Open marcogschmidt opened 4 years ago
Mostly a link dump.
The work we did with istio to support SDS: https://github.com/solo-io/gloo/pull/559
The Gloo and Istio guide: https://docs.solo.io/gloo/latest/gloo_integrations/service_mesh/gloo_istio_mtls/
We should be able to plug in the consul connect mTLS config into our upstreamssl plugin by converting consul connect mTLS config into Gloo ssl config (either on upstreams or in TLS secrets).
Consul mTLS high-level architecture docs here: https://www.consul.io/docs/connect/connect-internals.html#mutual-transport-layer-security-mtls-
Consul connect client docs: https://www.consul.io/docs/connect/native.html
Most important link, API we want to use to get consul connect certs: https://www.consul.io/api/agent/connect.html#certificate-authority-ca-roots
Note: "This endpoint should be used by proxies and native integrations."
Talking about GET to /agent/connect/ca/roots
Raw consul connect client go docs, probably not useful for our case (since envoy needs to connect to service, not gloo): https://www.consul.io/docs/connect/native/go.html#raw-tls-connection
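As an added illustration (not code from this issue or from Gloo), the Go sketch below parses a response from the CA roots endpoint linked above and builds the PEM trust bundle that would feed an upstream's TLS validation. The sample response is constructed with placeholder certificate bodies, `TrustBundle` is a hypothetical helper name, and the mapping into Gloo's ssl config is not shown.

```go
package main

import (
	"encoding/json"
	"encoding/pem"
	"fmt"
	"strings"
)

// caRoots mirrors the fields of the CA roots response that this example reads.
type caRoots struct {
	ActiveRootID string
	Roots        []struct {
		ID, RootCert string
		Active       bool
	}
}

// Constructed sample response: placeholder certificate bodies, not real certs.
const sampleRoots = `{"ActiveRootID":"root-b","Roots":[
 {"ID":"root-a","RootCert":"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n","Active":false},
 {"ID":"root-b","RootCert":"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n","Active":true}]}`

// TrustBundle returns the active root ID and a PEM bundle of every listed root.
// Design choice of this example: all roots are kept, not only the active one,
// so leaf certificates issued under the previous root still verify mid-rotation.
func TrustBundle(body []byte) (string, string, error) {
	var r caRoots
	if err := json.Unmarshal(body, &r); err != nil {
		return "", "", err
	}
	var bundle strings.Builder
	activeSeen := false
	for _, root := range r.Roots {
		blk, _ := pem.Decode([]byte(root.RootCert))
		if blk == nil || blk.Type != "CERTIFICATE" {
			return "", "", fmt.Errorf("root %q: not a PEM certificate", root.ID)
		}
		bundle.Write(pem.EncodeToMemory(blk)) // normalised PEM, one block per root
		activeSeen = activeSeen || (root.Active && root.ID == r.ActiveRootID)
	}
	if !activeSeen { // fail closed rather than emit a bundle without the active root
		return "", "", fmt.Errorf("active root %q missing from Roots", r.ActiveRootID)
	}
	return r.ActiveRootID, bundle.String(), nil
}

func main() {
	id, bundle, err := TrustBundle([]byte(sampleRoots))
	fmt.Println(id, strings.Count(bundle, "BEGIN CERTIFICATE"), err)
}
```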
This issue has been marked as stale because of no activity in the last 180 days. It will be closed in the next 180 days unless it is tagged "no stalebot" or other activity occurs.
Is this issue still being considered for development? It'd be great to see this functionality available.
This issue has been marked as stale because of no activity in the last 180 days. It will be closed in the next 180 days unless it is tagged "no stalebot" or other activity occurs.
Similar to what we did with Istio. Talk to @yuval-k and maybe @ilackarms. Gloo is an ingress to the consul connect cluster. Every VM has a consul agent (node agent in istio, which provides certificates & tokens).
Putting one of their sidecars through our gateway-proxy