Are you suggesting the session key can even be shared across pods? Different gateways can have different levels of trust; not sure how we can define a trust boundary for sharing.
I'm more curious about the motivation behind the session key: are you seeing a potential performance bottleneck on this?
There might be some restrictions set by Envoy on using/sharing session keys for security concerns. There is no such service that stores session keys and provisions session keys to multiple ingress gateways.
Describe the feature request
Currently, TLS session ticket keys are generated internally per Envoy, which means multiple ingressgateways will generate different keys, and sessions will not correctly be resumed (unless some kind of sticky session is used in the K8s service).
It could be nice if we found a way to generate and share keys so that sessions could be resumed independently from the ingressgateway pod.
I'm not really familiar with Istio development, so not sure how I can contribute to that.
[ ] Configuration Infrastructure
[ ] Docs
[ ] Installation
[x] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[x] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
Additional context
https://discuss.istio.io/t/tls-tickets-with-multiple-ingress-gateway/1468
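As an added illustration (not code from the issue, Istio or Envoy), the model below shows why per-pod ticket keys break resumption and how a shared, ordered key list fixes it. Each gateway pod keeps a list of ticket keys: the first key issues new tickets, any key in the list can validate a ticket, and a ticket naming an unknown key is rejected, forcing a full handshake. This is the same first-key-encrypts, all-keys-decrypt convention Envoy follows for its `session_ticket_keys` list; the `GatewayPod`/`TicketKey` names are invented, and the ticket is only HMAC-authenticated here, whereas a real ticket key also encrypts the session state.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

KEY_NAME_LEN = 16   # ticket key identifier carried in the clear
MAC_LEN = 32        # HMAC-SHA256 tag length


@dataclass(frozen=True)
class TicketKey:
    """Hypothetical ticket key: a public name plus a secret (constructed for this example)."""
    name: bytes
    secret: bytes


def new_key() -> TicketKey:
    return TicketKey(os.urandom(KEY_NAME_LEN), os.urandom(32))


class GatewayPod:
    """Models one ingress gateway pod holding an ordered ticket key list."""

    def __init__(self, keys: list[TicketKey]) -> None:
        self.keys = keys  # keys[0] issues new tickets; every key may validate

    def issue_ticket(self, session_state: bytes) -> bytes:
        key = self.keys[0]
        tag = hmac.new(key.secret, key.name + session_state, hashlib.sha256).digest()
        return key.name + session_state + tag

    def resume(self, ticket: bytes) -> bool:
        """True if the ticket can be validated here, i.e. resumption succeeds."""
        name, state, tag = ticket[:KEY_NAME_LEN], ticket[KEY_NAME_LEN:-MAC_LEN], ticket[-MAC_LEN:]
        for key in self.keys:
            if key.name == name:
                expected = hmac.new(key.secret, name + state, hashlib.sha256).digest()
                return hmac.compare_digest(expected, tag)
        return False  # unknown key name: fall back to a full handshake


def per_pod_keys() -> tuple[bool, bool]:
    """Current behaviour described in the issue: each pod generates its own key."""
    a, b = GatewayPod([new_key()]), GatewayPod([new_key()])
    ticket = a.issue_ticket(b"session-state")
    return a.resume(ticket), b.resume(ticket)          # (True, False)


def shared_keys() -> tuple[bool, bool, bool, bool]:
    """Proposed behaviour: pods load the same [current, previous] list; rotation keeps old tickets valid."""
    shared = [new_key(), new_key()]
    a, b = GatewayPod(shared), GatewayPod(shared)
    ticket = a.issue_ticket(b"session-state")
    rotated = GatewayPod([new_key()] + shared)         # pod A after prepending a fresh key
    stale_peer = b.resume(rotated.issue_ticket(b"s"))  # pod B has not received the new key yet
    return a.resume(ticket), b.resume(ticket), rotated.resume(ticket), stale_peer
```

The last value shows the operational caveat of sharing keys: rotation must reach every pod before the new key starts issuing tickets, or resumption silently degrades to full handshakes on the pods that lag behind.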