Gateway API: support TLS termination with TLSRoute/TCPRoute #5481
internal/xdscache/v3/listener.go
tcpProxyFilter := envoy_v3.TCPProxy(listener.Name, listener.TCPProxy, cfg.newInsecureAccessLog())
This ends up duplicating some of the code from the existing SecureVirtualHost + TCPProxy code path. It might be possible to change the implementation for TCPRoutes to just configure a SecureVirtualHost of * along with a Secret/TCPProxy attached there, instead of using the Listener-level TCPProxy that I added to the DAG with the TCPRoute PR. Will look into it some, but at least what's here now works.
OK, made this change in 5088897
Codecov Report

Coverage Diff (main vs #5481):

| | main | #5481 | +/- |
|---|---|---|---|
| Coverage | 78.52% | 78.55% | +0.02% |
| Files | 138 | 138 | |
| Lines | 19018 | 19027 | +9 |
| Hits | 14934 | 14946 | +12 |
| Misses | 3801 | 3799 | -2 |
| Partials | 283 | 282 | -1 |
Branch force-pushed: 7e8ba6f to fadbf59
Branch force-pushed: a058a75 to acb3cff
The Contour project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to the #contour channel in the Kubernetes Slack
I would love to get this into the upcoming release, but unfortunately there hasn't been a clear consensus on the upstream issue. We could merge it anyway, assuming that the upstream spec will eventually allow this (or at least not disallow it), but that does create a risk that we'd have to make a breaking behavior change in the future if something unexpected changes. @sunjayBhatia WDYT?
Adds support for TLS termination with the TLS listener protocol. Envoy is configured to terminate TLS and then to proxy TCP traffic to the backend. Signed-off-by: Steve Kriss <krisss@vmware.com>
Code might be simpler if we add a secure vhost of "*" and use the existing TCPProxy code flow from there, I think it should already work. Signed-off-by: Steve Kriss <krisss@vmware.com>
Signed-off-by: Steve Kriss <krisss@vmware.com>
Signed-off-by: Steve Kriss <krisss@vmware.com>
Branch force-pushed: acb3cff to fea4b08
Just pinged that issue to hopefully get it triaged. It is a little funny, since the Gateway fields are v1beta1 and core but the route resources are v1alpha2, so how does the API versioning guarantee work, since TLSRoute etc. is still in alpha? I think it'll be ok in the slim chance behavior has to change. We can push to get conformance etc. codified if we do merge this, so it's less likely to change out from under us.
Ah that's a great point, kinda forgot that these are still alpha resources 😁
LGTM! e2e tests can come in the form of conformance tests once the upstream issue for this specification is triaged etc.
Adds support for TLS termination with the TLS
listener protocol. Envoy is configured to terminate
TLS and then to proxy TCP traffic to the backend.
This configuration is compatible with both TLSRoute
and TCPRoute.
Closes #5461.
Leaving as a draft for now until there's a clear consensus on the upstream issue (kubernetes-sigs/gateway-api#2111) around TLS termination with TLSRoute.
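As an added illustration of the configuration this PR enables (this is not part of the PR, and not Contour's own code or documentation): a Gateway with a TLS listener in Terminate mode, backed by a kubernetes.io/tls Secret, and a TLSRoute attached to it, with the equivalent TCPRoute shown as the alternative. Namespaces, names, ports, the hostname and the GatewayClass name are assumptions; the Secret contents are placeholders.

```yaml
# Added example, not Contour's own manifests. Names, namespaces, ports and the
# GatewayClass name are assumed; the Secret data below is a placeholder.
apiVersion: v1
kind: Secret
metadata:
  name: db-tls-cert
  namespace: projectcontour
type: kubernetes.io/tls
data:
  tls.crt: ""   # placeholder: base64-encoded PEM certificate chain
  tls.key: ""   # placeholder: base64-encoded PEM private key
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: contour
  namespace: projectcontour
spec:
  gatewayClassName: contour            # assumed GatewayClass name
  listeners:
  - name: db-tls
    protocol: TLS
    port: 5000
    hostname: db.example.com           # SNI the listener answers for (assumed)
    tls:
      # Terminate: Envoy holds the key, decrypts the client connection and
      # forwards plaintext TCP to the backend. The alternative, Passthrough,
      # needs no certificateRefs: Envoy only reads the SNI and forwards the
      # still-encrypted bytes, so the backend must terminate TLS itself.
      mode: Terminate
      certificateRefs:
      - kind: Secret
        name: db-tls-cert              # same namespace as the Gateway; a
                                       # cross-namespace ref needs a ReferenceGrant
    allowedRoutes:
      namespaces:
        from: All
      kinds:
      - kind: TLSRoute
      - kind: TCPRoute
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
  name: db
  namespace: default
spec:
  parentRefs:
  - name: contour
    namespace: projectcontour
    sectionName: db-tls                # bind to the Terminate listener above
  hostnames:
  - db.example.com                     # must intersect the listener hostname
  rules:
  - backendRefs:
    - name: db                         # assumed plaintext backend Service
      port: 5432
---
# Alternative to the TLSRoute above (attach one or the other, not both):
# a TCPRoute carries no hostnames and otherwise binds the same way.
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TCPRoute
metadata:
  name: db-tcp
  namespace: default
spec:
  parentRefs:
  - name: contour
    namespace: projectcontour
    sectionName: db-tls
  rules:
  - backendRefs:
    - name: db
      port: 5432
```

Once applied, a client that opens a TLS connection to the Gateway address on port 5000 with SNI db.example.com (for example `openssl s_client -connect <gateway-ip>:5000 -servername db.example.com`) should be presented with the certificate from db-tls-cert, and the backend Service should receive plaintext TCP. As the thread notes, the TLSRoute-with-Terminate combination is the one whose status in the upstream spec (kubernetes-sigs/gateway-api#2111) was still unresolved when this PR was open, so treat that pairing as the part most likely to change.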