
Multiple ingressgateway TLS Ticket keys #20347

Closed
Paic opened this issue Jan 21, 2020 · 3 comments

Comments

@Paic

Paic commented Jan 21, 2020

Describe the feature request

Currently, TLS session ticket keys are generated internally per Envoy, which means multiple ingressgateways will generate different keys, and sessions will not be resumed correctly (unless some kind of sticky session is used in the K8s service).

It could be nice if we found a way to generate and share keys so that sessions could be resumed independently from the ingressgateway pod.

I'm not really familiar with Istio development, so not sure how I can contribute about that.

[ ] Configuration Infrastructure
[ ] Docs
[ ] Installation
[x] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[x] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure

Additional context

https://discuss.istio.io/t/tls-tickets-with-multiple-ingress-gateway/1468
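The symptom described above can be measured from the client side by reconnecting repeatedly and counting how often the server accepts the offered session. This is an added diagnostic, not code from Istio or Envoy; it assumes an HTTPS endpoint that answers a plain GET, and the `diagnose` thresholds and the replica count passed to it are the example's own assumptions:

```python
"""Probe whether TLS session resumption survives repeated connections.

Added diagnostic for this issue, not Istio or Envoy code. With per-pod ticket
keys a connection resumes only on the pod that issued its ticket, so the reuse
ratio behind a load balancer collapses. Assumes a plain HTTPS endpoint."""
import socket
import ssl
from dataclasses import dataclass

@dataclass
class ProbeResult:
    attempts: int
    reused: int

    @property
    def ratio(self) -> float:
        return self.reused / self.attempts if self.attempts else 0.0

def _connect_once(ctx, host, port, session):
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host, session=session) as tls:
            # TLS 1.3 sends NewSessionTicket after the handshake, so data must
            # flow before tls.session holds a ticket worth offering next time.
            tls.sendall(f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            while tls.recv(4096):
                pass
            return tls.session_reused, tls.session

def probe_resumption(host, port=443, attempts=10, ctx=None):
    """Reconnect `attempts` times, offering the previous session each time."""
    ctx = ctx or ssl.create_default_context()
    session, reused = None, 0
    for _ in range(attempts):
        was_reused, session = _connect_once(ctx, host, port, session)
        reused += int(was_reused)
    return ProbeResult(attempts, reused)

def diagnose(result, replicas):
    """Interpret a probe; thresholds are this example's own heuristics."""
    if result.attempts < 2:
        return "insufficient-data"
    if result.reused == 0:
        return "no-resumption"
    achievable = (result.attempts - 1) / result.attempts  # first try never resumes
    if result.ratio >= 0.9 * achievable:
        return "consistent-keys-or-affinity"
    if replicas > 1 and result.ratio <= 1.5 * achievable / replicas:
        return "per-pod-keys-suspected"
    return "partial-resumption"
```

Run `diagnose(probe_resumption("gateway.example.invalid"), replicas=3)` against the gateway's load-balanced address; a "consistent" verdict on a single replica says nothing about key sharing, so compare against the replica count actually behind the service.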

@incfly

incfly commented Mar 27, 2020

Are you suggesting the session key can even be shared across pods? Different gateways can have different levels of trust; not sure how we can define a trust boundary for sharing.

I'm more curious about the motivation behind the session key. Are you seeing a potential performance bottleneck on this?

@JimmyCYJ
Member

There might be some restrictions set by Envoy on using/sharing session keys for security concerns. There is no such service that stores session keys and provisions session keys to multiple ingress gateways.

@howardjohn
Member

This is essentially the same as #26009; let's tackle this in that issue, which has some good discussion. Thanks!

Prioritization automation moved this from P2 to Done Nov 3, 2020