TLS_PASSTHROUGH document #650
Conversation
zijun726911
force-pushed
the
tls-passthrough-doc-2
branch
from
c34d9d4 to
946a64f
Compare
zijun726911
changed the title
| @@ -0,0 +1,894 @@ | |||
| apiVersion: apiextensions.k8s.io/v1 | |||
There was a problem hiding this comment.
I found we need to add that CRD under the folder helm/crds/ ,otherwise the built helm chart don't include that (that's the reason why e2e-test github action failed previously)
zijun726911
force-pushed
the
tls-passthrough-doc-2
branch
from
27bd96d to
266d4a9
Compare
zijun726911
force-pushed
the
tls-passthrough-doc-2
branch
from
266d4a9 to
112b6b0
Compare
| ### Considerations | ||
|
|
||
| - `TLSRoute` sectionName must refer to an `TLS` protocol listener with `mode: Passthrough` in the parentRefs `Gateway`. | ||
| - `TLSRoute` only supports to have one rule. |
There was a problem hiding this comment.
perhaps to be more specific, only supports one default rule
There was a problem hiding this comment.
But I think Kubernetes resource TLSRoute don't have a concept of "default rule" ?
https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1alpha2.TLSRoute
There was a problem hiding this comment.
ok, i misunderstood. or the wording can be "can only have one rule"
There was a problem hiding this comment.
Probably change to: " the TLSRoute managed by aws gateway api controller only supports to have one rule."
Since the k8s gateway api standard supports to have multiple rules, and other gateway api implementation can have multiple rules in TLSRoute for example: envoyproxy/gateway, https://github.com/envoyproxy/gateway
But our implementation don't support that because we are base on vpc lattice
There was a problem hiding this comment.
In other docs we have a "Features" and a "Limitations" section. Can we be consistent here as well?
There was a problem hiding this comment.
I did consider to add "Features" and "Limitations", but don't think TLSRoute has some fancy features that need one separate section besides some words in the "Introduction" and " Example Configuration" sections.
For "Limitations", just use the word "Considerations", same as the word in the vpc lattice doc because that are more likely design decision and not limitation? What do you think?
There was a problem hiding this comment.
OK I think it's fine to leave as-is
| name: tls-rate2 | ||
| protocol: TCP | ||
| healthCheck: | ||
| enabled: false |
There was a problem hiding this comment.
do we want to include an example with health check enabled?
There was a problem hiding this comment.
The new example nginx image: public.ecr.aws/x2j8p8w7/https-server:latest has some issue to enable health check. the targets are healthy initially but it will then change to unhealthy. Still plan to keep the healthcheck disable as unhealthy target will be weighted out and traffic will not work.
But in our other TargetGroupPolicy, it did have healthcheck enabled examples:
aws-application-networking-k8s/docs/api-types/target-group-policy.md
Lines 36 to 62 in 112b6b0
| # Deploy to the mike doc version `dev` and update the `latest` alias for the main branch new git commits | ||
| mike deploy dev latest --update-aliases --push | ||
| mike set-default latest | ||
| elif [[ ${{ github.ref }} == refs/heads/release-v* ]]; then |
There was a problem hiding this comment.
this'll be super helpful
| ### Considerations | ||
|
|
||
| - `TLSRoute` sectionName must refer to an `TLS` protocol listener with `mode: Passthrough` in the parentRefs `Gateway`. | ||
| - `TLSRoute` only supports to have one rule. |
There was a problem hiding this comment.
In other docs we have a "Features" and a "Limitations" section. Can we be consistent here as well?
docs/api-types/tls-route.md
Outdated
| - `TLSRoute` sectionName must refer to an `TLS` protocol listener with `mode: Passthrough` in the parentRefs `Gateway`. | ||
| - `TLSRoute` only supports to have one rule. | ||
| - `TLSRoute` doesn't support any rule matching condition. | ||
| - The `hostnames` field with exactly one host name is required. This domain name is used as a vpc lattice's Service Name Indication (SNI) match to route the traffic to the correct backend service. |
There was a problem hiding this comment.
Is this essential? "This domain name is used as a vpc lattice's Service Name Indication (SNI) match to route the traffic to the correct backend service."
We explain this later with "The customer must use this domain name..." which I think is more helpful
There was a problem hiding this comment.
Ok, make sense to remove, just hope to emphasize, customer cannot use lattice generated DNS name to send traffic to backend service, they must use custom domain name
There was a problem hiding this comment.
Makes sense. I think we need to lean on the public Lattice documentation as well. The docs we have here in the controller don't have to be comprehensive and should focus on the integration rather than the core functionality Lattice provides.
docs/guides/tls-passthrough.md
Outdated
| ### 1. Configure TLS Passthrough Listener on Gateway | ||
|
|
||
| ``` | ||
| kubectl apply -f files/examples/gateway-tls-passthrough.yaml |
There was a problem hiding this comment.
I don't see this file, should it be "my-gateway-tls...."?
There was a problem hiding this comment.
Good catch, yes, should be my-gateway-tls-passthrough.yaml
docs/guides/tls-passthrough.md
Outdated
| * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 | ||
| * ALPN, server accepted to use h2 | ||
| * Server certificate: | ||
| * subject: C=US; ST=wa; L=seattle; O=aws; OU=lattice; CN=liwen.ssl-test.com; [email protected] |
There was a problem hiding this comment.
Can we scrub this email address?
docs/guides/tls-passthrough.md
Outdated
| * Trying 169.254.171.0:443... | ||
| * Connected to nginx-test.my-test.com (169.254.171.0) port 443 (#0) | ||
| * ALPN, offering h2 | ||
| * ALPN, offering http/1.1 | ||
| * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH | ||
| * successfully set certificate verify locations: | ||
| * CAfile: /etc/pki/tls/certs/ca-bundle.crt | ||
| * CApath: none |
There was a problem hiding this comment.
Is all this important for people reading the docs? Should we rather highlight individual lines if we think showing the debug output is crucial?
There was a problem hiding this comment.
Shorten that part in the new revision
zijun726911
force-pushed
the
tls-passthrough-doc-2
branch
from
c93826a to
1dbd98c
Compare
What type of PR is this? Add TLS_PASSTHROUGH feature documentation
The initial doc cherry picked from https://github.com/liwenwu-amazon/aws-application-networking-k8-publics/tree/tls-route-support-mar20
main branchtoliwenwu-amazon:tls-route-support-mar20 branchdiff: zijun726911#3Changes
mainandpublish-docbranch git commit trigger different doc versionmike deployTest
Following the docs/guides/tls-passthrough.md step by step, it can set up the single and multi cluster use cases TLS_PASSTHROUGH e2e connectivity
Testing for
.github/workflows/publish-doc.yaml:Used my own repo,
mainandpublish-docbranch git commit can triggerpublic-docand thenpages-build-deploymentworkflow actions, https://github.com/zijun726911/aws-application-networking-k8s/actionsIt can build the doc version
devformainbranch git commit and buildv1.9.9forrelease-v1.9.9branch git commitBy submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.