-
Notifications
You must be signed in to change notification settings - Fork 666
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Feature] TLS TCP session proxying #787
Comments
I think one potential value-add over traditional service load balancers is traffic consolidation. For example, in the case that I have N services that I want to load balance, I can send traffic through my ingress tier instead of having (and paying for) N cloud load balancers. |
@alexbrand but these N services would have to be presented externally on N ports. Without the SNI handshake we cannot tell which backend service the traffic is for so we'd have to forward then entire port carte blanche. This means contour would need to open a new incoming port on its service type:loadBalancer to route that traffic. |
You could map all the rest of the port range for that ip to internal services |
We should talk through a couple of use cases I've seen. |
Updates projectcontour#787 This PR rearranges and renames dag.ServiceVector, dag.Service, and dag.HTTPService. By recognising that dag.HTTPService represents a L7 service on top of a L4 dag.TCPService we free up dag.Service as a descriptive name for an interface which both L4 TCPService and L7 HTTPServices represent. Signed-off-by: Dave Cheney <dave@cheney.net>
I think for 0.8 it's safe to focus on the TLS TCP user-case, but I agree with @alexbrand and @mauilion that we should work out the port-based proxying user-cases for future releases. |
Updates projectcontour#787 This PR adds preliminary support for forwarding TLS encapsulated TCP sessions. This is supported only on ingressroute objects with a new spec.forward key. The presence of spec.forward causes contour to ignore the contents of spec.routes, although spec.routes must be present to pass validation. spec.forward permits multiple services, although currently only one is used. Signed-off-by: Dave Cheney <dave@cheney.net>
Updates projectcontour#787 This PR adds preliminary support for forwarding TLS encapsulated TCP sessions. This is supported only on ingressroute objects with a new spec.forward key. The presence of spec.forward causes contour to ignore the contents of spec.routes, although spec.routes must be present to pass validation. spec.forward permits multiple services, although currently only one is used. Signed-off-by: Dave Cheney <dave@cheney.net>
Updates projectcontour#787 While adding TCPForwarding to internal/contour I noticed the way the vistors worked was very fragile. ListenerVisitor in particular expected to be called with a visitor which delegated to a VirtualHost/SecureVirtualHost. This PR fixes this and refactors the visitors in general to be more robust. Signed-off-by: Dave Cheney <dave@cheney.net>
Updates projectcontour#787 While adding TCPForwarding to internal/contour I noticed the way the vistors worked was very fragile. ListenerVisitor in particular expected to be called with a visitor which delegated to a VirtualHost/SecureVirtualHost. This PR fixes this and refactors the visitors in general to be more robust. Signed-off-by: Dave Cheney <dave@cheney.net>
Updates projectcontour#787 This PR adds preliminary support for forwarding TLS encapsulated TCP sessions. This is supported only on ingressroute objects with a new spec.forward key. The presence of spec.forward causes contour to ignore the contents of spec.routes, although spec.routes must be present to pass validation. spec.forward permits multiple services, although currently only one is used. Signed-off-by: Dave Cheney <dave@cheney.net>
Update projectcontour#787 Support multiple tcpproxy services. We reuse the ingressroute Service definition so weighting and default weighting is supported. Signed-off-by: Dave Cheney <dave@cheney.net>
Update projectcontour#787 Support multiple tcpproxy services. We reuse the ingressroute Service definition so weighting and default weighting is supported. Signed-off-by: Dave Cheney <dave@cheney.net>
Is this feature available in I see it's been target for |
@joshrosso part of this feature is available in 0.8, please see the release notes -- there are a bunch of limitations. This ticket will stay open until those limitations are addressed. The hope is to deliver more TCP proxying functionality in the 0.9 milestone. |
I'm going to mark this as closed for the moment. Additional enhancements on this feature should have their own issue number. |
This is a high level ticket to track the addition of TLS forwarding to Contour 0.8.
What is being added?
Support for handling TLS encrypted TCP sessions is planned for Contour 0.8. This will terminate the TLS connection at the Envoy edge and forward the decrypted TCP flow to a backend pod making up a service. [Note: this is my best understanding of the way Envoy 1.7.0 works, this may change].
How is it being added?
The DAG is being extended to differentiate between
dag.HTTPService
objects (#786), anddag.TCPService
objects (#785). Once this is complete it will be possible to model the required configuration Envoy requires.On the frontend the
ingressroute.spec
stanza will be extended with a newforward
key. Something likeservices
is a list ofService
objects, similar tospec.routes.services
. There may be many entries in theservices
list, but only oneservices
key may be present.name
is the name of a service in this Ingressroute's namespace.port
is the port on the Service object. This port is expecting NON TLS traffic. TLS demux is handled at the Envoy layer.weight
, weighting is supported with the same logic asspec.route.services
.strategy
, load balancing strategies are supported per backend service.Only one of
virtualhost
orforward
keys may be present.forward
is ignored ifspec.virtualhost.tls
is missing.Out of scope
The text was updated successfully, but these errors were encountered: