[FEA][security] Complete PKI support for multi-cluster QUIC transport #19

@sbaum1994

Description

Is your feature request related to a problem? Please describe.

Multi-cluster self-managed NVCF needs transport encryption for worker-to-control-plane communication over QUIC. QUIC includes TLS, but the usual ingress and load balancer termination paths do not cover this case because cloud load balancers pass UDP through and Kubernetes Gateway API does not yet provide the QUIC certificate management behavior NVCF needs.

This work is already in progress. Some PKI implementation has merged, and the remaining work should be tracked against the POR so the public issue clearly distinguishes completed pieces from the remaining scope.

Describe the solution you'd like

Complete the cert-manager based PKI design for self-managed NVCF internal QUIC transport. Include the design document.

Describe alternatives you've considered

  • Cloud load balancer or Gateway API TLS termination is not sufficient because QUIC uses UDP passthrough in the target environments.
  • Calling OpenBao directly was considered, but cert-manager is preferred because it gives operators a pluggable issuer interface.
  • Mutual TLS is not part of this phase because client identity remains PSAT/OIDC based.
  • Manual certificate copying is not acceptable for a supported self-managed deployment because it is brittle across upgrades, renewal, and multi-cluster operations.

Additional context

N/A
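Added example (not code from this issue or from the NVCF project): the operational detail a cert-manager-based design has to get right on the worker side. cert-manager issues into a kubernetes.io/tls Secret (tls.crt and tls.key) and rewrites that Secret on renewal, so a long-lived QUIC listener must pick up the new pair without a restart, and must keep serving the last good pair if it catches the Secret mid-update. The snippet below wires that into crypto/tls via GetCertificate, which is what a quic-go listener consumes; the ALPN value "nvcf-worker", the worker name "worker-a.nvcf.internal" and the self-signed writer that stands in for cert-manager/OpenBao are all assumptions made for the example. Client identity is not touched, matching the note above that mTLS is out of scope for this phase.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"sync"
	"time"
)

// reloadingCert serves the tls.crt/tls.key pair cert-manager writes into a mounted Secret
// and swaps in the new pair when cert-manager renews it.
type reloadingCert struct {
	certPath, keyPath string
	mu                sync.RWMutex
	seen              string // tls.crt bytes of the pair currently being served
	cert              *tls.Certificate
}

// refresh re-reads tls.crt and, if it changed, loads the new pair. A pair that does not
// parse yet (for example a half-written Secret) is skipped and the old pair stays in place.
func (r *reloadingCert) refresh() error {
	certPEM, err := os.ReadFile(r.certPath)
	if err != nil {
		return err
	}
	r.mu.Lock()
	defer r.mu.Unlock()
	if r.cert != nil && string(certPEM) == r.seen {
		return nil
	}
	c, err := tls.LoadX509KeyPair(r.certPath, r.keyPath)
	if err != nil {
		return err
	}
	if c.Leaf, err = x509.ParseCertificate(c.Certificate[0]); err != nil {
		return err
	}
	r.cert, r.seen = &c, string(certPEM)
	return nil
}

// GetCertificate is the tls.Config hook; it runs on every handshake, so a renewed Secret
// is picked up without restarting the QUIC listener.
func (r *reloadingCert) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	err := r.refresh()
	r.mu.RLock()
	defer r.mu.RUnlock()
	if r.cert == nil {
		return nil, err
	}
	return r.cert, nil // after a failed refresh, keep serving the last good pair
}

// serverTLSConfig is what the QUIC listener (e.g. quic-go) would be handed. QUIC requires
// TLS 1.3; the ALPN value is a hypothetical placeholder, not an NVCF protocol name.
func serverTLSConfig(r *reloadingCert) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS13, GetCertificate: r.GetCertificate, NextProtos: []string{"nvcf-worker"}}
}

// writeSelfSigned stands in for cert-manager populating the Secret so the example runs
// offline (constructed fixture). The key lands first because refresh keys off tls.crt.
func writeSelfSigned(dir, cn string, serial int64) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return err
	}
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv)
	if err := os.WriteFile(filepath.Join(dir, "tls.key"), pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), 0o600); err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(dir, "tls.crt"), pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600)
}

func main() {
	dir, _ := os.MkdirTemp("", "nvcf-quic-pki")
	defer os.RemoveAll(dir)
	r := &reloadingCert{certPath: filepath.Join(dir, "tls.crt"), keyPath: filepath.Join(dir, "tls.key")}
	for serial := int64(1); serial <= 2; serial++ { // serial 2 plays the renewed Secret
		if err := writeSelfSigned(dir, "worker-a.nvcf.internal", serial); err != nil { // hypothetical worker name
			panic(err)
		}
		c, err := serverTLSConfig(r).GetCertificate(nil)
		if err != nil {
			panic(err)
		}
		fmt.Printf("serving %s serial=%d\n", c.Leaf.Subject.CommonName, c.Leaf.SerialNumber)
	}
}
```

Two deployment caveats go with this: the kubelet only refreshes a Secret volume that is mounted as a whole directory (a subPath mount of tls.crt never updates), and it does so on its sync interval, so the renewal window configured on the cert-manager Certificate must comfortably exceed that delay. Reading the file per handshake is cheap at worker-to-control-plane connection rates; a busier listener would move the refresh onto a timer or an fsnotify watch.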

Metadata

Labels

enhancement (New feature or request)