GEP: Off-Cluster Gateways

[kflynn]

Original Title: Chihiro and Ian want a way for out-of-cluster load balancers to be able to usefully participate in a GAMMA-compliant mesh

Historically, API gateways and ingress controllers have often been implemented as a Service of type LoadBalancer fronting a pod running a proxy. This is simple to reason about, easy to manage for sidecar meshes, and will presumably be an important implementation mechanism for the foreseeable future.

However, some cloud providers really, really want to move the proxy outside of the cluster, for various reasons which are out of scope for this discussion but should be considered Valid™.

On the one hand, this isn't really a problem: as long as this external-to-the-cluster proxy (which I'll start calling an "external ingress proxy") can make TCP connections to the IP addresses of Services and/or Endpoints inside the cluster, everything will work at least at a basic level. On the other hand, the first hop of traffic from the external ingress proxy to the application pods in the cluster will always be cleartext, which is hardly desirable.

Chihiro and Ian would, therefore, really like a way to configure the external ingress proxy to actually participate in the mesh.

[shaneutt]

This feature has been accepted for the v1.4.0 release. Please see this announcement for more details, and for the timing expectations for transitions. Note that if the timeline can not be met, there is a risk that this feature may unfortunately need to be dropped from the release. If you have any questions, concerns, or are in need of support please reach out to the maintainers so we can assist you!

Note: @robscott and @mikemorris are the assigned reviewers.

[karthikbox]

hi @kflynn, wanted to confirm if (external) gateway to mesh MTLS interop is in scope for this GEP?
by mtls interop i mean that most mesh implementations today terminate MTLS (backed by some sort of CA) when the application backends are opted into mesh. so the gateway should be able to discover this and do mesh mtls.

[kflynn]

@karthikbox, I think that that's a basic requirement for this to work well, and in fact that'll be a major focus of the definitional GEP that needs to happen in the next week.