
Design: support Gateway API's new ListenerSet #7839


Open: wants to merge 4 commits into base: master

Conversation

@maelvls (Member) commented Jul 3, 2025

Design file: 20250703.gatewayapi-listenerset.md

Pull Request Motivation

I'd like to propose a design to address:

This design supersedes two designs:

/kind design

Release Note

NONE

@cert-manager-prow cert-manager-prow bot added kind/design Categorizes issue or PR as related to design. release-note-none Denotes a PR that doesn't merit a release note. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jul 3, 2025
@cert-manager-prow cert-manager-prow bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jul 7, 2025
@maelvls maelvls changed the title Proposal: support Gateway API's new ListenerSet Design: support Gateway API's new ListenerSet Jul 8, 2025
@maelvls maelvls requested a review from wallrj July 8, 2025 16:22
@wallrj (Member) left a comment

Thanks @maelvls

This looks great.

I haven't tried the Gateway API examples myself, but I will. I'd like to try updating the getting started tutorials to use Gateway API instead of Ingress so that I can understand all this better.

- **Using a wildcard certificate as hostname on the Gateway:** this solution introduces risks associated with wildcard certificates (cf. [OWASP notes](https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html#carefully-consider-the-use-of-wildcard-certificates) on using wildcard certificates).
- **Letting developers edit the Gateway resource:** this solution increases the attack surface and breaks Gateway API's goal of being an API boundary between cluster operators and application developers.

ListenerSet provides a mechanism allowing developers to manage TLS configurations, restoring self-service capabilities akin to Ingress. The following diagram illustrates the fact that developers must now coordinate with cluster operrators to configure the `tls` block (in green):

Suggested change
ListenerSet provides a mechanism allowing developers to manage TLS configurations, restoring self-service capabilities akin to Ingress. The following diagram illustrates the fact that developers must now coordinate with cluster operrators to configure the `tls` block (in green):
ListenerSet provides a mechanism allowing developers to manage TLS configurations, restoring self-service capabilities akin to Ingress. The following diagram illustrates the fact that developers must now coordinate with cluster operators to configure the `tls` block (in green):


#### Locking down Gateway resources

The reason cluster operators want to lock down the Gateway resource because some implementations of Gateway API create costly resource. In the below table, the ListenerSet use-case would fix the four first entries for which it would be unsafe for developers to be able to create Gateway objects:

Suggested change
The reason cluster operators want to lock down the Gateway resource because some implementations of Gateway API create costly resource. In the below table, the ListenerSet use-case would fix the four first entries for which it would be unsafe for developers to be able to create Gateway objects:
The reason cluster operators want to lock down the Gateway resource is because some implementations of Gateway API create costly resource. In the below table, the ListenerSet use-case would fix the four first entries for which it would be unsafe for developers to be able to create Gateway objects:
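To make the boundary described in the excerpts above concrete, here is an added illustration (not part of this PR or of the design file): the cluster operator's Gateway stays locked down and only admits listeners from labelled namespaces, while the developer owns the hostname and `tls` block through an `XListenerSet` in their own namespace. Field names follow the Gateway API experimental channel (`gateway.networking.x-k8s.io/v1alpha1`); placing the `cert-manager.io/cluster-issuer` annotation on the ListenerSet, the class name, issuer name and Secret name are assumptions, not something this page states.

```yaml
# Cluster operator's resource: no per-application tls block, and only
# namespaces labelled gateway-listeners=allowed may attach listeners.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: shared-gateway
  namespace: infra
spec:
  gatewayClassName: example-class        # placeholder class name
  allowedListeners:
    namespaces:
      from: Selector
      selector:
        matchLabels:
          gateway-listeners: allowed
  listeners:
  - name: http
    protocol: HTTP
    port: 80
---
# Developer's resource, living in the application namespace. Only this
# object (not the Gateway) carries the hostname and tls configuration,
# so no Gateway edit rights are needed and no wildcard cert is shared.
apiVersion: gateway.networking.x-k8s.io/v1alpha1
kind: XListenerSet
metadata:
  name: app-listeners
  namespace: team-a
  annotations:
    # Assumption: the annotation cert-manager already honours on a Gateway
    # is the one this design would honour on a ListenerSet.
    cert-manager.io/cluster-issuer: letsencrypt-prod   # placeholder issuer
spec:
  parentRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: shared-gateway
    namespace: infra
  listeners:
  - name: app-https
    hostname: app.team-a.example.com       # exact host, not a wildcard
    protocol: HTTPS
    port: 443
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        name: app-team-a-tls               # Secret cert-manager would populate
```

The `allowedListeners` selector is what turns the "lock down the Gateway" table entries into a namespace-level decision instead of per-developer write access to the Gateway object.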

@cert-manager-prow (Contributor) commented

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wallrj


@cert-manager-prow cert-manager-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 9, 2025