Serverless reverse proxy w/Envoy PoC

Description

In the Serverless area we want to move towards viable maturity soon. We do have an epic about it &1726 (closed)

The two most interesting problems our users have are configuring a domain for their Knative deployment and configuring SSL.

We can resolve both problems by deploying a GitLab-managed reverse proxy that terminates TLS using a GitLab-provided certificate for a GitLab-provided domain and encrypts the traffic between itself and the cluster using mutual TLS.

Proposal

Envoy

Envoy is a popular edge proxy designed for Cloud Native applications.

It has support for dynamic configuration of listeners, SSL termination and supports mutual TLS through dynamic certificates configuration.

Pages

GitLab Pages is the project we use to serve static Pages content. It has a lot of implementation that we could reuse to proxy serverless requests: it already supports custom SSL certificates / Let's Encrypt, and we are working on adding support for the GitLab internal API.

Workhorse

We already deploy a GitLab-managed reverse proxy, GitLab Workhorse, so adding serverless proxying there could be another solution.

Envoy PoC scope

  • Deploy Envoy proxy locally or in GCP / DO
  • Prepare a service that provides configuration (it might be a stub service, perhaps written in Sinatra), REST API is ok
  • Deploy Knative cluster somewhere, configure mutual TLS on Istio ingress gateway
  • Generate self-signed certificates, deploy them to a cluster
  • Management server should provide certificates capable of performing the mTLS handshake
  • Management server should provide listener / cluster details and routing details
  • Investigate whether we need a Host: request header rewrite filter in Envoy, since the proxied domain may differ from the one the cluster routes on
  • Check if Envoy proxies requests correctly and the traffic between a function and front proxy is encrypted
  • Configure front SSL and SSL termination (this is optional for the PoC, might be nice, though)
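
As an added example (not part of this issue or of GitLab's own code), a static Envoy v3 bootstrap that covers the scope items above in one place: front TLS termination for `*.serverless.gitlab.io`, a Host: rewrite toward the Knative route, and a client-certificate (mTLS) upstream to the Istio ingress gateway. In the PoC these resources would be served by the management server over xDS instead of being static; all certificate paths and hostnames below are placeholders.

```yaml
static_resources:
  listeners:
  - name: serverless_https
    address: { socket_address: { address: 0.0.0.0, port_value: 8443 } }
    filter_chains:
    - transport_socket:   # front SSL: terminate the GitLab-provided certificate
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            tls_certificates:
            - certificate_chain: { filename: /etc/envoy/certs/front.crt }   # placeholder paths
              private_key: { filename: /etc/envoy/certs/front.key }
      filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: serverless
          route_config:
            virtual_hosts:
            - name: serverless
              domains: ["*.serverless.gitlab.io"]
              routes:
              - match: { prefix: "/" }
                route:
                  cluster: knative_ingress
                  # proxied domain differs from the Knative route host, so rewrite Host:
                  host_rewrite_literal: hello.default.example.com   # placeholder Knative host
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: knative_ingress
    type: STRICT_DNS
    load_assignment:
      cluster_name: knative_ingress
      endpoints:
      - lb_endpoints:
        - endpoint: { address: { socket_address: { address: istio-ingressgateway.example.invalid, port_value: 443 } } }
    transport_socket:   # mTLS to the cluster: present a client cert, verify the gateway against the cluster CA
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        common_tls_context:
          tls_certificates:
          - certificate_chain: { filename: /etc/envoy/certs/client.crt }
            private_key: { filename: /etc/envoy/certs/client.key }
          validation_context:
            trusted_ca: { filename: /etc/envoy/certs/cluster-ca.crt }
```

The upstream `validation_context` is what makes the hop mutual: without it Envoy would present a client certificate but accept any gateway certificate, which defeats the encryption guarantee the PoC is meant to check.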

Pages / Workhorse PoC scope

  • Implement proxying of (\h{8})-(\h{8})-(\h{10}).serverless.gitlab.io to a cluster provided by GitLab
  • Implement mTLS support using certificates provided by GitLab
  • Check if it works as expected

Further details

This is an upstream dependency for https://gitlab.com/gitlab-org/gitlab-ce/issues/56467 and https://gitlab.com/gitlab-org/gitlab-ce/issues/64640

Edited by Daniel Gruesso