Story
Resolution: Obsolete
Major
OSSM 2.0.0, OSSM 2.1.0
This was raised from the following customer call notes (under End2End Encryption): https://docs.google.com/document/d/1ci59eC2tPXRepNpnXPdjfl-I4HBNE_Ymft6DN3Z87AE/edit. It is a question that has come up at other times as well, so I think we need more explanation here.
This likely crosses over two areas:
- Configuring Service Mesh at the edge: Ingress and Egress Gateways, and how they work with OpenShift routes and external gateways. Currently, we document automatic route creation under traffic management, though this is a bit out of context in a traffic management section (traffic management usually refers to internal mesh traffic management: VirtualServices, DestinationRules, etc.). We likely need a section dedicated specifically to Ingress/Egress on a Service Mesh, including the integration with OpenShift routes.
- mTLS termination and certificate management: we cover this for internal Service Mesh traffic in the [Security Section|https://docs.openshift.com/container-platform/4.6/service_mesh/v2x/ossm-security.html], but customers often want to understand how to configure Gateways for mTLS termination (with an external certificate authority). Some of this may change in 2.1 with the introduction of Spire/Spiffe. We also have an open issue around using the [OpenShift cluster certificate authority|OSSM-13]. Needless to say, I think we need a section of the docs around trust domains and certificate management. Perhaps this should be part of the 2.1 documentation scope with Spire.
Note that both of these relate quite closely to this [blog post|https://www.openshift.com/blog/design-considerations-at-the-edge-of-the-servicemesh], which describes how to configure Service Mesh at the edge, both in terms of integration with OpenShift routes and mTLS. It is a popular post and may help guide this documentation.
This could probably be one large page, or two pages divided along the lines above. I think both should include example configurations of routes, gateways and VirtualServices / DestinationRules to show an end-to-end example.
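As an added illustration of the kind of end-to-end example asked for above (written for this ticket, not taken from the OSSM docs or the blog post), the following assumed configuration terminates mTLS at the mesh ingress gateway using a certificate and an external CA bundle, and fronts it with a passthrough OpenShift Route so the router does not terminate TLS itself. The namespaces, hostname, secret name and port name are placeholders.

```yaml
# Added example (assumed names): mTLS terminated at the mesh ingress gateway.
# The secret app-gateway-mtls lives in the control plane namespace (istio-system)
# and holds tls.crt, tls.key and ca.crt, where ca.crt is the external CA bundle
# used to verify client certificates; the Gateway only references it by name.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: app-gateway
  namespace: app
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: MUTUAL            # client certificate required, checked against ca.crt
      credentialName: app-gateway-mtls
      minProtocolVersion: TLSV1_2
    hosts:
    - app.example.com
---
# Route to the ingress gateway with passthrough termination, so the OpenShift
# router forwards the raw TLS stream and the client certificate reaches the
# gateway. With automatic route creation, check the generated Route is passthrough.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: app-gateway
  namespace: istio-system
spec:
  host: app.example.com
  to:
    kind: Service
    name: istio-ingressgateway
  port:
    targetPort: https
  tls:
    termination: passthrough
```

A VirtualService in the app namespace that lists app-gateway under gateways then routes app.example.com to the workload as usual; if the Route were edge or reencrypt instead of passthrough, the router would present its own certificate and the gateway would never see the client certificate.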