Network Edge / NE-2442

Add support to the Cluster Ingress Operator for TLS curves in Gateway API deployments


Given the need to implement PQC and centralized TLS configuration for components, on Gateway API we may want to approach it as follows:

• Decide whether we will operate only on the openshift-ingress namespace or on any namespace
• Read all the GatewayClasses that are managed by OpenShift, i.e. those containing `controllerName: openshift.io/gateway-controller/v1`
• Watch the TLSProfile on the cluster Ingress config
• Watch all the Gateways that match our GatewayClass
• Watch all the EnvoyFilters, to validate that the ones we care about are re-created if removed

Implement a controller:

• Given a Gateway that we care about
• And given a TLSProfile that has definitions (ignore it if there are no definitions; remove the EnvoyFilter if there are no definitions but a filter exists)
• Create an EnvoyFilter attached to the Gateways that carry the matching label `gateway.networking.k8s.io/gateway-class-name`, or any label that signals that the Gateway is managed by CIO

The proposed EnvoyFilter should contain the following:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: gateway-tls-<class>
spec:
  workloadSelector:
    labels:
      gateway.networking.k8s.io/gateway-class-name: <match-with-controller>
      istio.io/rev: <match-with-controller>
  configPatches:
  - applyTo: FILTER_CHAIN
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
            common_tls_context:
              tls_params:
                tls_minimum_protocol_version: <MATCH-WITH-PROFILE>
                tls_maximum_protocol_version: <MATCH-WITH-PROFILE>
                cipher_suites:
                - <BELOW-ARE-EXAMPLES-MUST-MATCH-PROFILE>
                - ECDHE-ECDSA-AES256-GCM-SHA384
                - ECDHE-RSA-AES256-GCM-SHA384
                - ECDHE-ECDSA-AES128-GCM-SHA256
                - ECDHE-RSA-AES128-GCM-SHA256
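The reconcile rules above (ignore when the profile has no definitions, delete a stale filter, otherwise create or update) and the "match with profile" placeholders in the EnvoyFilter can be made concrete in a small amount of Go. The following is an added example, not code from the Cluster Ingress Operator or from this ticket: it uses a simplified stand-in `TLSProfileSpec` in place of OpenShift's `configv1.TLSProfileSpec`, maps its version names to Envoy's `TlsProtocol` names, renders the EnvoyFilter from the ticket as JSON (a valid YAML subset), and encodes the reconcile decision as a function. The function names, the `obj` alias and the sample profile are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// TLSProfileSpec is a hypothetical stand-in for the resolved OpenShift
// TLSSecurityProfile (configv1.TLSProfileSpec): cipher list plus minimum
// version, using the value names the OpenShift API uses.
type TLSProfileSpec struct {
	Ciphers       []string
	MinTLSVersion string // "VersionTLS10" .. "VersionTLS13"
}

// EnvoyTLSParams carries the tls_params keys used in the ticket's EnvoyFilter
// (envoy.extensions.transport_sockets.tls.v3.TlsParameters field names).
type EnvoyTLSParams struct {
	MinVersion   string   `json:"tls_minimum_protocol_version"`
	MaxVersion   string   `json:"tls_maximum_protocol_version,omitempty"`
	CipherSuites []string `json:"cipher_suites,omitempty"`
}

// OpenShift version names -> Envoy TlsParameters.TlsProtocol enum names.
var envoyVersion = map[string]string{
	"VersionTLS10": "TLSv1_0", "VersionTLS11": "TLSv1_1",
	"VersionTLS12": "TLSv1_2", "VersionTLS13": "TLSv1_3",
}

// ToEnvoyTLSParams translates a profile into Envoy tls_params. Envoy's
// cipher_suites only governs TLS 1.2 and below; the TLS 1.3 suites present in
// OpenShift profiles (TLS_AES_*, TLS_CHACHA20_*) are not configurable in Envoy,
// so they are filtered out rather than copied into the patch.
func ToEnvoyTLSParams(p TLSProfileSpec) (EnvoyTLSParams, error) {
	min, ok := envoyVersion[p.MinTLSVersion]
	if !ok {
		return EnvoyTLSParams{}, fmt.Errorf("unsupported MinTLSVersion %q", p.MinTLSVersion)
	}
	out := EnvoyTLSParams{MinVersion: min}
	for _, c := range p.Ciphers {
		if strings.HasPrefix(c, "TLS_") {
			continue // TLS 1.3 suite, fixed by Envoy's TLS library
		}
		out.CipherSuites = append(out.CipherSuites, c)
	}
	// A profile that still permits TLS 1.2 but names no TLS 1.2 suites would
	// silently fall back to Envoy's defaults; refuse it instead.
	if min != "TLSv1_3" && len(out.CipherSuites) == 0 {
		return EnvoyTLSParams{}, fmt.Errorf("profile allows TLS < 1.3 but lists no TLS 1.2 cipher suites")
	}
	return out, nil
}

// Action is the reconcile outcome for one Gateway, per the ticket's rules.
type Action int

const (
	NoAction     Action = iota // no definitions and no filter: nothing to do
	ApplyFilter                // definitions present: create or update the filter
	DeleteFilter               // no definitions but a stale filter exists: remove it
)

// DecideAction applies "ignore if no definitions; remove the EnvoyFilter if
// there are no definitions but a filter exists; otherwise create/update".
func DecideAction(profile *TLSProfileSpec, filterExists bool) Action {
	hasDefinitions := profile != nil && (profile.MinTLSVersion != "" || len(profile.Ciphers) > 0)
	switch {
	case hasDefinitions:
		return ApplyFilter
	case filterExists:
		return DeleteFilter
	default:
		return NoAction
	}
}

// FilterName follows the ticket's naming: gateway-tls-<class>.
func FilterName(className string) string { return "gateway-tls-" + className }

type obj = map[string]interface{}

// BuildEnvoyFilter renders the ticket's EnvoyFilter for one GatewayClass and
// Istio revision, with tls_params taken from the translated profile.
func BuildEnvoyFilter(className, rev string, params EnvoyTLSParams) ([]byte, error) {
	tlsContext := obj{
		"@type":              "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext",
		"common_tls_context": obj{"tls_params": params},
	}
	filter := obj{
		"apiVersion": "networking.istio.io/v1alpha3",
		"kind":       "EnvoyFilter",
		"metadata":   obj{"name": FilterName(className)},
		"spec": obj{
			"workloadSelector": obj{"labels": obj{
				"gateway.networking.k8s.io/gateway-class-name": className, "istio.io/rev": rev}},
			"configPatches": []obj{{
				"applyTo": "FILTER_CHAIN",
				"match": obj{"context": "GATEWAY", "listener": obj{"filterChain": obj{
					"filter": obj{"name": "envoy.filters.network.http_connection_manager"}}}},
				"patch": obj{"operation": "MERGE", "value": obj{"transport_socket": obj{
					"name": "envoy.transport_sockets.tls", "typed_config": tlsContext}}},
			}},
		},
	}
	return json.MarshalIndent(filter, "", "  ")
}

func main() {
	// Constructed sample shaped like OpenShift's Intermediate profile.
	intermediate := TLSProfileSpec{MinTLSVersion: "VersionTLS12", Ciphers: []string{
		"TLS_AES_128_GCM_SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256"}}
	params, err := ToEnvoyTLSParams(intermediate)
	if err != nil {
		panic(err)
	}
	out, _ := BuildEnvoyFilter("openshift-default", "default", params)
	fmt.Println(string(out))
}
```

Two points worth checking when wiring this into a real controller: the Modern profile (TLS 1.3 only) translates to `tls_minimum_protocol_version: TLSv1_3` with no `cipher_suites` at all, which is correct for Envoy, and the ticket's title mentions TLS curves while the EnvoyFilter shown sets only versions and ciphers; Envoy's `TlsParameters` also has an `ecdh_curves` list, which is where a curve setting would land once the profile exposes one.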

Assignee: Unassigned
Reporter: Ricardo Pchevuzinske Katz (rh-ee-rpchevuz)