At a minimum include documentation on how to configure the system for end-to-end encryption. Optionally, include this as part of the IGW configuration or contract with gateways.
Why is this needed:
Enterprise requirements and regulations may dictate the use of TLS to secure communications inside the cluster.
This can be enabled by deploying a service mesh, which might be a relevant option in some deployments.
In other scenarios, IGW might need to support encryption directly.
EPP to model server (e.g., solved for metrics scraping by specifying the scheme via the `model-server-metrics-scheme` CLI option)
since metrics and inference are served over the same port, the use of the above also implies inference should be over TLS.
In the case of HTTP client requests, the gateway would need to upgrade the connection to model servers to use HTTPS.
There is no indication in InferencePool or EPP response (EPP returns IP:port to the gateway, not scheme) whether model servers serve over HTTPS.
Unfortunately, BackendTLSPolicy mandates a Service backend and can't be used for InferencePool backends. Gateway-specific configurations could be used in some cases (e.g., Istio DestinationRule) - but are implementation-dependent and place responsibility with the user (e.g., a "shadow service" is defined for the inference pool, but its name is computed at runtime).
What would you like to be added:
Support encryption on inference gateway communication paths.
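For the Istio case mentioned in this issue, a DestinationRule that makes the gateway originate TLS to the model servers could look like the following. This is an added example, not configuration from the issue or the project; the resource name, namespace, host, CA path and certificate identity are placeholders, and the shadow service name has to be looked up in the cluster because it is computed at runtime.

```yaml
# Added example: gateway-originated TLS to model servers via Istio.
# Every name and path below is a placeholder, not a value from the issue.
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: model-server-tls              # hypothetical resource name
  namespace: inference                # placeholder namespace
spec:
  # The shadow service defined for the InferencePool. Its name is computed
  # at runtime, so look it up instead of hard-coding a guess.
  host: <shadow-service-name>.inference.svc.cluster.local
  trafficPolicy:
    tls:
      mode: SIMPLE                    # originate TLS (HTTPS) to the backend
      # Verify the server certificate against a CA available to the gateway.
      caCertificates: /etc/certs/model-server-ca.pem    # placeholder path
      # Endpoints are picked by IP:port, so state the expected identity
      # explicitly for SNI and certificate SAN matching.
      sni: model-server.inference.example               # placeholder
      subjectAltNames:
        - model-server.inference.example                # placeholder
```

Leaving out `caCertificates` and `subjectAltNames` still encrypts the connection but does not authenticate the model server, which may not satisfy the regulatory requirement the issue describes.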