Serverless reverse proxy w/Envoy PoC
Description
In the Serverless area we want to move towards viable maturity soon. We do have an epic about it
The two most interesting problems that our users have are configuring a domain for their Knative deployment and configuring SSL.
We can resolve both by deploying a reverse proxy managed by GitLab that terminates a GitLab-provided certificate for a GitLab-provided domain and encrypts the traffic between itself and the cluster using mutual TLS.
Proposal
Envoy
Envoy is a popular edge proxy designed for Cloud Native applications.
It has support for dynamic configuration of listeners, SSL termination and supports mutual TLS through dynamic certificates configuration.
Pages
GitLab Pages is the project we use to serve the static content of Pages sites. Much of its implementation could be reused to proxy serverless requests: it already supports custom SSL certificates and Let's Encrypt, and we are working on adding support for the GitLab internal API.
Workhorse
We already deploy a GitLab-managed reverse proxy, GitLab Workhorse, so adding serverless proxying there could be another solution.
Envoy PoC scope
- Deploy Envoy proxy locally or in GCP / DO
- Prepare a service that provides configuration (it might be a stub service, perhaps written in Sinatra); a REST API is OK
- Deploy a Knative cluster somewhere, configure mutual TLS on the Istio ingress gateway
- Generate self-signed certificates, deploy them to the cluster
- Management server should provide certificates capable of performing the mTLS handshake
- Management server should provide listener / cluster details and routing details
- Investigate if we need a `Host:` request filter in Envoy, since the proxied domain may differ
- Check if Envoy proxies requests correctly and the traffic between a function and the front proxy is encrypted
- Configure front SSL and SSL termination (this is optional for the PoC, might be nice, though)
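As an added example (not code from this proposal, Envoy or GitLab), the mutual TLS items of the scope above in Go: a throwaway CA, one certificate for the cluster ingress and one for the front proxy, a loopback server standing in for the Istio ingress gateway that refuses any peer without a valid client certificate, and a probe showing that a proxy presenting the GitLab-provided certificate gets through while a TLS-only proxy is rejected. The names poc-ca, knative-ingress and gitlab-proxy are assumptions, and the httptest server only stands in for the cluster.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue generates a P-256 key and a certificate from tmpl. With parent == nil the
// certificate is self-signed (the throwaway PoC CA); otherwise parentKey signs it.
// Errors are fatal because this is PoC setup code, not a library.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key
}

// template returns a short-lived certificate template; isCA marks it as a signing CA.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // the stand-in ingress listens on loopback
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// PKI holds the PoC CA pool and the two leaf certificates: one for the cluster
// ingress (assumed name knative-ingress) and one for the GitLab front proxy.
type PKI struct {
	Pool           *x509.CertPool
	Ingress, Proxy tls.Certificate
}

func NewPKI() *PKI {
	_, caCert, caKey := issue(template("poc-ca", 1, true), nil, nil)
	ingress, _, _ := issue(template("knative-ingress", 2, false), caCert, caKey)
	proxy, _, _ := issue(template("gitlab-proxy", 3, false), caCert, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return &PKI{Pool: pool, Ingress: ingress, Proxy: proxy}
}

// IngressConfig is the cluster side of the handshake: present the ingress cert and
// refuse every peer that does not present a certificate chaining to the PoC CA.
func (p *PKI) IngressConfig() *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{p.Ingress},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    p.Pool,
		MinVersion:   tls.VersionTLS12,
	}
}

// ProxyConfig is the front-proxy side: trust the PoC CA and, when withCert is set,
// present the proxy's client certificate. withCert=false models a TLS-only proxy.
func (p *PKI) ProxyConfig(withCert bool) *tls.Config {
	cfg := &tls.Config{RootCAs: p.Pool, MinVersion: tls.VersionTLS12}
	if withCert {
		cfg.Certificates = []tls.Certificate{p.Proxy}
	}
	return cfg
}

// Probe starts an mTLS-only stand-in for the Knative ingress and tries to reach it
// with the given client config. It returns the body and whether the request
// succeeded; a rejected handshake yields ("", false).
func Probe(p *PKI, client *tls.Config) (string, bool) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// PeerCertificates is non-empty only because ClientAuth requires and verifies it.
		io.WriteString(w, "hello "+r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = p.IngressConfig()
	srv.StartTLS()
	defer srv.Close()

	c := &http.Client{Transport: &http.Transport{TLSClientConfig: client}}
	resp, err := c.Get(srv.URL)
	if err != nil {
		return "", false
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return string(body), resp.StatusCode == http.StatusOK
}

func main() {
	p := NewPKI()
	body, ok := Probe(p, p.ProxyConfig(true))
	fmt.Printf("with client cert:    ok=%v body=%q\n", ok, body)
	body, ok = Probe(p, p.ProxyConfig(false))
	fmt.Printf("without client cert: ok=%v body=%q\n", ok, body)
}
```

In the real PoC the ingress side is Istio's gateway with the GitLab-generated CA in its trust bundle, and the proxy side is the certificate the management server hands to Envoy; the same two checks (cert accepted, no cert rejected) are what "check that the traffic is encrypted" should verify.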
Pages / Workhorse PoC scope
- Implement proxying of `(\h{8})-(\h{8})-(\h{10}).serverless.gitlab.io` to a cluster provided by GitLab
- Implement mTLS support using certificates provided by GitLab
- Check if it works as expected
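For the `Host:` question in the Envoy scope and for the Pages / Workhorse scope above, an added Go example that is not Pages or Workhorse code: it parses the `(\h{8})-(\h{8})-(\h{10}).serverless.gitlab.io` pattern (Ruby's `\h` is a hex digit, written out for Go's RE2), resolves the three hex segments through a lookup that stands in for the GitLab-side API, and rewrites the outbound request so it goes to the cluster ingress over a transport carrying the GitLab-provided client certificate, with Host replaced by the name the cluster routes on. The Upstream type, the Lookup callback and the example.invalid hostnames are assumptions; the proposal does not say what each hex segment identifies, so they are kept as opaque segments.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"regexp"
	"strings"
)

// serverlessHost is the pattern from the proposal, (\h{8})-(\h{8})-(\h{10}).serverless.gitlab.io,
// in RE2 syntax: \h becomes [0-9a-f], the dots are escaped and the match is anchored so that a
// longer name that merely contains the suffix does not match.
var serverlessHost = regexp.MustCompile(`^([0-9a-f]{8})-([0-9a-f]{8})-([0-9a-f]{10})\.serverless\.gitlab\.io$`)

// Upstream says where a serverless hostname is proxied: the cluster ingress the front proxy
// connects to over mTLS, and the Host value the cluster routes on (it need not equal the
// public domain, which is why the proposal asks about a Host filter). Both are assumptions.
type Upstream struct {
	Ingress     *url.URL // e.g. https://ingress.example.invalid:443 (placeholder)
	ClusterHost string   // e.g. fn.ns.example.invalid (placeholder)
}

// Lookup maps the three hex segments to an upstream; in the PoC this is what the
// GitLab-side management API would answer. ok=false means unknown deployment.
type Lookup func(segments [3]string) (Upstream, bool)

// ParseServerlessHost strips any port, lower-cases the name and returns the three
// hex segments of a matching *.serverless.gitlab.io host.
func ParseServerlessHost(host string) ([3]string, bool) {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	m := serverlessHost.FindStringSubmatch(strings.ToLower(host))
	if m == nil {
		return [3]string{}, false
	}
	return [3]string{m[1], m[2], m[3]}, true
}

// resolve applies the pattern and the lookup to an inbound Host value.
func resolve(lookup Lookup, host string) (Upstream, bool) {
	segs, ok := ParseServerlessHost(host)
	if !ok {
		return Upstream{}, false
	}
	return lookup(segs)
}

// RewriteRequest points req at up: scheme and host of the outbound URL become the cluster
// ingress and Host becomes the name the cluster routes on. The public name is preserved in
// X-Forwarded-Host so the function can still see what the user typed.
func RewriteRequest(req *http.Request, up Upstream) {
	req.Header.Set("X-Forwarded-Host", req.Host)
	req.URL.Scheme = up.Ingress.Scheme
	req.URL.Host = up.Ingress.Host
	req.Host = up.ClusterHost
}

// ServerlessProxy returns a handler that answers 404 for unknown names and otherwise
// proxies to the cluster ingress. clientTLS carries the GitLab-provided client certificate
// (and CA) so the hop to the cluster is mTLS. Resolving twice is a PoC simplification.
func ServerlessProxy(lookup Lookup, clientTLS *tls.Config) http.Handler {
	rp := &httputil.ReverseProxy{
		Transport: &http.Transport{TLSClientConfig: clientTLS},
		Director: func(req *http.Request) {
			up, _ := resolve(lookup, req.Host) // already checked by the outer handler
			RewriteRequest(req, up)
		},
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, ok := resolve(lookup, r.Host); !ok {
			http.Error(w, "unknown serverless domain", http.StatusNotFound)
			return
		}
		rp.ServeHTTP(w, r)
	})
}

func main() {
	ingress, _ := url.Parse("https://ingress.example.invalid:443") // placeholder ingress
	// Constructed lookup table with a single known deployment.
	lookup := Lookup(func(segs [3]string) (Upstream, bool) {
		if segs == [3]string{"0123abcd", "89abcdef", "0123456789"} {
			return Upstream{Ingress: ingress, ClusterHost: "fn.ns.example.invalid"}, true
		}
		return Upstream{}, false
	})
	for _, h := range []string{"0123abcd-89abcdef-0123456789.serverless.gitlab.io:443", "x.serverless.gitlab.io.example.invalid"} {
		up, ok := resolve(lookup, h)
		fmt.Printf("%-56s ok=%v ingress=%v host=%q\n", h, ok, up.Ingress, up.ClusterHost)
	}
	// In the PoC this handler would be served with http.ListenAndServeTLS behind the front certificate.
	_ = ServerlessProxy(lookup, &tls.Config{MinVersion: tls.VersionTLS12})
}
```

Anchoring the pattern and rejecting a missing or short segment matters for a GitLab-managed wildcard domain: anything that matches is handed a GitLab-owned certificate and an mTLS-authenticated path into a customer cluster, so the match must be exact rather than a substring.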
Further details
This is an upstream dependency for https://gitlab.com/gitlab-org/gitlab-ce/issues/56467 and https://gitlab.com/gitlab-org/gitlab-ce/issues/64640