TLS Passthrough does not work #2662
Comments
Milestone 3 inclusion is conditional on this being either no-op or a low effort change.

This does not appear to be trivial. Our architecture does not easily allow feeding a property (the TLS mode) of a Listener into Route configuration. Certificates don't have this problem because they're not directly linked to individual Routes in either the spec or Kong configuration. There may also be some open questions about handling this properly on both our end and in the spec. Currently, Routes' only interaction with Listeners is part of determining whether they can bind to the Gateways in the Route's parentRefs. We check that there is at least some Listener of the appropriate type with allowedRoutes rules that permit that Route, but do not otherwise associate them with a specific Listener. Further logic is required to find that match:

So I think we need to do a fair amount of work to have

Moving to milestone 4 as such.
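The Listener-to-Route match described in the comment above, as an added example (not code from the controller): a simplified resolver that walks a TLSRoute's parentRefs, finds the TLS Listeners it can bind to, and returns the one TLS mode Kong should apply, refusing routes that match both a passthrough and a terminating Listener. The types are assumed stand-ins for the Gateway API fields, the allowedRoutes check the comment mentions is assumed to have passed already, and hostname matching is reduced to exact names and a leading wildcard.

```go
package main

import (
	"fmt"
	"strings"
)

// Simplified stand-ins for the Gateway API Gateway/TLSRoute fields (assumption:
// names mirror gateway.networking.k8s.io; the controller uses the real types).
// Listener.Hostname "" matches any host; TLSRoutes bind only to Protocol "TLS".
// ParentRef.SectionName "" means any listener; empty TLSRoute.Hostnames means any host.
type TLSMode string // "Passthrough" or "Terminate"
type Listener struct{ Name, Protocol, Hostname string; TLSMode TLSMode }
type Gateway struct{ Name string; Listeners []Listener }
type ParentRef struct{ Gateway, SectionName string }
type TLSRoute struct{ ParentRefs []ParentRef; Hostnames []string }

// hostMatches: listener "" matches all; "*.example.com" covers its subdomains.
func hostMatches(listener, host string) bool {
	return listener == "" || listener == host ||
		(strings.HasPrefix(listener, "*.") && strings.HasSuffix(host, listener[1:]))
}

// tlsModeForRoute finds the TLS listeners on gw the route binds to and returns the
// single TLS mode Kong must apply to the resulting Kong route (the allowedRoutes check
// the controller already performs is assumed to have passed). It fails when nothing
// matches or when listeners disagree: a Kong route is passthrough or terminating, not both.
func tlsModeForRoute(gw Gateway, r TLSRoute) (TLSMode, error) {
	var modes []TLSMode // distinct modes seen; more than one means a conflict
	for _, ref := range r.ParentRefs {
		for _, l := range gw.Listeners {
			if ref.Gateway != gw.Name || l.Protocol != "TLS" ||
				(ref.SectionName != "" && ref.SectionName != l.Name) {
				continue
			}
			hostOK := len(r.Hostnames) == 0
			for _, h := range r.Hostnames {
				hostOK = hostOK || hostMatches(l.Hostname, h)
			}
			if hostOK && (len(modes) == 0 || modes[0] != l.TLSMode) {
				modes = append(modes, l.TLSMode)
			}
		}
	}
	if len(modes) != 1 {
		return "", fmt.Errorf("route binds to %d TLS modes on gateway %s, need exactly one", len(modes), gw.Name)
	}
	return modes[0], nil
}
```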
Okay. I'm moving this to "needs AC & prioritization" because it seems that the current AC don't capture the real work to be done.

Nevermind, this is fine, I was confusing this with #2474, supporting certificates at all; this is about handling passthrough or terminate. It should be ready for work with the current criteria and milestone: we initially looked at it for 2.6 but since it wasn't a simple change it didn't make the cut.
TLSRoute
Kong supports configuring TLS passthrough in routes: https://docs.konghq.com/gateway/latest/how-kong-works/routing-traffic/#proxy-tls-passthrough-traffic. So we need to tell the parser whether a

For running integrated tests, we need a simple TLS server: Kong/go-echo#12
Problem Statement

The desired state of TLS support for TLSRoutes is:

- TLSRoute configured on a Gateway with listeners[].tls.mode=passthrough to result in Kong not terminating the TLS connection and forwarding the stream
- TLSRoute configured on a Gateway with listeners[].tls.mode=terminate to result in Kong terminating the TLS connection and forwarding the (unencrypted TCP) stream

The scope of this issue is to:
Additional context

Broken out of #2475.

IIRC we don't do much of anything with Gateway TLS mode (whether it terminates or passes through) yet, but should. We should review how, if at all, we handle it currently and add an implementation for it if none exists or if the current implementation doesn't work well.
Acceptance criteria