auto-generate SSL config #1190

Closed
rickducott opened this issue Sep 13, 2019 · 4 comments
Labels
Size: S 1 - 3 days Type: Enhancement New feature or request

rickducott commented Sep 13, 2019

If I am deploying a service that uses TLS, an upstream automatically gets generated for that service but the upstream doesn't have ssl configured and I have to edit the resource to enable encryption. Is there an annotation or something I can add to the service so that the ssl config is added automatically?

EDIT: this request came in from a user.

@ilackarms
Member

as an alternative to putting annotations inside the kube service, i would propose creating an UpstreamProfile CRD which essentially contains the whole UpstreamSpec minus the UpstreamType field. instead, it can point to a kube service, and we can attach it to the generated upstream

@yuval-k
Member

yuval-k commented Sep 26, 2019

not sure what's the advantage of UpstreamProfile over just an Upstream, as it is something that needs to be created in addition to the service either way. i.e. what's the advantage of this approach over disabling discovery and creating upstreams manually?

@rickducott
Author

Agreed, not seeing the logic of UpstreamProfile for this particular issue. The original request for an annotation seems (a) to be easier to write than an upstream, and (b) to mean the SSL config won't be lost if the upstream is accidentally deleted.

I should note that even though I'm the author of this issue, the request came in from a user.

rickducott added the labels Area: discovery, Size: S 1 - 3 days, Type: Enhancement (New feature or request) on Sep 26, 2019
@mitchdraft
Contributor

The UpstreamProfile concept seems well aligned with the offerings of our discovery service. It could allow users to specify a single value that would be used on all "n" upstreams. This seems better than telling them to disable discovery entirely. To generalize, we might call it DiscoveryHook with one type being custom ssl configs that are applied when a service matches a given selector. Another hook could be a selector that tells discovery not to create an upstream from the matching services.

Annotations are appealing for their simplicity: localizing the effect, and reducing the number of APIs involved in specifying the behavior. It would be nice to offer something like this if we expect users to want this behavior on a small number of services.

Having both would be nice: allow simple specs through annotations, provide more advanced features in a dedicated CRD. Each "user interface" would use the same underlying logic. We could begin with whichever is quickest to implement.
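
An added illustration of the design discussed in this thread, not code from the project or from any commenter: a service annotation and a selector-based hook resolved by the same logic when discovery generates upstreams. The annotation key, the `Service`/`Hook`/`Upstream` types and the precedence order are assumptions made for this example.

```go
package main

import "fmt"

const sslAnnotation = "example.invalid/upstream-ssl-secret" // hypothetical key, not a Gloo API

type Service struct {
	Name                string
	Labels, Annotations map[string]string
}
type Upstream struct{ Name, SSLSecret string } // empty SSLSecret = plaintext
// Hook models the proposed DiscoveryHook (hypothetical type).
type Hook struct {
	Selector  map[string]string
	SSLSecret string // TLS secret reference for the generated upstream
	Skip      bool   // tell discovery not to create an upstream
}

func matches(sel, labels map[string]string) bool {
	for k, v := range sel {
		if got, ok := labels[k]; !ok || got != v {
			return false
		}
	}
	return true // an empty selector matches every service
}

// Discover: assumed precedence is Skip hook, then annotation, then first hook.
func Discover(svcs []Service, hooks []Hook) (ups []Upstream) {
next:
	for _, s := range svcs {
		up := Upstream{s.Name, s.Annotations[sslAnnotation]}
		for _, h := range hooks {
			switch m := matches(h.Selector, s.Labels); {
			case m && h.Skip:
				continue next
			case m && up.SSLSecret == "":
				up.SSLSecret = h.SSLSecret
			}
		}
		ups = append(ups, up)
	}
	return ups
}

func main() {
	on := map[string]string{"tls": "on"} // constructed sample input
	svcs := []Service{{Name: "pay", Labels: on}, {Name: "web"}}
	fmt.Println(Discover(svcs, []Hook{{Selector: on, SSLSecret: "pay-ca"}}))
}
```

Any upstream returned with an empty `SSLSecret` is one that would still be reached without TLS, so the result doubles as a list to review.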
