PoC: Check if we can leverage a Multi-SAN approach for internal-encryption #13820
Comments
/cc @davidhadas |
Refer to match_typed_subject_alt_names field of envoy as discussed in https://docs.google.com/document/d/1XE7UzgQlVVtAb7ULSqOyKCaIHtm8zMF35ainp1JmwyY/ |
@KauzClay would you mind reporting your findings with contour here? |
Currently, Contour does not allow trusting multiple SANs for a backend. I've started an issue with them to potentially change this: projectcontour/contour#5520 I'm trying to work with them on this when I can. |
To summarize the findings:
I've been talking to the upstream maintainers
Contour prioritized multi-san in their next release
The latest update to the Backend TLS GEP PR added support for multi-san |
/close |
@ReToCode: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Description
As discussed in https://docs.google.com/document/d/1YdcdBVg_zpT4WSNRsWlihut5JuLddOTIggFvLni3A28/edit#heading=h.n8a530nnrb we would like to leverage a multi SAN approach to handle TLS traffic for:
User --> Ingress Gateway --> Activator
User --> Ingress Gateway --> Queue-Proxy / KService
This results in two certificates that need to be trusted by the Ingress Gateway (one from the activator with a static SAN and one for Queue-Proxy with a SAN that contains the namespace of the KService). Envoy can be configured to trust multiple SANs for one upstream connection.
/area networking
If this works, #12797 can be omitted.
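The Envoy side of the approach described in this issue, as an added example that is not part of the issue or of Knative's own configuration: one upstream cluster whose certificate validation accepts either the activator's static SAN or the per-namespace queue-proxy SAN through `match_typed_subject_alt_names`. The cluster name, hostnames, SAN values and the CA path are assumed placeholders.

```yaml
# Added example, not from the Knative issue: an Envoy upstream cluster that
# trusts two distinct SANs for one upstream connection. Every name, address
# and path below is an assumed placeholder.
static_resources:
  clusters:
  - name: knative-backend                  # assumed cluster name
    type: STRICT_DNS
    load_assignment:
      cluster_name: knative-backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: backend.example.internal   # placeholder
                port_value: 8443
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        common_tls_context:
          validation_context:
            # The CA that issues both the activator and queue-proxy certs.
            trusted_ca:
              filename: /etc/envoy/certs/internal-ca.pem   # placeholder path
            # The presented certificate must satisfy at least one matcher;
            # Envoy does not require all of them to match.
            match_typed_subject_alt_names:
            # Activator: one static SAN shared cluster-wide (assumed value).
            - san_type: DNS
              matcher:
                exact: activator.knative-serving.svc
            # Queue-proxy: the SAN carries the KService namespace (assumed
            # pattern). Pin it to that namespace with an exact match rather
            # than a broad suffix so a certificate issued for a different
            # namespace is still rejected on this cluster.
            - san_type: DNS
              matcher:
                exact: queue-proxy.my-namespace.svc
```

Because the matcher list is per cluster, the entries for the queue-proxy SAN have to be generated for each namespace the gateway routes to; a single wildcard or suffix matcher would trust every namespace's certificate at once.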