Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Decouple updates to VirtualServerRoute from VirtualServer resource #5293

Open
1 of 2 tasks
brianehlert opened this issue Mar 21, 2024 Discussed in #4092 · 0 comments
Open
1 of 2 tasks

Decouple updates to VirtualServerRoute from VirtualServer resource #5293

brianehlert opened this issue Mar 21, 2024 Discussed in #4092 · 0 comments
Labels
backlog Pull requests/issues that are backlog items refined Issues that are ready to be prioritized
Milestone

Comments

@brianehlert
Copy link
Collaborator

brianehlert commented Mar 21, 2024

Discussed in #4092

See the discussion for complete context and commentary.

Originally posted by brianehlert July 11, 2023
There are many customers that like the master-minion patter of the Ingress Resource.
Specifically the ability to define the Master that represents the hostname and core attributes such as TLS and then allow Minions to be defined that modify the behavior of that hostname by defining paths or other behavior modifiers.
This is also called "mergeable ingress".

Four years ago this project introduced its CRDs as an answer to problems that customers had identified with the Ingress resource, specifically the ability to provide safety guarantees around different portions to the configuration. The K8s RBAC allowed an easy way to secure the different objects as a way to provide that safety.

One point of feedback that has come back repeatedly is that the similarity of the VirtualServer and VirtualServerRoute pattern, while powerful, does not offer the simplicity of the mergeable ingress pattern.
The limitation being that a VirtualServerRoute cannot simply and easily extend a VirtualServer object.

The core problem being that the VirtualServer object must be modified whenever a VirtualServerRoute is added. Thus creating both a two step process that is difficult to automate, but also requiring that the person that adds the VSR also have access to the VS (thus breaking the safety boundary) or that two people in different groups have to orchestrate change with each other.

The end result is that it creates a core piece of friction that limits adoption of the VirtualServer/VirtualServerRoute and related CRD objects - which have already proven themselves more powerful and capable than Ingress with its mergeable and annotation pattern.

I am starting this discussion to explore ideas around how we can address this friction point between VS and VSR and still meet the core intention of creating an RBAC boundary and separation of responsibility that promotes configuration safety for those customers that continue to need that.

Tasks

  1. backlog
    haywoodsh
  2. backlog refined
    haywoodsh jjngx
@brianehlert brianehlert added the epic Issues that need to be broken into smaller issues label Mar 21, 2024
@brianehlert brianehlert added this to the v3.7.0 milestone Mar 21, 2024
@brianehlert brianehlert moved this from Todo ☑ to Prioritized Backlog in NGINX Ingress Controller Mar 21, 2024
@jasonwilliams14 jasonwilliams14 self-assigned this Mar 21, 2024
@shaun-nx shaun-nx changed the title Epic - Make it easier to "attach" a VirtualServerRoute to a VirtualServer without requiring that the VirtualServer be modified Make it easier to "attach" a VirtualServerRoute to a VirtualServer without requiring that the VirtualServer be modified Jun 28, 2024
@shaun-nx shaun-nx modified the milestones: v3.7.0, v3.8.0 Jul 12, 2024
@shaun-nx shaun-nx modified the milestones: v3.8.0, Candidates Sep 5, 2024
@shaun-nx shaun-nx added this to the v4.0.0 milestone Sep 19, 2024
@shaun-nx shaun-nx added backlog Pull requests/issues that are backlog items refined Issues that are ready to be prioritized labels Sep 19, 2024
@shaun-nx shaun-nx changed the title Make it easier to "attach" a VirtualServerRoute to a VirtualServer without requiring that the VirtualServer be modified Decouple updates to VirtualServerRoute from VirtualServer resource Sep 24, 2024
@shaun-nx shaun-nx moved this from Prioritized backlog to In Progress 🛠 in NGINX Ingress Controller Oct 14, 2024
@shaun-nx shaun-nx removed the epic Issues that need to be broken into smaller issues label Oct 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backlog Pull requests/issues that are backlog items refined Issues that are ready to be prioritized
Projects
Status: In Progress 🛠
Development

No branches or pull requests

3 participants