EAI 5821 evaluate envoy gateway as unified gateway platform cluster forge#734
Draft
blankdots wants to merge 16 commits into
Replace the :6443 k8s-passthrough listener on the shared `https` gateway with a dedicated `tls-passthrough` gateway on :443 that owns the external MetalLB LoadBalancer and does SNI-based TLS passthrough: k8s.<domain> -> kube API service, *.<domain> -> apps gateway. The apps gateway moves to ClusterIP behind it. The listener and TLSRoutes carry explicit hostnames: Envoy Gateway TLS passthrough builds SNI filter chains from hostnames, so an empty hostname yields an empty Envoy config that never routes. Listening on :443 instead of :6443 avoids hijacking pod->apiserver traffic where the node IP equals the MetalLB pool IP. Refs: EAI-5821
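The SNI passthrough layout that commit message describes, written out as an added example that is not the PR's own manifests. It assumes a namespace of `default`, the domain `example.internal`, a GatewayClass named `eg`, and that the apps gateway's ClusterIP Service is named `apps-gateway-svc`; the MetalLB LoadBalancer provisioning is outside this snippet.

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: tls-passthrough
spec:
  gatewayClassName: eg            # assumed GatewayClass name
  listeners:
    - name: kube-api
      protocol: TLS
      port: 443
      hostname: k8s.example.internal   # explicit: an empty hostname yields no SNI filter chain
      tls:
        mode: Passthrough
    - name: apps
      protocol: TLS
      port: 443
      hostname: "*.example.internal"   # everything else goes to the apps gateway
      tls:
        mode: Passthrough
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
  name: kube-api
spec:
  parentRefs:
    - name: tls-passthrough
      sectionName: kube-api
  hostnames:
    - k8s.example.internal           # must match the listener hostname to be attached
  rules:
    - backendRefs:
        - name: kubernetes           # in-cluster kube API Service (namespace default)
          port: 443
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
  name: apps
spec:
  parentRefs:
    - name: tls-passthrough
      sectionName: apps
  hostnames:
    - "*.example.internal"
  rules:
    - backendRefs:
        - name: apps-gateway-svc     # assumed: ClusterIP Service fronting the apps gateway
          port: 443
```

After `kubectl apply -n default`, check that each TLSRoute reports its parent as Accepted, and that the passthrough proxy actually has filter chains for both SNI names (for example with `egctl config envoy-proxy listener`); a listener or route that lost its hostname shows up as an empty listener rather than an error.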
Set extensionManager listener.includeAll=false so the AI Gateway xDS translation hook only receives listeners generated for its own resources (AIGatewayRoute/AIServiceBackend/InferencePool). With includeAll=true the hook also received the L4 tls-passthrough listener and tried to insert its request-header-metadata HTTP filter into a TCP filter chain that has no HTTPConnectionManager. That failed xDS translation for the entire GatewayClass, so the passthrough data plane got an empty snapshot and never left initialization.
Revert the debug inversion: the tls-passthrough gateway owns the external MetalLB LoadBalancer on :443 (SNI passthrough) and the apps gateway drops back to ClusterIP behind it. The inversion was a workaround for the passthrough data plane not starting, which is now fixed.
- Bump cluster-auth to 0.6.0-rc2, which injects x-api-key-id and x-auth-username on every authenticated request and supports SecurityPolicy contextExtensions for per-IS group enforcement (required by the ai-gateway-discovery controller)
- Add api_key_id and aim_service_id to access log fields so every AI gateway request is attributed to the originating API key and AIM service in structured logs
Set listener.includeAll=true so the AI extension injects the EPP ext_proc filter into the shared https :443 listener. InferencePool routes were returning 503 (no healthy upstream) because nothing set x-gateway-destination-endpoint on that Gateway-owned listener. Add failOpen=true so the extension erroring on the tls-passthrough L4 listener (an HTTP filter can't splice into a TCP chain) no longer fails that proxy's xDS translation and leaves it stuck in init. mergeGateways is off, so each gateway is a separate translation pass: the https proxy gets the filter, the passthrough proxy keeps its original xDS.
….8 and cluster-auth to 0.6.0-rc4
… to v1.0.8 and cluster-auth to 0.6.0-rc4" This reverts commit 28a58c4.
…8 and cluster-auth to 0.6.0-rc4
…ster-auth-rc4 EAI-5821: Add ext-proc metrics scraping and bump cluster-auth to rc4
No description provided.