I'm trying to map my K8s Ingress understanding to the new Gateway API stuff.

I can make most things work, but I'm struggling to work out how to map an Ingress object for a distinct hostname with its own TLS certificate. It appears the only place to set TLS certs for HTTPS termination is now in the Gateway, but I don't want a Gateway per hostname (as I'm letting users bring their own hostnames via CNAME).

#kubernetes #https #ingress

@ben yes. It seems to be designed to encourage wildcard TLS which is maddening. But it’s possible. One gateway can have multiple listeners, each with its own hostname and tls cert ref. It’s outstandingly verbose though.
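
The multi-listener layout described in the reply above, as an added example that is not part of the original thread. The resource names, namespace, hostnames, Secret names and `gatewayClassName` are constructed placeholders.

```yaml
# Constructed example: one Gateway terminating TLS for two distinct hostnames,
# each listener with its own certificate Secret.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: shared-gateway          # placeholder
  namespace: infra              # placeholder
spec:
  gatewayClassName: example-class   # placeholder; depends on the installed controller
  listeners:
    - name: customer-a
      hostname: app.customer-a.example
      port: 443
      protocol: HTTPS
      tls:
        mode: Terminate
        certificateRefs:
          # A Secret in the Gateway's own namespace. Referencing a Secret in
          # another namespace requires a ReferenceGrant in that namespace.
          - kind: Secret
            name: customer-a-tls
      allowedRoutes:
        namespaces:
          from: Same            # only routes in this namespace may attach
    - name: customer-b
      hostname: app.customer-b.example
      port: 443
      protocol: HTTPS
      tls:
        mode: Terminate
        certificateRefs:
          - kind: Secret
            name: customer-b-tls
      allowedRoutes:
        namespaces:
          from: Same
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: customer-a
  namespace: infra
spec:
  parentRefs:
    - name: shared-gateway
      sectionName: customer-a   # bind to that listener only
  hostnames:
    - app.customer-a.example
  rules:
    - backendRefs:
        - name: customer-a-svc  # placeholder Service
          port: 8080
```

Every hostname added or removed is a change to the `listeners` list of this one Gateway object, so write access to it covers every tenant's TLS configuration.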

@tico24 But that means I need to dynamically edit the Gateway to remove/add Listeners for each hostname rather than just adding/removing an Ingress object.

This is going to be way more complicated and something that is probably going to require locking to prevent multiple updates at once.

@ben listenersets are coming. Eventually. This is what you (and I!) want.

@tico24 So just like session affinity isn't there yet (but coming....)

So the short answer is it's not ready for production use yet, but don't worry, we've binned the nginx Ingress controller already, so you are going to need to do 2 moves.

@ben hard agree. Clearly the gateway api team had a roadmap and then the nginx team completely obliterated that by throwing their toys out of the pram early.

@tico24 @ben No, the ingress-nginx team didn't do anything. Since there is no ingress-nginx team anymore.

So it's more like the pillar the roadmap was built on disappeared.