[infinispan-dev] TLS/SNI support for Relay protocol

Emmanuel Bernard emmanuel at hibernate.org
Wed May 3 12:02:36 EDT 2017


Sebastian,

Do you know if OpenShift has or plans to have some VPN or VPN-like capabilities to
bridge two "cross site" projects?

It would probably be a faster and more generic solution than going
through HTTP.

Emmanuel

On Tue 17-04-25 13:04, Sebastian Laskawiec wrote:
>Hey Bela!
>
>I've been thinking about Cross Site Replication using Relay protocol on
>Kubernetes/OpenShift. Most of the installations should use Federation [1]
>but I can also imagine a custom installation with two sites (let's call
>them X and Y) and totally separate networks. In that case, the flow through
>Kubernetes/OpenShift might look like the following:
>
>Site X, Pod 1 (sending relay message) ---> sending packets ---> the
>Internet ---> Site Y, Ingress/Route ---> Service ---> Site Y, Pod 1
>
>Ingress/Routes and Services are Kubernetes/OpenShift "things". The former
>acts as a reverse proxy and the latter as a load balancer.
>
>Unfortunately Ingress/Routes don't have good support for custom protocols
>using TCP (they were designed with HTTP in mind). The only way to make it
>work is to use TLS with SNI [2][3]. So we would need to encrypt all traffic
>with TLS and use Application FQDN (a fully qualified application name, so
>something like this: infinispan-app-2-myproject.*site-x*.com) as SNI
>Hostname. Note that FQDN for both sites might be slightly different -
>Infinispan on site X might want to use FQDN containing site Y in its name
>and vice versa.
>
>I was wondering if it is possible to configure JGroups this way. If not,
>are there any plans to do so?
>
>Thanks,
>Sebastian
>
>[1] https://kubernetes.io/docs/concepts/cluster-administration/federation/
>[2] https://www.ietf.org/rfc/rfc3546.txt
>[3] Look for "Passthrough Termination"
>https://docs.openshift.com/enterprise/3.2/architecture/core_concepts/routes.html#secured-routes
>-- 
>
>SEBASTIAN ŁASKAWIEC
>
>INFINISPAN DEVELOPER
>
>Red Hat EMEA <https://www.redhat.com/>
><https://red.ht/sig>
