forked from projectcontour/contour
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Support gateway api BackendTLSPolicy (projectcontour#6119)
The BackendTLSPolicy will allow a user to connect an httproute to a backend service with TLS. - Only implements BackendTLSPolicy for HTTPRoute - Only allows Services for spec.targetRef - Allows ConfigMap or Secret for spec.TLS.CACertRefs - Adds backendtlspolicies to the ClusterRole for Contour - Adds configmaps to the ClusterRole for Contour - Controller reconciles on BackendTLSPolicy and ConfigMaps now - BackendTLSPolicy spec.targetRef can specify SectionName to be port name of a service to target a particular section of the service. Signed-off-by: Edwin Xie <[email protected]> Signed-off-by: Christian Ang <[email protected]> Co-authored-by: Christian Ang <[email protected]>
- Loading branch information
1 parent
62f81db
commit 943d5e2
Showing
42 changed files
with
4,355 additions
and
1,746 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
## Support for Gateway API BackendTLSPolicy | ||
|
||
The BackendTLSPolicy CRD can now be used with HTTPRoute to configure a Contour gateway to connect to a backend Service with TLS. This will give users the ability to use Gateway API to configure their routes to securely connect to backends that use TLS with Contour. | ||
|
||
The BackendTLSPolicy spec requires you to specify a `targetRef`, which can currently only be a Kubernetes Service within the same namespace as the BackendTLSPolicy. The targetRef is what Service should be watched to apply the BackendTLSPolicy to. A `SectionName` can also be configured to the port name of a Service to reference a specific section of the Service. | ||
|
||
The spec also requires you to specify `caCertRefs`, which can either be a ConfigMap or Secret with a `ca.crt` key in the data map containing a PEM-encoded TLS certificate. The CA certificates referenced will be configured to be used by the gateway to perform TLS to the backend Service. You will also need to specify a `Hostname`, which will be used to configure the SNI the gateway will use for the connection. | ||
|
||
See Gateway API's [GEP-1897](https://gateway-api.sigs.k8s.io/geps/gep-1897) for the proposal for BackendTLSPolicy. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.