[infinispan-dev] TLS/SNI support for Relay protocol

Sebastian Laskawiec slaskawi at redhat.com
Tue Apr 25 09:04:39 EDT 2017


Hey Bela!

I've been thinking about Cross Site Replication using Relay protocol on
Kubernetes/OpenShift. Most of the installations should use Federation [1]
but I can also imagine a custom installation with two sites (let's call
them X and Y) and totally separate networks. In that case, the flow through
Kubernetes/OpenShift might look like the following:

Site X, Pod 1 (sending relay message) ---> sending packets ---> the
Internet ---> Site Y, Ingress/Route ---> Service ---> Site Y, Pod 1

Ingress/Routes and Services are Kubernetes/OpenShift "things". The former
acts as a reverse proxy and the latter as a load balancer.

Unfortunately Ingress/Routes don't have good support for custom protocols
using TCP (they were designed with HTTP in mind). The only way to make it
work is to use TLS with SNI [2][3]. So we would need to encrypt all traffic
with TLS and use Application FQDN (a fully qualified application name, so
something like this: infinispan-app-2-myproject.*site-x*.com) as SNI
Hostname. Note that the FQDN for both sites might be slightly different:
Infinispan on site X might want to use an FQDN containing site Y in its name
and vice versa.

I was wondering if it is possible to configure JGroups this way. If not,
are there any plans to do so?

Thanks,
Sebastian

[1] https://kubernetes.io/docs/concepts/cluster-administration/federation/
[2] https://www.ietf.org/rfc/rfc3546.txt
[3] Look for "Passthrough Termination"
https://docs.openshift.com/enterprise/3.2/architecture/core_concepts/routes.html#secured-routes
-- 

SEBASTIAN ŁASKAWIEC

INFINISPAN DEVELOPER

Red Hat EMEA <https://www.redhat.com/>
<https://red.ht/sig>
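As an added example (not part of the message above and not JGroups or OpenShift code), both halves of the SNI passthrough idea in Python: the client side presents the remote site's application FQDN as the SNI hostname, and the router side peeks at the server_name extension (RFC 3546, section 3.1) in the ClientHello to pick a backend without terminating TLS. The FQDN is a constructed value; the ClientHello is generated offline with the standard library's memory BIOs.

```python
import ssl
import struct

# Constructed example: the SNI hostname a node on site X would present when
# opening a TLS connection towards site Y's passthrough route.
SITE_Y_FQDN = "infinispan-app-2-myproject.site-y.com"


def client_hello_with_sni(hostname: str) -> bytes:
    """Generate a real TLS ClientHello carrying `hostname` as SNI, using
    memory BIOs so no network is needed."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()          # writes the ClientHello, then wants a reply
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()


def peek_sni(record: bytes):
    """Parse the server_name extension out of a TLS ClientHello record without
    decrypting anything. Returns the hostname, or None if the record is not a
    ClientHello or carries no SNI."""
    if len(record) < 5 or record[0] != 0x16:            # not a handshake record
        return None
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not body or body[0] != 0x01:                      # not a ClientHello
        return None
    pos = 4 + 2 + 32                                     # hs header, version, random
    pos += 1 + body[pos]                                 # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                 # compression_methods
    if pos + 2 > len(body):
        return None                                      # no extensions at all
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        if ext_type == 0x0000 and len(data) >= 5 and data[2] == 0:  # host_name
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii")
        pos += 4 + ext_len
    return None


if __name__ == "__main__":
    hello = client_hello_with_sni(SITE_Y_FQDN)
    print("passthrough router would forward to:", peek_sni(hello))
```

A route only works this way if the hostname in the ClientHello is the one the router knows, which is why the sending side must set it to the remote site's FQDN rather than whatever address it dials.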