Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Standardizing Behavior for Invalid BackendTLSPolicy #3516

Open
snorwin opened this issue Dec 20, 2024 · 1 comment
Open

Standardizing Behavior for Invalid BackendTLSPolicy #3516

snorwin opened this issue Dec 20, 2024 · 1 comment
Labels
kind/feature Categorizes issue or PR as related to a new feature.
Milestone

Comments

@snorwin
Copy link
Contributor

snorwin commented Dec 20, 2024

Related to:
GEP: TLS from Gateway to Backend for Ingress (#1897)

In recent discussions regarding the implementation of the BackendTLSPolicy, several concerns have been raised regarding the handling of invalid policies. Notably, there are significant security implications if an invalid BackendTLSPolicy results in the Gateway connecting to the backend over plain HTTP.

Current implementations:

  • NGINX: if a BackendTLSPolicy is invalid (e.g., if the ca.crt data field does not contain a valid certificate), the ResolvedRefs condition in the associated HTTPRoute is set to false with the reason UnsupportedValue, resulting in all traffic receiving an HTTP 500 error.
    \cc @ciarams87
  • Envoy: an invalid BackendTLSPolicy also leads to HTTP 500 errors. However, unlike NGINX, the status of the invalid policy is only reflected in the BackendTLSPolicy itself and is not propagated to the HTTPRoute.
    \cc @arkodg

What would you like to be added:
Update the Gateway API specification for the BackendTLSPolicy to clearly define the expected behavior for invalid policies, including specific HTTP error codes and status indications, rather than be implementation specific.

Why this is needed:
This update is essential to ensure consistent handling of invalid BackendTLSPolicies across different implementations.urthermore, the insights and best practices established for the BackendTLSPolicy can serve as general guidelines for specifying the behavior of resources with invalid policies attached.

@snorwin snorwin added the kind/feature Categorizes issue or PR as related to a new feature. label Dec 20, 2024
@snorwin
Copy link
Contributor Author

snorwin commented Dec 20, 2024

\cc @candita \cc @mikemorris

@robscott robscott added this to the v1.3.0 milestone Dec 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/feature Categorizes issue or PR as related to a new feature.
Projects
None yet
Development

No branches or pull requests

2 participants