Allow the configuration of ALPN negotiation when using Gateway API in TLS Terminate mode
Problem
I'm using Contour in Dynamically Provisioned mode with the Contour Gateway Provisioner. I'm also using Gateway API listeners with TLS in Terminate mode to connect to TLSRoutes. The upstream service I'm trying to serve is Postgres. I'd like to use TLS in client connections for obvious reasons. I'm focusing on Postgres client and server version 17, which enable sslnegotiation=direct, which means it runs TLS directly after TCP without that clunky SSL Request extra round trip from the Postgres protocol, but it also requires the TLS server to respond to ALPN for the application protocol "postgresql".
If I terminate the TLS connection in the gateway, I need to configure it to respond to a custom ALPN (with "postgresql"). ATM Contour doesn't allow us to do that (but Envoy itself does!).
This may apply to any protocol or upstream service that requires ALPN negotiation.
Related Links
- https://github.com/kubernetes-sigs/gateway-api/issues/1958
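The ALPN mismatch described in this issue, as an added example that is not part of the original report or of Contour's or Envoy's code: it encodes the ALPN extension a direct-negotiation client offers (wire format from RFC 7301) and runs server-side selection against two listener protocol lists. The function names and both listener lists are assumptions made for illustration.

```python
import struct

ALPN_EXT_TYPE = 16             # application_layer_protocol_negotiation (RFC 7301)
NO_APPLICATION_PROTOCOL = 120  # fatal alert code defined by RFC 7301


def encode_alpn(protocols):
    """Build the ALPN extension (type, length, ProtocolNameList) of a ClientHello."""
    names = b""
    for proto in protocols:
        raw = proto.encode("ascii")
        if not 1 <= len(raw) <= 255:
            raise ValueError("protocol name must be 1..255 bytes")
        names += bytes([len(raw)]) + raw
    body = struct.pack("!H", len(names)) + names
    return struct.pack("!HH", ALPN_EXT_TYPE, len(body)) + body


def parse_alpn(ext):
    """Parse an ALPN extension, rejecting truncated or inconsistent lengths."""
    if len(ext) < 6:
        raise ValueError("truncated ALPN extension")
    ext_type, ext_len, list_len = struct.unpack("!HHH", ext[:6])
    if ext_type != ALPN_EXT_TYPE or ext_len != len(ext) - 4 or list_len != ext_len - 2:
        raise ValueError("malformed ALPN extension")
    names, pos = [], 6
    while pos < len(ext):
        n = ext[pos]
        if n == 0 or pos + 1 + n > len(ext):
            raise ValueError("bad protocol name length")
        names.append(ext[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return names


def select_alpn(server_protocols, client_ext):
    """Server-side selection: first server preference that the client also offered."""
    offered = parse_alpn(client_ext)
    for proto in server_protocols:
        if proto in offered:
            return ("selected", proto)
    # A server that supports ALPN but shares no protocol must abort the handshake.
    return ("alert", NO_APPLICATION_PROTOCOL)


# Constructed input: the extension a client using sslnegotiation=direct would send.
client_ext = encode_alpn(["postgresql"])
# Hypothetical listener protocol lists, not taken from Contour or Envoy defaults.
http_only = select_alpn(["h2", "http/1.1"], client_ext)
with_pg = select_alpn(["postgresql"], client_ext)
```

A terminator that ignores the extension altogether sends no alert and simply returns no selected protocol, so a check on the gateway should look at the negotiated protocol rather than only at whether the handshake completed.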