Support for TLS termination using an HSM

[kevinsookocheff-wf]

Hi,

We are looking at using nginx as a gateway. Our current logic for terminating TLS connections leverages an HSM (specifically AWS CloudHSM). I'm looking at replicating this using nginx gateway fabric but have trouble setting the configuration correctly with what is exposed by the nginx gateway fabric configuration options today. Any chance this could be added in the future?

As an example, the configuration I would like to be able to set is something like this:: https://docs.aws.amazon.com/cloudhsm/latest/userguide/ssl-offload-configure-web-server.html

[mpstefan]

Hey @kevinsookocheff-wf, this would be a pretty major feature on our part to include this specific type of certificate management directly into NGF, and while the use case is definitely valid, I'm not sure it is a specific feature we'd ever get to in NGF. Even our upcoming Snippets feature won't quite do what we need to make this work... so I see two approaches that might be able to help here, neither ideal:

1. Use some other certificate management software to update a secret in Kubernetes where your TLS certificates are stored that has AWS HSM support or is custom built. So long as the secret is updated, NGF will update to use the new certificate. Problem is getting the certificate in the HSM into a secret in the first place. A few Google searches didn't yield anything immediately obvious, but I imagine there's some solution out there that can fill this need.

2. Use a proxy NGINX instance, or any other proxy that can handle AWS HSM, to pass traffic to NGF - most likely from outside the cluster. In this case you'd need to re-encrypt traffic before it hits NGF, which isn't ideal, but if you setup your network so that you can only access the cluster from your proxy (NGINX, API Manager, something else) you could use the same certificates client side and manage the backend connection separately with internal certificates.

Unfortunately, if you directly edit the nginx.conf in your own custom image it'll just be overwritten by what we write for NGF, so that isn't an option either.

Sorry about that, but hopefully that gives you some leads!

[kevinsookocheff-wf]

Thank you @mpstefan. I know this is a niche use case! It would be great if we could see more cloud-based tooling support HSMs in the future.