apisix-ingress-controller

feat: Support SNI based TLS Route

Open tokers opened this issue 3 years ago • 15 comments

Now that Apache APISIX supports matching the stream route with TLS SNI (https://github.com/apache/apisix/pull/4433), we can implement it in ApisixRoute.

tokers avatar Jun 17 '21 01:06 tokers

LGTM

tao12345666333 avatar Mar 23 '22 05:03 tao12345666333

Any ETA for this? At the moment we have to manually call the API and set SNI for stream routes to support TLS. It would be nice to use the ApisixRoute CRD without having to manually update the streamroute with SNI afterwards.

svendberg avatar May 09 '22 18:05 svendberg

It will be added in the next version v1.5 at the earliest, and v1.6 at the latest.

tao12345666333 avatar May 10 '22 01:05 tao12345666333

@svendberg Is this feature of APISIX currently used in your production environment?

tao12345666333 avatar May 10 '22 01:05 tao12345666333

We use it in production to expose MQTT endpoints (TCP) with TLS for a multi-tenant solution. Right now, we use an ApisixRoute to create the upstream and a "dummy" stream_route in Apisix. Then we use the Apisix API to create a new stream_route with an SNI defined, reusing the upstream created by ApisixRoute.

svendberg avatar May 10 '22 06:05 svendberg

I'd like to work on this issue.

mangoGoForward avatar May 13 '22 08:05 mangoGoForward

Thanks @mangoGoForward. Assigned.

tao12345666333 avatar May 14 '22 05:05 tao12345666333

Hi @tao12345666333. On the implementation, I want to confirm a few things:

  1. We should add sni in types. https://github.com/apache/apisix-ingress-controller/blob/3cccd5666e098f374c262eb443de194d69d6a55e/pkg/types/apisix/v1/types.go#L331-L339
  2. When ApisixRoute is translated to StreamRoute, should we add sni to the StreamRoute instance? https://github.com/apache/apisix-ingress-controller/blob/3cccd5666e098f374c262eb443de194d69d6a55e/pkg/kube/translation/apisix_route.go#L732 then create or update it. But I am confused about which field in ApisixRoute we can use.

mangoGoForward avatar May 18 '22 08:05 mangoGoForward

@mangoGoForward What about just using Host or SNI?

tokers avatar May 18 '22 09:05 tokers

I prefer Host

tao12345666333 avatar May 18 '22 09:05 tao12345666333

> I prefer Host

But it seems ApisixRouteSpec.Stream doesn't have this property? If I missed the meaning, please correct me, thanks.

mangoGoForward avatar May 20 '22 01:05 mangoGoForward

@mangoGoForward Sorry for the delay.

> But it seems ApisixRouteSpec.Stream doesn't have this property?

Yes, since it's a new feature, we can add it.

tao12345666333 avatar May 24 '22 14:05 tao12345666333

> > I prefer Host
>
> But it seems ApisixRouteSpec.Stream doesn't have this property? If I missed the meaning, please correct me, thanks.

Yeah, that's the point that we need to implement it :).

tokers avatar May 25 '22 01:05 tokers

I have committed a PR, #1051. If you have free time, please have a review~

mangoGoForward avatar May 27 '22 09:05 mangoGoForward

Thanks

tao12345666333 avatar May 27 '22 09:05 tao12345666333

@svendberg #1051 has been merged. Thanks @mangoGoForward

This feature will be released in v1.6.

tao12345666333 avatar Nov 04 '22 09:11 tao12345666333