osm gradual mTLS rollout

gradual mTLS rollout

Open michelleN opened this issue 5 years ago • 5 comments

When service mesh is rolled out to a brownfield a service may need to be mTLS-optional. If two existing services A-B are enabled for mTLS, there will be before and after mTLS is enabled. Not all pods will be mTLS ready at the same time. This will result in some old pods connecting to new mTLS pods and most likely 503 errors. To prevent that we need mTLS-optional for a period of time, where if mTLS does not work we switch to non-mTLS.

What about traffic split, where one group is mTLS the other is not?

Jan 30 '20 19:01 michelleN

@michelleN could you add some description to this issue. Want to understand the feature we want to implement.

Feb 09 '20 16:02 asridharan

Given the non-triviality of this task, I propose we postpone implementation until after we release v1 of OSM. This would mean that v1 of OSM would cause downtime when deployed to a brownfield setup.

Mar 22 '20 21:03 draychev

Related issues

#2012
#1001
#2172

Feb 25 '22 16:02 steeling

Added default label size/needed. Please consider re-labeling this issue appropriately.

Jul 13 '22 00:07 github-actions[bot]

I think this is definitely a feature we should implement in the next couple of releases

Sep 07 '22 19:09 keithmattix

This issue will be closed due to a long period of inactivity. If you would like this issue to remain open then please comment or update.

Feb 07 '23 00:02 github-actions[bot]

Issue closed due to inactivity.

Feb 14 '23 00:02 github-actions[bot]

osm osm copied to clipboard

gradual mTLS rollout

osm
osm copied to clipboard