Revert changes from #852

README.md

@@ -102,7 +102,6 @@ To change the Kourier gateway namespace, you will need to:
 - Cipher Suite
 - External Authorization support.
 - Proxy Protocol (AN EXPERIMENTAL / ALPHA FEATURE)
-- Traffic Isolation (AN EXPERIMENTAL / ALPHA FEATURE)
 
 ## Setup TLS certificate
 
@@ -210,30 +209,6 @@ spec:
   type: LoadBalancer
 ```
 
-
-## Traffic Isolation Configuration
-Note: this is an experimental/alpha feature.
-
-
-To enable the traffic isolation feature, run the following command to patch `config-kourier` ConfigMap:
-```
-kubectl patch configmap/config-kourier \
-  -n knative-serving \
-  --type merge \
-  -p '{"data":{"traffic-isolation":"port"}}'
-```
-
-Ensure that the file was updated successfully:
-```
-kubectl get configmap config-kourier --namespace knative-serving --output yaml
-```
-
-Traffic isolation works by telling the `net-kourier` controller which envoy listener to use for all ingresses
-in a given namespace. When reconciling an ingress, the controller looks for the following annotation on the
-ingress namespace:
-
-- `kourier.knative.dev/listener-port`: the envoy listener port
-
 ## Tips
 Domain Mapping is configured to explicitly use `http2` protocol only. This behaviour can be disabled by adding the following annotation to the Domain Mapping resource
 ```

config/200-config.yaml

@@ -63,17 +63,6 @@ data:
     # The default, 0s, imposes no timeout at all.
     stream-idle-timeout: "0s"
 
-    # Control the desired level of incoming traffic isolation.
-    #
-    # When set to an empty value (default), all incoming traffic flows through
-    # a shared ingress and listeners.
-    #
-    # When set to "port", incoming traffic is isolated by using different
-    # listener ports.
-    #
-    # NOTE: This flag is in an alpha state.
-    traffic-isolation: ""
-
     # Specifies whether to use CryptoMB private key provider in order to
     # acclerate the TLS handshake.
     # NOTE THAT THIS IS AN EXPERIMENTAL / ALPHA FEATURE.

config/200-serviceaccount.yaml

@@ -41,9 +41,6 @@ rules:
     verbs: ["get", "list", "watch"]
   - apiGroups: [""]
     resources: ["configmaps"]
-    verbs: [ "get", "list", "watch" ]
-  - apiGroups: [""]
-    resources: ["namespaces"]
     verbs: ["get", "list", "watch"]
   - apiGroups: ["coordination.k8s.io"]
     resources: ["leases"]

pkg/config/config.go

@@ -31,9 +31,6 @@ const (
 	// InternalServiceName is the name of the internal service.
 	InternalServiceName = "kourier-internal"
 
-	// IsolationServicePrefix is the prefix of the isolated services.
-	IsolationServicePrefix = "kourier-isolation-"
-
 	// ExternalServiceName is the name of the external service.
 	ExternalServiceName = "kourier"
 
@@ -72,10 +69,6 @@ const (
 	// e.g. OpenShift deploys Kourier in different namespace so `system.Namespace()` does not work.
 	ServingNamespaceEnv = "SERVING_NAMESPACE"
 
-	// ListenerPortAnnotationKey is the annotation key for assigning the ingress to a particular
-	// envoy listener port. Only applicable to internal services.
-	ListenerPortAnnotationKey = "kourier.knative.dev/listener-port"
-
 	// trustedHopsCount Configure the number of additional ingress proxy hops from the
 	// right side of the x-forwarded-for HTTP header to trust.
 	trustedHopsCount = "trusted-hops-count"
@@ -96,10 +89,6 @@ func ServiceHostnames() (string, string) {
 		network.GetServiceHostname(InternalServiceName, GatewayNamespace())
 }
 
-func ListenerServiceHostnames(port string) string {
-	return network.GetServiceHostname(IsolationServicePrefix+port, GatewayNamespace())
-}
-
 // GatewayNamespace returns the namespace where the gateway is deployed.
 func GatewayNamespace() string {
 	namespace := os.Getenv(GatewayNamespaceEnv)

pkg/config/configmap.go

@@ -29,9 +29,6 @@ import (
 	cm "knative.dev/pkg/configmap"
 )
 
-// TrafficIsolationType is the type for traffic isolation configuration
-type TrafficIsolationType string
-
 const (
 	// ConfigName is the name of config map for Kourier.
 	ConfigName = "config-kourier"
@@ -50,12 +47,6 @@ const (
 	// for incoming requests. This value is set to "stream_idle_timeout" in Envoy.
 	IdleTimeoutKey = "stream-idle-timeout"
 
-	// trafficIsolation is the config map key for controlling the desire level of incoming traffic isolation
-	trafficIsolation = "traffic-isolation"
-
-	// IsolationIngressPort if the config map value enabling port-level traffic isolation
-	IsolationIngressPort TrafficIsolationType = "port"
-
 	// enableCryptoMB is the config map for enabling CryptoMB private key provider.
 	enableCryptoMB = "enable-cryptomb"
 
@@ -69,7 +60,6 @@ func DefaultConfig() *Kourier {
 		EnableProxyProtocol:        false,
 		ClusterCertSecret:          "",
 		IdleTimeout:                0 * time.Second, // default value
-		TrafficIsolation:           "",
 		TrustedHopsCount:           0,
 		CipherSuites:               nil,
 		EnableCryptoMB:             false,
@@ -85,7 +75,6 @@ func NewConfigFromMap(configMap map[string]string) (*Kourier, error) {
 		cm.AsBool(enableProxyProtocol, &nc.EnableProxyProtocol),
 		cm.AsString(clusterCert, &nc.ClusterCertSecret),
 		cm.AsDuration(IdleTimeoutKey, &nc.IdleTimeout),
-		cm.AsString(trafficIsolation, (*string)(&nc.TrafficIsolation)),
 		cm.AsUint32(trustedHopsCount, &nc.TrustedHopsCount),
 		cm.AsStringSet(cipherSuites, &nc.CipherSuites),
 		cm.AsBool(enableCryptoMB, &nc.EnableCryptoMB),
@@ -157,8 +146,6 @@ type Kourier struct {
 	// this option, for example, the "timeoutSeconds" specified in Knative service is still
 	// valid.
 	IdleTimeout time.Duration
-	// Desire level of incoming traffic isolation
-	TrafficIsolation TrafficIsolationType
 	// TrustedHopsCount configures the number of additional ingress proxy hops from the
 	// right side of the x-forwarded-for HTTP header to trust.
 	TrustedHopsCount uint32

pkg/config/configmap_test.go

@@ -109,18 +109,6 @@ func TestKourierConfig(t *testing.T) {
 			clusterCert:                   "",
 			IdleTimeoutKey:                "200s",
 		},
-	}, {
-		name: "set isolation-traffic to port",
-		want: &Kourier{
-			EnableServiceAccessLogging: true,
-			EnableProxyProtocol:        false,
-			ClusterCertSecret:          "",
-			IdleTimeout:                0 * time.Second,
-			TrafficIsolation:           "port",
-		},
-		data: map[string]string{
-			trafficIsolation: "port",
-		},
 	}, {
 		name: "add 3 trusted hops",
 		want: &Kourier{

pkg/generator/caches.go

@@ -20,7 +20,6 @@ import (
 	"context"
 	"errors"
 	"os"
-	"strconv"
 	"sync"
 
 	envoyclusterv3 "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3"
@@ -51,7 +50,6 @@ const (
 	externalRouteConfigName    = "external_services"
 	externalTLSRouteConfigName = "external_tls_services"
 	internalRouteConfigName    = "internal_services"
-	isolationRouteConfigName   = "isolation_services"
 	internalTLSRouteConfigName = "internal_tls_services"
 )
 
@@ -68,11 +66,6 @@ type Caches struct {
 	kubeClient kubeclient.Interface
 }
 
-type portVHost struct {
-	port  string
-	vhost []*route.VirtualHost
-}
-
 func NewCaches(ctx context.Context, kubernetesClient kubeclient.Interface, extAuthz bool) (*Caches, error) {
 	c := &Caches{
 		translatedIngresses: make(map[types.NamespacedName]*translatedIngress),
@@ -146,18 +139,8 @@ func (caches *Caches) ToEnvoySnapshot(ctx context.Context) (*cache.Snapshot, err
 	externalTLSVHosts := make([]*route.VirtualHost, 0, len(caches.translatedIngresses))
 	snis := sniMatches{}
 
-	localVHostsPerListener := make(map[string]portVHost)
-
 	for _, translatedIngress := range caches.translatedIngresses {
-		if translatedIngress.listenerPort != "" {
-			localVHostsPerListener[translatedIngress.listenerPort] = portVHost{
-				port:  translatedIngress.listenerPort,
-				vhost: append(localVHostsPerListener[translatedIngress.listenerPort].vhost, translatedIngress.internalVirtualHosts...),
-			}
-		} else {
-			localVHosts = append(localVHosts, translatedIngress.internalVirtualHosts...)
-		}
-
+		localVHosts = append(localVHosts, translatedIngress.internalVirtualHosts...)
 		externalVHosts = append(externalVHosts, translatedIngress.externalVirtualHosts...)
 		externalTLSVHosts = append(externalTLSVHosts, translatedIngress.externalTLSVirtualHosts...)
 
@@ -174,7 +157,6 @@ func (caches *Caches) ToEnvoySnapshot(ctx context.Context) (*cache.Snapshot, err
 		externalVHosts,
 		externalTLSVHosts,
 		localVHosts,
-		localVHostsPerListener,
 		snis.list(),
 		caches.kubeClient,
 	)
@@ -231,7 +213,6 @@ func generateListenersAndRouteConfigsAndClusters(
 	externalVirtualHosts []*route.VirtualHost,
 	externalTLSVirtualHosts []*route.VirtualHost,
 	clusterLocalVirtualHosts []*route.VirtualHost,
-	clusterLocalVirtualHostsPerListener map[string]portVHost,
 	sniMatches []*envoy.SNIMatch,
 	kubeclient kubeclient.Interface) ([]cachetypes.Resource, []cachetypes.Resource, []cachetypes.Resource, error) {
 
@@ -245,22 +226,11 @@ func generateListenersAndRouteConfigsAndClusters(
 	externalTLSRouteConfig := envoy.NewRouteConfig(externalTLSRouteConfigName, externalTLSVirtualHosts)
 	internalRouteConfig := envoy.NewRouteConfig(internalRouteConfigName, clusterLocalVirtualHosts)
 
-	internalListenersRouteConfig := make(map[string]*route.RouteConfiguration, len(clusterLocalVirtualHostsPerListener))
-	for listenerPort, portVhosts := range clusterLocalVirtualHostsPerListener {
-		routeName := isolationRouteConfigName + "_" + listenerPort
-		internalListenersRouteConfig[listenerPort] = envoy.NewRouteConfig(routeName, portVhosts.vhost)
-	}
-
 	// Now we setup connection managers, that reference the routeconfigs via RDS.
 	externalManager := envoy.NewHTTPConnectionManager(externalRouteConfig.Name, cfg.Kourier)
 	externalTLSManager := envoy.NewHTTPConnectionManager(externalTLSRouteConfig.Name, cfg.Kourier)
 	internalManager := envoy.NewHTTPConnectionManager(internalRouteConfig.Name, cfg.Kourier)
 
-	internalListenerManagers := make(map[string]*httpconnmanagerv3.HttpConnectionManager, len(internalListenersRouteConfig))
-	for listenerPort, internalListenerRouteConfig := range internalListenersRouteConfig {
-		internalListenerManagers[listenerPort] = envoy.NewHTTPConnectionManager(internalListenerRouteConfig.Name, cfg.Kourier)
-	}
-
 	externalHTTPEnvoyListener, err := envoy.NewHTTPListener(externalManager, config.HTTPPortExternal, cfg.Kourier.EnableProxyProtocol)
 	if err != nil {
 		return nil, nil, nil, err
@@ -274,20 +244,6 @@ func generateListenersAndRouteConfigsAndClusters(
 	routes := []cachetypes.Resource{externalRouteConfig, internalRouteConfig}
 	clusters := make([]cachetypes.Resource, 0, 1)
 
-	for listenerPort, portVhosts := range clusterLocalVirtualHostsPerListener {
-		port, err := strconv.ParseInt(portVhosts.port, 10, 32)
-		if err != nil {
-			return nil, nil, nil, err
-		}
-
-		envoyListener, err := envoy.NewHTTPListener(internalListenerManagers[listenerPort], uint32(port), false)
-		if err != nil {
-			return nil, nil, nil, err
-		}
-		listeners = append(listeners, envoyListener)
-		routes = append(routes, internalListenersRouteConfig[listenerPort])
-	}
-
 	// create probe listeners
 	probHTTPListener, err := envoy.NewHTTPListener(externalManager, config.HTTPPortProb, false)
 	if err != nil {

pkg/generator/caches_test.go

@@ -482,33 +482,3 @@ func getVHostsNames(routeConfigs []*route.RouteConfiguration) []string {
 
 	return res
 }
-
-func TestAddIsolatedIngress(t *testing.T) {
-	kubeClient := fake.Clientset{}
-	ctx := context.Background()
-
-	caches, err := NewCaches(ctx, &kubeClient, false)
-	assert.NilError(t, err)
-
-	translatedIngress := translatedIngress{
-		name: types.NamespacedName{
-			Namespace: "ingress_2_namespace",
-			Name:      "ingress_2",
-		},
-		listenerPort:         "12158",
-		internalVirtualHosts: []*route.VirtualHost{{Name: "internal_host_for_ingress_2", Domains: []string{"internal_host_for_ingress_1"}}},
-	}
-
-	err = caches.addTranslatedIngress(&translatedIngress)
-	assert.NilError(t, err)
-
-	snapshot, err := caches.ToEnvoySnapshot(ctx)
-	assert.NilError(t, err)
-
-	ls := snapshot.GetResources(resource.ListenerType)
-	assert.Assert(t, ls != nil)
-
-	l, ok := ls["listener_12158"].(*listener.Listener)
-	assert.Assert(t, ok)
-	assert.Equal(t, l.GetAddress().GetSocketAddress().GetPortValue(), uint32(12158))
-}

pkg/generator/ingress_translator.go

@@ -48,7 +48,6 @@ import (
 
 type translatedIngress struct {
 	name                    types.NamespacedName
-	listenerPort            string
 	sniMatches              []*envoy.SNIMatch
 	clusters                []*v3.Cluster
 	externalVirtualHosts    []*route.VirtualHost
@@ -60,21 +59,18 @@ type IngressTranslator struct {
 	secretGetter    func(ns, name string) (*corev1.Secret, error)
 	endpointsGetter func(ns, name string) (*corev1.Endpoints, error)
 	serviceGetter   func(ns, name string) (*corev1.Service, error)
-	namespaceGetter func(name string) (*corev1.Namespace, error)
 	tracker         tracker.Interface
 }
 
 func NewIngressTranslator(
 	secretGetter func(ns, name string) (*corev1.Secret, error),
 	endpointsGetter func(ns, name string) (*corev1.Endpoints, error),
 	serviceGetter func(ns, name string) (*corev1.Service, error),
-	namespaceGetter func(name string) (*corev1.Namespace, error),
 	tracker tracker.Interface) IngressTranslator {
 	return IngressTranslator{
 		secretGetter:    secretGetter,
 		endpointsGetter: endpointsGetter,
 		serviceGetter:   serviceGetter,
-		namespaceGetter: namespaceGetter,
 		tracker:         tracker,
 	}
 }
@@ -286,31 +282,12 @@ func (translator *IngressTranslator) translateIngress(ctx context.Context, ingre
 			}
 		}
 	}
-	listenerPort := ""
-
-	if config.FromContextOrDefaults(ctx).Kourier.TrafficIsolation == pkgconfig.IsolationIngressPort {
-		ns, err := translator.namespaceGetter(ingress.Namespace)
-		if err != nil {
-			return nil, err
-		}
-
-		if ns.Annotations != nil {
-			if value, ok := ns.Annotations[pkgconfig.ListenerPortAnnotationKey]; ok {
-				listenerPort = value
-
-				logger.Infof("mapping ingress %s/%s to port %v", ingress.Namespace, ingress.Name, listenerPort)
-			}
-		}
-
-		// REVISIT: When neither labels/annotations if found then default to the default behavior (no isolation)
-	}
 
 	return &translatedIngress{
 		name: types.NamespacedName{
 			Namespace: ingress.Namespace,
 			Name:      ingress.Name,
 		},
-		listenerPort:            listenerPort,
 		sniMatches:              sniMatches,
 		clusters:                clusters,
 		externalVirtualHosts:    externalHosts,