Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature] TLS TCP session proxying #787

Closed
davecheney opened this issue Oct 29, 2018 · 8 comments
Closed

[Feature] TLS TCP session proxying #787

davecheney opened this issue Oct 29, 2018 · 8 comments
Assignees
@davecheney
Labels
Epic kind/feature Categorizes issue or PR as related to a new feature. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release.
Milestone
0.9.0

Comments

@davecheney
Copy link
Contributor

davecheney commented Oct 29, 2018
edited

This is a high level ticket to track the addition of TLS forwarding to Contour 0.8.

What is being added?

Support for handling TLS encrypted TCP sessions is planned for Contour 0.8. This will terminate the TLS connection at the Envoy edge and forward the decrypted TCP flow to a backend pod making up a service. [Note: this is my best understanding of the way Envoy 1.7.0 works, this may change].

How is it being added?

The DAG is being extended to differentiate between dag.HTTPService objects (#786), and dag.TCPService objects (#785). Once this is complete it will be possible to model the required configuration Envoy requires.

On the frontend the ingressroute.spec stanza will be extended with a new forward key. Something like

spec:
  virtualhost:
    fqdn: secure.example.com
    tls:
      secretname: "required"
  forward:
    services:
    - name: s1
      port: 80
      weight: 10
    - name: s2
      port: 8080
      weight: 20
    - name: s3
      port: 80
      weight: 70
      strategy: Random # Overrides default LB policy
  • services is a list of Service objects, similar to spec.routes.services. There may be many entries in the services list, but only one services key may be present.
  • name is the name of a service in this Ingressroute's namespace.
  • port is the port on the Service object. This port is expecting NON TLS traffic. TLS demux is handled at the Envoy layer.
  • weight, weighting is supported with the same logic as spec.route.services.
  • strategy, load balancing strategies are supported per backend service.

Only one of virtualhost or forward keys may be present. forward is ignored if spec.virtualhost.tls is missing.

Out of scope

  • Raw TCP forwarding is not in scope for Contour 0.8. All connections proxied through Envoy must begin with a TLS SNI handshake. The SNI handshake is required to establish the hostname for the incoming connection. If TLS is not used then it is not clear what value using Contour adds over a traditional service load balancer.
  • TLS forwarding whereby the TLS connection is forwarded encrypted to the backend service is not in scope for Contour 0.8. This might be tracked as SSL Passthrough #15.
  • UDP forwarding is not in scope. It is unlikely Contour will ever attempt this feature.
  • Delegation from a Root ingressroute to another is not in scope.
@davecheney davecheney added kind/feature Categorizes issue or PR as related to a new feature. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. blocked/needs-design Categorizes the issue or PR as blocked because it needs a design document. Epic labels Oct 29, 2018
@davecheney davecheney added this to the 0.8.0 milestone Oct 29, 2018
@davecheney davecheney self-assigned this Oct 29, 2018
@davecheney davecheney removed the blocked/needs-design Categorizes the issue or PR as blocked because it needs a design document. label Oct 29, 2018
@alexbrand
Copy link
Contributor

Raw TCP forwarding is not in scope for Contour 0.8. All connections proxied through Envoy must begin with a TLS SNI handshake. The SNI handshake is required to establish the hostname for the incoming connection. If TLS is not used then it is not clear what value using Contour adds over a traditional service load balancer.

I think one potential value-add over traditional service load balancers is traffic consolidation. For example, in the case that I have N services that I want to load balance, I can send traffic through my ingress tier instead of having (and paying for) N cloud load balancers.

@davecheney
Copy link
Contributor Author

@alexbrand but these N services would have to be presented externally on N ports. Without the SNI handshake we cannot tell which backend service the traffic is for so we'd have to forward then entire port carte blanche. This means contour would need to open a new incoming port on its service type:loadBalancer to route that traffic.

@mauilion
Copy link

You could map all the rest of the port range for that ip to internal services

@mauilion
Copy link

We should talk through a couple of use cases I've seen.

@glerchundi glerchundi mentioned this issue Oct 31, 2018
Closed
davecheney added a commit to davecheney/contour that referenced this issue Nov 1, 2018
@davecheney
interna/dag: refactor dag.Service to dag.TCPService
7d3a1e8 
Updates projectcontour#787

This PR rearranges and renames dag.ServiceVector, dag.Service, and
dag.HTTPService.

By recognising that dag.HTTPService represents a L7 service on top of a
L4 dag.TCPService we free up dag.Service as a descriptive name for an
interface which both L4 TCPService and L7 HTTPServices represent.

Signed-off-by: Dave Cheney <dave@cheney.net>
@davecheney davecheney mentioned this issue Nov 1, 2018
Merged
@rosskukulinski
Copy link
Contributor

I think for 0.8 it's safe to focus on the TLS TCP user-case, but I agree with @alexbrand and @mauilion that we should work out the port-based proxying user-cases for future releases.

davecheney added a commit to davecheney/contour that referenced this issue Nov 15, 2018
@davecheney
internal/contour: add support for TCP Forwarding
10bf397 
Updates projectcontour#787

This PR adds preliminary support for forwarding TLS encapsulated TCP
sessions.

This is supported only on ingressroute objects with a new spec.forward
key. The presence of spec.forward causes contour to ignore the contents
of spec.routes, although spec.routes must be present to pass validation.

spec.forward permits multiple services, although currently only one is
used.

Signed-off-by: Dave Cheney <dave@cheney.net>
@davecheney davecheney mentioned this issue Nov 15, 2018
Merged
davecheney added a commit to davecheney/contour that referenced this issue Nov 15, 2018
@davecheney
internal/contour: add support for TCP Forwarding
64b846f 
Updates projectcontour#787

This PR adds preliminary support for forwarding TLS encapsulated TCP
sessions.

This is supported only on ingressroute objects with a new spec.forward
key. The presence of spec.forward causes contour to ignore the contents
of spec.routes, although spec.routes must be present to pass validation.

spec.forward permits multiple services, although currently only one is
used.

Signed-off-by: Dave Cheney <dave@cheney.net>
davecheney added a commit to davecheney/contour that referenced this issue Nov 15, 2018
@davecheney
internal/contour: refactor visitors
02247dc 
Updates projectcontour#787

While adding TCPForwarding to internal/contour I noticed the way the
vistors worked was very fragile. ListenerVisitor in particular expected
to be called with a visitor which delegated to a
VirtualHost/SecureVirtualHost. This PR fixes this and refactors the
visitors in general to be more robust.

Signed-off-by: Dave Cheney <dave@cheney.net>
@davecheney davecheney mentioned this issue Nov 15, 2018
Merged
davecheney added a commit to davecheney/contour that referenced this issue Nov 15, 2018
@davecheney
internal/contour: refactor visitors
9849f9a 
Updates projectcontour#787

While adding TCPForwarding to internal/contour I noticed the way the
vistors worked was very fragile. ListenerVisitor in particular expected
to be called with a visitor which delegated to a
VirtualHost/SecureVirtualHost. This PR fixes this and refactors the
visitors in general to be more robust.

Signed-off-by: Dave Cheney <dave@cheney.net>
davecheney added a commit to davecheney/contour that referenced this issue Nov 15, 2018
@davecheney
internal/contour: add support for TCP Forwarding
b6e8a9a 
Updates projectcontour#787

This PR adds preliminary support for forwarding TLS encapsulated TCP
sessions.

This is supported only on ingressroute objects with a new spec.forward
key. The presence of spec.forward causes contour to ignore the contents
of spec.routes, although spec.routes must be present to pass validation.

spec.forward permits multiple services, although currently only one is
used.

Signed-off-by: Dave Cheney <dave@cheney.net>
davecheney added a commit to davecheney/contour that referenced this issue Nov 16, 2018
@davecheney
internal/envoy: add support for multiple TCPProxy.Services
ee54ba1 
Update projectcontour#787

Support multiple tcpproxy services. We reuse the ingressroute Service
definition so weighting and default weighting is supported.

Signed-off-by: Dave Cheney <dave@cheney.net>
@davecheney davecheney mentioned this issue Nov 16, 2018
Merged
davecheney added a commit to davecheney/contour that referenced this issue Nov 18, 2018
@davecheney
internal/envoy: add support for multiple TCPProxy.Services
9a49b01 
Update projectcontour#787

Support multiple tcpproxy services. We reuse the ingressroute Service
definition so weighting and default weighting is supported.

Signed-off-by: Dave Cheney <dave@cheney.net>
@davecheney davecheney modified the milestones: 0.8.0, 0.8.1 Nov 19, 2018
@davecheney davecheney reopened this Nov 19, 2018
@davecheney davecheney removed this from the 0.8.1 milestone Dec 10, 2018
@davecheney davecheney added this to the 0.9.0 milestone Dec 10, 2018
@davecheney davecheney mentioned this issue Dec 19, 2018
Closed
@glerchundi glerchundi mentioned this issue Dec 21, 2018
Closed
@joshrosso
Copy link
Contributor

joshrosso commented Jan 8, 2019
edited

Is this feature available in 0.8+ via #810?

I see it's been target for 0.9.

@davecheney
Copy link
Contributor Author

@joshrosso part of this feature is available in 0.8, please see the release notes -- there are a bunch of limitations. This ticket will stay open until those limitations are addressed.

The hope is to deliver more TCP proxying functionality in the 0.9 milestone.

@davecheney davecheney modified the milestones: 0.9.0, 0.10.0 Jan 9, 2019
@davecheney
Copy link
Contributor Author

I'm going to mark this as closed for the moment. Additional enhancements on this feature should have their own issue number.

@davecheney davecheney modified the milestones: 0.10.0, 0.9.0 Jan 28, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@davecheney davecheney

Labels
Epic kind/feature Categorizes issue or PR as related to a new feature. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release.
Projects
None yet
Milestone
0.9.0
Development

No branches or pull requests
5 participants
@davecheney @alexbrand @mauilion @rosskukulinski @joshrosso