
Dual ingress sidecar TLS/istio mTLS termination on the same port

Open wtzhang23 opened this issue 1 year ago • 5 comments

Describe the feature request

  • Currently, when supporting internal traffic using Istio mTLS and external traffic using simple or mutual TLS, two ports must be defined and a PeerAuthentication config disabling Istio mTLS on the external TLS port must be defined (see ingress sidecar termination example). I would like to have the ability to configure the same port to serve both kinds of traffic.
  • In the original RFC, supporting the same port was not considered due to it being unclear how to distinguish Istio mTLS from external TLS. However, since Istio mTLS uses magic ALPN protocols, I suggest we distinguish them using ALPN listener matches.
  • I propose either defining a boolean variable in the Sidecar resource (e.g. hybridPort: true) to distinguish this from existing use cases, or merging IstioIngressListener configurations if it is determined that there is no conflict between two that share the same port.
  • Alternatively, we can handle this if the AuthorizationPolicy is permissive.
  • Would also need to distinguish the protocol after termination.

Describe alternatives you've considered

  • Rewrite services that send traffic to the external TLS port to send traffic to the internal Istio mTLS port

Affected product area (please put an X in all that apply)

[ ] Ambient [ ] Docs [ ] Dual Stack [ ] Installation [x] Networking [ ] Performance and Scalability [ ] Extensions and Telemetry [ ] Security [ ] Test and Release [ ] User Experience [ ] Developer Infrastructure

Affected features (please put an X in all that apply)

[ ] Multi Cluster [ ] Virtual Machine [ ] Multi Control Plane

wtzhang23 avatar Jun 27 '24 15:06 wtzhang23
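Added example (not code from this issue or from Istio): the ALPN-based distinction proposed in the first comment, shown as a small parser that pulls the ALPN list out of a TLS ClientHello and classifies the connection the way an ALPN filter-chain match would. The ClientHello bytes are constructed test input, and the "istio" ALPN token prefix is assumed from Istio's known in-mesh ALPN values.

```python
import struct

ISTIO_ALPN_MARKER = b"istio"  # assumed: Istio's in-mesh ALPN values all start with this token
ALPN_EXT_TYPE = 16            # RFC 7301 application_layer_protocol_negotiation

def build_client_hello(alpn: list[bytes], sni: bytes = b"svc.example") -> bytes:
    """Constructed test input: minimal TLS 1.2 ClientHello record with SNI + ALPN extensions."""
    host = struct.pack("!BH", 0, len(sni)) + sni  # server_name entry, name_type=host_name
    protos = b"".join(struct.pack("!B", len(p)) + p for p in alpn)
    alpn_ext = struct.pack("!HHH", ALPN_EXT_TYPE, len(protos) + 2, len(protos)) + protos
    exts = struct.pack("!HHH", 0, len(host) + 2, len(host)) + host + alpn_ext
    body = (b"\x03\x03" + bytes(32)          # client_version + random
            + b"\x00"                        # empty session_id
            + b"\x00\x02\x13\x01"            # one cipher suite
            + b"\x01\x00"                    # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_alpn(record: bytes) -> list[bytes]:
    """Return the ALPN protocol list advertised in a ClientHello record ([] if none)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    p = 9 + 2 + 32                                      # record + handshake headers, version, random
    p += 1 + record[p]                                  # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]    # cipher_suites
    p += 1 + record[p]                                  # compression_methods
    if p >= len(record):
        return []                                       # hello carries no extensions block
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == ALPN_EXT_TYPE:
            q, names = p + 2, []                        # skip protocol_name_list length
            while q < p + elen:
                n = record[q]
                names.append(record[q + 1:q + 1 + n])
                q += 1 + n
            return names
        p += elen                                       # skip unrelated extensions such as SNI
    return []

def classify_hello(record: bytes) -> str:
    # ALPN only selects the filter chain; the Istio mTLS chain still verifies the client cert.
    alpn = parse_alpn(record)
    if any(a == ISTIO_ALPN_MARKER or a.startswith(ISTIO_ALPN_MARKER + b"-") for a in alpn):
        return "istio-mtls"
    return "external-tls"
```

The classification is only a chain selector: a client can put any token in ALPN, so the mesh-side chain still has to complete the mTLS handshake against the mesh CA before the connection is trusted.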

Re-reading the RFC, it looks viable to terminate TLS/mTLS.

Would also need to distinguish the protocol after termination

Can you elaborate more on this?

hzxuzhonghu avatar Jun 28 '24 07:06 hzxuzhonghu

Currently, reading the code, the sidecar ingress listener builder, although it advertises HTTP/1 + H2 through ALPN, does not have a way to select which to forward to the service in the inbound cluster it builds, since it requires the sidecar port protocol to be HTTPS. I'd like to be able to explicitly set it. One option is to allow the sidecar port to set the protocol as HTTP2 or GRPC rather than just HTTPS (the validation webhook rejects that). Another option is to add another field.

This probably should be a separate issue.

wtzhang23 avatar Jun 28 '24 12:06 wtzhang23

Think I can give a PR a shot?

wtzhang23 avatar Jun 30 '24 17:06 wtzhang23

Maybe a proposal first

hzxuzhonghu avatar Jul 01 '24 02:07 hzxuzhonghu

Sorry; created a rough draft of an RFC here. Will spend some time polishing and adding figures.

wtzhang23 avatar Jul 01 '24 03:07 wtzhang23

Just found this issue which discusses exactly this problem.

wtzhang23 avatar Jul 01 '24 06:07 wtzhang23

If that one completely meets your need, we can open that.

hzxuzhonghu avatar Jul 01 '24 09:07 hzxuzhonghu

I think although the issue discusses this problem in depth, the scope of that issue given the description in the first comment is broader than this issue. As such, I think it might be better to keep things in this issue? Also, I think the bulk of the RFC is done.

wtzhang23 avatar Jul 01 '24 13:07 wtzhang23

Going to experiment and play around with supporting this. Progress tracking in the above draft PR.

wtzhang23 avatar Oct 08 '24 03:10 wtzhang23

🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2024-07-01. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions.

Created by the issue and PR lifecycle manager.

istio-policy-bot avatar Jan 13 '25 05:01 istio-policy-bot