Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

design: Split deployments user experience improvements #1184

Closed
youngnick opened this issue Jun 20, 2019 · 1 comment
Closed

design: Split deployments user experience improvements #1184

youngnick opened this issue Jun 20, 2019 · 1 comment
Assignees
@youngnick
Labels
kind/design Categorizes issue or PR as related to design. kind/feature Categorizes issue or PR as related to a new feature. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete.
Milestone
0.14.0

Comments

@youngnick
Copy link
Member

Issue #881 covers an initial phase of work to secure communication between Contour and Envoy, allowing for a more secure split deployment. This issue covers the second phase of a three-phase plan to make secure split deployments the default for Contour.

The ultimate outcome of the plan is:

  • Split deployments the default for Contour
  • Secure communication between Contour and Envoy via secured gRPC.
  • Authentication for Envoy such that Contour can ensure that only its Envoy can see secret information (like Ingress or IngressRoute certificates), without Envoy needing to access the Kubernetes apiserver.

This design should cover adding additional functionality and/or tools to Contour to help with making the certificate management problem for mutual TLS certificates for gRPC easier.

It will probably include something like:

  • support for initial generation of a CA keypair, a Contour keypair, and an Envoy keypair, and the creation of Kube Secrets for the same (excepting the CA key). It may use the Kube apiserver CA functionality, but that will need to be carefully designed to avoid compromising the Authentication goal.
  • Tooling to help with rotating some or all of those keypairs.
  • A set of deployment YAMLs that don't need extra openssl or similar commands run locally.
@youngnick youngnick added kind/design Categorizes issue or PR as related to design. kind/feature Categorizes issue or PR as related to a new feature. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. labels Jun 20, 2019
@youngnick youngnick added this to the 0.14.0 milestone Jun 20, 2019
@youngnick youngnick self-assigned this Jun 26, 2019
@youngnick
Copy link
Member Author

Turns out that work on #862 effectively designed this without the need for a design doc. Closing in favour of #1215 for implementation.

@youngnick youngnick mentioned this issue Jul 4, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@youngnick youngnick

Labels
kind/design Categorizes issue or PR as related to design. kind/feature Categorizes issue or PR as related to a new feature. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete.
Projects
None yet
Milestone
0.14.0
Development

No branches or pull requests
1 participant
@youngnick