tcpproxy: add tls passthrough #850
824facf to c2a985d
Allow an IngressRoute for TCP forwarding but without a `tls` section which implicitly configures it as a TLS Passthrough. TLS Passthrough only reads the very first TLS packets and routes the traffic without doing any kind of TLS termination. The chosen `virtualhost` is discovered by reading the TLS SNI (Server Name Indication) extension.

Closes projectcontour#15

Signed-off-by: Gorka Lerchundi Osa <glertxundi@gmail.com>
c2a985d to a6996bb
PTAL @davecheney, we tested it in our environment and it works. Kudos to @igarciaolaizola for doing most of the hard work by testing it empirically and fixing a subtle bug that prevented this from working before. 👏

@glerchundi thank you very much for working on this. I really appreciate you taking the lead and pushing for this change. We (waves at heptio in general) are at an all hands this week, but I will try to find the time to review and merge this and your related PRs.

No hurry at all, take your time, as we're not blocked by this. Thanks!
Updates projectcontour#850

TCP proxying requires one of a `tls.secretName` or `tls.passthrough` to be present. The `tls.passthrough` option has no effect if `spec.tcpproxy` is empty.
Updates projectcontour#850

TCP proxying requires one of a `tls.secretName` or `tls.passthrough` to be present. The `tls.passthrough` option has no effect if `spec.tcpproxy` is empty.

Signed-off-by: Dave Cheney <dave@cheney.net>
Allow an IngressRoute for TCP forwarding but without a `tls` section which implicitly configures it as a TLS Passthrough. TLS Passthrough only reads the very first TLS packets and routes the traffic without doing any kind of TLS termination. The chosen `virtualhost` is discovered by reading the TLS SNI (Server Name Indication) extension.

Closes #15

Signed-off-by: Gorka Lerchundi Osa <glertxundi@gmail.com>
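
To make concrete what "only reads the very first TLS packets" means, here is an added example, not code from this PR or from Contour, that extracts the SNI host name from a raw ClientHello without terminating or decrypting anything. The names `take`, `SNI` and `sampleHello` and the host `db.example.com` are hypothetical, and the sketch assumes the whole ClientHello arrives in a single TLS record.

```go
package main

import "fmt"

// take skips `skip` bytes, reads a big-endian length of `prefix` bytes, and splits off that field.
func take(b []byte, skip, prefix int) (field, rest []byte, ok bool) {
	n := 0
	for i := skip; i < skip+prefix && i < len(b); i++ {
		n = n<<8 | int(b[i])
	}
	if len(b) < skip+prefix+n { // truncated or lying length: refuse instead of over-reading
		return nil, nil, false
	}
	return b[skip+prefix : skip+prefix+n], b[skip+prefix+n:], true
}

// SNI returns the host name a client asks for in its first TLS record; the payload stays encrypted.
// A failed take yields nil, and every later take on nil fails too, so errors propagate to the end.
func SNI(rec []byte) (string, bool) {
	hs, _, ok := take(rec, 3, 2) // record header: type, version, length
	if !ok || rec[0] != 0x16 || len(hs) == 0 || hs[0] != 0x01 {
		return "", false // not a handshake record carrying a ClientHello
	}
	body, _, _ := take(hs, 1, 3)    // handshake header: type, 24-bit length
	_, rest, _ := take(body, 34, 1) // skip version + random, then session id
	_, rest, _ = take(rest, 0, 2)   // cipher suites
	_, rest, _ = take(rest, 0, 1)   // compression methods
	exts, _, _ := take(rest, 0, 2)
	for len(exts) >= 4 {
		data, next, _ := take(exts, 2, 2)
		if exts[0] == 0 && exts[1] == 0 { // extension type 0 = server_name
			list, _, _ := take(data, 0, 2)
			if name, _, ok := take(list, 1, 2); ok && list[0] == 0 && len(name) > 0 {
				return string(name), true // name_type 0 = host_name
			}
		}
		exts = next
	}
	return "", false
}

// sampleHello builds a constructed, minimal ClientHello whose only extension is SNI for host.
func sampleHello(host string) []byte {
	l16 := func(b []byte) []byte { return append([]byte{byte(len(b) >> 8), byte(len(b))}, b...) }
	ext := append([]byte{0, 0}, l16(l16(append([]byte{0}, l16([]byte(host))...)))...)
	body := append(append(make([]byte, 34), 0, 0, 2, 0x13, 0x01, 1, 0), l16(ext)...)
	return append([]byte{0x16, 3, 1}, l16(append([]byte{1, 0}, l16(body)...))...)
}

func main() { fmt.Println(SNI(sampleHello("db.example.com"))) }
```

The SNI value is sent in cleartext and chosen by the client, so a passthrough route can use it to pick a backend but cannot treat it as authenticated.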