Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support Application-Layer Protocol negotiation via nextProtos flag in tlsconfig #713

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Support Application-Layer Protocol negotiation via nextProtos flag in tlsconfig #713

wants to merge 2 commits into from

Conversation

davidkydd
Copy link

Allows fallback based on protocol availability and support for custom protocols securely over TLS.

ptal:
@roidelapluie
@gotjosh
@ArthurSens

@davidkydd davidkydd mentioned this pull request Nov 4, 2024
Open
@roidelapluie
Copy link
Member

I don't think we want that. What is your use case?

1 similar comment
@roidelapluie
Copy link
Member

I don't think we want that. What is your use case?

@davidkydd
Copy link
Author

we want to use ALPN protocols to identify certain scraping traffic routing through the APIServer, for a similar use case as konnectivity supports it: https://github.com/kubernetes-sigs/apiserver-network-proxy/blob/e4d5a2d64d0b5b7a28d73be99c34ae924190f2fa/cmd/agent/app/options/options.go#L117C2-L117C252

Its a generic capability so would likely have other uses - for example there is an open issue unrelated to our scenario here: prometheus/blackbox_exporter#870

@davidkydd davidkydd force-pushed the davidkydd/tlsconfig-nextprotos branch from 2b88aaf to dda0b06 Compare November 4, 2024 21:20
@phealy
Copy link

phealy commented Nov 5, 2024

To clarify David's post a bit - envoy can route traffic differently based on ALPN header and it's a good way to identify traffic or route connections without needing extra IPs or TLS decryption.

@phealy
Copy link

phealy commented Nov 5, 2024

This has a lot of the same potential cases as being able to set server_name in the tls_config, though that can also be used for cert validation.

@roidelapluie
Copy link
Member

How is it different than setting enable_http2: false?

@phealy
Copy link

phealy commented Nov 8, 2024

How is it different than setting enable_http2: false?

Setting http2 to false will change the ALPN header from something like "h2c,h2,http1.1" to just "http1.1". This PR instead lets us add extra things in there - for example, we could set it to "metrics,h2c,h2,http1.1", then use an envoy filter looking for the word "metrics" in the ALPN value to route the traffic on a VIP to the metrics destination instead of the default destination. Since that value is in cleartext in TLSClientHello, it's another nice way to route encrypted traffic without having to decrypt/reencrypt.

@phealy
Copy link

phealy commented Nov 20, 2024
edited
Loading

@roidelapluie Here's a graphic that might make the idea clearer. The basic use case is traffic routing when you're not terminating TLS, based on something other than SNI. We have firewall restrictions that make adding extra public IPs or hostnames (which would be needed for SNI) difficult, so this is a way to route traffic without needing any of that.

image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@davidkydd @roidelapluie @phealy