Fix inconsistencies on TLSRoute documentation #4139
Conversation
k8s-ci-robot
added
release-note-none
|
/cc @mikemorris |
|
Thanks @mikemorris , I have fixed/tried to reword, let me know if this works |
|
sounds good, commited here! thank you! |
Co-authored-by: Blake Covarrubias <[email protected]>
Co-authored-by: Mike Morris <[email protected]>
rikatz
force-pushed
the
docs-tls-support
branch
from
cdbd11a to
278e488
Compare
Co-authored-by: Candace Holman <[email protected]>
rikatz
force-pushed
the
docs-tls-support
branch
from
1fabe01 to
615bf11
Compare
site-src/concepts/api-overview.md
Outdated
| allowing traffic inspection and routing based on attributes of the inner request | ||
| payload. |
There was a problem hiding this comment.
What are the TLS "attributes of the inner request payload"?
- we don't support ECH yet to route based on
ClientHelloInner - TLSRoute is restricted to SNI-based routing and doesn't use other TLS metadata that requires decryption
- TLSRoute doesn't rout based on the properties of higher-level protocols such as HTTP (as mentioned above)
There was a problem hiding this comment.
yes, I had the same feeling of it, but I would say right now this should be clarified on the GEP + the routing is decided specifically on SNI.
Do you have a proposal to improve this text?
There was a problem hiding this comment.
Added my suggestion.
- In both TLS Passthrough and Terminate modes, TLSRoute makes routing decisions by inspecting unencrypted TLS metadata.
- I'd reword "use the SNI as the main routing method" to "route based on TLS metadata" so that when we add ALPN we don't need to rework this section again.
A side note: Even when we add ECH support, it won't change this much, as both TLS Passthrough and Terminate modes will have access to ESNI.
site-src/guides/tls.md
Outdated
| the Gateway. | ||
|
|
||
| For `TLSRoute`, the use of `Terminate` means that the TLS termination happens on | ||
| the `Gateway` and the connection to the backend resumes as an unencrypted connection. |
There was a problem hiding this comment.
| the `Gateway` and the connection to the backend resumes as an unencrypted connection. | |
| the `Gateway` and the connection to the backend resumes as an unencrypted connection, | |
| unless the connection from the Gateway to the backend is encrypted by some other | |
| mechanism. |
I'm specifically thinking of mesh-integrated ingress gateways here, whether Istio's ingress which can initiate mTLS to a backend, or Linkerd deploying a sidecar next to an ingress, and trying to avoid any explicit mention of BackendTLSPolicy. Does this sound okay to you @candita?
There was a problem hiding this comment.
I think we don't need this section here, it can be removed. We already say this in https://github.com/kubernetes-sigs/gateway-api/pull/4139/files#diff-631650e61708a9c464016c50834d5def9b4967b7daade9fcd5d8c2c175c3e317R120-R126.
If we keep it, the two sections should express consistent views.
There was a problem hiding this comment.
ok I have removed the session and kept only the phrase
"The use of Terminate on TLSRoute is available on Extended [Support Level]." as we may want to be explicit that Terminate is Extended support level
site-src/concepts/api-overview.md
Outdated
| without any introspection beyond the TLS metadata. When using a `Terminate` | ||
| TLS listener, encryption is terminated at the gateway to "unwrap" the connection, | ||
| allowing traffic inspection and routing based on attributes of the inner request | ||
| payload. |
There was a problem hiding this comment.
| without any introspection beyond the TLS metadata. When using a `Terminate` | |
| TLS listener, encryption is terminated at the gateway to "unwrap" the connection, | |
| allowing traffic inspection and routing based on attributes of the inner request | |
| payload. | |
| without any introspection beyond the TLS metadata. When using a `Terminate` | |
| TLS listener, the encryption is terminated at the gateway. |
site-src/concepts/api-overview.md
Outdated
| for where you want to use the SNI as the main routing method, and are not interested | ||
| in properties of the higher-level protocols like HTTP. The byte stream of the | ||
| connection is proxied without any inspection to the backend. | ||
| in properties of the higher-level protocols like HTTP. When using a `Passthrough` | ||
| TLS listener, the encrypted byte stream of the connection is proxied directly to | ||
| the backend destination (which is then responsible for decrypting the stream) | ||
| without any introspection beyond the TLS metadata. When using a `Terminate` | ||
| TLS listener, encryption is terminated at the gateway to "unwrap" the connection, | ||
| allowing traffic inspection and routing based on attributes of the inner request | ||
| payload. |
There was a problem hiding this comment.
| for where you want to use the SNI as the main routing method, and are not interested | |
| in properties of the higher-level protocols like HTTP. The byte stream of the | |
| connection is proxied without any inspection to the backend. | |
| in properties of the higher-level protocols like HTTP. When using a `Passthrough` | |
| TLS listener, the encrypted byte stream of the connection is proxied directly to | |
| the backend destination (which is then responsible for decrypting the stream) | |
| without any introspection beyond the TLS metadata. When using a `Terminate` | |
| TLS listener, encryption is terminated at the gateway to "unwrap" the connection, | |
| allowing traffic inspection and routing based on attributes of the inner request | |
| payload. | |
| for where you want to route based on TLS metadata, and are not interested in properties | |
| of the higher-level protocols like HTTP. When using a `Passthrough` TLS listener, the | |
| encrypted byte stream of the connection is proxied directly to the destination backend, | |
| which is then responsible for decrypting the stream. When using a `Terminate` TLS | |
| listener, encryption is terminated at the gateway. |
There was a problem hiding this comment.
The "unwrap" metaphor doesn't really add much here. Reminds me of a gift or a sandwich.
There was a problem hiding this comment.
Agree, dropping it makes the sentence clean and clearer without impacting the meaning.
Updated.
There was a problem hiding this comment.
I will have to copy/paste on my own commit here because Github is being annoying and not allowing me to add it directly
site-src/concepts/api-overview.md
Outdated
| allowing traffic inspection and routing based on attributes of the inner request | ||
| payload. |
There was a problem hiding this comment.
Added my suggestion.
- In both TLS Passthrough and Terminate modes, TLSRoute makes routing decisions by inspecting unencrypted TLS metadata.
- I'd reword "use the SNI as the main routing method" to "route based on TLS metadata" so that when we add ALPN we don't need to rework this section again.
A side note: Even when we add ECH support, it won't change this much, as both TLS Passthrough and Terminate modes will have access to ESNI.
|
Thanks @rikatz ! /ok-to-test |
k8s-ci-robot
added
the
ok-to-test
k8s-ci-robot
added
the
lgtm
|
/lgtm |
|
Thanks @rikatz! /approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mikemorris, rikatz, robscott, rostislavbobo The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
* Fix inconsistencies on TLSRoute documentation * Apply suggestions Co-authored-by: Blake Covarrubias <[email protected]> * Clarify on TLSRoute termination * Reword on TLSRoute termination Co-authored-by: Mike Morris <[email protected]> * Remove mention to BTLSPolicy on TLSroute * clarify that TLSRoute termination is extended feature * Reword how termination happens on TLSRoute Co-authored-by: Candace Holman <[email protected]> * Finalize TLSRoute wording --------- Co-authored-by: Blake Covarrubias <[email protected]> Co-authored-by: Mike Morris <[email protected]> Co-authored-by: Candace Holman <[email protected]>
7 participants
What type of PR is this?
/kind documentation
What this PR does / why we need it:
TLSRoute documentation has some inconsistencies between what is supported, and how it is supported. This PR fixes these inconsistencies on the documentation.
Which issue(s) this PR fixes:
Fixes #1474
Does this PR introduce a user-facing change?: