Skip to content
This repository has been archived by the owner on Dec 6, 2024. It is now read-only.

TCP SNI for Kubernetes? #71

Open
hapnermw opened this issue Aug 7, 2017 · 3 comments
Open

TCP SNI for Kubernetes? #71

hapnermw opened this issue Aug 7, 2017 · 3 comments

Comments

@hapnermw
Copy link

hapnermw commented Aug 7, 2017

Currently k8s ingress only supports HTTPS SNI.

I need k8s support for TLS SNI such that I can dynamically create TCP services with virtual server names and have a dynamically created TCP SNI reverse proxy dispatch connections to the correct k8s service.

I see that the linked-tcp beta is available and supports SNI. I see that linked-tcp integrates with the k8s API via namerd. I see some info on configuring namerd for k8s.

Since I’m hosting k8s on AWS, I’m assuming that the I would be using a loadbalancer service (that creates an ELB instance) as the internet entry point for TCP connections. This would load balance connections across instances of linked-tcp (that have been plumbed-into k8s via namerd).

What I don’t see is the full set of k8s resources that are required to get this to work.

Has anyone done this? What is the best way to get this configured?

@olix0r
Copy link
Member

olix0r commented Aug 15, 2017

Hi @hapnermw!

Currently, linkerd-tcp supports SNI insofar as a server may support multiple named certs. However, currently (or at least the last I looked), rustls does not expose the server name that was negotiated to the application, so linkerd can't yet route on this name dynamically.

I'd really like to support this type of configuration, but we need to get some changes into the libraries we depend on. The good news is that we're currently sponsoring some work on these projects that should make this a closer reality in the coming weeks.

@hapnermw
Copy link
Author

hapnermw commented Aug 16, 2017 via email

@briansmith
Copy link
Contributor

PR #76 shows that the SNI information is exposed to the application by the underlying library (Rustls).

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants