Comments (4)
But an Ingress isn't required to be in the same namespace as the service it exposes, is it?
from higress.
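As the code above shows, the mechanism can support this, and the requirement is reasonable: Ingresses are usually placed in business namespaces for developers to manage, while Secrets are better kept in the system namespace and managed centrally by operations.
The Gateway API solves this fairly well by managing Secrets through the Gateway resource, and it also supports ReferenceGrant.
For the Ingress API, simply letting Ingresses in different namespaces use Secrets across namespaces is not very reasonable and carries a security risk.
We can use a single configuration in the system namespace to centrally manage the certificates that different domains need. Under the hood this is still a cross-namespace Secret reference, but the Ingress creator cannot configure the Secret themselves, so the permission is confined to the system namespace.
@2456868764 is already developing a management tool that supports automatic certificate issuance, so configuring certificates globally in the system namespace can be considered together with it. For example, automatic certificate issuance could be enabled for a domain, or a Secret could be specified directly for a domain.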
Same requirement here: we would like to keep the TLS Secret in the system namespace, so that business teams only need to deploy an Ingress to use it.
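@2456868764 This feature is a pain point of ingress nginx and could be prioritized. Would you implement it together with automatic certificate issuance, or implement this one first?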
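The Gateway API arrangement mentioned in the thread, as an added example that is not part of the original comments or the Higress code base: the Gateway owner references the TLS Secret, and a ReferenceGrant in the Secret's namespace authorizes that cross-namespace reference. All names, namespaces, the hostname and the `higress` gateway class are assumptions.

```yaml
# Added example: every name, namespace and hostname below is assumed.
# The TLS Secret "example-com-tls" (type kubernetes.io/tls) lives in "certs".
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: shared-gateway
  namespace: higress-system        # managed by operations
spec:
  gatewayClassName: higress        # assumed class name
  listeners:
    - name: https
      hostname: app.example.com
      port: 443
      protocol: HTTPS
      tls:
        mode: Terminate
        certificateRefs:
          - {kind: Secret, name: example-com-tls, namespace: certs}
      allowedRoutes:
        namespaces: {from: All}    # routes may attach from business namespaces
---
# Created in the Secret's own namespace, so the Secret owner decides who may
# reference it. Without this grant the cross-namespace certificateRef is refused.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
  name: allow-gateway-tls
  namespace: certs
spec:
  from:
    - {group: gateway.networking.k8s.io, kind: Gateway, namespace: higress-system}
  to:
    - {group: "", kind: Secret, name: example-com-tls}
---
# The business team only attaches a route; it never names a Secret.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: app
  namespace: team-a
spec:
  parentRefs:
    - {name: shared-gateway, namespace: higress-system}
  hostnames: ["app.example.com"]
  rules:
    - backendRefs:
        - {name: app-svc, port: 8080}
```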