Also port 9080?

Which port on the reviews service?

Requests to the gateway port 80 redirects to https, right?
Requests to the gateway port 443 go where?
Requests to the gateway port 9080 go where?

In the actual Bookinfo example, we want gateway port 80 to forward to reviews:9080, right? I don't see anything in the config that specifies that. Maybe it's just a matter of making the example consistent end-to-end?

Clarified.. I think the internal port is implicit. IOW, if reviews has only one HTTP port, it goes to that port, irrespective of that port. But if reviews has multiple HTTP ports, then the behavior is undefined. The undefined behavior is a bug and we need to fix. cc @ZackButcher @kyessenov

s/be responded with/respond with/

Does this redirect all ports (80, 443) to 7777/

Yep. 80 to 443. 443, 9080 to 7777

Can you please add source port selection then? This seems rather uncommon example to conflate all ports into one.

Why is this strange? The service port need not be the same as target port right? I agree that this example seems contrived, but it was there to illustrate the fact that you can have plaintext http ports in teh gateway.

Is this meant to uniquely identify a service, or just match addressing? E.g. if client addresses through reviews, does this rule kick in?

Good question. I think this should not apply if client simply says reviews.

That would be counter intuitive. DNS resolution is identical for reviews and reviews.prod under the same context, so the existing application may use either of those names. You would need to enumerate all choices here:

destination:
- name: reviews
- name: reviews.prod
- name: reviews.prod.svc
- name: reviews.prod.svc.cluster
- name: reviews.prod.svc.cluster.local
- name: uk.bookinfo.com
- name: eu.bookinfo.com

Then the question still remains that reviews is actually different in another namespace:

destination:
- name: reviews
- name: reviews.qa

Yes and this is what I was trying to avoid. I just discovered few more ambiguities here. Per @louiscryan 's PR,
if we infer the namespace from the namespace the gateway is running on, then we could get away with just reviews. That said, inheriting the top level destination into route.destination seems intuitive if and only if we are talking about just internal routing. From a gateway's perspective, it definitely needs some backend. i.e.

destination:
 domains:
   - uk.bookinfo.com
http:
  route:
   destination:
      name: reviews.prod
   rewrite:
     uri: /foo

works but

destination:
 domains:
   - uk.bookinfo.com
http:
  route:
   rewrite:
       uri: /foo

does not work, eventhough its a valid config. IF we decide to consider the above config as invalid, then internal route rules will become more verbose, i.e.

destination:
 name: reviews
http:
  route:
   destination: 
      name: reviews
   rewrite:
      uri: /foo

A similar complication arises when we start using destination.port.

destination:
 name: reviews
 domains:
   - uk.bookinfo.com
 port:
   - 6666
http:
  route:
   destination: reviews.prod

In the above rule, does 6666 apply to the gateway port or to the reviews service's port? If I want to write a rule1 against gateway port 9080 and a rule2 against gateway port 80, I need to make sure that I don't co mingle the rule with internal service names as the internal service might be using that port for some other purpose.

Thoughts? @ZackButcher / @louiscryan / @kyessenov ?
One option is to restrict the destination to have either name or domains. Another is to enforce the constraint that if destination has only domains, route.destination is mandatory. Along with these, we need to impose the constraint that port cannot be used when both name and domains are used in the destination.
This seems rather clunky.

To clarify.

I think the match should occur on 'addressing' but we can decide to be permissive (destination name contextualized into FQDN matches application provided name contextualized into FQDN) or strict (names must match explicitly). I strongly suspect that permissive is pretty much what folks want universally.

'Destinations' are always internal though this can cover public hosts & IPs.

Binding a route rule to a gateway with no default destination is likely to be a mistake but it might not be worthwhile to reject it for the marginal value such validation would provide.

A route rule with no destination at all is definitely invalid, regardless of whether it's bound to a gateway or not.

I don't get why destination port is a problem, its just a refinement on the internal destination selection.

What's the purpose of this constraints? Can we inherit all domains from the gateway?

Multiple route rules for the same gateway server?

Assume gateway wants multiple route rules. Assume some of those rules care about the host header. Why not add a HTTP match condition on URI then?

But what part of the gateway? It defines multiple virtual hosts on different ports.

How do we associate a TLS cert with a server listener? Based on domain suffix match? Since this is already a reference to a cert, should we put that reference into the server instead?

Can’t the same cert be applicable across servers?

Normally, one domain name = one cert. But you can have a wildcard cert for multiple listeners. I don't understand the benefit of the extra indirection listener -> TLS config -> certs. Why not just listener (server) -> certs.

I simplified it.. PTAL

As I'm sitting down and writing code to generate listeners from Gateways, having the TLS config embedded in the server is way more convenient. I like this improvement.

It seems like this is capturing two names reviews.prod.svc.cluster.local and eu.bookinfo.com. What if we make destination an array and match on EITHER of name field values?

That is not a bad idea. The only thing is to interpolate namespace. Also destination needs to be renamed to hosts for clarity. There are too many destinations.

Destination is a mixer attribute namespace. We want consistent vocabulary. I'm fine either way, but then mixer needs to adopt host as the primary attribute space.

Destinations are names inside of the mesh, domains are names outside of the mesh. I think the distinction is important if we're talking about gateways bridging the external and internal worlds. If we conflate internal and external names I think it'll wind up more confusing than it needs to be (do I write a RouteRule for destination reviews.prod.svc.cluster.local, or eu.bookinfo.com? Are both valid?).

What this is actually doing is not capturing two names; it's capturing that Host: eu.bookinfo.com (an external name) routes to the service reviews.prod (an internal name).

What does it mean to apply a gateway in a rule?

That the rule selects itself to apply at the gateway. I am conflicted about this. @louiscryan seemed to think that this option was better than gateway selecting the rules. It seemed fine until I started describing the model.

Is this source matching? What about the original source match clause?

No, all this is doing is instructing Pilot to include these route rules in the config of ingress proxies exposing Gateway "my-gateway". From there, we use the domain to map from the external name to a destination with an internal name.

Here's how IMO things should work:
Gateway a exposes domains eu.bookinfo.com and us.bookinfo.com. Gateway b exposes us.bookinfo.com.

Then we define a RouteRule like:

metadata:
  name: route-reviews
spec:
  destination:
    name: reviews.prod
    domains:
    - eu.bookinfo.com
    - us.bookinfo.com
  gateways:
  - a
  ...

A request with Host: us.bookinfo.com that hits Gateway a will be routed according to the rule route-reviews. The same request hitting Gateway b results in a 404 because Gateway b has no routes for us.bookinfo.com; route-reviews only applies to Gateway a. A request inside of the mesh with a destination.service == reviews.prod has destination selected according the route-reviews as normal, the Gateway portion doesn't come in to play.

Why declare protocol at this level? To facilitate some API pattern.

Most properties at the gateway level are common among protocols unlike routing rules.

That was a leftover from old version.. removing..

redundant file?

Its intentional.. I just wanted to retain the comments, so that I don't forget the comments. But this won't be merged in, until the routing is refined..

What is the reason to not make "server" by the top-level config unit?
Logically, the configuration state is subdivided by domains, but it's three levels nested in the Gateway.

Don't you want to refer to the gateway as a whole by its name, in the routing rule ?

Are we assigning gateways to edge proxies? If all proxies run all gateways, then I want to bind a rule to a domain, not a gateway.

Don't we want to assign gateways to proxies? For e.g., I won't want to expose the set of servers exposed by my internal gateway to the external gateway.

Yup, I think we'll have use cases for tying gateways to specific sets of proxies.

What's the model for binding gateways to proxies? Can we bind rules to those proxies instead of gateways?

service

How does this work for non-namespaced components (e.g. cloud-provided ingress controllers)?

I'm not quite sure if you're asking about? The gateway in totality or just namespaced vs non-namespaced domains ?

There seems to be some implicit DNS context depending where the rule is applied. Since some k8s components run out of cluster, we want to make sure the rule can apply there too.

missing kind and version

fixed

out of date example

Why?

s/This/The

We really need to rationalize our usage of port, the current egress rule's port definition is a subset of this.

Not blocking, but in a follow on we should extract this port definition out and share it across rules.

I think at most we need two definitions: a source port definition (here) and a destination port definition (used in egress, and in a few other places in this PR, typically in the form of a oneof).

I tried doing this earlier. It’s not clean. Egress rule port is a spec. Same as gateway. But route rule port is a match. So some fields like protocol don’t make sense.

fixed

Same as above, why can't we just extract out and re-use a single Port message. Having this many ways to specify the same concept is going to cause user confusion and inconsistencies in our implementations.

So in this example, which reviews service does this rule apply to, if there are multiple namespaces with reviews service?

local namespace of the pod where this rule is being applied.

I think the comment needs some refinement for sure but its fair to start with the requirement that the host name is unique and relax it later.

If a name is unqualified we can try to qualify it in context (i.e namespace) before enforcing the uniqueness rule

I don't understand this explanation. Do you mean I have to use reviews.sales.svc.cluster.local as FQDN? What happens if I move my deployment to a different cluster suffix?

clarified

Are gateways namespaced? All Istio config resources are currently namespaced