[infinispan-dev] TLS/SNI support for Relay protocol

Bela Ban belaban at mailbox.org
Fri Apr 28 09:01:52 EDT 2017


Hi Sebastian,

I must confess I understood about 30% of your email (I understood "Bela" 
and "JGroups" LOL :-))...

Cross-site replication works by bridging local clusters with a 'global' 
cluster. The endpoints (IP addresses:ports) of this global cluster need 
to be listed (or found dynamically), and at the end of the day, I don't 
care how we get them as long as we can establish (TCP) connections to them.

TCP, TCP_NIO2 and UDP are currently the only options, but if this only 
works with HTTP, we could think about an HTTP protocol which sends and 
receives serialized (binary) JGroups messages.
OTOH if we have site masters which have addresses that are accessible 
from any of the local cluster nodes plus the other site masters, then I 
don't see why we would need routes.

So if we can use Federation to (1) find endpoints of the global cluster 
and (2) SNI/TLS to exchange messages between site masters, I'm all 
for building a specialized setup for Kubernetes/Openshift. Although, as 
I mentioned above, I don't currently see what the value-add of (2) is.

Let's discuss this in a chat.
Cheers,


On 25/04/17 15:04, Sebastian Laskawiec wrote:
> Hey Bela!
>
> I've been thinking about Cross Site Replication using Relay protocol on
> Kubernetes/OpenShift. Most of the installations should use Federation
> [1] but I can also imagine a custom installation with two sites (let's
> call them X and Y) and totally separate networks. In that case, the flow
> through Kubernetes/OpenShift might look like the following:
>
> Site X, Pod 1 (sending relay message) ---> sending packets ---> the
> Internet ---> Site Y, Ingress/Route ---> Service ---> Site Y, Pod 1
>
> Ingress/Routes and Services are Kubernetes/OpenShift "things". The
> former acts as a reverse proxy and the latter as a load balancer.
>
> Unfortunately Ingress/Routes don't have good support for custom
> protocols using TCP (they were designed with HTTP in mind). The only way
> to make it work is to use TLS with SNI [2][3]. So we would need to
> encrypt all traffic with TLS and use Application FQDN (a fully qualified
> application name, so something like
> this: infinispan-app-2-myproject.*site-x*.com) as SNI Hostname. Note
> that FQDN for both sites might be slightly different - Infinispan on
> site X might want to use FQDN containing site Y in its name and vice versa.
>
> I was wondering if it is possible to configure JGroups this way. If not,
> are there any plans to do so?
>
> Thanks,
> Sebastian
>
> [1] https://kubernetes.io/docs/concepts/cluster-administration/federation/
> [2] https://www.ietf.org/rfc/rfc3546.txt
> [3] Look for "Passthrough Termination"
> https://docs.openshift.com/enterprise/3.2/architecture/core_concepts/routes.html#secured-routes
> --
>
> SEBASTIAN ŁASKAWIEC
>
> INFINISPAN DEVELOPER
>
> Red Hat EMEA <https://www.redhat.com/>
>
> <https://red.ht/sig>
>
>
>
> _______________________________________________
> infinispan-dev mailing list
> infinispan-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/infinispan-dev
>

-- 
Bela Ban | http://www.jgroups.org


