Hi all
Is it possible to have Envoy expose an _inbound_ HTTP/2 CONNECT or HTTP/3 CONNECT session as a listener over which it can route other proxied traffic?
I know Envoy can do HTTP upgrades and HTTP CONNECT termination when both the tunnelled connections and tunnelling connection are initiated from the same direction, but I want the tunneling connection used as a transport to be initiated from the destination end of the tunnelled connections. So Envoy accepts a remote-initiated connection to use as a reverse tunnel.
The underlying problem is that I have a hub-and-spoke configuration where I want to transit east-west traffic between the hub kube network and select services on the spokes' independent kube networks. The spokes are behind NAT and restrictive firewalls; they are not Internet-reachable and cannot be connected to via a VPN. There is no common private trunk or backbone that can be used to peer them. But the spokes *can* initiate and maintain connections to the hub. I'm trying to expose one specific service on each spoke to the hub so the hub can initiate queries to that specific service on each spoke, and nothing else.
You'd think this would be a well-solved problem in the k8s space, but all the multi-network, multi-mesh peering and federation options I've looked into (Istio, Consul, etc.) require mutual reachability, where the "spokes" are publicly routable from the hub. And I've been unable to find any sort of kube-friendly reverse tunneling operator or reverse-tunnel proxy management tool. The underlying tools like "ssh -R" exist and I found an HTTP/2 based reverse tunnel tool https://github.com/hotnops/gtunnel, but they'll all require quite a bit of glue to make them play nicely in kube.
So I was hoping to use my existing Istio and Envoy deployment with some custom Envoy rules/config or even a plugin to do these reverse tunnels. But I can't find any sign it's possible in Envoy. Am I missing something, or can this just not be done?
Related: