tcpproxy: add tls passthrough #850
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
glerchundi
force-pushed
the
feature/tcpproxy-without-tls
branch
from
824facf
to
c2a985d
Compare
Allow an IngressRoute for TCP forwarding but without a `tls` section which implicitly configures it as a TLS Passthrough. TLS Passthrough only reads the very first TLS packets and routes the traffic without doing any kind of TLS termination. The chosen `virtualhost` is discovered by reading the TLS SNI (Server Name Indication) extension. Closes projectcontour#15 Signed-off-by: Gorka Lerchundi Osa <glertxundi@gmail.com>
glerchundi
force-pushed
the
feature/tcpproxy-without-tls
branch
from
c2a985d
to
a6996bb
Compare
|
PTAL @davecheney we tested it in our environment and it works Kudos to @igarciaolaizola for making most of the hard work by testing it empirically and fixing a subtle bug that prevented this from working before. 👏 |
|
@glerchundi thank you very much for working on this. I really appreciate you taking the lead and pushing for this change. We (waves at heptio in general) are at an all hands this week, but I will try to find the time to review and merge this and your related PRs |
|
No hurries at all take your time as we're not blocked by this. Thanks! |
davecheney
added a commit
to davecheney/contour
that referenced
this pull request
Jan 25, 2019
Updates projectcontour#850 TCP proxying requires one of a `tls.secretName` or `tls.passthrough` to be present. The `tls.passthrough` option has no effect if `spec.tcpproxy` is empty.
davecheney
added a commit
to davecheney/contour
that referenced
this pull request
Jan 25, 2019
Updates projectcontour#850 TCP proxying requires one of a `tls.secretName` or `tls.passthrough` to be present. The `tls.passthrough` option has no effect if `spec.tcpproxy` is empty. Signed-off-by: Dave Cheney <dave@cheney.net>
davecheney
added a commit
to davecheney/contour
that referenced
this pull request
Jan 25, 2019
Updates projectcontour#850 TCP proxying requires one of a `tls.secretName` or `tls.passthrough` to be present. The `tls.passthrough` option has no effect if `spec.tcpproxy` is empty. Signed-off-by: Dave Cheney <dave@cheney.net>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Allow an IngressRoute for TCP forwarding but without a
tlssectionwhich implicitly configures it as a TLS Passthrough. TLS Passthrough
only reads the very first TLS packets and routes the traffic without
doing any kind of TLS termination. The chosen
virtualhostisdiscovered by reading the TLS SNI (Server Name Indication) extension.
Closes #15
Signed-off-by: Gorka Lerchundi Osa glertxundi@gmail.com