Task
Resolution: Done
Major
None
OSSM 2.4.5
TODO / Acceptance criteria:
1) Deploy grpc-echo.
- Example deployment: https://github.com/istio/istio/blob/master/samples/grpc-echo/grpc-echo.yaml
- gRPC service definition: https://github.com/istio/istio/blob/master/pkg/test/echo/proto/echo.proto#L25
2) TestExposeGrpcWithHttpsGateway: expose the grpc-echo through HTTPS Gateway with TLS mode SIMPLE and use grpcurl as a client. In this test, grpc-echo should not have configured TLS certificates.
3) TestExposeGrpcWithPassthroughGateway: expose the grpc-echo through TLS Gateway with TLS mode PASSTHROUGH. In this case, the grpc-echo should have configured TLS certificates.
Original description:
As a user, I want to enable external access to Pods within the OpenShift Container Platform (OCP) using the GRPC protocol. We have verified that Istio Ingress Gateway (IIG) supports GRPC, but concerns exist regarding its capability to handle GRPC with TLS. The objective of this story is to allow secure external access to services through IIG while ensuring support for the GRPC protocol with TLS.
It's rather doable, although there's, of course, no documentation available.
There are the following 2 approaches:
1. To expose TLS + gRPC, where TLS is terminated at the ingress level:
grpc-client --> TLS(gRPC msg) --> Istio Ingress --> mTLS(gRPC msg) or plain-text(gRPC), depending on whether mTLS is enabled (PeerAuthentication STRICT) --> app
Probable solution: Create a Gateway with the HTTPS protocol, set the TLS mode to SIMPLE, and provide a secret with a certificate.
2. To expose TLS + gRPC, where TLS is terminated at the app level (with its own certificate not signed by Istio):
grpc-client --> TLS(gRPC msg) --> Istio Ingress --> TLS(gRPC msg) --> app
For this, a Gateway with the TLS protocol needs to be created, and TLS mode set to PASSTHROUGH.
I believe this story should have a task to create the end-to-end tests and maybe a documentation snippet.
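The two approaches described above, written as Istio Gateway and VirtualService resources. This is an added example, not part of the original ticket or of the OSSM test suite. The host name, Secret name, Service name and port are assumptions; apply one approach at a time, since both bind the same host on port 443.

```yaml
# Assumed names: host grpc-echo.example.com, Secret grpc-echo-credential
# (in the ingress gateway's namespace), Service grpc-echo on port 7070.
# Approach 1: TLS is terminated at the ingress gateway (mode SIMPLE).
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata: {name: grpc-echo-simple}
spec:
  selector: {istio: ingressgateway}
  servers:
  - port: {number: 443, name: https, protocol: HTTPS}
    hosts: ["grpc-echo.example.com"]
    tls: {mode: SIMPLE, credentialName: grpc-echo-credential}
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata: {name: grpc-echo-simple}
spec:
  hosts: ["grpc-echo.example.com"]
  gateways: ["grpc-echo-simple"]
  http:   # after termination the gateway routes gRPC as HTTP/2
  - route:
    - destination: {host: grpc-echo, port: {number: 7070}}
---
# Approach 2: the app terminates TLS with its own certificate (mode PASSTHROUGH).
# The gateway never decrypts, so it can only route on the SNI value.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata: {name: grpc-echo-passthrough}
spec:
  selector: {istio: ingressgateway}
  servers:
  - port: {number: 443, name: tls, protocol: TLS}
    hosts: ["grpc-echo.example.com"]
    tls: {mode: PASSTHROUGH}
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata: {name: grpc-echo-passthrough}
spec:
  hosts: ["grpc-echo.example.com"]
  gateways: ["grpc-echo-passthrough"]
  tls:
  - match:
    - port: 443
      sniHosts: ["grpc-echo.example.com"]
    route:
    - destination: {host: grpc-echo, port: {number: 7070}}
```

In approach 1 the client validates the certificate held in the gateway's Secret; in approach 2 it validates the certificate served by the application itself, so the client must trust that certificate's issuer and send the matching SNI.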