Support for multiple TLS certificates for a single host
Description: LB vendors provide the ability to configure multiple certificates for a single FQDN. The use case is to have multiple certificates with different signing algorithms (RSA and/or ECC). The server, based on the client's SSL capabilities, decides to send the relevant certificate, preferably an ECC-signed cert (if configured). So customers might want to configure two certificates for a single host, one for each algorithm (RSA / ECC).
Relevant Links:
- https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate
- https://www.ibm.com/docs/en/i/7.2?topic=ssl-multiple-certificate-selection
- https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#certificate-selection
Came across this, so probably EG needs to not have this limitation (and additionally some other checks and configs?): https://github.com/envoyproxy/gateway/blob/main/internal/gatewayapi/translator.go#L321
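For reference, this is what the requested configuration looks like in Gateway API terms: an HTTPS listener for one hostname whose `certificateRefs` points at two `kubernetes.io/tls` Secrets, one RSA-signed and one ECDSA-signed. This is an added illustration, not a manifest from the issue or from the Envoy Gateway project; the Secret/Gateway names, namespace and hostname are assumed, the key and certificate data are placeholders, and, as the thread notes, the spec leaves the handling of multiple references implementation-specific.

```yaml
# Added example (not from the issue): two TLS Secrets for the same hostname,
# differing only in signing algorithm, referenced from a single listener.
# Names, namespace and hostname are assumed; data values are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: www-example-rsa
  namespace: default
type: kubernetes.io/tls
data:
  tls.crt: <BASE64_RSA_CERT_PLACEHOLDER>
  tls.key: <BASE64_RSA_KEY_PLACEHOLDER>
---
apiVersion: v1
kind: Secret
metadata:
  name: www-example-ecdsa
  namespace: default
type: kubernetes.io/tls
data:
  tls.crt: <BASE64_ECDSA_CERT_PLACEHOLDER>
  tls.key: <BASE64_ECDSA_KEY_PLACEHOLDER>
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: eg
  namespace: default
spec:
  gatewayClassName: eg
  listeners:
  - name: https
    protocol: HTTPS
    port: 443
    hostname: www.example.com
    tls:
      mode: Terminate
      # Both Secrets carry a certificate for www.example.com. The request in
      # this issue is for the data plane to choose between them per ClientHello
      # (ECDSA when the client supports it, RSA otherwise). Whether the list
      # order is honoured as a preference is implementation-specific.
      certificateRefs:
      - kind: Secret
        name: www-example-ecdsa
      - kind: Secret
        name: www-example-rsa
```

Each Secret must hold a certificate whose key type matches its key, and both must be valid for the listener hostname, otherwise a client that negotiates one algorithm may be handed a certificate that fails name or key validation.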
The Gateway API spec definitely allows this as an implementation-specific behavior (see certificateRefs under https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.GatewayTLSConfig), so no reason we can't add this to EG. The initial implementation has just been focused on Gateway API's core conformance features, which in this case is 1 TLS cert.
@chauhanshubham since the focus of v0.2.0 is Gateway API conformance, I have tagged this issue as Backlog.
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.
I can take this up cc: @arkodg