[infinispan-dev] TLS/SNI support for Relay protocol

[infinispan-dev] TLS/SNI support for Relay protocol

Sebastian Laskawiec
Hey Bela!

I've been thinking about Cross Site Replication using the Relay protocol on Kubernetes/OpenShift. Most installations should use Federation [1], but I can also imagine a custom installation with two sites (let's call them X and Y) and totally separate networks. In that case, the flow through Kubernetes/OpenShift might look like the following:

Site X, Pod 1 (sending relay message) ---> sending packets ---> the Internet ---> Site Y, Ingress/Route ---> Service ---> Site Y, Pod 1

Ingress/Routes and Services are Kubernetes/OpenShift "things". The former acts as a reverse proxy and the latter as a load balancer. 

Unfortunately Ingress/Routes don't have good support for custom protocols using TCP (they were designed with HTTP in mind). The only way to make it work is to use TLS with SNI [2][3]. So we would need to encrypt all traffic with TLS and use the application FQDN (a fully qualified application name, something like this: infinispan-app-2-myproject.site-x.com) as the SNI hostname. Note that the FQDNs for the two sites might be slightly different - Infinispan on site X might want to use an FQDN containing site Y in its name and vice versa.

I was wondering if it is possible to configure JGroups this way. If not, are there any plans to do so?

Thanks,
Sebastian

[1] https://kubernetes.io/docs/concepts/cluster-administration/federation/
[2] https://www.ietf.org/rfc/rfc3546.txt
[3] Look for "Passthrough Termination": https://docs.openshift.com/enterprise/3.2/architecture/core_concepts/routes.html#secured-routes

--

SEBASTIAN ŁASKAWIEC

INFINISPAN DEVELOPER


_______________________________________________
infinispan-dev mailing list
[hidden email]
https://lists.jboss.org/mailman/listinfo/infinispan-dev
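An added example, not code from this thread, from JGroups or from OpenShift, showing the mechanism the post relies on: the client puts the application FQDN into the SNI extension of its TLS ClientHello, and a passthrough-style router reads only that cleartext field to pick a backend, never decrypting the stream. The ClientHello is generated offline with Python's ssl module; the hostnames and pod addresses in ROUTES are constructed for illustration, and the parser is a plain RFC 3546 server_name decoder, not the OpenShift router's code.

```python
import ssl
import struct
from typing import Dict, Optional, Tuple

# Constructed routing table for illustration: SNI hostname -> (pod address, port).
# The FQDNs follow the shape used in the post; the addresses are made up.
ROUTES: Dict[str, Tuple[str, int]] = {
    "infinispan-app-2-myproject.site-x.com": ("10.128.0.11", 7800),
    "infinispan-app-2-myproject.site-y.com": ("10.129.0.23", 7800),
}


def client_hello_for(server_name: Optional[str]) -> bytes:
    """Return the raw TLS ClientHello a client would put on the wire.

    A MemoryBIO pair stands in for the socket, so this runs offline.
    server_hostname is what makes Python's ssl module add the SNI extension;
    passing None produces a ClientHello without SNI (the failure case).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if server_name is None:
        # Python refuses to omit SNI while hostname checking is on.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # the client has written its ClientHello and now waits for the server
    return outgoing.read()


def extract_sni(record: bytes) -> Optional[str]:
    """Parse the server_name extension (RFC 3546 / RFC 6066) out of a ClientHello.

    This is all a passthrough route gets to see: the record and handshake
    headers and the cleartext extensions. Everything after the handshake is
    opaque to it.
    """
    if len(record) < 5 or record[0] != 0x16:          # ContentType.handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:              # HandshakeType.client_hello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]

    pos = 2 + 32                                      # legacy_version + random
    pos += 1 + hello[pos]                             # legacy_session_id
    pos += 2 + struct.unpack(">H", hello[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hello[pos]                             # compression_methods
    if pos + 2 > len(hello):
        return None                                   # no extensions at all
    ext_end = pos + 2 + struct.unpack(">H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack(">HH", hello[pos:pos + 4])
        pos += 4
        data = hello[pos:pos + ext_len]
        pos += ext_len
        if ext_type != 0x0000:                        # ExtensionType.server_name
            continue
        list_end = 2 + struct.unpack(">H", data[:2])[0]
        p = 2
        while p + 3 <= list_end:
            name_type = data[p]
            name_len = struct.unpack(">H", data[p + 1:p + 3])[0]
            name = data[p + 3:p + 3 + name_len]
            p += 3 + name_len
            if name_type == 0:                        # NameType.host_name
                return name.decode("ascii")
    return None


def route_passthrough(first_bytes: bytes, routes: Dict[str, Tuple[str, int]]) -> Tuple[str, int]:
    """Pick the backend for a new TCP connection from its ClientHello alone.

    The router holds no key for the hostname: it forwards the bytes it has
    already read plus everything after them, and the TLS session is
    negotiated end-to-end between the two pods.
    """
    sni = extract_sni(first_bytes)
    if sni is None:
        raise LookupError("no SNI in ClientHello; a passthrough route has nothing to route on")
    try:
        return routes[sni]
    except KeyError:
        raise LookupError(f"no passthrough route for SNI {sni!r}") from None


if __name__ == "__main__":
    hello = client_hello_for("infinispan-app-2-myproject.site-y.com")
    print(len(hello), "bytes of ClientHello, SNI =", extract_sni(hello))
    print("routed to", route_passthrough(hello, ROUTES))
```

Two consequences worth keeping in mind when reading the post: the SNI hostname travels in the clear, so the router (and anyone on the path) learns which application a connection is for, and because the route does not terminate TLS, the receiving pod must present a certificate for the very FQDN the sender put into SNI, since certificate verification happens between the two JGroups endpoints and not at the route. Whether JGroups itself can be configured to set that hostname is exactly the open question of the thread; the example makes no claim about it.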

Re: [infinispan-dev] TLS/SNI support for Relay protocol

Bela Ban-2
Hi Sebastian,

I must confess I understood about 30% of your email (I understood "Bela"
and "JGroups" LOL :-))...

Cross-site replication works by bridging local clusters with a 'global'
cluster. The endpoints (IP addresses:ports) of this global cluster need
to be listed (or found dynamically), and at the end of the day, I don't
care how we get them as long as we can establish (TCP) connections to them.

TCP, TCP_NIO2 and UDP are currently the only options, but if this only
works with HTTP, we could think about an HTTP protocol which sends and
receives serialized (binary) JGroups messages.
OTOH if we have site masters which have addresses that are accessible
from any of the local cluster nodes plus the other site masters, then I
don't see why we would need routes.

So if we can use Federation to (1) find endpoints of the global cluster
and (2) SNI/TLS to exchange messages between site masters, I'm all
for building a specialized setup for Kubernetes/OpenShift. Although, as
I mentioned above, I don't currently see what the value-add of (2) is.

Let's discuss this in a chat.
Cheers,


On 25/04/17 15:04, Sebastian Laskawiec wrote:

> Hey Bela!
>
> I've been thinking about Cross Site Replication using Relay protocol on
> Kubernetes/OpenShift. Most of the installations should use Federation
> [1] but I can also imagine a custom installation with two sites (let's
> call them X and Y) and totally separate networks. In that case, the flow
> through Kubernetes/OpenShift might look like the following:
>
> Site X, Pod 1 (sending relay message) ---> sending packets ---> the
> Internet ---> Site Y, Ingress/Route ---> Service ---> Site Y, Pod 1
>
> Ingress/Routes and Services are Kubernetes/OpenShift "things". The
> former acts as a reverse proxy and the latter as a load balancer.
>
> Unfortunately Ingress/Routes don't have good support for custom
> protocols using TCP (they were designed with HTTP in mind). The only way
> to make it work is to use TLS with SNI [2][3]. So we would need to
> encrypt all traffic with TLS and use Application FQDN (a fully qualified
> application name, so something like
> this: infinispan-app-2-myproject.*site-x*.com) as SNI Hostname. Note
> that FQDN for both sites might be slightly different - Infinispan on
> site X might want to use FQDN containing site Y in its name and vice versa.
>
> I was wondering if it is possible to configure JGroups this way. If not,
> are there any plans to do so?
>
> Thanks,
> Sebastian
>
> [1] https://kubernetes.io/docs/concepts/cluster-administration/federation/
> [2] https://www.ietf.org/rfc/rfc3546.txt
> [3] Look for "Passthrough Termination"
> https://docs.openshift.com/enterprise/3.2/architecture/core_concepts/routes.html#secured-routes
> --
>
> SEBASTIAN ŁASKAWIEC
>
> INFINISPAN DEVELOPER
>
> Red Hat EMEA <https://www.redhat.com/>

--
Bela Ban | http://www.jgroups.org


Re: [infinispan-dev] TLS/SNI support for Relay protocol

Emmanuel Bernard
In reply to this post by Sebastian Laskawiec
Sebastian,

Do you know if OpenShift has or plans to have some VPN or VPN-like capabilities to
bridge two "cross site" projects?

It would probably be a faster and more generic solution than going
through HTTP.

Emmanuel

On Tue 17-04-25 13:04, Sebastian Laskawiec wrote:
