute to the v1 API Version from v1beta1, we are continuing the process
of moving away from v1alpha2 for resources that have graduated to v1beta1.
The following changes are included in this release:

  • v1alpha2 of Gateway, GatewayClass, and HTTPRoute is no longer served
  • v1alpha2 of ReferenceGrant is deprecated
  • v1beta1 is now the storage version for ReferenceGrant

Those changes mean that:

  • Users and implementations that were reading or writing from v1alpha2 of
    Gateway, GatewayClass, or HTTPRoute MUST upgrade to use v1beta1.
  • Users and implementations that were reading or writing from v1alpha2 of
    ReferenceGrant SHOULD upgrade to use v1beta1.

For more information, refer to
#2069.

Supported Features and Conformance Levels

Gateway API conformance tests have a concept of "Supported Features".
Implementations state which features they support, and then all the tests
covering that set of features are run.

Prior to v0.8.0, we had a concept of "StandardCoreFeatures" that represented the
set of features we expected every implementation to implement. Support for the
Gateway and HTTPRoute resources was included in that list.

Alongside that, Gateway API also has a concept of "Support Levels" such as
"Core", "Extended", and "Implementation-Specific". The API had labeled 2
resources as having support levels, but these didn't really make sense with
the modular API model of Gateway API.

In this release, we've simplified the concepts here. Individual resources no
longer have assigned support levels; instead, these are represented as "Supported
Features." Implementations can separately claim to support Gateway,
ReferenceGrant, or any other resource. This change helps accommodate incoming
Mesh implementations, many of which do not support one or both of these
resources.

For more information refer to
#2323.

Other Changes

Status

  • Add IncompatibleFilters reason for implementations to specify when a route is
    invalid due to an invalid combination of route filters. (#2150, @sunjayBhatia)

Validation

  • Add CEL validation for GRPCRoute. (#2305, @gnossen)
  • HTTPRoute and GRPCRoute CRDs now provide built-in validation that ensures the
    uniqueness of names in Header Modifier "Remove" lists. (#2306, @robscott)

Spec Clarifications

  • RequestMirrorFilter: Enhanced the doc string to be explicit about sending the
    mirrored request to a single destination endpoint within the backendRef
    specified. (#2317, @arkodg)
  • HTTPRoute Method matching precedence has been clarified (#2054,
    @gauravkghildiyal)
  • Clarify that implementations must not modify HTTP Host header. Adds
    specificity alongside spec that port in Host header must be ignored when
    matching on host. (#2092, @sunjayBhatia)
  • Fix typo: rename GatewaReasonUnsupportedAddress ->
    GatewayReasonUnsupportedAddress (#2149, @panslava)
  • HTTPRoute: Clarified that exact path matches are truly exact, both trailing
    slashes and capitalization are meaningful. (#2055, @robscott)
  • Implementations MUST ignore any port value specified in the HTTP Host header
    while performing a match against HTTPRoute.Hostnames (#1980,
    @gauravkghildiyal)

Conformance

  • Add conformance tests against accepting invalid ReferenceGrants in HTTPRoute
    and TLSRoute (#2076, @meyskens)
  • Fixed an issue causing conformance tests to fail when using IPv6 addresses
    (#2024, @howardjohn)
  • HTTPRoute connectivity is now enforced in conformance tests if a relevant
    ReferenceGrant gets deleted. (#1853, @pmalek)
  • The --skip-tests flag has been added to the conformance CLI to enable tests
    opt-out when using it. (#2170, @mlavacca)
  • The experimental conformance profile suite can now be added as a stand-alone
    cli and by means of go test. (#2066, @mlavacca)
  • GEPs now must have a Conformance Details section that specifies the feature's
    name for conformance purposes. (#2115, @youngnick)
  • Better support mesh-only conformance testing (#2312, @kflynn)
  • SupportedFeatures have been restructured to be per-resource (#2323, @robscott)
  • Add SupportedFeature for port 8080 on Gateway (#2184, @xtineskim)
  • Fixes for IPv6 in Mesh (#2340, @keithmattix)
  • Fix leaking TCP connections which can lead to conformance test failures
    (#2358, @gauravkghildiyal)

Webhook

  • Changed default imagePullPolicy for gateway-api-admission-server to
    IfNotPresent. (#2215, @networkhermit)
  • Webhook config works with PodAdmission restricted (#2016, @jcpunk)

Documentation

  • Adds support for ParentRef targeting a Kubernetes Service resource for mesh
    implementations. (#2146, @mikemorris)
  • Clarify wording on website around Gateway API vs API Gateway (#2191,
    @david-martin)
  • GEP-1282, Backend Properties, has been declined. (#2132, @youngnick)
  • Added missing GEPs. (#2114, @levikobi)

Bug Fixes

  • Added the missing ReferenceGrant resource to the kustomization.yaml for the
    standard channel (#2084, @howardjohn)
  • Webhook validation now ensures that BackendRefs can not be specified in the
    same HTTPRoute rule as a Redirect filter (#2161, @slayer321)
  • GRPCRoute: The default match has been removed as it was invalid (it only
    specified a type of "Exact" without a corresponding Service or Method). Note
    that the match type still defaults to "Exact". (#2311, @gauravkghildiyal)

Full Changelog: https://github.com/kubernetes-sigs/gateway-api/compare/v0.7.0...v0.8.0

gateway-api - v0.8.0-rc2

Published by shaneutt about 1 year ago

The working group expects that this release candidate is quite close to the final
v0.8.0 release. However, breaking API changes are still possible.

This release candidate is suitable for implementors, but the working group does
not recommend shipping products based on a release candidate API due to the
possibility of incompatible changes prior to the final release. The following
represents the changes since v0.8.0-rc1:

Changes by Kind

Validation

  • Add CEL validation for GRPCRoute. (#2305, @gnossen)
  • HTTPRoute and GRPCRoute CRDs now provide built-in validation that ensures the
    uniqueness of names in Header Modifier "Remove" lists. (#2306, @robscott)

Bug Fixes

  • GRPCRoute: The default match has been removed as it was invalid (it only
    specified a type of "Exact" without a corresponding Service or Method). Note
    that the match type still defaults to "Exact". (#2311, @gauravkghildiyal)

Spec Clarifications

  • RequestMirrorFilter: Enhanced the doc string to be explicit about sending the
    mirrored request to a single destination endpoint within the backendRef
    specified. (#2317, @arkodg)
  • Resources no longer have support levels, implementations can choose to support
    whichever set of resources they want (#2323, @robscott)

Conformance

  • Better support mesh-only conformance testing (#2312, @kflynn)
  • SupportedFeatures have been restructured to be per-resource (#2323, @robscott)

Full Changelog: https://github.com/kubernetes-sigs/gateway-api/compare/v0.8.0-rc1...v0.8.0-rc2

gateway-api - v0.8.0-rc1

Published by robscott about 1 year ago

The working group expects that this release candidate is quite close to the final
v0.8.0 release. However, breaking API changes are still possible.

This release candidate is suitable for implementors, but the working group does
not recommend shipping products based on a release candidate API due to the
possibility of incompatible changes prior to the final release.

Major Themes

GAMMA (Service Mesh)

Service mesh support per the GAMMA initiative has moved to experimental in
v0.8.0. As an experimental API, it is still possible that this will change;
the working group does not recommend shipping products based on any
experimental API.

When using the Gateway API to configure a service mesh, the Gateway and
GatewayClass resources are not used (as there will typically only be one mesh
in the cluster) and, instead, individual route resources are associated
directly with Service resources. This permits configuring mesh routing while
preserving the Gateway API's overall semantics.

We encourage service mesh implementers and users to try this new support and
we welcome feedback! Once again, though, the working group does not recommend
shipping products based on this or any other experimental API due to the
possibility of incompatible changes prior to the final release.

CEL Validation

This release marks the beginning of a transition from webhook validation to CEL
validation that is built into the CRDs. That will mean different things
depending on the version of Kubernetes you're using:

Kubernetes 1.25+

CEL validation is fully supported. Most validation is now covered by the
validating webhook, but unfortunately not quite everything.

Standard Channel: All but one validation has been translated from the
webhook to CEL. Currently the CRDs only have a case-sensitive uniqueness check
for header names in header modifier filters. The webhook validation is more
thorough, ensuring that the uniqueness is case-insensitive. Unfortunately that
is not possible to represent with CEL today. There is more information in
#2277.

Experimental Channel: TCPRoute, TLSRoute, and UDPRoute are fully covered by
CEL validation. GRPCRoute still has some significant gaps in CEL validation that
will be covered in a future release.

Kubernetes 1.23 and 1.24

CEL validation is not supported, but Gateway API v0.8.0 CRDs can still be
installed. When you upgrade to Kubernetes 1.25+, the validation included in
these CRDs will automatically take effect. We recommend continuing to install
the validating webhook on these Kubernetes versions.

Kubernetes 1.22 and older

Unfortunately Gateway API v0.8.0 is not supported on these Kubernetes versions.
Gateway API v0.8.0 CRDs include CEL validation and cannot be installed on these
versions of Kubernetes. Note that Gateway API only commits to providing support
for the 5 most recent versions of Kubernetes,
and thus these versions are no longer supported by Gateway API.

API Version Changes

As we prepare for a v1.0 release that will graduate Gateway, GatewayClass, and
HTTPRoute to the v1 API Version from v1beta1, we are continuing the process
of moving away from v1alpha2 for resources that have graduated to v1beta1.
The following changes are included in this release:

  • v1alpha2 of Gateway, GatewayClass, and HTTPRoute is no longer served
  • v1alpha2 of ReferenceGrant is deprecated
  • v1beta1 is now the storage version for ReferenceGrant

Those changes mean that:

  • Users and implementations that were reading or writing from v1alpha2 of
    Gateway, GatewayClass, or HTTPRoute MUST upgrade to use v1beta1.
  • Users and implementations that were reading or writing from v1alpha2 of
    ReferenceGrant SHOULD upgrade to use v1beta1.

For more information, refer to
#2069.

Other Changes

Status

  • Add IncompatibleFilters reason for implementations to specify when a route is
    invalid due to an invalid combination of route filters. (#2150, @sunjayBhatia)

Spec Clarifications

  • HTTPRoute Method matching precedence has been clarified (#2054,
    @gauravkghildiyal)
  • Clarify that implementations must not modify HTTP Host header. Adds
    specificity alongside spec that port in Host header must be ignored when
    matching on host. (#2092, @sunjayBhatia)
  • Fix typo: rename GatewaReasonUnsupportedAddress ->
    GatewayReasonUnsupportedAddress (#2149, @panslava)
  • HTTPRoute: Clarified that exact path matches are truly exact, both trailing
    slashes and capitalization are meaningful. (#2055, @robscott)
  • Implementations MUST ignore any port value specified in the HTTP Host header
    while performing a match against HTTPRoute.Hostnames (#1980,
    @gauravkghildiyal)

Conformance

  • Add conformance tests against accepting invalid ReferenceGrants in HTTPRoute
    and TLSRoute (#2076, @meyskens)
  • Fixed an issue causing conformance tests to fail when using IPv6 addresses
    (#2024, @howardjohn)
  • HTTPRoute connectivity is now enforced in conformance tests if a relevant
    ReferenceGrant gets deleted. (#1853, @pmalek)
  • The --skip-tests flag has been added to the conformance CLI to enable tests
    opt-out when using it. (#2170, @mlavacca)
  • The experimental conformance profile suite can now be added as a stand-alone
    cli and by means of go test. (#2066, @mlavacca)
  • GEPs now must have a Conformance Details section that specifies the feature's
    name for conformance purposes. (#2115, @youngnick)

Webhook

  • Changed default imagePullPolicy for gateway-api-admission-server to
    IfNotPresent. (#2215, @networkhermit)
  • Webhook config works with PodAdmission restricted (#2016, @jcpunk)

Documentation

  • Adds support for ParentRef targeting a Kubernetes Service resource for mesh
    implementations. (#2146, @mikemorris)
  • Clarify wording on website around Gateway API vs API Gateway (#2191,
    @david-martin)
  • GEP-1282, Backend Properties, has been declined. (#2132, @youngnick)
  • Added missing GEPs. (#2114, @levikobi)

Bug Fixes

  • Added the missing ReferenceGrant resource to the kustomization.yaml for the
    standard channel (#2084, @howardjohn)
  • Webhook validation now ensures that BackendRefs can not be specified in the
    same HTTPRoute rule as a Redirect filter (#2161, @slayer321)

gateway-api - v0.7.1

Published by robscott over 1 year ago

This is a patch release that includes small fixes, clarifications, and
conformance tests as a follow up to the v0.7.0 release.

Changes by Kind

Conformance Tests

  • Fixed an issue causing conformance tests to fail when using IPv6 addresses.
    (#2024, @howardjohn)
  • HTTPRoute connectivity is now enforced in conformance tests if a relevant
    ReferenceGrant gets deleted. (#1853, @pmalek)
  • New: Conformance tests for HTTP request mirroring. (#1912, @liorlieberman)
  • Fixes to port and scheme redirect tests: Tests now send HTTPS requests with
    consistent SNI and Host, Gateway now has the correct SANs. (#2039, @sunjaybhatia)
  • TLSRoute test now waits for namespaces to be ready. (#2067, @skriss)

Validating Webhook

  • Webhook config works with "restricted" Pod Security level. (#2016, @jcpunk)

Clarifications

  • HTTPRoute Method matching precedence has been clarified. (#2054,
    @gauravkghildiyal)
  • Implementations MUST ignore any port value specified in the HTTP Host header
    while performing a match against HTTPRoute.Hostnames. (#1980,
    @gauravkghildiyal)
  • HTTPRoute: Clarified that exact path matches are truly exact, both trailing
    slashes and capitalization are meaningful. (#2055, @robscott)
  • Gateway: Clarified that AttachedRoutes should only consider Routes that have
    been accepted. (#2050, @mlavacca)

gateway-api - v0.7.0

Published by robscott over 1 year ago

The v0.7.0 release focuses on refining and stabilizing existing APIs. This
included a focus on both conformance tests and clarifying ambiguous parts of the
API spec.

Features Graduating to Standard

In addition to those broad focuses, 2 features are graduating to the
standard channel:

  • GEP-1323: Response Header Modifiers (#1905, @robscott)
  • GEP-726: Path Redirects and Rewrites (#1874, @robscott)

GEPs

There are a lot of interesting GEPs in the pipeline right now, but only some of
these GEPs have made it to experimental status in time for v0.7.0. The GEPs
highlighted below are both in an experimental state and are either entirely new
(GEP-1748) or had significant new concepts introduced (GEP-713):

GEP-713: Policy Attachment

This GEP received a major update, splitting policy attachment into two
categories "Direct" and "Inherited". The new "Direct" mode enables a simplified
form of policy attachment for targeting a single resource (#1565, @youngnick).

GEP-1748: Gateway API Interaction with Multi-Cluster Services

A new GEP was introduced to define how Gateway API interacts with Multi-Cluster
Services. At a high level, this states that ServiceImports have "Extended"
support and can be used anywhere Services can throughout the API. There's a lot
more nuance here, so for the full details, refer to the GEP. (#1843, @robscott)

Other Changes by Kind

Status Changes

  • The "Ready" Gateway and Listener condition has been reserved for future use.
    (#1888, @howardjohn)
  • The UnsupportedAddress Listener condition reason has been moved to a Gateway
    condition reason. (#1888, @howardjohn)
  • The AddressNotAssigned Gateway condition reason has moved from Accepted to
    Programmed. (#1888, @howardjohn)
  • The NoResources Gateway condition reason has moved from Ready to Programmed.
    (#1888, @howardjohn)

Spec Cleanup

  • Clarification that port redirects should not add port number to Location
    header for HTTP and HTTPS requests on 80 and 443. (#1908, @robscott)
  • Port redirect when empty will depend on the configured Redirect scheme (#1880,
    @gauravkghildiyal)
  • Updated spec to clarify that Exact matches have precedence over Prefix matches
    and RegularExpression matches have implementation specific precedence. (#1855,
    @Xunzhuo)
  • The gateway-exists-finalizer.gateway.networking.k8s.io finalizer is no
    longer required and is now just recommended. (#1917, @howardjohn)

Validation Fixes

  • Removes GRPCRoute method match defaulting to allow for matching all requests,
    or matching only by header. (#1753, @skriss)
  • Update route validation to comply with RFC-3986 "p-char" characters. (#1644,
    @jackstine)
  • Illegal names like " " will not be allowed for query param name in
    HTTPQueryParamMatch. (#1796, @gyohuangxin)
  • Webhook: Port is now considered when validating that ParentRefs are unique
    (#1995, @howardjohn)

Conformance

  • No conformance tests run by default anymore, including tests for GatewayClass
    and Gateway. A new SupportGateway feature must be opted into in order to run
    those tests (similar to what we've done previously for ReferenceGrant and
    HTTPRoute). Also with this release, EnableAllSupportedFeatures enables all
    Gateway AND Mesh features (where previously that was just Gateway). (#1894,
    @shaneutt)
  • Gateways must publish the "Programmed" condition. (#1732, @robscott)
  • Add all-features flag to enable all supported feature conformance tests.
    (#1642, @gyohuangxin)
  • A new SkipTests field has been added to the conformance test options to
    opt-out of specific tests. (#1578, @mlavacca)
  • Added: conformance tests for http rewrite host and path filters. (#1622,
    @LiorLieberman)
  • In Conformance tests, when a Route references a gateway having no listener
    whose allowedRoutes criteria permit the route, the reason
    NotAllowedByListeners should be used for the accepted condition. (#1669,
    @mlavacca)
  • Support configurable timeout for GatewayObservedGenerationBump (#1887,
    @Xunzhuo)
  • The conformance test HTTPRouteInvalidCrossNamespaceParentRef now requires the
    HTTPRoute accepted condition to be failing with the ParentRefNotPermitted
    reason. (#1694, @mlavacca)
  • The conformance tests always check that the HTTPRoute ResolvedRefs condition
    is enforced, even when the status is true. (#1668, @mlavacca)
  • Checks for the NotAllowedByListeners reason on the HTTPRoute's Accepted: false
    condition in the HTTPRouteInvalidCrossNamespaceParentRef conformance test.
    (#1714, @skriss)
  • Added conformance test to verify that path matching precedence is
    implemented correctly. (#1855, @Xunzhuo)
  • Remove a test that only covered redirect status without any other changes.
    (#2007, @robscott)
  • Port redirect when empty will depend on the configured Redirect scheme (#1880,
    @gauravkghildiyal)
  • Fixes for mesh conformance tests (#2017, @keithmattix)

Documentation

  • Updated outdated content on list of resources in installation guide page.
    (#1857, @randmonkey)
  • Fix description of ReferenceGrant example in documentation by making it use
    the correct resources. (#1864, @matteoolivi)
  • Fix grammar mistake in ReferenceGrant implementation guidelines. (#1865,
    @matteoolivi)

gateway-api - v0.7.0-rc2

Published by robscott over 1 year ago

We expect this to be our final release candidate before launching v0.7.0. This
release candidate includes a variety of clarifications and conformance updates.
The changelog below represents the changes since v0.7.0-rc1.

Changes by Kind

Spec Clarification

  • Port redirect when empty will depend on the configured Redirect scheme (#1880,
    @gauravkghildiyal)

Conformance

  • Remove a test that only covered redirect status without any other changes.
    (#2007, @robscott)
  • Port redirect when empty will depend on the configured Redirect scheme (#1880,
    @gauravkghildiyal)

Validation Fixes

  • Webhook: Port is now considered when validating that ParentRefs are unique
    (#1995, @howardjohn)

gateway-api - v0.7.0-rc1

Published by robscott over 1 year ago

Changes by Kind

Graduating to Standard

  • GEP-1323: Response Header Modifier has graduated to standard (#1905,
    @robscott)
  • GEP-726: Path Redirects and Rewrites has graduated to the standard channel.
    (#1874, @robscott)

Experimental GEPs

  • The Policy Attachment GEP received a major update, splitting policy attachment
    into two categories "Direct" and "Inherited". The new "Direct" mode enables a
    simplified form of policy attachment for targeting a single resource (#1565,
    @youngnick)
  • A new GEP was introduced to define how Gateway API interacts with
    Multi-Cluster Services (#1843, @robscott)

Status Changes

  • The "Ready" Gateway and Listener condition has been reserved for future use.
    (#1888, @howardjohn)
  • The UnsupportedAddress Listener condition reason has been moved to a Gateway
    condition reason. (#1888, @howardjohn)
  • The AddressNotAssigned Gateway condition reason has moved from Accepted to
    Programmed. (#1888, @howardjohn)
  • The NoResources Gateway condition reason has moved from Ready to Programmed.
    (#1888, @howardjohn)

Spec Cleanup

  • Clarification that port redirects should not add port number to Location
    header for HTTP and HTTPS requests on 80 and 443. (#1908, @robscott)
  • Updated spec to clarify that Exact matches have precedence over Prefix matches
    and RegularExpression matches have implementation specific precedence. (#1855,
    @Xunzhuo)
  • The gateway-exists-finalizer.gateway.networking.k8s.io finalizer is no
    longer required and is now just recommended. (#1917, @howardjohn)

Validation Fixes

  • Removes GRPCRoute method match defaulting to allow for matching all requests,
    or matching only by header. (#1753, @skriss)
  • Update route validation to comply with RFC-3986 "p-char" characters. (#1644,
    @jackstine)
  • Illegal names like " " will not be allowed for query param name in
    HTTPQueryParamMatch. (#1796, @gyohuangxin)

Conformance

  • No conformance tests run by default anymore, including tests for GatewayClass
    and Gateway. A new SupportGateway feature must be opted into in order to run
    those tests (similar to what we've done previously for ReferenceGrant and
    HTTPRoute). Also with this release, EnableAllSupportedFeatures enables all
    Gateway AND Mesh features (where previously that was just Gateway). (#1894,
    @shaneutt)
  • Gateways must publish the "Programmed" condition. (#1732, @robscott)
  • Add all-features flag to enable all supported feature conformance tests.
    (#1642, @gyohuangxin)
  • A new SkipTests field has been added to the conformance test options to
    opt-out of specific tests. (#1578, @mlavacca)
  • Added: conformance tests for http rewrite host and path filters. (#1622,
    @LiorLieberman)
  • In Conformance tests, when a Route references a gateway having no listener
    whose allowedRoutes criteria permit the route, the reason
    NotAllowedByListeners should be used for the accepted condition. (#1669,
    @mlavacca)
  • Support configurable timeout for GatewayObservedGenerationBump (#1887,
    @Xunzhuo)
  • The conformance test HTTPRouteInvalidCrossNamespaceParentRef now requires the
    HTTPRoute accepted condition to be failing with the ParentRefNotPermitted
    reason. (#1694, @mlavacca)
  • The conformance tests always check that the HTTPRoute ResolvedRefs condition
    is enforced, even when the status is true. (#1668, @mlavacca)
  • Checks for the NotAllowedByListeners reason on the HTTPRoute's Accepted: false
    condition in the HTTPRouteInvalidCrossNamespaceParentRef conformance test.
    (#1714, @skriss)
  • Added conformance test to verify that path matching precedence is
    implemented correctly. (#1855, @Xunzhuo)

Documentation

  • Updated outdated content on list of resources in installation guide page.
    (#1857, @randmonkey)
  • Fix description of ReferenceGrant example in documentation by making it use
    the correct resources. (#1864, @matteoolivi)
  • Fix grammar mistake in ReferenceGrant implementation guidelines. (#1865,
    @matteoolivi)

gateway-api - v0.6.2

Published by shaneutt over 1 year ago

API versions: v1beta1, v1alpha2

This is a patch release that predominantly includes updated conformance tests
for implementations to implement.

For all major changes since the v0.5.x release series, please see the
v0.6.0 release notes.

Maintenance

Bug Fixes

  • Fix invalid HTTP redirect/rewrite examples.
    (#1787, @Xunzhuo)

Conformance Test Updates

  • The HTTPRouteInvalidCrossNamespaceParentRef conformance test now checks for
    the NotAllowedByListeners reason on the HTTPRoute's Accepted: false
    condition to better indicate why the route was not accepted.
    (#1714, @skriss)
  • A conformance test was added for HTTPRoute to cover the behavior of a
    non-matching SectionName similar to what was already present for
    ListenerPort.
    (#1719, @zaunist)
  • Fixed an issue where tests may fail erroneously on the removal of resources
    that are already removed.
    (#1745, @mlavacca)
  • Logging in conformance utilities related to resource's ObservedGeneration
    has been improved to emit the ObservedGenerations that are found for the
    purpose of making it easier to debug test failures and be more verbose about
    the objects in question.
    (#1761, @briantkennedy)
    (#1763, @briantkennedy)
  • Patch instead of update in some places in conformance tests to reduce noise
    in logs.
    (#1760, @michaelbeaumont)
  • Added AttachedRoutes testing to conformance tests.
    (#1624, @ChaningHwang)
  • The conformance tests always check that the HTTPRoute ResolvedRefs condition
    is enforced, even when the status is true.
    (#1668, @mlavacca)

gateway-api - v0.6.1

Published by shaneutt over 1 year ago

API versions: v1beta1, v1alpha2

This is a patch release that predominantly includes updated conformance tests
for implementations to implement.

For all major changes since the v0.5.x release series, please see the
v0.6.0 release notes.

Bug Fixes

  • Our regex for validating path characters was updated to accurately identify
    "p-chars" as per RFC-3986.
    (#1644, @jackstine)
  • An erroneous "namespace" field was present in our webhook ClusterRoleBindings
    and has been removed.
    (#1684, @tao12345666333)

New Features

  • Conditions for Policies have been added to the Golang library, enabling
    Go-based implementations to re-use those for their downstream Policies.
    (#1682, @mmamczur)

Conformance Test Updates

  • Added conformance tests for checking Port, Scheme and Path to the extended and
    experimental features.
    (#1611, @LiorLieberman)
  • Added conformance tests for HTTP rewrite
    (#1622, #1628, @LiorLieberman)
  • Added more conformance tests for path matching to catch known edge cases.
    (#1627, @sunjayBhatia)
  • Added some initial conformance tests for TLSRoute passthrough.
    (#1579, @candita)
  • Added conformance tests that exercise NotAllowedByListeners reason.
    (#1669, @mlavacca)
  • Loosen the Accepted check in GatewayClass observed generation tests to
    provide a more realistic test for implementations.
    (#1655, @arkodg)
  • A "SkipTests" field has been added to accommodate implementations in
    running subsets of the tests as needed; this can be particularly helpful
    for new implementations that want to add conformance iteratively.
    (#1578, @mlavacca)
  • Fixed a broken test for GRPCRoute that caused an erroneous failure.
    (#1692, @arkodg)
  • Added "all-features" flag to conformance test to enable all supported
    features on test runs.
    (#1642, @gyohuangxin)
  • Fixed usage of net/http default client in conformance test suite
    (#1617, @howardjohn)
  • Fixed missing reference to NoMatchingParent in godoc
    (#1671, @mlavacca)

Full Changelog: https://github.com/kubernetes-sigs/gateway-api/compare/v0.6.0...v0.6.1

gateway-api - v0.6.0

Published by shaneutt almost 2 years ago

API versions: v1beta1, v1alpha2

Major Changes

ReferenceGrant moves to v1beta1, ReferencePolicy removed

With more implementations now supporting ReferenceGrant (and more conformance coverage of the resource), we've moved ReferenceGrant to v1beta1 in this release. Note that moving to beta also moves the object to the Standard channel (it was Experimental previously).

We've also removed the already-deprecated ReferencePolicy resource, so please move over to the shiny new ReferenceGrant, which has all the same features.

  • Promotes ReferenceGrant to the v1beta1 API and the standard release channel
    (#1455, @nathancoleman)
  • ReferencePolicy has been removed from the API in favor of ReferenceGrant.
    (#1406, @robscott)

Introduce GRPCRoute

The GRPCRoute resource has been introduced in order to simplify the routing of GRPC requests.
Its design is described in GEP-1016.
As it is a new resource, it is introduced in the experimental channel.

Thanks to @gnossen for pushing this ahead.

  • Introduce GRPCRoute resource. (#1115, @gnossen)

Status updates

As described in GEP-1364, status conditions have been updated within the Gateway resource to make it more consistent with the rest of the API. These changes, along with some other status changes, are detailed below.

Gateway:

  • New Accepted and Programmed conditions introduced.
  • Scheduled condition deprecated.
  • Core Conditions now Accepted and Programmed.
  • Moves to Extended: Ready.

Gateway Listener:

  • New Accepted and Programmed conditions introduced.
  • Detached condition deprecated.
  • Core Conditions now Accepted, Programmed, ResolvedRefs, and Conflicted.
  • Moves to Extended: Ready.

All Resources:

  • The Accepted Condition now has a Pending reason, which is the default until
    the condition is updated by a controller.

Route resources:

  • The Accepted Condition now has a NoMatchingParent reason, to be set on routes
    when no matching parent can be found.

The purpose of these changes is to make the status flows more consistent across objects, and to provide a clear pattern for new objects as we evolve the API.

Note: This change will require updates for implementations to be able to pass conformance tests. Implementations may choose to publish both new and old conditions, or only new conditions.

  • Adds Accepted and deprecates Detached Listener conditions and reasons (#1446, @mikemorris)
  • Adds Accepted and deprecates Scheduled Gateway conditions and reasons (#1447, @mikemorris)
  • Adds Pending reason for use with all Accepted conditions throughout the API (#1453, @youngnick)
  • Adds Programmed Gateway and Listener conditions, moves Ready to extended
    conformance (#1499, @LCaparelli)
  • Add RouteReasonNoMatchingParent reason for Accepted condition. (#1516, @pmalek)

Other Changes by type

Deprecations

  • GatewayClass, Gateway, and HTTPRoute are now only supported with the v1beta1
    version of the API. The v1alpha2 API versions of these resources will be fully
    removed in a future release. Additionally, v1alpha2 is marked as deprecated
    everywhere. (#1348 and #1405, @robscott)

API Changes

  • A new field responseHeaderModifier is added to .spec.rules.filters, which
    allows for modification of HTTP response headers (#1373, @aryan9600)
  • Display the Programmed condition instead of the Ready condition in the output
    of kubectl get gateways. (#1602, @skriss)
  • HTTPRoute: Validating webhook now ensures that Exact and Prefix path match
    values can now only include valid path values per RFC-3986. (RegularExpression
    path matches are not affected by this change). (#1599, @robscott)
  • RegularExpression type selectors have been clarified to all be
    ImplementationSpecific conformance. (#1604, @youngnick)

Documentation

  • Clarify that BackendObjectReference's Port field specifies a service port, not
    a target port, for Kubernetes Service backends. (#1332, @Miciah)
  • HTTPRequestHeaderFilter and HTTPResponseHeaderFilter forbid configuring
    multiple actions for the same header. (#1497, @rainest)
  • Changes "custom" conformance level to "implementation-specific" (#1436,
    @LCaparelli)
  • Clarification that changes to ReferenceGrants MUST be reconciled (#1429,
    @robscott)

Conformance Tests

  • ExemptFeatures have been merged into SupportedFeatures providing implementations
    a uniform way to specify the features they support.
    (#1507, @robscott) (#1394, @gyohuangxin)
  • To be conformant with the API, if there is no ReferenceGrant that grants a
    listener to reference a secret in another namespace, the
    ListenerConditionReason for the condition ResolvedRefs must be set to
    RefNotPermitted instead of InvalidCertificateRef. (#1305, @mlavacca)
  • A new test has been added to cover HTTP Redirects (#1556, @LiorLieberman)
  • Fix Gateway reference in HTTPRouteInvalidParentRefNotMatchingListenerPort
    (#1591, @sayboras)

Build Changes

  • We now provide a multi-arch
    image including new support for arm64 in addition to amd64 for our
    validating webhook.
    (#627, @wilsonwu & @Xunzhuo)

Developer Notes

  • Deprecated v1alpha2 Go types are now aliases to their v1beta1 versions
    (#1390, @howardjohn)

Full Changelog: https://github.com/kubernetes-sigs/gateway-api/compare/v0.5.0...v0.6.0

gateway-api - v0.6.0-rc2

Published by shaneutt almost 2 years ago

What's Changed

We expect this to be our final release candidate before launching v0.6.0. This
release candidate includes a variety of cleanup and documentation updates. The
changelog below represents the changes since v0.6.0-rc1.

Conformance Tests

  • A new test has been added to cover HTTP Redirects (#1556, @LiorLieberman)
  • Fix Gateway reference in HTTPRouteInvalidParentRefNotMatchingListenerPort
    (#1591, @sayboras)

General Cleanup

  • Display the Programmed condition instead of the Ready condition in the output
    of kubectl get gateways. (#1602, @skriss)
  • GRPCRoute: Regex validation for Method and Service has been tightened to match
    GRPC spec. (#1599, @robscott)
  • GRPCRoute: Webhook validation of GRPCRoute has been expanded to closely match
    HTTPRoute validation. (#1599, @robscott)
  • HTTPRoute and Gateway: Gaps between webhook validation for v1alpha2 and
    v1beta1 have been closed. (#1599, @robscott)
  • HTTPRoute: Validating webhook now ensures that Exact and Prefix path match
    values can now only include valid path values per RFC-3986. (RegularExpression
    path matches are not affected by this change). (#1599, @robscott)
  • The Gateway default conditions list now includes the Programmed condition.
    (#1604, @youngnick)
  • RegularExpression type selectors have been clarified to all be
    ImplementationSpecific conformance. (#1604, @youngnick)

Full Changelog: https://github.com/kubernetes-sigs/gateway-api/compare/v0.6.0-rc1...v0.6.0-rc2

gateway-api - v0.6.0-rc1

Published by youngnick almost 2 years ago

Major Changes

ReferenceGrant moves to v1beta1, ReferencePolicy removed

With more implementations now supporting ReferenceGrant (and more conformance coverage of the resource), we've moved ReferenceGrant to v1beta1 in this release. Note that moving to beta also moves the object to the Standard channel (it was Experimental previously).

We've also removed the already-deprecated ReferencePolicy resource, so please move over to the shiny new ReferenceGrant, which has all the same features.

  • Promotes ReferenceGrant to the v1beta1 API and the standard release channel
    (#1455, @nathancoleman)
  • ReferencePolicy has been removed from the API in favor of ReferenceGrant.
    (#1406, @robscott)

Introduce GRPCRoute

The GRPCRoute resource has been introduced in order to simplify the routing of GRPC requests.
Its design is described in GEP-1016.
As it is a new resource, it is introduced in the experimental channel.

Thanks to @gnossen for pushing this ahead.

  • Introduce GRPCRoute resource. (#1115, @gnossen)

Status updates

As described in GEP-1364, status conditions have been updated within the Gateway resource to make it more consistent with the rest of the API. These changes, along with some other status changes, are detailed below.

Gateway:

  • New Accepted and Programmed conditions introduced.
  • Scheduled condition deprecated.
  • Core Conditions now Accepted and Programmed.
  • Moves to Extended: Ready.

Gateway Listener:

  • New Accepted and Programmed conditions introduced.
  • Detached condition deprecated.
  • Core Conditions now Accepted, Programmed, ResolvedRefs, and Conflicted.
  • Moves to Extended: Ready.

All Resources:

  • The Accepted Condition now has a Pending reason, which is the default until
    the condition is updated by a controller.

Route resources:

  • The Accepted Condition now has a NoMatchingParent reason, to be set on routes
    when no matching parent can be found.

The purpose of these changes is to make the status flows more consistent across objects, and to provide a clear pattern for new objects as we evolve the API.

Note: This change will require updates for implementations to be able to pass conformance tests. Implementations may choose to publish both new and old conditions, or only new conditions.

  • Adds Accepted and deprecates Detached Listener conditions and reasons (#1446, @mikemorris)
  • Adds Accepted and deprecates Scheduled Gateway conditions and reasons (#1447, @mikemorris)
  • Adds Pending reason for use with all Accepted conditions throughout the API (#1453, @youngnick)
  • Adds Programmed Gateway and Listener conditions, moves Ready to extended
    conformance (#1499, @LCaparelli)
  • Add RouteReasonNoMatchingParent reason for Accepted condition. (#1516, @pmalek)

Other Changes by type

Deprecations

  • GatewayClass, Gateway, and HTTPRoute are now only supported with the v1beta1
    version of the API. The v1alpha2 API versions of these resources will be fully
    removed in a future release. Additionally, v1alpha2 is marked as deprecated
    everywhere. (#1348 and #1405, @robscott)

API Changes

  • A new field responseHeaderModifier is added to .spec.rules.filters, which
    allows for modification of HTTP response headers (#1373, @aryan9600)

Conformance Tests

  • ExemptFeatures have been merged into SupportedFeatures providing implementations
    a uniform way to specify the features they support.
    (#1507, @robscott) (#1394, @gyohuangxin)
  • To be conformant with the API, if there is no ReferenceGrant that grants a
    listener to reference a secret in another namespace, the
    ListenerConditionReason for the condition ResolvedRefs must be set to
    RefNotPermitted instead of InvalidCertificateRef. (#1305, @mlavacca)

Developer Notes

  • Deprecated v1alpha2 Go types are now aliases to their v1beta1 versions
    (#1390, @howardjohn)
  • Moved type translation helpers from the utils package to a new package named
    translator. (#1337, @carlisia)

Documentation

  • Clarify that BackendObjectReference's Port field specifies a service port, not
    a target port, for Kubernetes Service backends. (#1332, @Miciah)
  • HTTPRequestHeaderFilter and HTTPResponseHeaderFilter forbid configuring
    multiple actions for the same header. (#1497, @rainest)
  • Changes "custom" conformance level to "implementation-specific" (#1436,
    @LCaparelli)
  • Clarification that changes to ReferenceGrants MUST be reconciled (#1429,
    @robscott)

gateway-api - v0.5.1

Published by robscott about 2 years ago

API versions: v1beta1, v1alpha2

This release includes a number of bug fixes and clarifications:

API Spec

  • The spec has been clarified to state that the port specified in BackendRef
    refers to the Service port number, not the target port, when a Service is
    referenced. #1332
  • The spec has been clarified to state that "Accepted" should be used instead of
    "Attached" on HTTPRoute.
    #1382

Webhook:

  • The duplicate gateway-system namespace definitions have been removed.
    #1387
  • The webhook has been updated to watch v1beta1.
    #1365

Conformance:

  • The expected condition for a cross-namespace certificate reference that has
    not been allowed by a ReferenceGrant has been changed from
    "InvalidCertificateRef" to "RefNotPermitted" to more closely match the spec.
    #1351
  • A new test has been added to cover when a Gateway references a Secret that
    does not exist
    #1334

gateway-api - v0.5.0

Published by shaneutt over 2 years ago

API versions: v1beta1, v1alpha2

This release is all about stability.

Changes in this release can largely be divided into the following categories:

  • Release Channels
  • Resources graduating to beta
  • New experimental features
  • Bug Fixes
  • General Improvements
  • Breaking Changes
    • Validation improvements
    • Internal type cleanup

Note: This release is largely identical to v0.5.0-rc2; this changelog tracks
the difference between v0.5.0 and v0.4.3.

Release channels

In this release, we've made two release channels available, experimental and
standard.

The experimental channel contains all resources and fields, while standard
contains only resources that have moved to beta status.

We've also added a way to flag particular fields within a resource as
experimental, and any fields marked in this way are only present in the
experimental channel. Please see the versioning docs for a more
detailed explanation.

One caveat for the standard channel: due to work on the new ReferenceGrant
resource, conformance tests may not pass with the standard set of CRDs.

Resources graduating to beta

The following APIs have been promoted to a v1beta1 maturity:

  • GatewayClass
  • Gateway
  • HTTPRoute

New Experimental Features

  • Routes can now select Gateway listeners by port number
    #1002
  • Gateway API now includes "Experimental" release channel. Consequently, CRDs now
    include gateway.networking.k8s.io/bundle-version and
    gateway.networking.k8s.io/channel annotations.
    #945
  • URL Rewrites and Path redirects have been added as new "Experimental" features
    #945

Bug Fixes

  • Fixes a problem that would cause webhook deployment to fail on Kubernetes
    v1.22 and greater.
    #991
  • Fixes a bug where the Namespace could be unspecified in ReferencePolicy
    #964
  • Fixes a bug where v1alpha2 GatewayClass controller names were not being
    shown in the output of kubectl get gatewayclasses
    #909

General Improvements

  • Conformance tests were introduced with GEP-917 and multiple
    conformance tests were added from a variety of contributors under the
    conformance/ directory.
  • The status of the GatewayClass "Accepted" condition is now present in
    kubectl get output.
    #1168
  • New RouteConditionReason types RouteReasonNotAllowedByListeners and
    RouteReasonNoMatchingListenerHostname were added.
    #1155
  • New RouteConditionReason type added with RouteReasonAccepted,
    RouteReasonResolvedRefs and RouteReasonRefNotPermitted constants.
    #1114
  • Introduced PreciseHostname which prevents wildcard characters in relevant
    Hostname values.
    #956

Validation Improvements

  • Webhook validation now ensures that a path match exists when required by a
    path modifier in a filter.
    #1171
  • Webhook validation was added to ensure that only type-appropriate fields are
    set in HTTPPathModifier.
    #1124
  • The Gateway API webhook is now deployed in a gateway-system namespace
    instead of gateway-api.
    #1051
  • Adds webhook validation to ensure that no HTTP header or query param is
    matched more than once in a given route rule. (#1230, @skriss)
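
The duplicate-match check from the last item above, as an added Go example (not the project's webhook code). The type names, the per-match scope, and the comparison rules (header names case-insensitively, query param names exactly) are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical stand-ins for the HTTPRoute match types; only the fields the check needs.
type NameMatch struct{ Name, Value string }

type RouteMatch struct {
	Headers     []NameMatch
	QueryParams []NameMatch
}

// DuplicateMatches returns one message per header or query param name repeated within a match.
func DuplicateMatches(matches []RouteMatch) []string {
	var errs []string
	for i, m := range matches {
		errs = append(errs, dupes(i, "header", m.Headers, strings.ToLower)...)
		errs = append(errs, dupes(i, "query param", m.QueryParams, func(s string) string { return s })...)
	}
	return errs
}

// dupes normalizes each name with norm and reports a name once, on its second occurrence.
func dupes(idx int, kind string, items []NameMatch, norm func(string) string) []string {
	seen := map[string]int{}
	var errs []string
	for _, it := range items {
		key := norm(it.Name)
		if seen[key] == 1 {
			errs = append(errs, fmt.Sprintf("matches[%d]: %s %q matched more than once", idx, kind, it.Name))
		}
		seen[key]++
	}
	return errs
}

func main() {
	// Constructed sample: the headers collide after lowercasing, the query params do not.
	rule := []RouteMatch{{
		Headers:     []NameMatch{{"X-Tenant", "a"}, {"x-tenant", "b"}},
		QueryParams: []NameMatch{{"id", "1"}, {"ID", "2"}},
	}}
	for _, e := range DuplicateMatches(rule) {
		fmt.Println(e)
	}
}
```

Rejecting such a rule at admission keeps an ambiguous match from reaching implementations, which could otherwise resolve it differently.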

Breaking Changes

  • The v1alpha1 API version was deprecated and removed.
    #1197
    #906
  • The NamedAddress value for Gateway's spec.addresses[].type field has
    been deprecated, and support for domain-prefixed values (like
    example.com/NamedAddress) has been added instead to better represent the
    custom nature of this support.
    #1178
  • Implementations are now expected to use 500 instead of 503 responses when
    the data-plane has no matching route.
    #1151
    #1258

UX and Status Improvements

The following are breaking changes related to status updates and end-user
experience changes.

  • The UnsupportedExtension named ListenerConditionReason has been removed.
    #1146
  • The RouteConflict named ListenerConditionReason has been removed.
    #1145

Internal Type Cleanup

These changes will only affect implementations. Implementors will need to adjust
for the type changes when updating the Gateway API dependency in their projects.

NOTE: These kinds of changes are not always present in the CHANGELOG so
please be aware that the CHANGELOG is not an exhaustive list of Go
type changes. In this case there were a significant number of changes
in a single release, so we included them for extra visibility for
implementors.

  • ReferencePolicy has been renamed to ReferenceGrant.
    #1179
  • GatewayTLSConfig's CertificateRefs field is now a slice of pointers to
    structs instead of the structs directly.
    #1176
  • HTTPPathModifier field Absolute renamed to ReplaceFullPath
    #1124
  • The ParentRef type was renamed to ParentReference
    #982
  • Types ConditionRouteAccepted and ConditionRouteResolvedRefs are now
    deprecated in favor of RouteConditionAccepted & RouteConditionResolvedRefs
    #1114

gateway-api - v0.5.0-rc2

Published by robscott over 2 years ago

API versions: v1beta1, v1alpha2

We expect this to be our final release candidate before launching v0.5.0. This
release candidate includes a variety of cleanup and documentation updates.

Webhook

  • Adds webhook validation to ensure that no HTTP header or query param is
    matched more than once in a given route rule. (#1230, @skriss)

Documentation

  • Add examples and documentation for v1beta1 (#1238, @EmilyShepherd)
  • Add policy attachment example (#1233, @keithmattix)
  • Add warning headers for experimental resources/concepts (#1234, @keithmattix)
  • All Enum API fields have had updates to clarify that we may add values at any
    time, and that implementations must handle unknown Enum values. (#1258,
    @youngnick)
  • Spacing has been improved around the documentation of feature-level
    core/extended support for better readability and clarity. (#1241, @acnodal-tc)
  • Update ReferenceGrant docs to include Gateways that reference a Secret in a
    different namespace (#1181, @nathancoleman)

Cleanup

  • ReferencePolicyList Items is an array of ReferencePolicy again (#1239,
    @dprotaso)
  • This release of experimental-install.yaml will apply successfully. Previous
    releases had some extraneous yaml. (#1232, @acnodal-tc)
  • The NamedAddress type is back to support backwards compatibility but it is
    still formally deprecated. (#1252, @robscott)

gateway-api - v0.5.0-rc1

Published by robscott over 2 years ago

The working group expects that this release candidate is quite close to the final v0.5.0
release. However, breaking API changes are still possible.

This release candidate is suitable for implementors, but the working group does not
recommend shipping products based on a release candidate API due to the possibility
of incompatible changes prior to the final release.

API versions: v1beta1, v1alpha2

Changes in this release can largely be divided into the following categories:

  • Release Channels
  • Resources graduating to beta
  • New experimental features
  • Bug Fixes
  • General Improvements
  • Breaking Changes
    • Validation improvements
    • Internal type cleanup

Release channels

In this release, we've made two release channels available, experimental and
standard.

The experimental channel contains all resources and fields, while standard
contains only resources that have moved to beta status.

We've also added a way to flag particular fields within a resource as
experimental, and any fields marked in this way are only present in the
experimental channel. Please see the versioning docs for a more
detailed explanation.

One caveat for the standard channel: due to work on the new ReferenceGrant
resource, conformance tests may not pass with the standard set of CRDs.

Resources Graduating to BETA

The following APIs have been promoted to a v1beta1 maturity:

  • GatewayClass
  • Gateway
  • HTTPRoute

#1192

New Experimental Features

  • Routes can now select Gateway listeners by port number
    #1002
  • Gateway API now includes an "Experimental" release channel. Consequently, CRDs now
    include gateway.networking.k8s.io/bundle-version and
    gateway.networking.k8s.io/channel annotations.
    #945
  • URL Rewrites and Path redirects have been added as new "Experimental" features
    #945

Bug Fixes

  • Fixes a problem that would cause webhook deployment to fail on Kubernetes
    v1.22 and greater.
    #991
  • Fixes a bug where the Namespace could be unspecified in ReferencePolicy
    #964
  • Fixes a bug where v1alpha2 GatewayClass controller names were not being
    shown in the output of kubectl get gatewayclasses
    #909

General Improvements

  • Conformance tests were introduced with GEP-917 and multiple
    conformance tests were added from a variety of contributors under the
    conformance/ directory.
  • The status of the GatewayClass "Accepted" condition is now present in
    kubectl get output.
    #1168
  • New RouteConditionReason types RouteReasonNotAllowedByListeners and
    RouteReasonNoMatchingListenerHostname were added.
    #1155
  • New RouteConditionReason type added with RouteReasonAccepted,
    RouteReasonResolvedRefs and RouteReasonRefNotPermitted constants.
    #1114
  • Introduced PreciseHostname which prevents wildcard characters in relevant
    Hostname values.
    #956

Validation Improvements

  • Webhook validation now ensures that a path match exists when required by a
    path modifier in a filter.
    #1171
  • Webhook validation was added to ensure that only type-appropriate fields are
    set in HTTPPathModifier.
    #1124
  • The Gateway API webhook is now deployed in a gateway-system namespace
    instead of gateway-api.
    #1051

Breaking Changes

  • The v1alpha1 API version was deprecated and removed.
    #1197
    #906
  • The NamedAddress value for Gateway's spec.addresses[].type field has
    been deprecated, and support for domain-prefixed values (like
    example.com/NamedAddress) has been added instead to better represent the
    custom nature of this support.
    #1178
  • Implementations are now expected to use 500 instead of 503 responses when
    the data-plane has no matching route.
    #1151

UX and Status Improvements

The following are breaking changes related to status updates and end-user
experience changes.

  • The UnsupportedExtension named ListenerConditionReason has been removed.
    #1146
  • The RouteConflict named ListenerConditionReason has been removed.
    #1145

Internal Type Cleanup

These changes will only affect implementations. Implementors will need to adjust
for the type changes when updating the Gateway API dependency in their projects.

NOTE: These kinds of changes are not always present in the CHANGELOG so
please be aware that the CHANGELOG is not an exhaustive list of Go
type changes. In this case there were a significant number of changes
in a single release, so we included them for extra visibility for
implementors.

  • ReferencePolicy has been renamed to ReferenceGrant.
    #1179
  • GatewayTLSConfig's CertificateRefs field is now a slice of pointers to
    structs instead of the structs directly.
    #1176
  • HTTPPathModifier field Absolute renamed to ReplaceFullPath
    #1124
  • The ParentRef type was renamed to ParentReference
    #982
  • Types ConditionRouteAccepted and ConditionRouteResolvedRefs are now
    deprecated in favor of RouteConditionAccepted & RouteConditionResolvedRefs
    #1114