Adds Per Route TLS Config to Gateway API Type #71
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -56,9 +56,12 @@ type GatewaySpec struct { | |
| // Listeners associated with this Gateway. Listeners define what addresses, | ||
| // ports, protocols are bound on this Gateway. | ||
| Listeners []Listener `json:"listeners"` | ||
| // Routes defines routes to associate with the Gateway. | ||
| // | ||
| // Support: Core | ||
| // | ||
| // +optional | ||
| Routes []Route `json:"routes,omitempty"` | ||
| } | ||
|
|
||
| const ( | ||
|
|
@@ -68,6 +71,25 @@ const ( | |
| HTTPSProcotol = "HTTPS" | ||
| ) | ||
|
|
||
| // Route defines the schema for a route. | ||
| type Route struct { | ||
| // RouteRef is a reference to an object to associate with the Gateway. | ||
| // RouteRef defines protocol-specific routing to back-ends (e.g. Services). | ||
| // | ||
| // If unspecified, no routes will be associated to the Gateway. | ||
| // | ||
| // Support: Core | ||
| // | ||
| // +optional | ||
| RouteRef core.ObjectReference `json:"routeRef"` | ||
| // TLS is the configuration used for establishing a TLS connection. | ||
| // | ||
| // Support: Core | ||
| // | ||
| // +optional | ||
| TLS *TLSConfig `json:"tls,omitempty"` | ||
| } | ||
|
|
||
| // Listener defines a | ||
| type Listener struct { | ||
| // Name is the listener's name and should be specified as an | ||
|
|
@@ -87,7 +109,7 @@ type Listener struct { | |
| // the request address is invalid, the GatewayClass MUST indicate | ||
| // this in the associated entry in GatewayStatus.Listeners. | ||
| // | ||
| // Support: Core | ||
| // | ||
| // +optional | ||
| Address *ListenerAddress `json:"address,omitempty"` | ||
|
|
@@ -107,7 +129,7 @@ type Listener struct { | |
| // Support: Core | ||
| // | ||
| // +optional | ||
| TLS *TLSConfig `json:"tls,omitempty"` | ||
|
There was a problem hiding this comment. Maybe we need to step back from attaching TLS to the listener. The There was a problem hiding this comment. If the App Dev is responsible for managing TLS config, then I agree that |
||
| // Extension for this Listener. | ||
| // | ||
| // Support: custom. | ||
|
|
@@ -149,7 +171,7 @@ const ( | |
| TLS1_3 = "TLS1_3" | ||
| ) | ||
|
|
||
| // TLSConfig describes configuration for establishing a TLS connection. | ||
|
There was a problem hiding this comment. To me, "establishing a TLS connection" implies pretty strongly that it is being used by a network client. There was a problem hiding this comment. Maybe (the server also is part of connection establishment) There was a problem hiding this comment. If this is intended to be specific to accepting a TLS session, then I agree There was a problem hiding this comment. @bowei I considered |
||
| // | ||
| // References | ||
| // - nginx: https://nginx.org/en/docs/http/configuring_https_servers.html | ||
|
|
@@ -158,20 +180,41 @@ const ( | |
| // - gcp: https://cloud.google.com/load-balancing/docs/use-ssl-policies#creating_an_ssl_policy_with_a_custom_profile | ||
| // - aws: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies | ||
| // - azure: https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-tls-1112 | ||
| type TLSConfig struct { | ||
| // Certificates is a reference to one or more Kubernetes objects each containing | ||
| // an identity certificate that is bound to a listener. The hostname in a TLS | ||
| // SNI client hello message is used for certificate matching and route hostname | ||
| // selection. | ||
| // | ||
| // If apiGroup and kind are empty, will default to Kubernetes Secrets resources. | ||
| // | ||
| // Support: Core (Kubernetes Secrets) | ||
| // Support: Implementation-specific (Other resource types) | ||
| // | ||
| // +optional | ||
| ListenerCertificates []core.TypedLocalObjectReference `json:"listenerCertificates,omitempty"` | ||
|
There was a problem hiding this comment. I think this relates back to my comment on There was a problem hiding this comment. My current understand is that the certs associated with the Gateway here are for downstream connection and the TLSConfig in |
||
| // CACertificates is a reference to one or more Kubernetes objects | ||
| // each containing a CA certificate used by the TLS client for | ||
| // establishing a connection with a server. | ||
| // | ||
| // Here is a ConfigMap example (in yaml): | ||
| // | ||
| // apiVersion: v1 | ||
| // kind: ConfigMap | ||
| // metadata: | ||
| // name: my-dest-svc-ca | ||
| // namespace: my-dest-svc-namespace | ||
| // data: | ||
| // ca-bundle.crt: | | ||
| // -----BEGIN CERTIFICATE----- | ||
| // Destination Service CA Certificate Bundle. | ||
| // -----END CERTIFICATE----- | ||
| // | ||
|
There was a problem hiding this comment. This is a nice improvement. Should we add a reference to #74, which hopefully will fully define the requirements around certificates? |
||
| // Support: Core (Kubernetes ConfigMap) | ||
| // Support: Implementation-specific (For other resource types) | ||
|
There was a problem hiding this comment.
|
||
| // | ||
| // +optional | ||
| CACertificates []core.TypedLocalObjectReference `json:"caCertificates,omitempty"` | ||
| // MinimumVersion of TLS allowed. It is recommended to use one of | ||
| // the TLS_* constants above. Note: this is not strongly | ||
| // typed to allow implementation-specific versions to be used without | ||
|
|
@@ -182,7 +225,15 @@ type ListenerTLS struct { | |
| // values. | ||
| // | ||
| // +optional | ||
| MinimumVersion *string `json:"minimumVersion,omitempty"` | ||
|
There was a problem hiding this comment. Hmm, are there any requirements on implementations if the minimum version is omitted? Maybe track a separate issue to discuss? |
||
| // TLSTermination defines how to terminate TLS connections. | ||
| // | ||
| // If unspecified, TLS termination type "Edge" will be used. | ||
| // | ||
| // Support: Core | ||
| // | ||
| // +optional | ||
| TLSTermination TLSTerminationType `json:"tlsTermination,omitempty"` | ||
|
There was a problem hiding this comment. This gets interesting. Sometimes one can be in a situation where the termination is decided based on the SNI. For some SNIs, the proxy terminates TLS while for other it is passthrough. It has come up a few times but I'm not sure if it should be supported by our API. Leaving a note here but I think it is okay to keep this as is. |
||
| // Options are a list of key/value pairs to give extended options | ||
| // to the provider. | ||
| // | ||
|
|
@@ -192,9 +243,26 @@ type ListenerTLS struct { | |
| // construct. | ||
| // | ||
| // Support: Implementation-specific. | ||
| // | ||
| // +optional | ||
| Options map[string]string `json:"options,omitempty"` | ||
| } | ||
|
|
||
| // TLSTerminationType specifies where TLS connections will terminate. | ||
| type TLSTerminationType string | ||
|
|
||
| const ( | ||
| // TLSTerminationEdge terminates the TLS connection at the gateway. | ||
| TLSTerminationEdge TLSTerminationType = "Edge" | ||
|
|
||
| // TLSTerminationPassthrough terminates the TLS connection at the | ||
| // destination service. The destination service is responsible for | ||
| // decrypting data from the connection. The Gateway listener must be | ||
| // configured for the HTTPS protocol. SNI is used by the Gateway to | ||
| // perform route selection. | ||
| TLSTerminationPassthrough TLSTerminationType = "Passthrough" | ||
| ) | ||
|
|
||
| // GatewayStatus defines the observed state of Gateway. | ||
| type GatewayStatus struct { | ||
| // Conditions describe the current conditions of the Gateway. | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this really what a Route is? Looking at the current spec,
TcpRouteandHTTPRouteare defined. To my mind these have more in common with endpoints (since we are in a reverse-proxy configuration, they will appear to be endpoints from the perspective of the client).I realize that this terminology is already in play, but maybe we can clarify here. The description of "routing to back-ends" seems more applicable to
HTTPRouteAction.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you define more what "endpoint" and "client" you mention in the above.
Endpoint e.g. k8s Endpoint? Or something else?
Client as in the HTTP-client coming to the Gateway (or something else)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The purpose of the
Routetype is to group attributes with the route reference. Currently, we're focused on TLS, but I can foresee other attributes a Cluster Operator may want to associate to a route, e.g. a traffic shaping policy.