Add BackendTLSPolicy support for GRPCRoute objects

kubernetes-sigs / gateway-api

Repository for the next iteration of composite service (e.g. Ingress) and load balancing APIs.

https://gateway-api.sigs.k8s.io

Apache License 2.0

1.77k stars 460 forks source link

Add BackendTLSPolicy support for GRPCRoute objects #3087

Open wimnat opened 4 months ago

wimnat commented 4 months ago

What would you like to be added:

In GEP-1897, the document states:

TCPRoute and GRPCRoute use cases are not addressed here, because at this point in time these two route types are not graduated to beta.

Now that GPRCRoute has graduated to v1 , I think that it should be possible to add a BackendTLSPolicy that matches on GRPCRoute objects.

Why this is needed:

Without this change, any GRPC service that is running with a TLS enabled port can not be accessed via a GPRCRoute and instead the user must fall back to using an HTTPRoute resource with the appropriate BackendTLSPolicy.

Also discussed in Slack here

k8s-triage-robot commented 1 month ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Mark this issue as fresh with /remove-lifecycle stale
Close this issue with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

wimnat commented 1 month ago

/remove-lifecycle stale

xtineskim commented 1 month ago

As replied to in the sig-network-gateway-api thread by @candita , GRPCRoute's interaction with BackendTLSPolicy is currently implementation dependent (https://gateway-api.sigs.k8s.io/geps/gep-1897/#how-a-client-behaves)