Dual ingress sidecar TLS/istio mTLS termination on the same port #51768

Open
wtzhang23 opened this issue Jun 27, 2024 · 3 comments
Comments
wtzhang23 commented Jun 27, 2024

Describe the feature request

  • Currently, when supporting internal traffic using Istio mTLS and external traffic using simple or mutual TLS, two ports must be defined, and a PeerAuthentication config disabling Istio mTLS on the external TLS port must be defined (see the ingress sidecar termination example). I would like to have the ability to configure the same port to serve both kinds of traffic.
  • In the original RFC, supporting the same port was not considered because it was unclear how to distinguish Istio mTLS from external TLS. However, since Istio mTLS uses magic ALPN protocols, I suggest we distinguish them using ALPN listener matches.
  • I propose either defining a boolean variable in the Sidecar resource (e.g. hybridPort: true) to distinguish this from existing use cases, or merging IstioIngressListener configurations if it is determined that there is no conflict between two that share the same port.
  • Alternatively, we can handle this if the AuthorizationPolicy is permissive.
  • Would also need to distinguish the protocol after termination.

Describe alternatives you've considered

  • Rewrite services that send traffic to the external TLS port to send traffic to the internal Istio mTLS port

Affected product area (please put an X in all that apply)

[ ] Ambient
[ ] Docs
[ ] Dual Stack
[ ] Installation
[x] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure

Affected features (please put an X in all that apply)

[ ] Multi Cluster
[ ] Virtual Machine
[ ] Multi Control Plane

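The ALPN-based dispatch proposed above, as an added example that is not Istio or Envoy code: a small Python model of what Envoy's tls_inspector listener filter plus a filter_chain_match on application_protocols would do on a single inbound port. It peeks at the first record, reads the ALPN extension from the ClientHello, and routes to an "istio-mtls" chain when any of Istio's mesh ALPN values is offered, otherwise to the external TLS chain. The ClientHello bytes are constructed in-code; the chain names, the "plaintext" fallback and the function names are assumptions made for this demo.

```python
"""ALPN-based filter chain selection for a port shared by Istio mTLS and external TLS.

Added example, not Istio or Envoy code. It models what Envoy's tls_inspector
listener filter plus a filter_chain_match on application_protocols would do:
peek at the first record, read the ALPN extension from the ClientHello, and
pick a chain. The chain names, the "plaintext" fallback and the ClientHello
builder are assumptions made for this demo.
"""
import struct

# ALPN values Istio's sidecar offers when it originates mesh mTLS.
ISTIO_MTLS_ALPNS = frozenset({
    "istio", "istio-peer-exchange", "istio-http/1.0", "istio-http/1.1", "istio-h2",
})

TLS_HANDSHAKE = 0x16       # record content type
CLIENT_HELLO = 0x01        # handshake message type
ALPN_EXTENSION_TYPE = 16   # RFC 7301


def build_client_hello(alpns):
    """Construct a minimal TLS ClientHello record (constructed test input, not a real client).

    alpns=None omits the ALPN extension entirely; a list adds one in that order.
    """
    body = b"\x03\x03" + bytes(32)            # client_version TLS 1.2 + 32-byte random
    body += b"\x00"                             # session_id: empty
    body += b"\x00\x02\x13\x01"                 # cipher_suites: one entry (TLS_AES_128_GCM_SHA256)
    body += b"\x01\x00"                         # compression_methods: null only
    exts = b""
    if alpns is not None:
        names = b"".join(struct.pack("!B", len(p)) + p.encode() for p in alpns)
        ext_data = struct.pack("!H", len(names)) + names
        exts += struct.pack("!HH", ALPN_EXTENSION_TYPE, len(ext_data)) + ext_data
    body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body  # 3-byte length
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_alpn(record):
    """Return the ALPN names offered in a ClientHello record, [] if the extension is absent."""
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                # skip version + random
    pos += 1 + body[pos]                        # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                        # compression_methods
    if pos + 2 > len(body):
        return []                               # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if ext_type == ALPN_EXTENSION_TYPE:
            data = body[pos:pos + ext_len]
            list_end = 2 + struct.unpack("!H", data[:2])[0]
            names, p = [], 2
            while p < list_end:
                n = data[p]
                names.append(data[p + 1:p + 1 + n].decode("ascii"))
                p += 1 + n
            return names
        pos += ext_len
    return []


def select_filter_chain(first_bytes):
    """Choose the inbound chain from the peeked bytes, as a filter_chain_match would.

    The ALPN list is sent in the clear and chosen by the client, so this only
    routes: the "istio-mtls" chain must still require and verify a client
    certificate, and the "external-tls" chain is the one that does not.
    """
    if len(first_bytes) < 6 or first_bytes[0] != TLS_HANDSHAKE or first_bytes[5] != CLIENT_HELLO:
        return "plaintext"                      # would need a raw_buffer chain, or is rejected
    if any(name in ISTIO_MTLS_ALPNS for name in parse_alpn(first_bytes)):
        return "istio-mtls"
    return "external-tls"


if __name__ == "__main__":
    for alpns in (["istio", "istio-peer-exchange"], ["h2", "http/1.1"], None):
        print(alpns, "->", select_filter_chain(build_client_hello(alpns)))
    print("plaintext ->", select_filter_chain(b"GET / HTTP/1.1\r\n"))
```

The ALPN list is unauthenticated, so the match only decides which chain handles the connection. An external client that offers "istio" lands on the mTLS chain and fails the handshake there, because that chain still requires a client certificate chained to the mesh CA; the PeerAuthentication exemption for the external port is only avoidable because the external chain is the one without a client-cert requirement.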
@wtzhang23 wtzhang23 changed the title Dual ingress sidecar TLS/istio mTLS termination Dual ingress sidecar TLS/istio mTLS termination on the same port Jun 27, 2024
@hzxuzhonghu (Member)

Re-reading the RFC, it looks viable to terminate TLS/mTLS.

Would also need to distinguish the protocol after termination

Can you elaborate more on this?

wtzhang23 (Author) commented Jun 28, 2024

Currently, reading the code, the sidecar ingress listener builder, although it advertises http1 + h2 through ALPN, does not have a way to select which to forward to the service in the inbound cluster it builds, since it requires the sidecar port protocol to be HTTPS. I'd like to be able to explicitly set it. One option is to allow the sidecar port to set the protocol as http2 or grpc rather than just https (the validation webhook rejects that). Another option is to add another field.

This probably should be a separate issue.

@wtzhang23 (Author)

Think I can give a PR a shot?
