api: support infra deployment in the gateway namespace

[cnvergence]

What type of PR is this?

api: support infra deployment in the gateway namespace

What this PR does / why we need it:

api for supporting gateway namespace for envoy proxy infrastructure pods, there will be two modes, hoping that gateway-api proposal will pass in kubernetes-sigs/gateway-api#3366

This is the first part of #2629 issue

Which issue(s) this PR fixes:

Release Notes: No

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 66.74%. Comparing base (43621b4) to head (ce9e640).
Report is 7 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4982      +/-   ##
==========================================
- Coverage   66.75%   66.74%   -0.01%     
==========================================
  Files         209      209              
  Lines       32058    32058              
==========================================
- Hits        21399    21396       -3     
- Misses       9381     9383       +2     
- Partials     1278     1279       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[arkodg]

LGTM thanks !

[kahirokunn]

awesome!!! Thx !!

[HannaManista]

Hi All, @arkodg, I try to introduce the gateway-namespace deployment in my EnvoyGateway configuration, but it seems to fail - resources are still created in the controller's nsp instead of the separate gateway namespaces, what I have is:

 config: 
            envoyGateway:
              gateway:
                controllerName: "gateway.envoyproxy.io/envoy-gatewayclass-controller"   
              provider:
                type: Kubernetes
                kubernetes:
                  deploy: 
                    type: "GatewayNamespace"

What is added in the docs (https://gateway.envoyproxy.io/docs/api/extension_types/#kubernetesdeploymode) seems to pose a doubt for me on where actually this type: GatewayNamespace sohuld be added - under kubernetes? Will you help me figuring this out?
Thanks in advance!

[arkodg]

@HannaManista this feature is still WIP, only the API is merged

[HannaManista]

Thanks for quick asnwer! So it means it is not yet ready to be used? Do you have an estimated time when this will be implemented?

[arkodg]

should be ready by v1.4 ( end April 2025)

[HannaManista]

Hi, I can see that this issue was added in v1.4.0 (#5137 ) by @cnvergence so it should be also available to be used. As I mentioned earlier, I need to enable creating Gateway pods and services in gateway's namespace (not controller's nsp), so based on docs I should set
type: "GatewayNamespace" (https://gateway.envoyproxy.io/v1.3/api/extension_types/#kubernetesdeploymode)
but as of the documentation, it is not clear where the "type" attribute should be placed - directly in provider section? Can you help me out on how to enable this GatewayNamespace mode?

[cnvergence]

Hi @HannaManista, the docs should be added soon, you can take a look already here
#6040
Please note that it is still an alpha feature. If you encounter any issues, we would love to hear from you :)

[cnvergence]

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyGateway
metadata:
  name: envoy-gateway
  namespace: envoy-gateway-system
spec:
  provider:
    type: Kubernetes
    kubernetes:
      deploy:
        type: GatewayNamespace

[HannaManista]

Great! Thanks, I'll try it out :)

[HannaManista]

And did you have opportunity to try out if the change in deploy mode from (default) ControllerNamespace to GatewayNamespace causes gateway's downtime? Taking of course a scenario where the gateway is deployed in different namespace than the controller
Probably yes, because the deployment will have to be recreated in another nsp

[arkodg]

yes its not going to be hitless

[HannaManista]

Hi cnvergence, I tried to switch from version 1.3 to 1.4 and encountered an error on the envoy-gateway pod:
MountVolume.SetUp failed for volume "certs" : configmap references non-existent config key: ca.crt
As of my investigation, in EnvoyGateway v1.3 there is a secret that is mounted to the envoy container:

and contains a ca.crt
In v1.4 the Secret "envoy" is switched to ConfigMap which is mounted to the container:

The problem is it doesn't contain the key "ca.crt" and therefore the Envoy Pod is hanging in a ContainerCreating state.

[cnvergence]

Hi @HannaManista, it is related to #6064. The fix was merged with the main last week and will be released in v1.4.1.
Sorry for the inconvenience.