What is route delegation

As your environment grows, your gateways manage traffic for more and more routes. These routes typically belong to many different apps that are owned by different individuals or teams. Managing the routing rules for all of these routes can be cumbersome and route updates can easily impact the behavior of other routes.

Route delegation allows you to split up big and complex routing configurations into smaller routing configurations that are easier to maintain. The ownership for these routing configurations are then delegated to the teams that own the app or domain.

For example, let’s assume you have three apps (app-a, app-b, and app-c) that are owned by three different teams (team-a, team-b, and team-c). Instead of creating one routing configuration that includes the routing rules for all apps, you create a routing configuration for each app and delegate ownership for this configuration to the team that is responsible for that app. Each team can then further delegate routing decisions to other teams.

Each set of routing rules is defined in a dedicated HTTPRoute resource. These HTTPRoute resources are then organized into a routing hierarchy that consists of the following elements:

Element in routing hierarchyResourceDescription
ParentHTTPRouteThe parent HTTPRoute resource specifies the main domain under which all of the routes that are defined in the parent, child, or grandchild HTTPRoute resources are exposed on. The parent HTTPRoute resource also references the gateway that you want to use to fulfill the routing configuration in the parentRef section. To delegate traffic to a child HTTPRoute resource, a PathPrefix matcher must be used.
ChildHTTPRouteThe child HTTPRoute resource receives traffic from the parent HTTPRoute resource and can either forward traffic to the backing service, or delegate traffic decisions to grandchild HTTPRoute resources. To receive delegated traffic from a parent, the child HTTPRoute must match on a path that contains the path prefix for which the parent delegated traffic for. For example, if the parent delegates traffic for /route, the child must define a route that includes this prefix, such as /route/a. If traffic is further delegated to a grandchild HTTPRoute resource, a PathPrefix matcher must be used.
GrandchildHTTPRouteA grandchild HTTPRoute resource receives traffic from a child HTTPRoute resource and can either bind to a specific child by using the parentRef section or be selected by all child HTTPRoute resources that want to delegate traffic to this grandchild. To receive traffic from a child, the grandchild must match on a path that contains the path prefix for which the child delegated traffic for. For example, if the child delegates traffic for /route/a, the grandchild must define a route that includes this prefix, such as /route/a/myservice. If traffic is further delegated to a great-grandchild HTTPRoute resource, a PathPrefix matcher must be used. Note that great-grandchild or great-great-grandchild behave similar to a grandchild HTTPRoute resource.

Benefits and use cases

Route delegation is often used as a security and risk mitigation strategy to allow multiple teams to own, add, remove, and update routes on a gateway without impacting the routing rules that other teams configured and requiring access to the entire routing configuration.

Review some of the benefits that you can achieve with route delegation:

BenefitDescription
Organize routing rules by user groupsWith route delegation, you can break up large routing configurations into smaller routing configurations which makes them easier to maintain and to assign ownership to. Each routing configuration in the routing hierarchy contains the routing rules and policies for only a subset of routes.
Restrict access to routing configurationBecause route delegation lets you break up large routing configurations into smaller, manageable pieces, you can easily assign ownership and restrict access to the smaller routing configurations to the individual or teams that are responsible for a specific app or domain. For example, the network administrator can configure the top level routing rules, such as the hostname and main route match, and delegate the individual routing rules to other teams.
Simplify blue-green route testingTo test new routing configuration, you can easily delegate a specific number of traffic to the new set of routes.
Optimize traffic flowsRoute delegation can be used to distribute traffic load across multiple paths or nodes in the cluster, which can improve network performance and reliability.
Easier updates with limited blast radiusIndividual teams can easily update the routing configuration for their apps and manage the policies for their routes. If errors are introduced, the blast radius is limited to the set of routes that were changed.

Policy inheritance

Policies that are defined in a RouteOption resource and that are applied to a parent HTTPRoute resource are inherited by all the child or grandchild HTTPRoutes along the route delegation chain. The following rules apply:

  • Only policies that are specified in a RouteOption resource can be inherited by a child HTTPRoute. For inheritance to take effect, you must use the spec.targetRefs field in the RouteOption resource to apply the RouteOption resource to the parent HTTPRoute resource. Any child or grandchild HTTPRoute that the parent delegates traffic to inherits these policies.
  • You can add the delegation.gateway.solo.io/enable-policy-overrides annotation to a parent HTTPRoute to allow its immediate child HTTPRoutes to override the top-level policies that are defined on the parent. You have the option to allow overriding policies of all types (delegation.gateway.solo.io/enable-policy-overrides: "*") or to limit the type of policies that a child can override (delegation.gateway.solo.io/enable-policy-overrides: "faults,headerManipulation,cors").
  • In a multi-level delegation chain with parent, child, and grandchild HTTPRoutes, the parent and the child HTTPRoutes must both set the delegation.gateway.solo.io/enable-policy-overrides annotation for the grandchild to be able to override the top-level policies that were defined on the parent.
  • If no delegation.gateway.solo.io/enable-policy-overrides annotation is set on the parent and the child HTTPRoute sets a policy that is already defined on the parent HTTPRoute, the setting on the parent HTTPRoute takes precedence and the setting on the child is ignored. For example, if the parent HTTPRoute defines a data loss prevention policy, the child HTTPRoute cannot change these settings or disable that policy.
  • If no delegation.gateway.solo.io/enable-policy-overrides annotation is set on the parent HTTPRoute, child HTTPRoutes can augment the inherited settings by defining RouteOption fields that were not already set on the parent HTTPRoute.

For an example, see the Policy inheritance guide.

Limitations

The current route delegation model imposes a few restrictions on how routes can be delegated. If a rule is violated, the corresponding rule is removed from the route.

Hostnames

Only parent HTTPRoutes can specify the spec.hostnames field. All child and grandchild HTTPRoute resources inherit the parent’s hostname.

Route matchers

Parent HTTPRoute resources that delegate to child HTTPRoute resources must use PathPrefix matchers as shown in the following example:

 rules:
 - matches:
   - path:
       type: PathPrefix
       value: /a
   backendRefs:
   - group: gateway.networking.k8s.io
     kind: HTTPRoute
     name: "*"
     namespace: abc

Child HTTPRoute resources can use prefix, exact, or regex path matchers in their matching rules as shown in the following example. Each path matcher must start with the prefix path that the parent HTTPRoute delegates traffic for, in this case /a. The child HTTPRoute in the following example defines three route matchers along the /a path: /1, /1/foo, and /1/.*.

 rules:
 - matches:
   - path:
       type: PathPrefix
       value: /a/1
   - path:
       type: Exact
       value: /a/1/foo
   - path:
       type: RegularExpression
       value: /a/1/.*
   backendRefs:
   - name: svc-a
     port: 8080

Headers, query parameters, HTTP methods

You can specify headers, query parameters, and HTTP method matchers on the parent HTTPRoute resource. However, any child HTTPRoute resource that you delegate traffic to must specify the same header, query parameters, or HTTP method matchers to be considered a valid configuration. You can optionally define additional header, query parameter, or HTTP method matchers on the child.

For example, let’s say you define the following parent and child HTTPRoute resources:

Example configurationValid route delegation configuration?
  • parent
    • match on /anything/team1 and delegate traffic to the child HTTPRoute
    • header1: val1
    • query1=val1
  • child
    • match on /anything/team1/foo and route traffic to the httpbin app
    • header1: val1
    • headerX: valX
    • query1=val1
    • queryX=valX


The headers and query parameters that are specified on the child HTTPRoute are a superset of the header and query parameters that are specified on the parent.
  • parent
    • match on /anything/team1 and delegate traffic to the child HTTPRoute
    • header1: val1
    • query1=val1
  • child
    • match on /anything/team1/foo and route traffic to the httpbin app
    • headerX: valX
    • queryX=valX


The headers and query parameters that are specified on the child HTTPRoute do not include the header and query parameters that are specified on the parent.

Cyclic delegation

Cyclic route delegations, such as where HTTPRoute A delegates to B, B delegates to C, and C delegates back to A are not allowed in Gloo Gateway as no proper backend is specified that fulfills the request. If cyclic route delegation is detected, the route that is part of the cycle is ignored and reported as an error.