docs(design): multi-port routes and streaming for NebariApp #120
Draft
viniciusdc wants to merge 1 commit into
Adds a design doc proposing an optional per-route port override on RouteMatch so a single NebariApp can route different path prefixes to different ports on the same backend Service under one hostname. Tightens the same-namespace contract by removing ServiceReference.Namespace, and codifies the "one NebariApp = one hostname = one backend Service" boundary that has been implicit until now. nebari-landing reads the namespace field for in-cluster health-probe DNS construction but has graceful fallback to the NebariApp's own namespace, and the original consumers (Keycloak/ArgoCD as NebariApps in the kind dev cluster) have moved to NIC's foundational Argo-apps layer, so the removal is non-breaking. A follow-up PR on nebari-landing should drop the now-inert ServiceNamespace plumbing. The streaming/BackendTrafficPolicy concern (Envoy SSE timeouts) is covered in a separate design doc (docs/design/streaming-timeouts.md). Filename kept as multi-backend-routes.md for URL stability; the doc explains the rename.
Summary
Design document (no code in this PR — multi-port implementation is the stacked PR #121; streaming implementation TBD). Proposes two related routing-contract extensions:
RouteMatch.port override so a single NebariApp can route different path prefixes to different ports on the same backend Service under one hostname.
routing.streaming: true flag that makes the operator emit an Envoy Gateway BackendTrafficPolicy disabling the default 15s request timeout and setting a 5-minute idle timeout. Covers SSE, long-poll, gRPC streaming.
Plus two contract-tightening items that ride along:
ServiceReference.Namespace. Half-feature on the operator side (cross-namespace BackendObjectReference needs a ReferenceGrant the operator never creates), but it is still read by nebari-landing for health-probe DNS construction — that dependency is now dormant and falls back gracefully. See the doc's Downstream consumer section.
Iteration note
An earlier draft proposed per-route backend: {name, port} overrides (multi-Service). That was narrowed: a NebariApp targets exactly one Service. Streaming was originally listed as a follow-up; folded into this design after iteration. The doc keeps the original filename for URL stability and explains the rename inline.
Why now
routing.routes[].port knob plugs that with a one-line addition to RouteMatch.
requestTimeout cuts off SSE / long-poll / gRPC streams. The downstream PR openteams-ai/nebari.openteams.ai#12 is hand-rolling a BackendTrafficPolicy targeting the operator's HTTPRoute by name — a fragile contract pack authors shouldn't need to learn the Envoy schema for. The proposed routing.streaming: true flag makes the operator emit a single owner-referenced policy with canned timeouts (requestTimeout: 0s, connectionIdleTimeout: 300s).
nebari-landing dependency
spec.service.namespace is read by nebari-landing to build in-cluster health-probe URLs that deliberately bypass the gateway. Two reasons removal is non-breaking:
unstructured.NestedString with a fallback to u.GetNamespace() when the field is absent.
Follow-up nebari-landing PR (separate, after this lands) will remove the inert App.ServiceNamespace field and the cross-namespace fallback branch.
What the doc covers
RouteMatch.port, RoutingConfig.streaming, and ServiceReference slim-down.
BackendTrafficPolicy resource shape, lifecycle, and target-refs (covers both main and public HTTPRoutes).
api/v1/, internal/controller/reconcilers/), including a new streaming.go reconciler and an RBAC bump for backendtrafficpolicies.
spec.service; failure surfaces on the NebariApp's status.
spec.service.namespace removal in v1; project README still flags the API as unstable, so this fits within the stated contract).
publicRoutes symmetry, status surface for resolved ports, whether streaming should apply to the public HTTPRoute, and whether to expose individual timeout knobs vs. a boolean.
Test plan
RouteMatch.port shape (*int32, optional, falls back to spec.service.port)
RoutingConfig.streaming shape (boolean intent vs. a streamingTimeouts struct — see Open questions)
targetRefs should cover both main and public HTTPRoutes (vs. main only)
ServiceReference.Namespace removal is acceptable given the nebari-landing analysis
Follow-up
ServiceNamespace plumbing.
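
The port fallback and same-namespace contract described in the PR, sketched as an added example (not code from this PR or from the operator). The type shapes are simplified stand-ins; PathPrefix, BackendRef, ErrBadPort and ResolveBackends are hypothetical names, and the 1-65535 range check is an assumption about how an invalid port would be rejected.

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-ins for the CRD types named in the PR. Only RouteMatch.Port (*int32)
// and the fallback to the service port come from the page; PathPrefix,
// BackendRef and the function name are hypothetical.
type (
	ServiceReference struct {
		Name string
		Port int32
	}
	RouteMatch struct {
		PathPrefix string
		Port       *int32 // nil means "use ServiceReference.Port"
	}
	BackendRef struct {
		PathPrefix, Namespace, Name string
		Port                        int32
	}
)

var ErrBadPort = errors.New("port outside 1-65535")

// ResolveBackends pins every route to the one Service in the NebariApp's own
// namespace and picks the effective port per route. With no namespace field
// on ServiceReference, a route cannot point at a Service in another namespace.
func ResolveBackends(appNS string, svc ServiceReference, routes []RouteMatch) ([]BackendRef, error) {
	out := make([]BackendRef, 0, len(routes))
	for _, r := range routes {
		port := svc.Port
		if r.Port != nil {
			port = *r.Port
		}
		if port < 1 || port > 65535 { // also catches an unset service port
			return nil, fmt.Errorf("route %q: %w (got %d)", r.PathPrefix, ErrBadPort, port)
		}
		out = append(out, BackendRef{r.PathPrefix, appNS, svc.Name, port})
	}
	return out, nil
}

func main() {
	metrics := int32(9090) // constructed sample values
	refs, err := ResolveBackends("demo", ServiceReference{"web", 8080},
		[]RouteMatch{{"/", nil}, {"/metrics", &metrics}})
	fmt.Println(refs, err)
}
```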