v0.8.0

[shaneutt]

Major Themes

GAMMA (Service Mesh)

Service mesh support per the GAMMA initiative has moved to experimental in
v0.8.0. As an experimental API, it is still possible that this will
change; the working group does not recommend shipping products based on any
experimental API.

When using the Gateway API to configure a service mesh, the Gateway and
GatewayClass resources are not used (as there will typically only be one mesh
in the cluster) and, instead, individual route resources are associated
directly with Service resources. This permits configuring mesh routing while
preserving the Gateway API's overall semantics.

We encourage service mesh implementers and users to try this new support and
we welcome feedback! Once again, though, the working group does not recommend
shipping products based on this or any other experimental API. due to the
possibility of incompatible changes prior to the final release.

CEL Validation

This release marks the beginning of a transition from webhook validation to CEL
validation that is built into the CRDs. That will mean different things
depending on the version of Kubernetes you're using:

Kubernetes 1.25+

CEL validation is fully supported. Most validation is now covered by the
validating webhook, but unfortunately not quite everything.

All but one validation has been translated from the
webhook to CEL. Currently the CRDs only have a case-sensitive uniqueness check
for header names in header modifier filters. The webhook validation is more
thorough, ensuring that the uniqueness is case-insensitive. Unfortunately that
is not possible to represent with CEL today. There is more information in
#2277.

Installing the validating webhook is still recommended for this release to allow
controllers to catch up to cover this gap in CEL validation. We expect this is
the last release we will make this recommendation for, for more information,
refer to #2319.

Kubernetes 1.23 and 1.24

CEL validation is not supported, but Gateway API v0.8.0 CRDs can still be
installed. When you upgrade to Kubernetes 1.25+, the validation included in
these CRDs will automatically take effect. We recommend continuing to install
the validating webhook on these Kubernetes versions.

Kubernetes 1.22 and older

Unfortunately Gateway API v0.8.0 is not supported on these Kubernetes versions.
Gateway API v0.8.0 CRDs include CEL validation and cannot be installed on these
versions of Kubernetes. Note that Gateway API only commits to providing support
for the 5 most recent versions of Kubernetes,
and thus these versions are no longer supported by Gateway API.

API Version Changes

As we prepare for a v1.0 release that will graduate Gateway, GatewayClass, and
HTTPRoute to the v1 API Version from v1beta1, we are continuing the process
of moving away from v1alpha2 for resources that have graduated to v1beta1.
The following changes are included in this release:

• v1alpha2 of Gateway, GatewayClass, and HTTPRoute is no longer served
• v1alpha2 of ReferenceGrant is deprecated
• v1beta1 is now the storage version for ReferenceGrant

Those changes mean that:

• Users and implementations that were reading or writing from v1alpha2 of
  Gateway, GatewayClass, or HTTPRoute MUST upgrade to use v1beta1.
• Users and implementations that were reading or writing from v1alpha2 of
  ReferenceGrant SHOULD upgrade to use v1beta1.

For more information, refer to
#2069.

Supported Features and Conformance Levels

Gateway API conformance tests have a concept of "Supported Features".
Implementations state which features they support, and then all the tests
covering that set of features are run.

Prior to v0.8.0, we had a concept of "StandardCoreFeatures" that represented the
set of features we expected every implementation to implement. Support for the
Gateway and HTTPRoute resources was included in that list.

Alongside that, Gateway API also has a concept of "Support Levels" such as
"Core", "Extended", and "Implementation-Specific". The API had labeled 2
resources as having support levels, but these didn't really make sense with
the modular API model of Gateway API.

In this release, we've simplified the concepts here. Individual resources no
longer have assigned support levels, instead these are represented as "Supported
Features." Implementations can separately claim to support Gateway,
ReferenceGrant, or any other resource. This change helps accommodate incoming
Mesh implementations, many of which do not support one or both of these
resources.

For more information refer to
#2323.

Other Changes

Status

• Add IncompatibleFilters reason for implementations to specify when a route is
  invalid due to an invalid combination of route filters. (Add IncompatibleFilters reason for Accepted condition #2150, @sunjayBhatia)

Validation

• Add CEL validation for GRPCRoute. (Add CEL validation to GRPCRoute #2305, @gnossen)
• HTTPRoute and GRPCRoute CRDs now provide built-in validation that ensures the
  uniqueness of names in Header Modifier "Remove" lists. (Using "Set" list type for "Remove" in Header Modifier Filters #2306, @robscott)

Spec Clarifications

• RequestMirrorFilter: Enhanced the doc string to be explicit about sending the
  mirrored request to a single destination endpoint within the backendRef
  specified. (Add more clarity around RequestMirrorFilter dest #2317, @arkodg)
• HTTPRoute Method matching precedence has been clarified (Add method matching to HTTPRoute matching precedence order #2054,
  @gauravkghildiyal)
• Clarify that implementations must not modify HTTP Host header. Adds
  specificity alongside spec that port in Host header must be ignored when
  matching on host. (apis/v1beta1: Host header must not be modified #2092, @sunjayBhatia)
• Fix typo: rename GatewaReasonUnsupportedAddress ->
  GatewayReasonUnsupportedAddress (Fix typo GatewaReason -> GatewayReason #2149, @panslava)
• HTTPRoute: Clarified that exact path matches are truly exact, both trailing
  slashes and capitalization are meaningful. (Clarifying HTTPRoute exact match behavior #2055, @robscott)
• Implementations MUST ignore any port value specified in the HTTP Host header
  while performing a match against HTTPRoute.Hostnames (Add clarification for ignoring port while matching hostnames and update conformance #1980,
  @gauravkghildiyal)

Conformance

• Add conformance tests against accepting invalid ReferenceGrants in HTTPRoute
  and TLSRoute (conformance against invalid ReferenceGrants in HTTPRoute and TLSRoute #2076, @meyskens)
• Fixed an issues causing conformance tests to fail when using IPv6 addresses
  (conformance: fix ipv6 addresses #2024, @howardjohn)
• HTTPRoute connectivity is in now enforced in conformance tests if a relevant
  ReferenceGrant gets deleted. (conformance: check HTTPRoute connectivity after deleting relevant ReferenceGrant #1853, @pmalek)
• The --skip-tests flag has been added to the conformance CLI to enable tests
  opt-out when using it. (feat: skip-tests flag added to conformance CLI #2170, @mlavacca)
• The experimental conformance profile suite can now be added as a stand-alone
  cli and by means of go test. (conformance profiles CLI #2066, @mlavacca)
• GEPs now must have a Conformance Details section that specifies the feature's
  name for conformance purposes. (Add Conformance Details section to GEP template #2115, @youngnick)
• Better support mesh-only conformance testing (Conformance tweaks for Linkerd and other meshes #2312, @kflynn)
• SupportedFeatures have been restructured to be per-resource (Removing concept of resource-level support levels #2323, @robscott)
• Add SupportedFeature for port 8080 on Gateway (Add SupportedFeature for port 8080 on Gateway #2184, @xtineskim)
• Fixes for IPv6 in Mesh (Mesh Conformance IPv6 fix #2340, @keithmattix)
• Fix leaking TCP connections which can lead to conformance test failures
  (fix leaking TCP connections which leads to consistent conformance test failures #2358, @gauravkghildiyal)

Webhook

• Changed default imagePullPolicy for gateway-api-admission-server to
  IfNotPresent. (enhancement: change default imagePullPolicy for gateway-api-admission-server to IfNotPresent #2215, @networkhermit)
• Webhook config works with PodAdmission restricted (Deploy webhook in pod admission restricted mode #2016, @jcpunk)

Documentation

• Adds support for ParentRef targeting a Kubernetes Service resource for mesh
  implementations. (apis: document ParentRef functionality for GAMMA #2146, @mikemorris)
• Clarify wording on website around Gateway API vs API Gateway (Clarify different between API Gateway and Gateway API #2191,
  @david-martin)
• GEP-1282, Backend Properties, has been declined. (Move GEP-1282 to declined #2132, @youngnick)
• Added missing GEPs. (Add missing geps to mkdocs #2114, @levikobi)

Bug Fixes

• Added the missing ReferenceGrant resource the kustomization.yaml for the
  standard channel (Update kustomization.yaml to include reference grant #2084, @howardjohn)
• Webhook validation now ensures that BackendRefs can not be specified in the
  same HTTPRoute rule as a Redirect filter (fix: Validate requestRedirect with backendrefs #2161, @slayer321)
• GRPCRoute: The default match has been removed as it was invalid (it only
  specified a type of "Exact" without a corresponding Service or Method). Note
  that the match type still defaults to "Exact". (Add CEL validation for GRPCMethodMatch #2311, @gauravkghildiyal)

New Contributors

• @jcpunk made their first contribution in Deploy webhook in pod admission restricted mode #2016
• @evankanderson made their first contribution in Add Knative to integrations #2100
• @spacewander made their first contribution in Fix the issue link in gep-1867 #2130
• @levikobi made their first contribution in Add missing geps to mkdocs #2114
• @mmorel-35 made their first contribution in ci(linter): enable several linters #2138
• @Treenhan made their first contribution in Add conformance tests with requestHeaderModifier #2101
• @meyskens made their first contribution in conformance against invalid ReferenceGrants in HTTPRoute and TLSRoute #2076
• @kflynn made their first contribution in Update GAMMA meetings to every other week, per discussion in the GAMMA meeting. #2182
• @AmaliMatharaarachchi made their first contribution in Add WSO2 APK implementation to docs #2168
• @xtineskim made their first contribution in Add SupportedFeature for port 8080 on Gateway #2184
• @saltbo made their first contribution in docs(site-src): update the example for the matches #2185
• @slayer321 made their first contribution in fix: Validate requestRedirect with backendrefs #2161
• @adleong made their first contribution in Only require a GatewayClass if the gateway suite is being run #2164
• @david-martin made their first contribution in Add Kuadrant to integrations #2201
• @networkhermit made their first contribution in enhancement: change default imagePullPolicy for gateway-api-admission-server to IfNotPresent #2215
• @JackStromberg made their first contribution in Docs - Implementations - Application Gateway for Containers #2240
• @dihmandrake made their first contribution in Use '$(POD_NAMESPACE)' instead of hardcoded namespace #2267
• @whitneygriffith made their first contribution in Update typos in gep-713 #2301
• @uucloud made their first contribution in doc:fix implementations.md typo #2308
• @caroltyk made their first contribution in Add Tyk Implementation progress #2291
• @SpecialYang made their first contribution in Fix doc for allowed namespaces of routes. #2342

Full Changelog: v0.7.0...v0.8.0

---

This discussion was created from the release v0.8.0.