Allow application developer to specify TLS client certificate #622
Comments
This seems reasonable to me, with the proviso that the
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/remove-lifecycle stale
This API has changed substantially with v1alpha2; we will need to revisit how we can achieve this.
It seems like it would be possible to achieve this with some form of policy attachment initially. Not sure if there's a better approach or built-in policy resource we can offer here.
/lifecycle stale
/remove-lifecycle stale
/lifecycle stale
/remove-lifecycle stale
While grooming we saw that this one was open for a long period of time without anyone with a strong use case to champion it. We're going to close this as we don't expect anyone's ready to drive it forward, but if you still want this feature and have a strong use case we will be happy to reconsider this and re-open.
The use case is presented in the description and in my mind it is strong: an application developer should be able to configure TLS certificates to protect backend communication without bothering the cluster administrator. I have not participated actively in the gateway-api project though, so it is of course fair to close this.
Noting for posterity and shared context that this appears to be a duplicate of #763.
Hi @mikemorris
While being closely related,
After a very quick look at #1430, it seems to me that "GEP-1282: Describing Backend Properties" would allow addressing this (closed) issue rather than #763? Cc @candita.
@youngnick, reviewing your previous comment and #1282, it appears that #1282 now includes the scope of this issue, so it seems we should be able to close this as a duplicate. If I'm mistaken or I've missed something, please re-open!
What would you like to be added:
The application developer should be able to define a client certificate that the proxy uses when it connects to the developer's backend service over TLS.
Why is this needed:
Background:
This feature has been previously discussed and it was included as `BackendPolicy.spec.tls.clientCertificateRef`. Later, Gateway-level configuration was preferred (#395) and the feature was removed. As per the discussion in the comments of #400, I would like to propose that this capability be re-introduced as an optional feature, as an alternative to global (per-Gateway) configuration.

Use case details:
Assume we have an application developer working within a Kubernetes namespace. The application developer wants to secure the traffic between the proxy and their backend service.
1. The application developer generates their own certificates and configures the server certificate on their backend service.
2. To get the proxy to validate the server certificate, the application developer configures a reference to the CA certificate Secret in `BackendPolicy.spec.tls.certificateAuthorityRef`.

Next, the developer would like to protect the backend service even further by allowing incoming TLS connections only from the proxy. Symmetrically, the application developer could enable client authentication themselves, like they did for server authentication in step 2 above, but this would require the client certificate to be configurable per backend service, not per Gateway, which is outside the application developer's domain.
Implementing this enhancement has the following advantages:
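To show concretely what steps 1 and 2 plus a per-backend client certificate achieve, here is an added Go example; it is not code from this issue or from the Gateway API project. It builds the developer's own CA in memory, issues a server certificate to the backend and a client certificate to the proxy, and runs the backend with `RequireAndVerifyClientCert` against that CA, which is the backend-side counterpart of the `clientCertificateRef` the issue asks for. The common names (`app-ca`, `backend`, `gateway-proxy`, `other-ca`, `stranger`), the in-process `httptest` backend and the `Run`, `connect`, `issue` and `certTemplate` helpers are all assumptions made for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// certTemplate builds a short-lived template; the common names used below are made up for the demo.
func certTemplate(cn string, isCA bool, eku x509.ExtKeyUsage) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	check(err)
	t := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{eku},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // httptest listens on 127.0.0.1
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// issue signs tmpl with the parent CA, or self-signs it when parent is nil.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: cert}, cert, key
}

// connect makes one HTTPS request as a proxy's upstream TLS client would; nil clientCert means no client auth.
func connect(url string, roots *x509.CertPool, clientCert *tls.Certificate) error {
	cfg := &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err == nil {
		resp.Body.Close()
	}
	return err
}

// Run starts a backend requiring client certs chained to the developer's CA and reports who gets through.
func Run() (proxyOK, anonymousOK, foreignOK bool) {
	_, caCert, caKey := issue(certTemplate("app-ca", true, x509.ExtKeyUsageAny), nil, nil)
	serverCert, _, _ := issue(certTemplate("backend", false, x509.ExtKeyUsageServerAuth), caCert, caKey)
	proxyCert, _, _ := issue(certTemplate("gateway-proxy", false, x509.ExtKeyUsageClientAuth), caCert, caKey)
	_, otherCA, otherKey := issue(certTemplate("other-ca", true, x509.ExtKeyUsageAny), nil, nil)
	foreignCert, _, _ := issue(certTemplate("stranger", false, x509.ExtKeyUsageClientAuth), otherCA, otherKey)
	pool := x509.NewCertPool() // the CA bundle a certificateAuthorityRef-style field would point at
	pool.AddCert(caCert)
	backend := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	backend.TLS = &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // backend admits only peers the app CA vouches for
		ClientCAs:    pool,
	}
	backend.StartTLS()
	defer backend.Close()
	proxyOK = connect(backend.URL, pool, &proxyCert) == nil
	anonymousOK = connect(backend.URL, pool, nil) == nil
	foreignOK = connect(backend.URL, pool, &foreignCert) == nil
	return
}

func main() {
	fmt.Println(Run()) // proxy accepted, anonymous accepted, other-CA cert accepted
}
```

Running it prints `true false false`: the proxy holding a certificate from the developer's CA is admitted, a caller without a client certificate is refused, and so is a caller presenting a certificate from an unrelated CA. The third case is the point of the request: it is not enough for the proxy to present some client certificate, it has to present one the developer's own CA issued, which is why the certificate needs to be selectable per backend rather than fixed once per Gateway.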