
Configure Mutual TLS Termination in a Gateway

Open frankbu opened this issue 2 years ago • 6 comments

What would you like to be added:

GatewayTLSConfig should support 3 variants of Terminate mode:

  1. Simple TLS
  2. Mutual (mTLS)
  3. Mesh (Terminate mTLS managed by a mesh) - GAMMA only

Why this is needed:

The required certificateRef depends on which of the above Terminate modes is used.

This can currently be supported using an implementation-specific option. Istio, for example, has:

    tls:
      mode: Terminate
      certificateRefs:
      - name: example-credential
      options:
        gateway.istio.io/tls-terminate-mode: MUTUAL

Providing a standard API for this would be much better.

frankbu avatar Jun 12 '23 20:06 frankbu
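The point of the request above is that the certificate material a listener must reference depends on the termination mode: simple termination needs only the server certificate and key, while mutual termination additionally needs the CA bundle used to verify client certificates. The following checker, an added example rather than code from the Gateway API or Istio projects, walks a Gateway manifest and the Secrets it references and reports listeners whose credentials do not fit their mode. It assumes the Istio option key quoted in the issue (`gateway.istio.io/tls-terminate-mode`) and assumes, following Istio's documented credential layout, that a MUTUAL credential Secret carries a `ca.crt` entry alongside `tls.crt` and `tls.key`; other implementations may use a different key. The sample manifests are constructed and contain placeholder values, not real PEM data.

```python
"""Check that every TLS-terminating listener in a Gateway references a
credential Secret that actually fits its termination mode.

Added example, not Gateway API or Istio project code. Assumptions:
  - the Istio option from the issue, gateway.istio.io/tls-terminate-mode,
    selects SIMPLE (default) or MUTUAL termination;
  - a credential Secret holds tls.crt and tls.key for simple TLS and, for
    MUTUAL, also ca.crt (the client CA bundle); that key name follows
    Istio's documentation and may differ for other implementations.
"""
from typing import Dict, List

ISTIO_MODE_OPTION = "gateway.istio.io/tls-terminate-mode"
SERVER_KEYS = ("tls.crt", "tls.key")  # needed for any Terminate listener
CLIENT_CA_KEY = "ca.crt"              # additionally needed for MUTUAL (assumed key name)


def listener_findings(listener: dict, secrets: Dict[str, dict]) -> List[str]:
    """Return findings for one listener; an empty list means it is consistent."""
    name = listener.get("name", "<unnamed>")
    tls = listener.get("tls")
    if tls is None:
        return []  # plain HTTP/TCP listener: nothing to terminate
    mode = tls.get("mode", "Terminate")  # Gateway API default mode
    refs = tls.get("certificateRefs", [])
    if mode == "Passthrough":
        # The spec ignores certificateRefs here; flag them so nobody assumes they are used.
        return [f"{name}: certificateRefs are ignored in Passthrough mode"] if refs else []
    if mode != "Terminate":
        return [f"{name}: unknown tls.mode {mode!r}"]
    if not refs:
        return [f"{name}: Terminate mode needs at least one certificateRef"]

    terminate_mode = tls.get("options", {}).get(ISTIO_MODE_OPTION, "SIMPLE")
    findings: List[str] = []
    for ref in refs:
        if ref.get("kind", "Secret") != "Secret":
            findings.append(f"{name}: unsupported certificateRef kind {ref['kind']!r}")
            continue
        secret = secrets.get(ref["name"])
        if secret is None:
            findings.append(f"{name}: referenced Secret {ref['name']!r} not found")
            continue
        data = secret.get("data", {})
        for key in SERVER_KEYS:
            if key not in data:
                findings.append(f"{name}: Secret {ref['name']!r} lacks {key}")
        if terminate_mode == "MUTUAL" and CLIENT_CA_KEY not in data:
            findings.append(
                f"{name}: MUTUAL termination but Secret {ref['name']!r} has no "
                f"{CLIENT_CA_KEY}; client certificates cannot be verified"
            )
    return findings


def check_gateway(gateway: dict, secrets: Dict[str, dict]) -> List[str]:
    """Run listener_findings over every listener of a Gateway manifest."""
    out: List[str] = []
    for listener in gateway.get("spec", {}).get("listeners", []):
        out.extend(listener_findings(listener, secrets))
    return out


# Constructed sample manifests; the data values are placeholders, not real PEM.
SAMPLE_SECRETS = {
    "server-only": {"data": {"tls.crt": "...", "tls.key": "..."}},
    "example-credential": {"data": {"tls.crt": "...", "tls.key": "...", "ca.crt": "..."}},
}

SAMPLE_GATEWAY = {
    "apiVersion": "gateway.networking.k8s.io/v1",
    "kind": "Gateway",
    "metadata": {"name": "example-gateway"},
    "spec": {
        "gatewayClassName": "istio",
        "listeners": [
            {"name": "https-simple", "protocol": "HTTPS", "port": 443,
             "tls": {"mode": "Terminate",
                     "certificateRefs": [{"name": "server-only"}]}},
            # Mutual termination pointed at a Secret without a client CA: misconfigured.
            {"name": "https-mtls-broken", "protocol": "HTTPS", "port": 8443,
             "tls": {"mode": "Terminate",
                     "certificateRefs": [{"name": "server-only"}],
                     "options": {ISTIO_MODE_OPTION: "MUTUAL"}}},
            {"name": "https-mtls", "protocol": "HTTPS", "port": 9443,
             "tls": {"mode": "Terminate",
                     "certificateRefs": [{"name": "example-credential"}],
                     "options": {ISTIO_MODE_OPTION: "MUTUAL"}}},
        ],
    },
}

if __name__ == "__main__":
    for finding in check_gateway(SAMPLE_GATEWAY, SAMPLE_SECRETS):
        print(finding)
```

Run against the sample manifests the checker reports only the `https-mtls-broken` listener, whose credential Secret has no client CA entry even though the listener is configured for mutual termination; in a real cluster the same logic would be fed the output of `kubectl get gateway` and `kubectl get secret`. The check is implementation-specific exactly because, as the issue notes, the mode is expressed through an option rather than a standard field.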

I think this is at least partially addressed by https://github.com/kubernetes-sigs/gateway-api/pull/2080.

/cc @arkodg

robscott avatar Jun 12 '23 20:06 robscott

Yes, 2. should be addressed by #2080, which should also enable the capability for 3. (mTLS for Gateways in a mesh).

arkodg avatar Jun 14 '23 19:06 arkodg

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Jan 22 '24 14:01 k8s-triage-robot

/remove-lifecycle stale

frankbu avatar Feb 01 '24 16:02 frankbu

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar May 01 '24 17:05 k8s-triage-robot

@frankbu I think this issue may need to be split up into smaller pieces. We're definitely making progress towards what I'd call "manually-configured frontend and backend mTLS" with both Arko's GEP (#2080) and BackendTLSPolicy. It's possible that some automation could be built on top of that as well. I think what you're really focused on here is some kind of standardized way to sign up for the UX that is common among Service meshes - automatic mTLS everywhere. If that's the case, I'd recommend a separate issue focused on just that part.

robscott avatar May 01 '24 17:05 robscott

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar May 31 '24 17:05 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue with /reopen
  • Mark this issue as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

k8s-triage-robot avatar Jun 30 '24 18:06 k8s-triage-robot

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue with /reopen
  • Mark this issue as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

k8s-ci-robot avatar Jun 30 '24 18:06 k8s-ci-robot