TLS Termination Policy #52
Comments
danehans
added
the
kind/feature
|
Can this be achieved using match/filter/action of a route? If so, how easy is the workflow understood by a user? Is this a gateway class, gateway or route setting? |
|
In scenario 2, are you doing http routing before using TLS on the backside? This might be handled by saying that the Service app-protocol field can be used to determine whether or not TLS will be used on the Gateway/HTTPRoute => Service leg of the journey. In scenario 3, what kind of routing are you expecting wrt to TLS? For example, this could just be TCP passed through OR is there some form of routing on the hostname that happens? |
|
/kind user-story |
k8s-ci-robot
added
the
kind/user-story
I think both are valid use-cases. |
@bowei I call scenario 2 "Reencrypt" in which the gateway terminates the client-side tls connection and creates a new tls connection to the backend service. The gateway would associate a ca bundle with the route to auth the backend service. PTAL at https://github.com/kubernetes-sigs/service-apis/pull/71/files#diff-c32a8ad2aa56de73b42e20d9e3cc82d8 for an example.
Can you help me better understand "Service app-protocol field"? Are you referring to
I call this scenario "Passthrough". Yes, the supported route type would be |
He is referring to a new field that is coming in 1.18: kubernetes/enhancements#1422 |
|
Thanks for providing the link. |
@bowei do we want to address this use case for pre 1.18 clusters that don't support the Service app-protocol field? |
|
As a bit of a tangential update, that field did land in 1.18 but due to backwards compatibility requirements had to be feature gated - it won't be enabled by default until 1.19, so given the extended timeline it might be worth looking at potential solutions here as well. For reference, here's the PR updating the KEP to reflect that updated timeline: kubernetes/enhancements#1676 |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
bowei
removed
the
lifecycle/stale
|
Considering this resolved. |
|
/close |
|
@hbagdi: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Add Service Directory GKE Integration recipes
What would you like to be added:
As an application developer, I need the ability to specify a TLS termination policy for my
HTTPRouteto specify how the associated connections should be handled by theGateway.Why is this needed:
I create
HTTPRoutesroutes foo, bar and baz (with TLS configured). I need tls connections for route foo to be:client----(tls)----->gateway----(http)---->serviceThe tls connection is terminated at the gateway and an http connection is created to the service.
I need tls connections for route bar to be:
client----(tls)----->gateway----(tls-2)---->serviceWhere tls-2 is a new tls connection between gateway and service. Options should be provided for one and two-way authentication between gateway and service.
I need tls connections for route baz to be:
client----(tls)----->gateway----(tls)---->serviceWhere the client tls connection is not terminated at the gateway, but instead is passed through to the backend service.
Implementation References
The text was updated successfully, but these errors were encountered: