Skip to content

feat: create per-tag KIngress resources instead of a single KIngress per Route#16439

Closed
kahirokunn wants to merge 8 commits intoknative:mainfrom
kahirokunn:per-tag-kingress
Closed

feat: create per-tag KIngress resources instead of a single KIngress per Route#16439
kahirokunn wants to merge 8 commits intoknative:mainfrom
kahirokunn:per-tag-kingress

Conversation

@kahirokunn
Copy link
Member

@kahirokunn kahirokunn commented Mar 9, 2026
edited
Loading

Depends on knative/networking#1120 (must be merged first).

Proposed Changes

Create individual KIngress resources per traffic tag instead of bundling all tags into a single KIngress. Each per-tag KIngress is labeled with networking.internal.knative.dev/tag.

  • MakeIngress now returns []*Ingress (one per tag)
  • Replace reconcileIngress with reconcileIngresses (with orphan cleanup)
  • Merge rollout state across per-tag ingresses
  • Filter TLS entries per tag's hosts

Release Note

Route reconciler now creates individual KIngress resources per traffic tag, each labeled with `networking.internal.knative.dev/tag`.

Testing

Manually verified the behavior by deploying a Route with multiple traffic tags.

With tag

CleanShot 2026-03-10 at 21 54 26@2x

Without tag

CleanShot 2026-03-10 at 21 55 56@2x

Tag Header Base Routing is also working properly.

@kahirokunn kahirokunn marked this pull request as draft March 9, 2026 15:24
@knative-prow
Copy link

knative-prow bot commented Mar 9, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: kahirokunn
Once this PR has been reviewed and has the lgtm label, please assign skonto for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@knative-prow knative-prow bot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. labels Mar 9, 2026
@knative-prow knative-prow bot requested review from dsimansk and skonto March 9, 2026 15:24
@codecov
Copy link

codecov bot commented Mar 9, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 85.59322% with 34 lines in your changes missing coverage. Please review.
✅ Project coverage is 80.27%. Comparing base (cff5211) to head (5f813e6).
⚠️ Report is 15 commits behind head on main.

Files with missing lines Patch % Lines
pkg/reconciler/route/reconcile_resources.go 77.77% 16 Missing and 6 partials ⚠️
pkg/reconciler/route/resources/ingress.go 96.58% 2 Missing and 2 partials ⚠️
pkg/reconciler/route/resources/names/names.go 0.00% 4 Missing ⚠️
pkg/reconciler/route/route.go 75.00% 2 Missing and 2 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #16439      +/-   ##
==========================================
+ Coverage   80.16%   80.27%   +0.10%     
==========================================
  Files         217      217              
  Lines       13503    13661     +158     
==========================================
+ Hits        10825    10966     +141     
- Misses       2310     2326      +16     
- Partials      368      369       +1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@kahirokunn kahirokunn force-pushed the per-tag-kingress branch 2 times, most recently from 780d593 to ebfaf55 Compare March 9, 2026 15:55
@kahirokunn kahirokunn marked this pull request as ready for review March 10, 2026 05:10
@knative-prow knative-prow bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 10, 2026
@kahirokunn kahirokunn force-pushed the per-tag-kingress branch 2 times, most recently from 6fd19b3 to 99fc0ea Compare March 10, 2026 07:29
@kahirokunn
feat: create per-tag KIngress resources instead of a single KIngress …
94567d0 
…per Route

Instead of consolidating all traffic tags into one KIngress, the Route
reconciler now creates individual KIngress resources for each traffic
tag. Each per-tag KIngress is labeled with networking.internal.knative.dev/tag
to identify which tag it serves. This enables independent lifecycle
management and status tracking per tag.

Signed-off-by: kahirokunn <okinakahiro@gmail.com>
dprotaso
dprotaso reviewed Mar 10, 2026
View reviewed changes
@kahirokunn kahirokunn mentioned this pull request Mar 11, 2026
Closed
@kahirokunn
refactor: split MakeIngressWithRollout into separate default and per-…
a281315 
…tag functions

Address review feedback to separate ingress creation into distinct methods:
- MakeDefaultIngressWithRollout: builds the default ingress with explicit rollout
- MakeRouteTagIngress: builds per-tag ingress (rollout derived internally)
- MakeIngressWithRollout: remains as orchestrator delegating to buildTagIngress

This makes it clear at the API level that rollout is primarily a concern of
the default ingress. Also extracts buildACMEPathsByHost and rolloutForTag
as reusable helpers.

Signed-off-by: kahirokunn <okinakahiro@gmail.com>
@kahirokunn
fix: omit TagLabelKey label from default ingress to avoid empty-strin…
e927e0d 
…g value

The default ingress was labeled with `networking.internal.knative.dev/tag: ""`
which conflates "no tag" with "empty string tag." Now only per-tag ingresses
carry the TagLabelKey label, making label selectors cleaner for operators.

The ingressByTag map logic in route.go is unaffected since Go's map zero-value
for a missing key is "" which matches traffic.DefaultTarget.

Signed-off-by: kahirokunn <okinakahiro@gmail.com>
@kahirokunn
refactor: use DesiredIngressNames and split functions in reconcileIng…
5809c57 
…resses

Replace MakeIngress (full spec construction) with DesiredIngressNames
(name-only computation) in Pass 1, and replace MakeIngressWithRollout
orchestrator with direct MakeDefaultIngressWithRollout + MakeRouteTagIngress
calls in Pass 2. This eliminates unnecessary spec construction in Pass 1,
removes the need for the empty-targets guard in the reconciler path, and
connects the split functions introduced in the previous commit.

Signed-off-by: kahirokunn <okinakahiro@gmail.com>
@kahirokunn
refactor: remove dead empty-targets guard from MakeIngressWithRollout
317f650 
The reconciler now calls MakeDefaultIngressWithRollout and
MakeRouteTagIngress directly, so the fallback that created a default
ingress for empty tc.Targets was unreachable. Remove it and fix tests
that relied on passing empty traffic.Config.

Signed-off-by: kahirokunn <okinakahiro@gmail.com>
dprotaso
dprotaso reviewed Mar 11, 2026
View reviewed changes
kahirokunn and others added 3 commits March 12, 2026 13:35
@kahirokunn @dprotaso
Apply suggestions from code review
75af8e0 
Co-authored-by: Dave Protasowski <dprotaso@gmail.com>
@kahirokunn
refactor: limit rollout annotation to default ingress and restructure…
653ac81 
… reconcileIngresses

Address review feedback from dprotaso (round 2):

- Fix build error: slices.Sort → slices.Sorted, add maps/slices imports
- Limit rollout annotation to the default ingress only; tag ingresses
  no longer carry rollout annotations since rollout state (gradual
  traffic shifting) is a concern of the default ingress only
- Store full rollout (all tags) in the default ingress annotation
  instead of per-tag filtered subsets
- Restructure reconcileIngresses into 3 clear phases:
  Phase 1: build default ingress with rollout (read prevRO from
           default ingress only)
  Phase 2: build per-tag ingresses (no rollout annotation)
  Phase 3: upsert all desired ingresses, then clean up orphans
- Move ingressByTag map construction from route.go into
  updatePlaceholderServices (signature change: map → slice)
- Remove dead len(ingresses) > 0 guard in ReconcileKind
- Remove unused rolloutForTag helper

Signed-off-by: kahirokunn <okinakahiro@gmail.com>
@kahirokunn
refactor: address per-tag ingress
5f813e6 
Signed-off-by: kahirokunn <okinakahiro@gmail.com>
@dprotaso
Copy link
Member

dprotaso commented Mar 13, 2026

Circling back on this - given that we have route tag header based routing - splitting the KIngress doesn't buy us much.

I think ultimately I'd rather keep things really simple and go back to your prior approach - but instead of modifying the CRD I think a simple annotation mapping tags to host names would suffice.

See:
#16455
knative/networking#1121

This was referenced Mar 13, 2026
Merged
Merged
@knative-prow-robot knative-prow-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 13, 2026
@knative-prow-robot
Copy link
Contributor

knative-prow-robot commented Mar 13, 2026

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@kahirokunn kahirokunn closed this Mar 13, 2026
@kahirokunn
Copy link
Member Author

kahirokunn commented Mar 13, 2026

Following discussions on Slack, we will adopt this option.
#16455

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dprotaso dprotaso dprotaso left review comments

@dsimansk dsimansk Awaiting requested review from dsimansk

@skonto skonto Awaiting requested review from skonto

Assignees

No one assigned

Labels

needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@kahirokunn @dprotaso @knative-prow-robot