Gateway API using Istio for Cluster Ingress (Dev Preview)

Feature Goal: Unify the management of cluster ingress with a common, open, expressive, and extensible API.

Why is this Important? Gateway API is the evolution of upstream Kubernetes Ingress APIs. The upstream project is part of Kubernetes, working under SIG-NETWORK. OpenShift is contributing to the development, building a leadership position, and preparing OpenShift to support Gateway API, with Istio as our supported implementation.

The plug-able nature of the implementation of Gateway API enables support for additional and optional 3rd-party Ingress technologies.

Functional Requirements

• Add support for Istio as a Gateway API implementation.
  • NE-1105 Management by an operator (possibly cluster-ingress-operator, OSSM operator, or a new operator)
    • Including DNS, LoadBalancer, and other operations
    • NE-999, NE-1016 , NE-1107
  • Feature parity with OpenShift Router, where appropriate.
    • NE-1096    Provide a solution to support re-encrypt in Gateway API
    • NE-1097    Provide a solution to support passthrough in Gateway API
    • NE-1098    Research and select OSSM Istio image that provides enough features
  • Performance parity evaluation of Envoy and HAProxy.
    • NE-995, NE-1088, NE-1089
  • NE-1102    Add oc command line support for Gateway API objects
  • NE-1103    Evaluate idling support for Gateway API
• Avoid conflict with partner solutions (such as F5). 
  • Provide a solution that partners could integrate with (reduce dependencies on Istio by assuming plugins)
• Avoid conflict with integrations (such as GKE) for hybrid cloud use cases.
• NE-1106 Advanced routing capabilities currently unavailable in OCP.
  • More powerful path-based routing.
  • Header-based routing
  • Traffic mirroring
  • Traffic splitting (single and multi cluster)
  • Other features, based on time constraints
    • NE-1000 Understand Gateway API listener collapsing and how Istio Gateway implements
    • NE-1016 Investigate and document External DNS integration with Gateway API
    • Non-HTTP types of traffic (arbitrary TCP/UDP).
       
       

• Add Gateway API support with OSSM service mesh.
  • Avoid conflict between Istio for ingress use-cases and Istio for mesh use-cases.
  • NE-1074 and NE-1095 Enable a unified control plane for ingress and mesh. 
  • NE-1035 Determine what OSSM release (based on what Istio release)...
• Add Gateway API support for serverless.

Non-Functional Requirements:

• NE-1034 Installation
• NE-1110 Documentation
• Release technical enablement
• OCP CI integration
• Continued upstream development to mature Gateway API and Istio support for the same.

Open Questions:

• Integration with HAProxy?
• Gateway is more than Ingress 2.0, how do we align with other platform components such as serverless and service mesh to ensure we're providing a complete solution?

Documentation Considerations:

• Explain the resource model
• Explain roles and how they align to Gateway API resources
• Explain the extension points and provide extension point examples.
• Xref upstream docs.