K8s TLS/TCP SNI support


#1

Currently k8s ingress only supports HTTPS SNI.

I need k8s support for TLS SNI such that I can dynamically create TCP services with virtual server names and have a dynamically created TCP SNI reverse proxy dispatch connections to the correct k8s service.

I see that the linkerd-tcp beta is available and supports SNI. I see that linkerd-tcp integrates with the k8s API via namerd. I see some info on configuring namerd for k8s.

What I don’t see is the full path that results in the dynamic provisioning of TCP SNI reverse proxies for k8s services.

Is this something that linkerd-tcp can do? Has anyone integrated linkerd-tcp with k8s as a TCP SNI load balancer exposed via a k8s service loadbalancer on AWS?
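The "dispatch on the virtual server name" asked for above comes down to reading the server_name extension out of the TLS ClientHello before any bytes are forwarded to a backend. Added example, not linkerd-tcp or namerd code: a Python parser that extracts that name, treats anything malformed, truncated or non-TLS as "no name" so a proxy can fall back to a default instead of crashing, and looks the name up in a caller-supplied route table; `build_client_hello` only constructs a sample ClientHello so the block runs offline.

```python
import struct

def extract_sni(data: bytes):
    """Return the server_name from a TLS ClientHello, or None if absent/malformed."""
    try:
        if data[0] != 0x16:  # TLS record type: handshake
            return None
        body = data[5:5 + struct.unpack("!H", data[3:5])[0]]
        if body[0] != 0x01:  # handshake type: client_hello
            return None
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        if len(hello) != hs_len:
            return None  # record incomplete: need more bytes before routing
        pos = 2 + 32                      # client_version + random
        pos += 1 + hello[pos]             # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hello[pos]             # compression_methods
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:             # walk the extensions
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if etype == 0:                # server_name extension (RFC 6066)
                p, stop = pos + 2, pos + elen  # skip server_name_list length
                while p + 3 <= stop:
                    ntype = hello[p]
                    nlen = struct.unpack("!H", hello[p + 1:p + 3])[0]
                    p += 3
                    if ntype == 0:        # name_type host_name
                        return hello[p:p + nlen].decode("ascii")
                    p += nlen
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                       # garbage or short read: no name
    return None                           # well-formed hello without SNI

def choose_backend(first_bytes: bytes, routes: dict, default=None):
    """Map a new connection's SNI to a backend; unknown or missing names get default."""
    name = extract_sni(first_bytes)
    return routes.get(name, default) if name else default

def build_client_hello(host: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension (sample input)."""
    name = host.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name
    ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    hello = b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x13\x01\x01\x00"  # version, random, no session id, 1 suite, null compression
    hello += struct.pack("!H", len(ext)) + ext
    return b"\x16\x03\x01" + struct.pack("!H", len(hello) + 4) + b"\x01" + len(hello).to_bytes(3, "big") + hello
```

The route table values are whatever the proxy dials, for example a k8s service DNS name and port; a connection whose first record does not parse should be held until more bytes arrive or closed, never forwarded blindly.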


#2

This is a great use case! Unfortunately, linkerd-tcp does not yet support routing based on the virtual server name. This is on our roadmap.


#3

We’re always interested in new contributors :grinning:


#4

Thanks Alex,

Setting aside the lack of SNI support, what is the best way to configure linkerd-tcp as a k8s external TCP proxy for the functionality it does support?

On AWS, I’m assuming it would be front-ended with a k8s service loadbalancer (ELB); it would be a deployment of the linkerd-tcp container; it would use a deployment of namerd; a namerd TPR is created; this is used to dynamically provision dtab entries.


#5

If I can get this basically working, perhaps I’ll contribute SNI support …


#6

Yes, I think that’s right. If you create a k8s service object with load balancer type, AWS should provision an ELB that points to your linkerd-tcp pod. linkerd-tcp gets the address set from namerd, and namerd gets the dtab from a TPR.


#8

OK, but there are some details missing.

From what I’ve found, the namerd config for k8s doesn’t describe the schema for the d-tab.l5d.io thirdpartyresource and I don’t see any examples of its use to create a dtab entry. It’s also not clear how a namerd k8s deployment is configured to watch for the arrival of d-tab.l5d.io TPRs and which of these it will record.

It’s also not clear how to configure linkerd-tcp to use a namerd k8s service for service resolution.

In addition, it is not clear how a dtab entry should be created to resolve to a k8s service.

There are dribs and drabs of k8s integration info sprinkled around in various places so I’m probably just not looking in the right place.