feat: add knob for switching container port

[zvlb]

issue - #3226, #2310
Previos PR - #2405 (not my, not finished)

@arkodg I add new field to EnvoyProxy (not EnvoyGateway), bc with this EnvoyProxy We can use kubernetes Gateway CRD for functionality)

Local tests finished good

[arkodg]

any other alternate name suggestions ?DisablePortShift is too vague imo and doesnt account for the fact that this issue is tied to ContainerPort
cc @envoyproxy/gateway-maintainers @envoyproxy/gateway-reviewers

[zvlb]

To come up with variable names is harder than writing code.

Something like DisableShiftContainerPort?

[cnvergence]

Could it be an other way around, like BindPort or StaticPort bool value?

[zvlb]

BindPort and StaticPort looks like fields for port value. Not for bool

[arkodg]

I prefer UseListenerPortAsContainerPort from https://github.com/envoyproxy/gateway/pull/2405/files
@envoyproxy/gateway-maintainers / @envoyproxy/gateway-reviewers wdyt

[zhaohuabing]

+1 for UseListenerPortAsContainerPort .

I can tell what UseListenerPortAsContainerPort does by its name, but can't infer what DisablePortShift without looking into the comment. :-)

[zvlb]

No problem. I can use this variable. However, I see a small logical issue. If I plan to use a port higher than 1024 in the Listener (for example, 3000), there will be no 'port offsets'. That means the UseListenerPortAsContainerPort variable will be set to false (the default value), and at the same time, the listener port and the container port will be equal.

[zhaohuabing]

Does this require user involvement, or does EG automatically add the CAP_NET_BIND_SERVICE capability to the Envoy container?

[zvlb]

I'm not sure about "automatically".
In my case I set this CAP in envoyProxy, like:

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: default
  namespace: envoy-gateway
spec:
  provider:
    kubernetes:
      disablePortShift: true.  # tmp name
      envoyDaemonSet:
        pod:
          nodeSelector:
            node-role.kubernetes.io/gateway: "true"
        container:
          image: envoyproxy/envoy:v1.29.2
          securityContext:
            allowPrivilegeEscalation: true
            capabilities:
              add:
              - NET_BIND_SERVICE
              drop:
              - ALL
            seccompProfile:
              type: RuntimeDefault
        patch:
          type: StrategicMerge
          value:
            spec:
              template:
                spec:
                  hostNetwork: true
                  dnsPolicy: ClusterFirstWithHostNet
    type: Kubernetes

And need to use NOT distroless images, bc distroless can't bind on 1-1024 ports

[zvlb]

I rebase my branch from main and change field name from DisablePortShift to UseListenerPortAsContainerPort.

But I can't run e2e test localy. If something broken - I will test all and fix in monday. (I'm not sure about route.go... Many changes. Now this package don't collect container ports)

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 67.43%. Comparing base (8206e11) to head (65253e1).
Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3333      +/-   ##
==========================================
+ Coverage   67.41%   67.43%   +0.01%     
==========================================
  Files         166      166              
  Lines       19186    19197      +11     
==========================================
+ Hits        12934    12945      +11     
  Misses       5322     5322              
  Partials      930      930              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[zvlb]

Just rebase

[zvlb]

Test error: Tokenless has reached GitHub rate limit

[AliceProxy]

branch needs rebase again but lgtm

[arkodg]

LGTM thanks !