An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
Hi Laha Prithwish, thx for sharing urs issue here at Q&A portal.
That limitation is about SNI passthrough using TLSRoute, not all backend TLS. It means AKS application routing currently doesn’t support passing the original client TLS session straight through the Gateway to an HTTPS backend using Gateway API TLSRoute. So this is not supported right now Client TLS > Gateway just passes SNI/TLS through > backend pod terminates TLS
But u can still usually do TLS termination at the Gateway and then connect to backend services depending on what the addon supports for the HTTPRoute/backend config.
So the difference is Client > HTTPS > Gateway terminates TLS > HTTP/HTTPS to backend
vs
Client > HTTPS passthrough > backend terminates TLS
The doc is saying the second one, SNI passthrough with TLSRoute, isn’t supported until AKS supports the needed Istio version. https://learn.microsoft.com/en-us/azure/aks/app-routing-gateway-api & https://gateway-api.sigs.k8s.io/api-types/tlsroute/ & https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/
If u need strict end-to-end TLS where the pod owns the cert and decrypts traffic itself, this addon may not fit yet. U may need Istio ingress directly, NGINX ingress with SSL passthrough, or another ingress/gateway option that supports TLS passthrough today.
Rgds,
Alex
&
If my answer was helpful pls mark it and additional thx if u follow me at Q&A portal
and at my blog https://ctrlaltdel.blog/