EP-11219: tls in xds #11221

Open: wants to merge 1 commit into main
Conversation

yuval-k (Contributor) commented May 15, 2025

/kind design

NONE

Signed-off-by: Yuval Kohavi <yuval.kohavi@gmail.com>
Copilot AI review requested due to automatic review settings May 15, 2025 17:53

Copilot AI (Contributor) left a comment
Pull Request Overview

This PR introduces a design document outlining the addition of one-way TLS support for kgateway-Envoy communication.

  • Proposes TLS support using Kubernetes secrets for certificate configuration.
  • Details server behavior for certificate updates and CA injection into Envoy's configuration.


The TLS configuration will be handled by the kgateway xDS server:
- Load TLS certificates from the specified secret.
- If the secret is not found, the server will not start.
Copilot AI commented May 15, 2025
Consider elaborating on the failure mode when the TLS secret is missing, such as including potential error messages or operational guidance for debugging.



## Open Questions

1. Any reason to use TLS version lower than TLS1.3?
Copilot AI commented May 15, 2025

[nitpick] It would be beneficial to include a recommended default for TLS protocol versions and cipher suites in the design to provide clear guidance on the security posture.

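The two design-doc excerpts reviewed above (load the certificate from the named secret and refuse to start when it is missing; require TLS 1.3) as one added Go example. This is example code written for this page, not kgateway's own implementation: the `SecretStore` type, the `ca.crt` key, the secret name and the host name are assumptions, the certificate is generated on the fly, and the handshake runs over a loopback TCP listener so it can be exercised without a cluster.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

var ErrSecretNotFound = errors.New("tls secret not found") // design: server must not start without it

// SecretStore stands in for a Kubernetes secret lookup (hypothetical): name -> Data map.
type SecretStore map[string]map[string][]byte

// ServerTLSConfig builds the xDS listener's TLS config from the named kubernetes.io/tls secret.
func ServerTLSConfig(store SecretStore, secretName string) (*tls.Config, error) {
	data, ok := store[secretName]
	if !ok {
		return nil, fmt.Errorf("%w: %q", ErrSecretNotFound, secretName) // hard error, no plaintext fallback
	}
	cert, err := tls.X509KeyPair(data["tls.crt"], data["tls.key"])
	if err != nil {
		return nil, fmt.Errorf("secret %q: invalid tls.crt/tls.key pair: %w", secretName, err)
	}
	// TLS 1.3 only, as the open question suggests; older clients are refused at the ClientHello.
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS13}, nil
}

// EnvoyClientTLSConfig models Envoy's side of one-way TLS: it trusts only the CA bundle
// injected into its bootstrap and presents no client certificate. maxVersion emulates an older client.
func EnvoyClientTLSConfig(caPEM []byte, serverName string, maxVersion uint16) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("ca.crt contains no parseable certificate")
	}
	return &tls.Config{RootCAs: pool, ServerName: serverName, MaxVersion: maxVersion}, nil
}

// Handshake runs one handshake over a loopback TCP listener and returns the negotiated version.
func Handshake(serverCfg, clientCfg *tls.Config) (uint16, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	serverErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			err = tls.Server(conn, serverCfg).Handshake()
		}
		serverErr <- err
	}()
	client, err := tls.Dial("tcp", ln.Addr().String(), clientCfg) // Dial completes the handshake
	if err != nil {
		return 0, err
	}
	defer client.Close()
	if err := <-serverErr; err != nil {
		return 0, err
	}
	return client.ConnectionState().Version, nil
}

// NewTLSSecret constructs a throwaway kubernetes.io/tls-shaped secret with a self-signed,
// CA-capable cert for host; "ca.crt" is an assumed extra key holding the bundle injected into Envoy.
func NewTLSSecret(host string) (map[string][]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key) // cannot fail for a freshly generated P-256 key
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return map[string][]byte{"tls.crt": certPEM, "tls.key": keyPEM, "ca.crt": certPEM}, nil
}
```

Three behaviours matter here and can be checked by calling the functions directly: `ServerTLSConfig` returns `ErrSecretNotFound` (and a malformed secret another error) instead of falling back to plaintext, a client holding the injected `ca.crt` negotiates TLS 1.3, and a client capped at TLS 1.2 or presenting the wrong server name fails the handshake. That last pair is the practical answer to the open question: with `MinVersion: tls.VersionTLS13` the server never has to negotiate down, and no cipher-suite list needs choosing because TLS 1.3 fixes the suites.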

github-actions bot added labels on May 15, 2025:
- do-not-merge/release-note-invalid: Indicates that a PR should not merge because it's missing one of the release note labels.
- do-not-merge/kind-invalid: Indicates a PR lacks a `kind/foo` label and requires one.
- release-note-none
- kind/design: Categorizes issue or PR as related to design.

and then removed do-not-merge/release-note-invalid and do-not-merge/kind-invalid.
Labels
kind/design Categorizes issue or PR as related to design. release-note-none