Introduce virtual servers as a concrete type. #101
Conversation
Since the HTTPRoute terminates traffic (either HTTP or TLS), it behaves more like an endpoint than list a route. Introducinng the explicit concept of a virtual server improves the clarity of the object model by renaming the existing Route objects using terminology that better describes what they do. Now that we have virtual server terminology, attach TLS information at the server layer. This gives an explicit association between network applications (as represented by a virtual server) and their TLS configuration. Listeners are still resources that are attached to a gateway, but they not have a type, which can be "combined" or "dedicated". Dedicated listeners host up to 1 virtual server, where combined listeners may host many virtual servers. Combined listeners must have a discriminator in the server protocol stack, which the controller implementation is required to validate. The TLS configuration is barely a sketch, but it consists of the configuration for the comunicating party and a conviguration for validating its peer. It's not yet clear to me if this structure will suffice for both initiators and receivers. Signed-off-by: James Peach <jpeach@vmware.com>
k8s-ci-robot
added
the
cncf-cla: yes
|
Hi @jpeach. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
needs-ok-to-test
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: jpeach The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/cc @youngnick @danehans |
|
This is pretty complicated for the end user. Can you add a few sketches as to what this looks on a config level to your PR description. |
| // - gcp: https://cloud.google.com/load-balancing/docs/use-ssl-policies#creating_an_ssl_policy_with_a_custom_profile | ||
| // - aws: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies | ||
| // - azure: https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-tls-1112 | ||
| type TLSConfiguration struct { |
There was a problem hiding this comment.
As I mentioned in on a related issue, for the intial API, most these things will be placed in implementation-specific extensions.
We unfortunately need to consider a subset for the core and extended APIs.
There was a problem hiding this comment.
This doesn't change the items that can be configured much. The main thing here is that I break out an explicit (but currently un-specced) object for TLS peer validation. I think that's a useful approach that will help us manage the different concerns around TLS config.
There was a problem hiding this comment.
For usability I would like to see a more simplified names, i.e. TLSConfig or TLSOptions.
| const ListenerProtocolTCP ListenerProtocolType = "TCP" | ||
| const ListenerProtocolUDP ListenerProtocolType = "UDP" | ||
|
|
||
| type Listenertype string |
Signed-off-by: James Peach <jpeach@vmware.com>
|
For my own understanding:
How do we control who specifies a cert if we don't want the app dev to be able to select their own TLS configuration? |
Do we need to capture a user story for this? This PR explores how to associate a TLS config with an endpoint (virtual host), but you can imagine there's more than one way to do that. We could have another object reference to the secrets in a TLS config, or we could reference TLS configurations by name.
The other separation suffers from the problem that the API doesn't easily express how virtual hosts are associated with their TLS configuration. This association is a pretty fundamental property of an application, so I think that exposing it in the API is important. We can still allow the responsibility for TLS (keys in particular) to be split, while preserving this association. |
|
/hold since the intention of this PR is for discussion only. |
k8s-ci-robot
added
the
do-not-merge/hold
|
|
||
| type Listenertype string | ||
|
|
||
| // DedicatedListenerType describes a listener with exactly on attached server. |
| // All traffic received by this listener is terminated by this server. | ||
| const DedicatedListenerType ListenerType = "Dedicated" | ||
|
|
||
| // CombinedListenerType describes a listener what may have multiple attached |
| // CombinedListenerType describes a listener what may have multiple attached | ||
| // servers. The protocol recognized by this listener must have a discriminator | ||
| // that can be used to select the appropriate server for the incoming request. | ||
| // In the case of a streaming data over TLS, the ALPN protocol name can sepect |
There was a problem hiding this comment.
sepect... do you mean inspect?
There was a problem hiding this comment.
I think I meant to say "the ALPN protocol name can be used to select".
| // that can be used to select the appropriate server for the incoming request. | ||
| // In the case of a streaming data over TLS, the ALPN protocol name can sepect | ||
| // between different StreamServer specification. In the case of HTTP traffic, | ||
| // the HTTP Host (i.e. H2 authority) provides the discriminator. |
There was a problem hiding this comment.
Is "HTTP Host" the Host header? If so, please add the word header.
There was a problem hiding this comment.
Is SNI server_name considered a discriminator for TLS?
There was a problem hiding this comment.
Yep, this is the Host header (aka HTTP/2 authority header).
Right, SNI would be the TLS discriminator.
| // The ALPNProtocols field in this TLSAcceptor must contain only valid | ||
| // HTTP protocol identifiers, i.e. "http/0.9", "http/1.0", "http/1.1", | ||
| // "h2". Implementations may accept only a subset of these values if | ||
| // the underlying proxy implementation does not implement the |
| // TLSInitiator describes the TLS configuration for a party that initiates TLS | ||
| // sessions. | ||
| // | ||
| // TODO(jpeach): consider merging TLSAcceptor and TLSInitiator if it turns out |
There was a problem hiding this comment.
I think removing TLSInitiator and TLSAcceptor and embedding TLSConfiguration in types will reduce complexity for users. If we find that an initiator and acceptor require different properties then let's introduce the additional complexity.
There was a problem hiding this comment.
Yeh, I ended up thinking something similar. I think that the separation between configuration and peer validation makes sense. I'm not sold that initiator vs. acceptor is needed :)
@bowei @jpeach IMO we need to get #95 resolved to move forward with this or any of the other PR's that address TLS. /cc @Miciah |
|
@danehans: GitHub didn't allow me to request PR reviews from the following users: Miciah. Note that only kubernetes-sigs members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Yeah, I agree that #95 is a good place to coalesce around until we get the underlying API type definitions sorted out. |
k8s-ci-robot
added
the
needs-rebase
|
@jpeach: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
|
@jpeach: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
This is an RFC sketch for discussion, not intended to be merged. Please do not merge.
Since the HTTPRoute terminates traffic (either HTTP or TLS), it behaves
more like an endpoint than list a route. Introducinng the explicit concept
of a virtual server improves the clarity of the object model by renaming
the existing Route objects using terminology that better describes what
they do.
Now that we have virtual server terminology, attach TLS information at
the server layer. This gives an explicit association between network
applications (as represented by a virtual server) and their TLS
configuration.
Listeners are still resources that are attached to a gateway, but they not
have a type, which can be "combined" or "dedicated". Dedicated listeners
host up to 1 virtual server, where combined listeners may host many
virtual servers. Combined listeners must have a discriminator in the
server protocol stack, which the controller implementation is required
to validate.
The TLS configuration is barely a sketch, but it consists of the
configuration for the comunicating party and a conviguration for
validating its peer. It's not yet clear to me if this structure will
suffice for both initiators and receivers.
Signed-off-by: James Peach jpeach@vmware.com
xref #72
xref #94
xref #49