Skip to content

feat: add support for ingress backed GlooEdge Gateway #5909

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

feat: add support for ingress backed GlooEdge Gateway #5909

wants to merge 1 commit into from
+484 −78

Conversation

@cucxabong
Copy link

@cucxabong cucxabong commented Oct 16, 2025
edited
Loading

What does it do ?

fix #5908

More

  • Yes, this PR title follows Conventional Commits
  • Yes, I added unit tests
  • Yes, I updated end user documentation accordingly

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Oct 16, 2025
@k8s-ci-robot
Copy link
Contributor

Welcome @cucxabong!

It looks like this is your first PR to kubernetes-sigs/external-dns 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/external-dns has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Oct 16, 2025
@k8s-ci-robot
Copy link
Contributor

Hi @cucxabong. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added source size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Oct 16, 2025
@cucxabong cucxabong force-pushed the feat/gloo-gateway-ingress-annotation branch 3 times, most recently from da56738 to c996a08 Compare October 16, 2025 17:01
@AndrewCharlesHay
Copy link
Contributor

lgtm

@cucxabong cucxabong force-pushed the feat/gloo-gateway-ingress-annotation branch from c996a08 to a8c674c Compare October 17, 2025 06:12
ivankatliarchuk
ivankatliarchuk suggested changes Oct 17, 2025
View reviewed changes
Copy link
Member

@ivankatliarchuk ivankatliarchuk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Was it tested on real cluster? What was your kubernetes manifests and results?

@ivankatliarchuk
Copy link
Member

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Oct 17, 2025
@coveralls
Copy link

coveralls commented Oct 17, 2025
edited
Loading

Pull Request Test Coverage Report for Build 18816420063

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • 48 unchanged lines in 2 files lost coverage.
  • Overall coverage decreased (-0.05%) to 78.617%
Files with Coverage Reduction New Missed Lines %
openshift_route.go 1 79.49%
gloo_proxy.go 47 74.18%
Totals Coverage Status
Change from base Build 18815330014: -0.05%
Covered Lines: 15912
Relevant Lines: 20240
💛 - Coveralls

@cucxabong cucxabong force-pushed the feat/gloo-gateway-ingress-annotation branch from a8c674c to f9dec1c Compare October 17, 2025 10:37
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from ivankatliarchuk. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@cucxabong
Copy link
Author

@ivankatliarchuk yes, I did a test on our sandbox env in dry-run mode and observed the expected behaviour

@cucxabong cucxabong force-pushed the feat/gloo-gateway-ingress-annotation branch from f9dec1c to 3b2a8e7 Compare October 17, 2025 10:42
mloiseleur
mloiseleur reviewed Oct 20, 2025
View reviewed changes
mloiseleur
mloiseleur reviewed Oct 20, 2025
View reviewed changes
@cucxabong cucxabong force-pushed the feat/gloo-gateway-ingress-annotation branch from 3b2a8e7 to 1ffb257 Compare October 20, 2025 20:52
ivankatliarchuk
ivankatliarchuk suggested changes Oct 21, 2025
View reviewed changes
@cucxabong cucxabong force-pushed the feat/gloo-gateway-ingress-annotation branch from 1ffb257 to 02121fe Compare October 22, 2025 17:04
@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Oct 22, 2025
@cucxabong cucxabong force-pushed the feat/gloo-gateway-ingress-annotation branch 6 times, most recently from a6995f0 to 3045a8d Compare October 22, 2025 18:40
@cucxabong
Copy link
Author

all tests are green, please help to review again. Thank you @ivankatliarchuk

@cucxabong cucxabong force-pushed the feat/gloo-gateway-ingress-annotation branch from 3045a8d to 3b4f28d Compare October 22, 2025 18:55
@mloiseleur
Copy link
Collaborator

@cucxabong For the chart update, the Changelog has to be updated in the unreleased section

@cucxabong cucxabong force-pushed the feat/gloo-gateway-ingress-annotation branch from 3b4f28d to 2c49455 Compare October 23, 2025 16:14
@ivankatliarchuk
Copy link
Member

Could you share similar results for this PR #5085 (comment). Need to make sure it works before we merge, I'll try to smoke test right after as well.

@cucxabong
Copy link
Author

Please find more details below. I tried to run with --dry-run option in our EKS clusters.

  • Deploy external-dns with Helm. Deployment run with args: -log-level=debug --source=gloo-proxy --domain-filter=external-dns-example.com --provider=aws --dry-run --aws-zone-type=public

  • Deploy GlooEdge related resources

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/healthcheck-path: /
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/ssl-redirect: "443"
    alb.ingress.kubernetes.io/success-codes: 200-499
    alb.ingress.kubernetes.io/target-type: ip
    meta.helm.sh/release-name: gloo-proxy
    meta.helm.sh/release-namespace: gloo-system
  finalizers:
  - ingress.k8s.aws/resources
  generation: 1
  labels:
    app: gloo
    app.kubernetes.io/managed-by: Helm
    gateway-proxy-id: external-dns-demo-proxy
    gloo: gateway-proxy
  name: external-dns-demo-proxy
  namespace: gloo-system
spec:
  ingressClassName: alb
....
status:
  loadBalancer:
    ingress:
    - hostname: k8s-gloosyst-1ee31790ed-444154078.us-east-1.elb.amazonaws.com
---
apiVersion: gateway.solo.io/v1
kind: Gateway
metadata:
  labels:
    app: gloo
  name: external-dns-demo-proxy
  namespace: gloo-system
spec:
  bindAddress: '::'
  bindPort: 8080
  httpGateway:
    virtualServiceNamespaces:
    - gloo-system
  proxyNames:
  - external-dns-demo-proxy
  ssl: false
  useProxyProto: false
---
apiVersion: gloo.solo.io/v1
kind: Proxy
metadata:
  labels:
    created_by: gloo-gateway
  name: external-dns-demo-proxy
  namespace: gloo-system
spec:
  listeners:
  - bindAddress: '::'
    bindPort: 8080
    httpListener:
      virtualHosts:
      - domains:
        - example-api.external-dns-example.com
        - example-api.excluded-dns-zone.com
        metadataStatic:
          sources:
          - observedGeneration: "33"
            resourceKind: '*v1.VirtualService'
            resourceRef:
              name: example-api
              namespace: gloo-system
        name: gloo-system.example-api
        routes:
        - matchers:
          - prefix: /
          metadataStatic:
            sources:
            - observedGeneration: "33"
              resourceKind: '*v1.VirtualService'
              resourceRef:
                name: example-api
                namespace: gloo-system
          options:
            extauth:
              customAuth: {}
          routeAction:
            single:
              upstream:
                name: example-api
                namespace: gloo-system
    metadataStatic:
      sources:
      - observedGeneration: "103"
        resourceKind: '*v1.Gateway'
        resourceRef:
          name: external-dns-demo-proxy
          namespace: gloo-system
    name: listener-::-8080
---
apiVersion: v1
kind: Service
metadata:
  annotations:
    meta.helm.sh/release-name: gloo-proxy
    meta.helm.sh/release-namespace: gloo-system
  labels:
    app: gloo
    app.kubernetes.io/managed-by: Helm
    gateway-proxy-id: external-dns-demo-proxy
    gloo: gateway-proxy
  name: external-dns-demo-proxy
  namespace: gloo-system
spec:
  clusterIP: 172.20.190.44
  clusterIPs:
  - 172.20.190.44
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - name: http
    port: 8080
    protocol: TCP
    targetPort: 8080
  selector:
    gateway-proxy: live
    gateway-proxy-id: external-dns-demo-proxy
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}
  • ExternalDNS logs
external-dns-548c84f74f-6tbwp external-dns {"level":"debug","msg":"Refreshing zones list cache","time":"2025-10-25T19:55:09Z"}
external-dns-548c84f74f-6tbwp external-dns {"level":"debug","msg":"Considering zone: /hostedzone/Z022760OD8DZQNWIO (domain: external-dns-example.com.)","time":"2025-10-25T19:55:09Z"}
external-dns-548c84f74f-6tbwp external-dns {"level":"debug","msg":"dedupSource: collecting endpoints and removing duplicates","time":"2025-10-25T19:55:09Z"}
external-dns-548c84f74f-6tbwp external-dns {"level":"debug","msg":"multiSource: collecting endpoints from 1 child sources and removing duplicates","time":"2025-10-25T19:55:09Z"}
external-dns-548c84f74f-6tbwp external-dns {"level":"debug","msg":"Gloo: Find external-dns-demo-proxy proxy","time":"2025-10-25T19:55:09Z"}
external-dns-548c84f74f-6tbwp external-dns {"gateway":"external-dns-demo-proxy","level":"warning","msg":"Gloo: Proxy service type not supported","service":{"metadata":{"name":"external-dns-demo-proxy","namespace":"gloo-system","uid":"ab954ce1-3042-454f-a650-615253ab95c5","resourceVersion":"1092588789","creationTimestamp":"2025-10-23T12:18:43Z","labels":{"app":"gloo","app.kubernetes.io/managed-by":"Helm","gateway-proxy-id":"external-dns-demo-proxy","gloo":"gateway-proxy"},"annotations":{"meta.helm.sh/release-name":"gloo-proxy","meta.helm.sh/release-namespace":"gloo-system"},"managedFields":[{"manager":"helm","operation":"Update","apiVersion":"v1","time":"2025-10-23T12:18:43Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:meta.helm.sh/release-name":{},"f:meta.helm.sh/release-namespace":{}},"f:labels":{".":{},"f:app":{},"f:app.kubernetes.io/managed-by":{},"f:gateway-proxy-id":{},"f:gloo":{}}},"f:spec":{"f:internalTrafficPolicy":{},"f:ports":{".":{},"k:{\"port\":8080,\"protocol\":\"TCP\"}":{".":{},"f:name":{},"f:port":{},"f:protocol":{},"f:targetPort":{}}},"f:selector":{},"f:sessionAffinity":{},"f:type":{}}}}]},"spec":{"ports":[{"name":"http","protocol":"TCP","port":8080,"targetPort":8080}],"selector":{"gateway-proxy":"live","gateway-proxy-id":"external-dns-demo-proxy"},"clusterIP":"172.20.190.44","clusterIPs":["172.20.190.44"],"type":"ClusterIP","sessionAffinity":"None","ipFamilies":["IPv4"],"ipFamilyPolicy":"SingleStack","internalTrafficPolicy":"Cluster"},"status":{"loadBalancer":{}}},"time":"2025-10-25T19:55:09Z"}
external-dns-548c84f74f-6tbwp external-dns {"level":"debug","msg":"Gloo[external-dns-demo-proxy]: Find 0 target(s) ()","time":"2025-10-25T19:55:09Z"}
external-dns-548c84f74f-6tbwp external-dns {"level":"debug","msg":"Gloo[external-dns-demo-proxy]: Generate 0 endpoint(s)","time":"2025-10-25T19:55:09Z"}
external-dns-548c84f74f-6tbwp external-dns {"level":"debug","msg":"Refreshing zones list cache","time":"2025-10-25T19:55:09Z"}
external-dns-548c84f74f-6tbwp external-dns {"level":"debug","msg":"Considering zone: /hostedzone/Z022760OD8DZQNWIO (domain: external-dns-example.com.)","time":"2025-10-25T19:55:09Z"}
external-dns-548c84f74f-6tbwp external-dns {"level":"info","msg":"Applying provider record filter for domains: [external-dns-example.com. .external-dns-example.com.]","time":"2025-10-25T19:55:09Z"}
external-dns-548c84f74f-6tbwp external-dns {"level":"info","msg":"All records are already up to date","time":"2025-10-25T19:55:09Z"}
  • Adding external-dns.alpha.kubernetes.io/ingress=external-dns-demo-proxy to Gateway object
apiVersion: gateway.solo.io/v1
kind: Gateway
metadata:
  annotations:
    external-dns.alpha.kubernetes.io/ingress: external-dns-demo-proxy
....
  • Observing external-dns Pods's logs
external-dns-548c84f74f-6tbwp external-dns {"level":"debug","msg":"Refreshing zones list cache","time":"2025-10-25T19:59:11Z"}
external-dns-548c84f74f-6tbwp external-dns {"level":"debug","msg":"Considering zone: /hostedzone/Z022760OD8DZQNWIO (domain: external-dns-example.com.)","time":"2025-10-25T19:59:11Z"}
external-dns-548c84f74f-6tbwp external-dns {"level":"debug","msg":"dedupSource: collecting endpoints and removing duplicates","time":"2025-10-25T19:59:11Z"}
external-dns-548c84f74f-6tbwp external-dns {"level":"debug","msg":"multiSource: collecting endpoints from 1 child sources and removing duplicates","time":"2025-10-25T19:59:11Z"}
external-dns-548c84f74f-6tbwp external-dns {"level":"debug","msg":"Gloo: Find external-dns-demo-proxy proxy","time":"2025-10-25T19:59:11Z"}
external-dns-548c84f74f-6tbwp external-dns {"level":"debug","msg":"Gloo[external-dns-demo-proxy]: Find 1 target(s) (k8s-gloosyst-1ee31790ed-444154078.us-east-1.elb.amazonaws.com)","time":"2025-10-25T19:59:11Z"}
external-dns-548c84f74f-6tbwp external-dns {"level":"debug","msg":"Gloo[external-dns-demo-proxy]: Generate 2 endpoint(s)","time":"2025-10-25T19:59:11Z"}
external-dns-548c84f74f-6tbwp external-dns {"level":"debug","msg":"Modifying endpoint: example-api.external-dns-example.com 0 IN CNAME  k8s-gloosyst-1ee31790ed-444154078.us-east-1.elb.amazonaws.com [], setting alias=true","time":"2025-10-25T19:59:11Z"}
external-dns-548c84f74f-6tbwp external-dns {"level":"debug","msg":"Modifying endpoint: example-api.excluded-dns-zone.com 0 IN CNAME  k8s-gloosyst-1ee31790ed-444154078.us-east-1.elb.amazonaws.com [], setting alias=true","time":"2025-10-25T19:59:11Z"}
external-dns-548c84f74f-6tbwp external-dns {"level":"debug","msg":"Refreshing zones list cache","time":"2025-10-25T19:59:11Z"}
external-dns-548c84f74f-6tbwp external-dns {"level":"debug","msg":"Considering zone: /hostedzone/Z022760OD8DZQNWIO (domain: external-dns-example.com.)","time":"2025-10-25T19:59:11Z"}
external-dns-548c84f74f-6tbwp external-dns {"level":"info","msg":"Applying provider record filter for domains: [external-dns-example.com. .external-dns-example.com.]","time":"2025-10-25T19:59:11Z"}
external-dns-548c84f74f-6tbwp external-dns {"level":"debug","msg":"ignoring record example-api.excluded-dns-zone.com that does not match domain filter","time":"2025-10-25T19:59:11Z"}
external-dns-548c84f74f-6tbwp external-dns {"level":"debug","msg":"ignoring record example-api.excluded-dns-zone.com that does not match domain filter","time":"2025-10-25T19:59:11Z"}
external-dns-548c84f74f-6tbwp external-dns {"level":"debug","msg":"Refreshing zones list cache","time":"2025-10-25T19:59:11Z"}
external-dns-548c84f74f-6tbwp external-dns {"level":"debug","msg":"Considering zone: /hostedzone/Z022760OD8DZQNWIO (domain: external-dns-example.com.)","time":"2025-10-25T19:59:11Z"}
external-dns-548c84f74f-6tbwp external-dns {"level":"debug","msg":"Adding example-api.external-dns-example.com. to zone external-dns-example.com. [Id: /hostedzone/Z022760OD8DZQNWIO]","time":"2025-10-25T19:59:11Z"}
external-dns-548c84f74f-6tbwp external-dns {"level":"debug","msg":"Adding example-api.external-dns-example.com. to zone external-dns-example.com. [Id: /hostedzone/Z022760OD8DZQNWIO]","time":"2025-10-25T19:59:11Z"}
external-dns-548c84f74f-6tbwp external-dns {"level":"debug","msg":"Adding cname-example-api.external-dns-example.com. to zone external-dns-example.com. [Id: /hostedzone/Z022760OD8DZQNWIO]","time":"2025-10-25T19:59:11Z"}
external-dns-548c84f74f-6tbwp external-dns {"level":"debug","msg":"Adding aaaa-example-api.external-dns-example.com. to zone external-dns-example.com. [Id: /hostedzone/Z022760OD8DZQNWIO]","time":"2025-10-25T19:59:11Z"}
external-dns-548c84f74f-6tbwp external-dns {"level":"info","msg":"Desired change: CREATE aaaa-example-api.external-dns-example.com TXT","profile":"default","time":"2025-10-25T19:59:11Z","zoneID":"/hostedzone/Z022760OD8DZQNWIO","zoneName":"external-dns-example.com."}
external-dns-548c84f74f-6tbwp external-dns {"level":"info","msg":"Desired change: CREATE cname-example-api.external-dns-example.com TXT","profile":"default","time":"2025-10-25T19:59:11Z","zoneID":"/hostedzone/Z022760OD8DZQNWIO","zoneName":"external-dns-example.com."}
external-dns-548c84f74f-6tbwp external-dns {"level":"info","msg":"Desired change: CREATE example-api.external-dns-example.com A","profile":"default","time":"2025-10-25T19:59:11Z","zoneID":"/hostedzone/Z022760OD8DZQNWIO","zoneName":"external-dns-example.com."}
external-dns-548c84f74f-6tbwp external-dns {"level":"info","msg":"Desired change: CREATE example-api.external-dns-example.com AAAA","profile":"default","time":"2025-10-25T19:59:11Z","zoneID":"/hostedzone/Z022760OD8DZQNWIO","zoneName":"external-dns-example.com."}
external-dns-548c84f74f-6tbwp external-dns {"level":"debug","msg":"Dry run mode, skipping change submission","profile":"default","time":"2025-10-25T19:59:11Z","zoneID":"/hostedzone/Z022760OD8DZQNWIO","zoneName":"external-dns-example.com."}

mloiseleur
mloiseleur reviewed Oct 26, 2025
View reviewed changes
docs/sources/gloo-proxy.md Outdated
## Gateway Annotation
To support setups where an Ingress resource is used provision an external LB you can add the following annotation to your Gateway
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
To support setups where an Ingress resource is used provision an external LB you can add the following annotation to your Gateway
To support setups where an Ingress resource is used to provision an external LB you can add the following annotation to your Gateway

mloiseleur
mloiseleur reviewed Oct 26, 2025
View reviewed changes
go.mod
github.com/prometheus/common v0.65.0
github.com/scaleway/scaleway-sdk-go v1.0.0-beta.34
github.com/sirupsen/logrus v1.9.3
github.com/spf13/cobra v1.9.1
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤔 Why there are those changes on go.mod ? I see nothing related with changes in go source code.
Would you please explain or remove this change ?

Copy link
Author

@cucxabong cucxabong Oct 26, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's the output after I run go mod tidy (in go version go1.25.3 darwin/arm64)? Should we keep that output?

@cucxabong cucxabong force-pushed the feat/gloo-gateway-ingress-annotation branch from 2c49455 to c71158d Compare October 26, 2025 10:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mloiseleur mloiseleur mloiseleur left review comments

@szuecs szuecs Awaiting requested review from szuecs

+1 more reviewer

@ivankatliarchuk ivankatliarchuk ivankatliarchuk requested changes

Reviewers whose approvals may not affect merge requirements

Assignees

@ivankatliarchuk ivankatliarchuk

Labels

chart cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. docs ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. source

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support ingress backed Gloo Proxy

6 participants

@cucxabong @k8s-ci-robot @AndrewCharlesHay @ivankatliarchuk @coveralls @mloiseleur