You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
With that, there's now a possible approach to implement mTLS for the connection between gateways and Kuadrant components (RFC 0012) entirely supported upstream.
The current implementation based on Istio sidecar injection and PeerAuthentication resource can be revisited, aiming for:
Better UX, in alignment with the upstream APIs we depend upon
Gateway provider independence – easier to support the same feature for Envoy Gateway, for example
A few points of attention for the implementation:
Specifically with Istio, targeting a Kuadrant component Service with a BackendTLSPolicy will probably affect an Envoy cluster definition other than the one referenced by the wasm-shim. The Kuadrant Operator creates separate Envoy clusters to circumvent Istio's unsupported hostname problem. See Investigate options for Istio integration without EnvoyFilter kuadrant-operator#1548.
Without the Istio sidecars,
the Kuadrant Operator will have to enable TLS at the Kuadrant components (Authorino and Limitador) based on the presence of BackendTLSPolicies
the components themselves will have to implement TLS client validation from the CA references configured at the gateways (likely mediated in the control plane by the Kuadrant Operator too)
BackendTLSPolicybecame standard in Gateway API since v1.4.0.gateways.spec.tls.backendsince v1.5.0.With that, there's now a possible approach to implement mTLS for the connection between gateways and Kuadrant components (RFC 0012) entirely supported upstream.
The current implementation based on Istio sidecar injection and
PeerAuthenticationresource can be revisited, aiming for:A few points of attention for the implementation:
Requires https://github.com/Kuadrant/RHCL/issues/20