Interaction between the existing Service annotation for specifying backend protocol and BackendTLSPolicy #6138

Closed
christianang opened this issue Jan 29, 2024 · 1 comment · Fixed by #6194
Labels: area/gateway-api, kind/feature

Comments

@christianang
Contributor

Please describe the problem you have

From #6119, the interaction between the existing Service annotation (as described in https://projectcontour.io/docs/main/config/upstream-tls/) and BackendTLSPolicy is ill-defined. We need to clearly define what happens if both these features are used at once, document it, and ensure Contour conforms to this definition.

@sunjayBhatia did you have thoughts on what you'd like this behavior to be, when you were reviewing #6119?

@christianang added the kind/feature, lifecycle/needs-triage and area/gateway-api labels Jan 29, 2024
@sunjayBhatia
Member

The annotation can specify a specific port to set the upstream protocol on, e.g. projectcontour.io/upstream-protocol.tls: "8443". This could also be a plaintext protocol, h2c.

BackendTLSPolicy can do the same, though it does not support setting the application protocol (i.e. it corresponds to the annotation setting protocol to tls, not h2).

I'm thinking if you have both present, the BackendTLSPolicy wins out (e.g. with annotation projectcontour.io/upstream-protocol.h2c: "8443" and a BackendTLSPolicy targeting the Service and possibly port, the upstream connection should rather be over TLS).

This issue will likely result in some additional unit and/or featuretests to demonstrate precedence
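
A sketch of the precedence proposed in the comment above, added here as an illustration and not taken from Contour's code or from #6194. The `tlsPolicy` type and the `annotated` and `effective` functions are hypothetical, and a policy is reduced to the Service name plus an optional port.

```go
package main

import (
	"fmt"
	"strings"
)

const prefix = "projectcontour.io/upstream-protocol."

// tlsPolicy is a hypothetical, reduced stand-in for a BackendTLSPolicy:
// the Service it targets and, optionally, one port ("" means every port).
type tlsPolicy struct{ service, port string }

// annotated returns the protocol the Service annotations request for a port.
// Annotation values are comma-separated port names or numbers. Checking the
// protocols in a fixed order keeps the result deterministic if a port is
// listed twice (the order itself is an assumption of this sketch).
func annotated(annotations map[string]string, port string) string {
	found := ""
	for _, proto := range []string{"h2", "h2c", "tls"} {
		for _, p := range strings.Split(annotations[prefix+proto], ",") {
			if p = strings.TrimSpace(p); p != "" && p == port {
				found = proto
			}
		}
	}
	return found
}

// effective applies the proposed precedence: a matching policy forces "tls"
// and reports whether it overrode a different annotation on that port.
func effective(svc, port string, annotations map[string]string, policies []tlsPolicy) (string, bool) {
	fromAnnotation := annotated(annotations, port)
	for _, pol := range policies {
		if pol.service == svc && (pol.port == "" || pol.port == port) {
			return "tls", fromAnnotation != "" && fromAnnotation != "tls"
		}
	}
	return fromAnnotation, false
}

func main() {
	// Constructed input: the h2c annotation and policy from the comment's example.
	ann := map[string]string{prefix + "h2c": "8443, 9090"}
	pols := []tlsPolicy{{service: "backend", port: "8443"}}
	for _, port := range []string{"8443", "9090", "80"} {
		proto, overridden := effective("backend", port, ann, pols)
		fmt.Printf("port %s: protocol=%q annotationOverridden=%v\n", port, proto, overridden)
	}
}
```

The second return value marks ports where a plaintext or differing annotation was silently superseded, which is the case worth surfacing in status or logs so operators notice the stale annotation.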

@christianang self-assigned this Feb 15, 2024
@christianang removed the lifecycle/needs-triage label Feb 15, 2024