Ability to observe Kubernetes secrets and expose them as SDS resources? #5325
Unanswered
aukevanleeuwen
asked this question in Q&A
This is more or less a followup of #5301 (reply in thread).

In that question, it turns out that adding an extra cluster as the target of a Lua `httpCall` should (for now?) be done with an `EnvoyPatchPolicy`. This leaves me wanting a little bit though, because on that cluster I would like to add TLS configuration with certificate pinning to a certain trust store and mTLS configuration to send a client certificate. For this I need to add some `UpstreamTlsContext`, which I can obviously provide in the JSON patch. However, ideally I don't want to inline or file-reference a `ca.crt`/`tls.key`/`tls.crt` secret, but would rather use the SDS capabilities of Envoy (like the `validation_context_sds_secret_config`).

So basically my question is: is it possible either with the Envoy Gateway API to generically 'load' / observe extra secrets such as a secret containing `ca.crt` or a TLS secret and expose them via the SDS service? If this is not possible in Envoy Gateway, do you know of open source components that I would be able to leverage to create an SDS service? Maybe I'm talking nonsense, but it looks possible to me to be honest. I think the whole idea of SDS is that I should be able to spin up an SDS service, create a cluster for it (more `EnvoyPatchPolicy` probably) and then reference that SDS service for some of the configuration that I'm using for (m)TLS.

To reiterate my question: if the above is indeed the intended architecture of Envoy (I'm still learning daily here), are there components that I can use to implement such a service?

Thanks in advance for all your hard work!

Replies: 1 comment 1 reply

- Is this unlikely something that will be added as an API to Envoy Gateway, because it's not tied to a specific feature.
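The shape the question describes, written out as an added example that is not part of this discussion or of Envoy Gateway's own documentation: an `EnvoyPatchPolicy` that adds the `httpCall` target cluster with an `UpstreamTlsContext` whose client certificate and trust store are SDS resource names instead of inlined PEM. Assumed: a Gateway named `eg`, a cluster `sds-server` (added by a separate patch) fronting the SDS gRPC service, and hypothetical secret names and upstream host.

```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyPatchPolicy
metadata:
  name: lua-httpcall-mtls            # hypothetical policy name
  namespace: envoy-gateway-system
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: eg                         # assumed: the Gateway whose proxy runs the Lua filter
  type: JSONPatch
  jsonPatches:
    # Target cluster for the Lua httpCall. The client cert/key and the pinned
    # CA bundle are referenced by SDS resource name, so no key material is
    # inlined here; Envoy fetches them over gRPC from the assumed sds-server
    # cluster (which must itself be reachable without SDS-delivered secrets).
    - type: type.googleapis.com/envoy.config.cluster.v3.Cluster
      name: lua-upstream
      operation:
        op: add
        path: ""                     # empty path: add the whole resource (assumed)
        value:
          name: lua-upstream
          type: STRICT_DNS
          load_assignment:
            cluster_name: lua-upstream
            endpoints: [{lb_endpoints: [{endpoint: {address: {socket_address:
              {address: api.example.internal, port_value: 443}}}}]}]
          transport_socket:
            name: envoy.transport_sockets.tls
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
              sni: api.example.internal
              common_tls_context:
                tls_certificate_sds_secret_configs:      # mTLS client identity
                  - name: lua-upstream-client-cert       # hypothetical SDS resource name
                    sds_config: &sds
                      resource_api_version: V3
                      api_config_source:
                        api_type: GRPC
                        transport_api_version: V3
                        grpc_services: [{envoy_grpc: {cluster_name: sds-server}}]
                validation_context_sds_secret_config:    # trust store holding ca.crt
                  name: lua-upstream-ca                  # hypothetical SDS resource name
                  sds_config: *sds
```

Pinning and rotation both live in the SDS server with this layout: the proxy trusts only whatever the `lua-upstream-ca` resource currently carries, so a changed Kubernetes Secret becomes an SDS update rather than a new patch.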