Describe the feature request
Currently, when supporting internal traffic using Istio mTLS and external traffic using simple or mutual TLS, two ports must be defined, and a PeerAuthentication config disabling Istio mTLS on the external TLS port must be defined (see the ingress sidecar termination example). I would like to have the ability to configure the same port to serve both kinds of traffic.
In the original RFC, supporting the same port was not considered because it was unclear how to distinguish Istio mTLS from external TLS. However, since Istio mTLS uses magic ALPN protocols, I suggest we distinguish them using ALPN listener matches.
I propose either defining a boolean variable in the Sidecar resource (e.g. hybridPort: true) to distinguish this from existing use cases, or merging IstioIngressListener configurations if it is determined that there is no conflict between two that share the same port.
Alternatively, we can handle this if the AuthorizationPolicy is permissive.
Would also need to distinguish the protocol after termination.
Describe alternatives you've considered
Rewrite services that send traffic to the external TLS port to send traffic to the internal Istio mTLS port
Affected product area (please put an X in all that apply)
[ ] Ambient
[ ] Docs
[ ] Dual Stack
[ ] Installation
[x] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
Affected features (please put an X in all that apply)
[ ] Multi Cluster
[ ] Virtual Machine
[ ] Multi Control Plane
wtzhang23 changed the title from "Dual ingress sidecar TLS/istio mTLS termination" to "Dual ingress sidecar TLS/istio mTLS termination on the same port" on Jun 27, 2024
Currently, reading the code, the sidecar ingress listener builder, although it advertises http1 + h2 through ALPN, does not have a way to select which to forward to the service in the inbound cluster it builds, since it requires the sidecar port protocol to be HTTPS. I'd like to be able to explicitly set it. One option is to allow the sidecar port to set the protocol as http2 or grpc rather than just https (the validation webhook rejects that). Another option is to add another field.
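The following Go program is an added example, not code from this issue or from Istio, illustrating the two mechanisms discussed above: selecting a filter chain by the client's ALPN (the issue body) and carrying the negotiated ALPN forward so the listener knows which protocol to speak after termination (the comment). It assumes Istio's mesh-internal ALPN values ("istio", "istio-peer-exchange", "istio-http/1.0", "istio-http/1.1", "istio-h2"), uses Go's crypto/tls GetConfigForClient hook as a stand-in for Envoy's filter_chain_match on application_protocols, and constructs a throwaway self-signed certificate under the made-up name "hybrid-port-demo" to serve as both server and workload identity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// ALPN values an Istio sidecar offers on mesh-internal mTLS connections.
// Assumption: taken from Istio's ALPN constants, not stated in the issue.
var istioMeshALPN = map[string]bool{
	"istio": true, "istio-peer-exchange": true,
	"istio-http/1.0": true, "istio-http/1.1": true, "istio-h2": true,
}

// ClassifyByALPN is the decision a filter_chain_match on application_protocols
// would make: any Istio-specific ALPN selects the mesh mTLS chain; anything
// else (h2, http/1.1, or no ALPN at all) falls through to the external chain.
func ClassifyByALPN(protos []string) string {
	for _, p := range protos {
		if istioMeshALPN[p] {
			return "istio-mtls"
		}
	}
	return "external-tls"
}

// selfSigned builds a throwaway certificate used here as both server and
// client identity (constructed for the demo; a sidecar uses its workload cert).
func selfSigned() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "hybrid-port-demo"},
		DNSNames:     []string{"hybrid-port-demo"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// HandshakeChain runs one TLS handshake over loopback and reports which chain
// the server picked for a client offering clientProtos, plus the negotiated
// ALPN (what a hybrid listener would use to pick HTTP/1.1 vs h2 after
// termination). withClientCert says whether the client presents a workload
// certificate, as a sidecar would.
func HandshakeChain(clientProtos []string, withClientCert bool) (chain, negotiated string, err error) {
	cert, pool, err := selfSigned()
	if err != nil {
		return "", "", err
	}
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		// Server-side analogue of a listener filter_chain_match: inspect the
		// ClientHello before committing to one chain's TLS settings.
		GetConfigForClient: func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
			chain = ClassifyByALPN(hello.SupportedProtos)
			cfg := &tls.Config{Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: true}
			if chain == "istio-mtls" {
				// Mesh chain: Istio mTLS, so a verified client certificate is mandatory.
				cfg.ClientAuth = tls.RequireAndVerifyClientCert
				cfg.ClientCAs = pool
				cfg.NextProtos = []string{"istio-peer-exchange", "istio", "istio-h2", "istio-http/1.1", "istio-http/1.0"}
			} else {
				// External chain: simple TLS for clients outside the mesh.
				cfg.NextProtos = []string{"h2", "http/1.1"}
			}
			return cfg, nil
		},
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", "", err
	}
	defer ln.Close()
	done := make(chan struct{})
	defer close(done)
	clientErr := make(chan error, 1)
	go func() {
		clientCfg := &tls.Config{RootCAs: pool, ServerName: "hybrid-port-demo", NextProtos: clientProtos}
		if withClientCert {
			clientCfg.Certificates = []tls.Certificate{cert}
		}
		c, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
		clientErr <- err
		if err == nil {
			<-done // keep the socket open until the server side has finished
			c.Close()
		}
	}()
	raw, err := ln.Accept()
	if err != nil {
		return "", "", err
	}
	srv := tls.Server(raw, serverCfg)
	defer srv.Close()
	if err := srv.Handshake(); err != nil {
		return chain, "", err
	}
	if err := <-clientErr; err != nil {
		return chain, "", err
	}
	return chain, srv.ConnectionState().NegotiatedProtocol, nil
}
```

Calling HandshakeChain with the sidecar's ALPN list and a certificate lands on the mesh chain with "istio-peer-exchange" negotiated; a client offering "h2"/"http/1.1" (or no ALPN) lands on the external chain; a client that offers a mesh ALPN without presenting a certificate fails the handshake. That last case is the property a hybrid port has to preserve: ALPN is only a routing hint for chain selection, and the mesh chain must still require and verify the workload certificate so that an external client cannot reach mesh-only paths by spoofing the ALPN value.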