Allow external authorization for non-tls virtual hosts #6657
Labels
kind/feature
Categorizes issue or PR as related to a new feature.
lifecycle/needs-triage
Indicates that an issue needs to be triaged by a project contributor.
lifecycle/stale
Denotes an issue or PR has remained open with no activity and has become stale.
Currently, external authorization (via httpproxy) is only possible when using TLS, and even more restrictive than that it is only possible when clients send SNI headers, as using a fallback certificate is also not allowed. I understand there are technical reasons for this from reading the design doc (https://github.com/projectcontour/contour/blob/main/design/external-authorization-design.md), but strongly hope this is something that can be added to the roadmap as it is a blocker for many common architectures.
For us specifically this causes an issue when we use contour together with an AWS ALB. Our original hope was to do TLS offloading on the ALB and then forward http to contour (running in k8s). We figured that we can take the additional step and encrypt traffic between the ALB and contour as well to allow external authorization, but then discovered that the ALB doesn't forward SNI headers, which means it will only ever be able to hit a fallback certificate in envoy, which as said don't allow external auth servers. ALB is unfortunately a non-negotiable necessary component for us and surely many others, primarily as a place to plug in a WAF and public certificates, so just going with an NLB instead for example loses important functionality.
Because of this we're forced to go with a different ingress controller (unless there's some magic solution we're overlooking) solely so that we can have a functional external auth, which is very unfortunate as we really like how it has been implemented in contour apart from this snag.
The text was updated successfully, but these errors were encountered: