External mTLS

[deniskhas]

Hello,
We are considering migration from ingress-nginx into Gateway API (and specifically nginx-gateway-fabric implementation).
Majority of use cases works perfectly but I stumble upon a problem with mtls configuration.
In ingress we do

nginx.ingress.kubernetes.io/auth-tls-match-cn: CN=.*ingest-otlp                                                                                                                                                  
nginx.ingress.kubernetes.io/auth-tls-secret: ...
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on" 

We do not want to have Gateway per app/ns (costs related with LoadBalancer per app/ns) and to configure all possible certificates in Gateway (as number of apps are big and dynamic). Is there a way to do it ?

kubernetes-sigs/gateway-api#91

[sjberman]

Hi @deniskhas, looks like there are a couple things to address here.

For one, we don't yet have mTLS support for client -> gateway communication. While we support server verification, we haven't implemented client verification, which can be done using FrontendTLS on a Gateway. This is something that we'll need to add to our roadmap.

The second part looks like a common issue that has been echoed in the Gateway API community, where you would prefer to configure certificates per app. There is currently an experimental feature called ListenerSets that is likely going to be promoted to standard soon. This is on our roadmap to support due to the increasing interest from users.

Hopefully these would address your concerns? We appreciate the feedback to help us prioritize and understand what our users need!