| Nick | Message | Time |
|---|---|---|
| skraynev_ | @gthiemonge : hello, does the octavia LB support mTLS? I cannot find any notes about it in the docs, but it looks like HAproxy supports it from version 2.2. | 09:51 |
gthiemonge | skraynev_: hey, yes, but we don't call it mTLS, it's called client authentication, it's described in the cookbook: https://docs.openstack.org/octavia/latest/user/guides/basic-cookbook.html#deploy-a-tls-terminated-https-load-balancer-with-client-authentication | 10:57 |
skraynev_ | awesome. thank you very much. I did not match it. | 10:58 |
gthiemonge | skraynev_: is there something new in haproxy 2.2? because we've been supporting client auth for a long time (with haproxy 1.x) | 10:58 |
gthiemonge | I'm looking at this blog post https://www.haproxy.com/blog/restrict-api-access-with-client-certificates-mtls | 10:59 |
gthiemonge | it's very similar to our implementation in the amphora driver | 10:59 |
skraynev_ | hm. looks like I misread it: https://www.haproxy.com/blog/restrict-api-access-with-client-certificates-mtls I read this line: "the ca-verify-file argument (introduced in HAProxy 2.2) " | 11:01 |
skraynev_ | sorry for the confusion | 11:01 |
skraynev_ | so due to one option, I decided that it's something "fresh" | 11:02 |
gthiemonge | yeah we don't use this option, maybe it's worth taking a look at it | 11:03 |
gthiemonge | https://github.com/openstack/octavia/blob/60287ed692f1d37a0279bb52cd262cdd95089204/octavia/common/jinja/haproxy/combined_listeners/templates/macros.j2#L37 | 11:04 |
johnsom | HAProxy added new options for how you specify the certificates in the config file. That was the change in 2.2 | 16:13 |