Configurations of Envoy Proxy service and deployment

[sadovnikov]

We'd prefer to create a separate Gateway for every host with a dedicated TLS certificate. First of all, the different hosts are managed by different teams and they should not update the same object by adding certificateRefs. Secondly, the "external DNS" annotations of the generated Service can be used to create DNS records for these hosts.

However, the service configuration is linked to the single GatewayClass, meaning services of all Gateway will have the same annotations and it won't be possible to alternate external-dns.alpha.kubernetes.io/hostname

  provider:
    kubernetes:
      envoyService:
        annotations:
          external-dns.alpha.kubernetes.io/hostname: np-test-dvaz-envoygate-eg.platform-staging.xxx.yyy
          networking.gke.io/internal-load-balancer-allow-global-access: 'true'
          networking.gke.io/load-balancer-type: Internal
        externalTrafficPolicy: Local
        type: LoadBalancer

Secondly, different hosts are expected to receive very different traffic load. But the deployments' configuration with replicas and resources is again linked to the GatewayClass.

This will become more flexible after the Support multiple GatewayClass is implemented. However, the GatewayClasses are meant to be managed by infrastructure providers, not the teams.

Should support for spec.parametersRef be added to Gateways too?

[arkodg]

@sadovnikov the idea of adding spec.parametersRef to Gateway was included in the upstream API and then rejected.
creating multiple GatewayClasses is what we'd recommend once the feature has been added

[arkodg]

this is now added back and will be supported soon #3317