  1. Knative Serving
  2. SRVKS-1025

[DOC] Add docs how to set cipher suites for Kourier Gateway


    • Feature
    • Resolution: Done
    • Critical
    • 1.33.0
    • 1.31.0
    • Documentation
    • When specifying Kourier for Ingress and using DomainMapping, the TLS for OpenShift Route is set to passthrough, and TLS is handled by Kourier Gateway. Starting from the v1.31 release, it is now possible to specify the enabled cipher suites on the Kourier Gateway side.
    • Feature
    • Proposed

      The new section should be inserted at the bottom of "Domain mapping using the Administrator perspective":
      https://docs.openshift.com/serverless/1.30/knative-serving/config-custom-domains/domain-mapping-odc-admin.html

      The draft documentation is below:

      ----------------------------------------------------------------------------------------------------

      Title: Overriding system deployment configurations

      When specifying net-kourier for Ingress and using DomainMapping, the TLS for OpenShift Route is set to passthrough, and TLS is handled by Kourier Gateway. In such cases, you might need to restrict the TLS cipher suites that are allowed.

      This section explains how to specify cipher suites for Kourier.

      KnativeServing CR example

      spec:
        config:
          kourier:
            cipher-suites: ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-ECDSA-CHACHA20-POLY1305  # *1.
      

      *1. Specify the cipher suites to enable. It is also possible to specify multiple suites, separated by commas.

      The Kourier Gateway's container image utilizes the ServiceMesh proxy image, and the default enabled cipher suites depend on the version of the ServiceMesh proxy.
      ----------------------------------------------------------------------------------------------------
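
An added example, not part of the draft documentation or of any Knative or OpenShift code: a small Python check to run on a `cipher-suites` value before putting it in the KnativeServing CR. It assumes OpenSSL-style TLS 1.2 suite names as in the CR example and that you know the key type of the certificate served for the mapped domain; the function names are hypothetical.

```python
# Added example: lint a Kourier `cipher-suites` value before applying it.
KEY_EXCHANGES = {"ECDHE", "DHE"}   # ephemeral key exchange gives forward secrecy
AUTH_TYPES = {"ECDSA", "RSA"}      # must match the serving certificate's key type
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def parse_cipher_suites(value):
    """Split the comma-separated value into individual suite names."""
    return [s.strip() for s in value.split(",") if s.strip()]


def lint_cipher_suites(value, cert_key_type):
    """Return (suite, problem) pairs; an empty list means no findings.

    cert_key_type is "ECDSA" or "RSA": the key type of the certificate the
    gateway serves for the mapped domain (supplied by the caller, an assumption).
    """
    findings, usable = [], 0
    for suite in parse_cipher_suites(value):
        parts = suite.split("-")
        if len(parts) < 3 or parts[0] not in KEY_EXCHANGES or parts[1] not in AUTH_TYPES:
            findings.append((suite, "not an ECDHE/DHE-<auth> name: no forward secrecy, or a typo"))
            continue
        if not any(marker in suite for marker in AEAD_MARKERS):
            findings.append((suite, "not an AEAD suite (CBC or older)"))
        if parts[1] != cert_key_type:
            # In TLS 1.2 the suite's authentication part must match the certificate key.
            findings.append((suite, f"needs an {parts[1]} certificate, gateway serves {cert_key_type}"))
        else:
            usable += 1
    if usable == 0:
        findings.append(("*", "no recognised suite matches the certificate key type"))
    return findings


# Value copied from the CR example above.
PAGE_VALUE = "ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-ECDSA-CHACHA20-POLY1305"

if __name__ == "__main__":
    for key_type in ("ECDSA", "RSA"):
        print(key_type, lint_cipher_suites(PAGE_VALUE, key_type) or "ok")
```

The value from the CR example passes cleanly only when the served certificate has an ECDSA key; with an RSA certificate both suites are flagged, because neither can be negotiated in TLS 1.2.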

              msvistun Maxim Svistunov
              rhn-support-knakayam Kenjiro Nakayama (Inactive)