Contribute guides for TLS #374
Conversation
✅ Deploy Preview for elastic-nobel-0aef7a ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
|
In draft, as I still need to verify all is correct. |
| servers: | ||
| - hosts: | ||
| - '*' |
There was a problem hiding this comment.
The domain seems too broad. It would be better to narrow it down to *.svc.cluster.local."
There was a problem hiding this comment.
I saw in Knative docs that the provided manifests also use * for their local gateway. So, I simply used the same.
I can change if you think it is really better.
There was a problem hiding this comment.
This may need to match the cname in the tls credential
| ``` | ||
|
|
||
| You will need to create a Secret named `kserve-cluster-local-tls` holding the TLS certificate. You may get this certificate from cert-manager. |
There was a problem hiding this comment.
It would be good to add here that the Secret should be created under the istio-system.
There was a problem hiding this comment.
just a few comments, not mandatory though.
Nice doc @israel-hdez
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: israel-hdez, spolti The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Sounds good @edgar, thanks! |
This adds documentation for guiding users on how to secure KServe workloads with TLS. The guides are broken down in several sections: from what is needed to enable mTLS in Istio, to how to allow requests from workloads outside the service mesh and still secure traffic with TLS. Signed-off-by: Edgar Hernández <[email protected]>
|
I pushed some small amendments and confirmed that the configurations work. |
|
/assign @yuzisun |
| namespace: istio-system | ||
| labels: | ||
| experimental.istio.io/disable-gateway-port-translation: "true" |
There was a problem hiding this comment.
What does this label do ? might be good to add an explanation
There was a problem hiding this comment.
I simply took it from Knative's gateway manifests, to have similar configurations here in KServe.
It is related to this issue: kubeflow/manifests#2082. Istio added this label as a workaround.
AFAIK, Istio has already implemented the long-term solution, but Knative still hasn't moved to it. Istio project may simply drop this label, given it is experimental. I may propose the migration to Knative project, and then we could also move.
| "knativeLocalGatewayService": "knative-local-gateway.istio-system.svc.cluster.local", | ||
| "localGateway": "istio-system/kserve-local-gateway", | ||
| "localGatewayService": "kserve-local-gateway.istio-system.svc.cluster.local" | ||
| } |
There was a problem hiding this comment.
Would be nice to include a diagram to explain the data plane path how the traffic is secured with these configured gateways
Proposed Changes
This adds documentation for guiding users on how to secure KServe workloads with TLS. The guides are broken down in several sections: from what is needed to enable mTLS in Istio, to how to allow requests from workloads outside the service mesh and still secure traffic with TLS.
This documentation is valid only after kserve/kserve#3737 is merged.