kumahq · jakubdyszkiewicz · Dec 1, 2020 · Nov 24, 2020 · Nov 30, 2020 · Nov 30, 2020
@@ -144,7 +144,7 @@ func (b *remoteBootstrap) requestForBootstrap(url *net_url.URL, cfg kuma_dp.Conf
 		if resp.StatusCode == http.StatusNotFound && string(bodyBytes) == "404: Page Not Found" { // response body of Go HTTP Server when hit for invalid endpoint
 			return nil, errors.New("There is no /bootstrap endpoint for provided CP address. Double check if the address passed to the CP has a DP Server port (5678 by default), not HTTP API (5681 by default)")
 		}
-		if resp.StatusCode == http.StatusUnprocessableEntity {
+		if resp.StatusCode/100 == 4 {
 			return nil, InvalidRequestErr(string(bodyBytes))
 		}
 		return nil, errors.Errorf("unexpected status code: %d", resp.StatusCode)

@@ -15,7 +15,9 @@ func SetupServer(rt runtime.Runtime) error {
 	if err := xds_server.RegisterXDS(rt, dpServer.grpcServer); err != nil {
 		return err
 	}
-	bootstrap.RegisterBootstrap(rt, dpServer.httpMux)
+	if err := bootstrap.RegisterBootstrap(rt, dpServer.httpMux); err != nil {
+		return err
+	}
 	if err := rt.Add(dpServer); err != nil {
 		return err
 	}

@@ -7,15 +7,20 @@ import (
 	core_runtime "github.com/kumahq/kuma/pkg/core/runtime"
 )
 
-func RegisterBootstrap(rt core_runtime.Runtime, mux *http.ServeMux) {
+func RegisterBootstrap(rt core_runtime.Runtime, mux *http.ServeMux) error {
+	generator, err := NewDefaultBootstrapGenerator(
+		rt.ResourceManager(),
+		rt.Config().BootstrapServer.Params,
+		rt.Config().DpServer.TlsCertFile,
+		rt.Config().DpServer.Auth.Type != dp_server.DpServerAuthNone,
+	)
+	if err != nil {
+		return err
+	}
 	bootstrapHandler := BootstrapHandler{
-		Generator: NewDefaultBootstrapGenerator(
-			rt.ResourceManager(),
-			rt.Config().BootstrapServer.Params,
-			rt.Config().DpServer.TlsCertFile,
-			rt.Config().DpServer.Auth.Type != dp_server.DpServerAuthNone,
-		),
+		Generator: generator,
 	}
 	log.Info("registering Bootstrap in Dataplane Server")
 	mux.HandleFunc("/bootstrap", bootstrapHandler.Handle)
+	return nil
 }
@@ -3,9 +3,13 @@ package bootstrap
 import (
 	"bytes"
 	"context"
+	"crypto/x509"
 	"encoding/base64"
+	"encoding/pem"
 	"fmt"
 	"io/ioutil"
+	"sort"
+	"strings"
 	"text/template"
 
 	"github.com/kumahq/kuma/pkg/core/resources/model"
@@ -33,22 +37,49 @@ type BootstrapGenerator interface {
 func NewDefaultBootstrapGenerator(
 	resManager core_manager.ResourceManager,
 	config *bootstrap_config.BootstrapParamsConfig,
-	cacertFile string,
+	dpServerCertFile string,
 	dpAuthEnabled bool,
-) BootstrapGenerator {
+) (BootstrapGenerator, error) {
+	hostsAndIps, err := hostsAndIPsFromCertFile(dpServerCertFile)
+	if err != nil {
+		return nil, err
+	}
 	return &bootstrapGenerator{
 		resManager:    resManager,
 		config:        config,
-		xdsCertFile:   cacertFile,
+		xdsCertFile:   dpServerCertFile,
 		dpAuthEnabled: dpAuthEnabled,
+		hostsAndIps:   hostsAndIps,
+	}, nil
+}
+
+func hostsAndIPsFromCertFile(dpServerCertFile string) (map[string]bool, error) {
+	certBytes, err := ioutil.ReadFile(dpServerCertFile)
+	if err != nil {
+		return nil, errors.Wrap(err, "could not read certificate")
+	}
+	pemCert, _ := pem.Decode(certBytes)
+	cert, err := x509.ParseCertificate(pemCert.Bytes)
+	if err != nil {
+		return nil, errors.Wrap(err, "could not parse certificate")
+	}
+
+	hostsAndIps := map[string]bool{}
+	for _, dnsName := range cert.DNSNames {
+		hostsAndIps[dnsName] = true
+	}
+	for _, ip := range cert.IPAddresses {
+		hostsAndIps[ip.String()] = true
 	}
+	return hostsAndIps, nil
 }
 
 type bootstrapGenerator struct {
 	resManager    core_manager.ResourceManager
 	config        *bootstrap_config.BootstrapParamsConfig
 	dpAuthEnabled bool
 	xdsCertFile   string
+	hostsAndIps   map[string]bool
 }
 
 func (b *bootstrapGenerator) Generate(ctx context.Context, request types.BootstrapRequest) (proto.Message, error) {
@@ -75,10 +106,34 @@ func (b *bootstrapGenerator) Generate(ctx context.Context, request types.Bootstr
 
 var DpTokenRequired = errors.New("Dataplane Token is required. Generate token using 'kumactl generate dataplane-token > /path/file' and provide it via --dataplane-token-file=/path/file argument to Kuma DP")
 
+func SANMismatchErr(host string, sans []string) error {
+	return errors.Errorf("A data plane proxy is trying to connect to the control plane using %q address, but the certificate in the control plane has the following SANs %q. "+
+		"Either change the --cp-address in kuma-dp to one of those or execute the following steps:\n"+
+		"1) Generate a new certificate with the address you are trying to use. It is recommended to use trusted Certificate Authority, but you can also generate self-signed certificates using 'kumactl generate tls-certificate --type=server --cp-hostname=%s'\n"+
+		"2) Set KUMA_GENERAL_TLS_CERT_FILE and KUMA_GENERAL_TLS_KEY_FILE or the equivalent in Kuma CP config file to the new certificate.\n"+
+		"3) Restart the control plane to read the new certificate and start kuma-dp.", host, sans, host)
+}
+
+func ISSanMismatchErr(err error) bool {
+	if err == nil {
+		return false
+	}
+	return strings.HasPrefix(err.Error(), "A data plane proxy is trying to connect to the control plane using")
+}
+
 func (b *bootstrapGenerator) validateRequest(request types.BootstrapRequest) error {
 	if b.dpAuthEnabled && request.DataplaneTokenPath == "" {
 		return DpTokenRequired
 	}
+	host := b.xdsHost(request)
+	if !b.hostsAndIps[host] {
+		sans := []string{}
+		for san := range b.hostsAndIps {
+			sans = append(sans, san)
+		}
+		sort.Strings(sans)
+		return SANMismatchErr(host, sans)
+	}
 	return nil
 }
 
@@ -142,13 +197,6 @@ func (b *bootstrapGenerator) generateFor(proxyId core_xds.ProxyId, dataplane *co
 		return nil, err
 	}
 
-	xdsHost := ""
-	if b.config.XdsHost != "" {
-		xdsHost = b.config.XdsHost
-	} else {
-		xdsHost = request.Host
-	}
-
 	var certBytes string = ""
 	if b.xdsCertFile != "" {
 		cert, err := ioutil.ReadFile(b.xdsCertFile)
@@ -164,7 +212,7 @@ func (b *bootstrapGenerator) generateFor(proxyId core_xds.ProxyId, dataplane *co
 		AdminAddress:       b.config.AdminAddress,
 		AdminPort:          adminPort,
 		AdminAccessLogPath: b.config.AdminAccessLogPath,
-		XdsHost:            xdsHost,
+		XdsHost:            b.xdsHost(request),
 		XdsPort:            b.config.XdsPort,
 		XdsConnectTimeout:  b.config.XdsConnectTimeout,
 		AccessLogPipe:      accessLogPipe,
@@ -176,6 +224,14 @@ func (b *bootstrapGenerator) generateFor(proxyId core_xds.ProxyId, dataplane *co
 	return b.configForParameters(params)
 }
 
+func (b *bootstrapGenerator) xdsHost(request types.BootstrapRequest) string {
+	if b.config.XdsHost != "" {
+		return b.config.XdsHost
+	} else {
+		return request.Host
+	}
+}
+
 func (b *bootstrapGenerator) verifyAdminPort(adminPort uint32, dataplane *core_mesh.DataplaneResource) error {
 	// The admin port in kuma-dp is always bound to 127.0.0.1
 	if dataplane.UsesInboundInterface(core_mesh.IPv4Loopback, adminPort) {

@@ -77,7 +77,8 @@ var _ = Describe("bootstrapGenerator", func() {
 	DescribeTable("should generate bootstrap configuration",
 		func(given testCase) {
 			// setup
-			generator := NewDefaultBootstrapGenerator(resManager, given.config(), filepath.Join("..", "..", "..", "test", "certs", "server-cert.pem"), given.dpAuthEnabled)
+			generator, err := NewDefaultBootstrapGenerator(resManager, given.config(), filepath.Join("..", "..", "..", "test", "certs", "server-cert.pem"), given.dpAuthEnabled)
+			Expect(err).ToNot(HaveOccurred())
 
 			// when
 			bootstrapConfig, err := generator.Generate(context.Background(), given.request)
@@ -101,7 +102,7 @@ var _ = Describe("bootstrapGenerator", func() {
 			dpAuthEnabled: false,
 			config: func() *bootstrap_config.BootstrapParamsConfig {
 				cfg := bootstrap_config.DefaultBootstrapParamsConfig()
-				cfg.XdsHost = "127.0.0.1"
+				cfg.XdsHost = "localhost"
 				cfg.XdsPort = 5678
 				return cfg
 			},
@@ -115,7 +116,7 @@ var _ = Describe("bootstrapGenerator", func() {
 			dpAuthEnabled: true,
 			config: func() *bootstrap_config.BootstrapParamsConfig {
 				cfg := bootstrap_config.DefaultBootstrapParamsConfig()
-				cfg.XdsHost = "127.0.0.1"
+				cfg.XdsHost = "localhost"
 				cfg.XdsPort = 5678
 				return cfg
 			},
@@ -134,7 +135,7 @@ var _ = Describe("bootstrapGenerator", func() {
 					AdminAddress:       "192.168.0.1", // by default, Envoy Admin interface should listen on loopback address
 					AdminPort:          9902,          // by default, turn off Admin interface of Envoy
 					AdminAccessLogPath: "/var/log",
-					XdsHost:            "kuma-control-plane.internal",
+					XdsHost:            "localhost",
 					XdsPort:            15678,
 					XdsConnectTimeout:  2 * time.Second,
 				}
@@ -152,7 +153,7 @@ var _ = Describe("bootstrapGenerator", func() {
 					AdminAddress:       "192.168.0.1", // by default, Envoy Admin interface should listen on loopback address
 					AdminPort:          9902,          // by default, turn off Admin interface of Envoy
 					AdminAccessLogPath: "/var/log",
-					XdsHost:            "kuma-control-plane.internal",
+					XdsHost:            "localhost",
 					XdsPort:            15678,
 					XdsConnectTimeout:  2 * time.Second,
 				}
@@ -228,10 +229,11 @@ var _ = Describe("bootstrapGenerator", func() {
 
 		// given
 		params := bootstrap_config.DefaultBootstrapParamsConfig()
-		params.XdsHost = "127.0.0.1"
+		params.XdsHost = "localhost"
 		params.XdsPort = 5678
 
-		generator := NewDefaultBootstrapGenerator(resManager, params, "", false)
+		generator, err := NewDefaultBootstrapGenerator(resManager, params, filepath.Join("..", "..", "..", "test", "certs", "server-cert.pem"), false)
+		Expect(err).ToNot(HaveOccurred())
 		request := types.BootstrapRequest{
 			Mesh:      "mesh",
 			Name:      "name-1.namespace",
@@ -292,10 +294,11 @@ var _ = Describe("bootstrapGenerator", func() {
 
 		// given
 		params := bootstrap_config.DefaultBootstrapParamsConfig()
-		params.XdsHost = "127.0.0.1"
+		params.XdsHost = "localhost"
 		params.XdsPort = 5678
 
-		generator := NewDefaultBootstrapGenerator(resManager, params, "", false)
+		generator, err := NewDefaultBootstrapGenerator(resManager, params, filepath.Join("..", "..", "..", "test", "certs", "server-cert.pem"), false)
+		Expect(err).ToNot(HaveOccurred())
 		request := types.BootstrapRequest{
 			Mesh:      "mesh",
 			Name:      "name-3.namespace",
@@ -308,6 +311,29 @@ var _ = Describe("bootstrapGenerator", func() {
 		Expect(err).To(HaveOccurred())
 		// and
 		Expect(err.Error()).To(Equal("Resource precondition failed: Port 9901 requested as both admin and outbound port."))
+	})
+
+	It("should fail bootstrap due to invalid hostname", func() {
+		// given
+		params := bootstrap_config.DefaultBootstrapParamsConfig()
 
+		generator, err := NewDefaultBootstrapGenerator(resManager, params, filepath.Join("..", "..", "..", "test", "certs", "server-cert.pem"), false)
+		Expect(err).ToNot(HaveOccurred())
+		request := types.BootstrapRequest{
+			Mesh:      "mesh",
+			Name:      "name-3.namespace",
+			AdminPort: 9901,
+			Host:      "kuma.internal",
+		}
+
+		// when
+		_, err = generator.Generate(context.Background(), request)
+		// then
+		Expect(err).To(HaveOccurred())
+		// and
+		Expect(err.Error()).To(Equal(`A data plane proxy is trying to connect to the control plane using "kuma.internal" address, but the certificate in the control plane has the following SANs ["localhost"]. Either change the --cp-address in kuma-dp to one of those or execute the following steps:
+1) Generate a new certificate with the address you are trying to use. It is recommended to use trusted Certificate Authority, but you can also generate self-signed certificates using 'kumactl generate tls-certificate --type=server --cp-hostname=kuma.internal'
+2) Set KUMA_GENERAL_TLS_CERT_FILE and KUMA_GENERAL_TLS_KEY_FILE or the equivalent in Kuma CP config file to the new certificate.
+3) Restart the control plane to read the new certificate and start kuma-dp.`))
 	})
 })
@@ -80,6 +80,14 @@ func handleError(resp http.ResponseWriter, err error, logger logr.Logger) {
 		}
 		return
 	}
+	if ISSanMismatchErr(err) {
+		resp.WriteHeader(http.StatusBadRequest)
+		_, err = resp.Write([]byte(err.Error()))
+		if err != nil {
+			logger.Error(err, "Error while writing the response")
+		}
+		return
+	}
 	if store.IsResourceNotFound(err) {
 		resp.WriteHeader(http.StatusNotFound)
 		return

@@ -45,7 +45,7 @@ var _ = Describe("Bootstrap Server", func() {
 	BeforeEach(func() {
 		resManager = manager.NewResourceManager(memory.NewStore())
 		config = bootstrap_config.DefaultBootstrapParamsConfig()
-		config.XdsHost = "127.0.0.1"
+		config.XdsHost = "localhost"
 		config.XdsPort = 5678
 
 		port, err := test.GetFreePort()
@@ -61,8 +61,10 @@ var _ = Describe("Bootstrap Server", func() {
 		}
 		dpServer := dp_server.NewDpServer(dpServerCfg, metrics)
 
+		generator, err := bootstrap.NewDefaultBootstrapGenerator(resManager, config, filepath.Join("..", "..", "..", "test", "certs", "server-cert.pem"), true)
+		Expect(err).ToNot(HaveOccurred())
 		bootstrapHandler := bootstrap.BootstrapHandler{
-			Generator: bootstrap.NewDefaultBootstrapGenerator(resManager, config, "", true),
+			Generator: generator,
 		}
 		dpServer.HTTPMux().HandleFunc("/bootstrap", bootstrapHandler.Handle)
 

@@ -10,9 +10,13 @@ dynamicResources:
                   '@type': type.googleapis.com/envoy.config.grpc_credential.v2alpha.FileBasedMetadataConfig
                   secretData:
                     filename: /tmp/token
+          channelCredentials:
+            sslCredentials:
+              rootCerts:
+                inlineBytes: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURMRENDQWhTZ0F3SUJBZ0lRSGRQaHhPZlhnV3VOeG9GbFYvRXdxVEFOQmdrcWhraUc5dzBCQVFzRkFEQVAKTVEwd0N3WURWUVFERXdScmRXMWhNQjRYRFRJd01Ea3hOakV5TWpnME5Gb1hEVE13TURreE5ERXlNamcwTkZvdwpEekVOTUFzR0ExVUVBeE1FYTNWdFlUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCCkFPWkdiV2hTbFFTUnhGTnQ1cC8yV0NLRnlIWjNDdXdOZ3lMRVA3blM0Wlh5a3hzRmJZU3VWM2JJZ0Y3YlQvdXEKYTVRaXJlK0M2MGd1aEZicExjUGgyWjZVZmdJZDY5R2xRekhNVlljbUxHalZRdXlBdDRGTU1rVGZWRWw1STRPYQorMml0M0J2aWhWa0toVXo4eTVSUjVLYnFKZkdwNFoyMEZoNmZ0dG9DRmJlT0RtdkJzWUpGbVVRUytpZm95TVkvClAzUjAzU3U3ZzVpSXZuejd0bWt5ZG9OQzhuR1JEemRENUM4Zkp2clZJMVVYNkpSR3lMS3Q0NW9RWHQxbXhLMTAKNUthTjJ6TlYyV3RIc2FKcDlid3JQSCtKaVpHZVp5dnVoNVV3ckxkSENtcUs3c205VG9kR3p0VVpZMFZ6QWM0cQprWVZpWFk4Z1VqZk5tK2NRclBPMWtOOENBd0VBQWFPQmd6Q0JnREFPQmdOVkhROEJBZjhFQkFNQ0FxUXdIUVlEClZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQk1BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWUQKVlIwT0JCWUVGR01EQlBQaUJGSjNtdjJvQTlDVHFqZW1GVFYyTUI4R0ExVWRFUVFZTUJhQ0NXeHZZMkZzYUc5egpkSUlKYkc5allXeG9iM04wTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFDLzE3UXdlT3BHZGIxTUVCSjhYUEc3CjNzSy91dG9XTFgxdGpmOFN1MURnYTZDRFQvZVRXSFpyV1JmODFLT1ZZMDdkbGU1U1JJREsxUWhmYkdHdEZQK1QKdlprcm9vdXNJOVVTMmFDV2xrZUNaV0dUbnF2TG1Eb091anFhZ0RvS1JSdWs0bVFkdE5Ob254aUwvd1p0VEZLaQorMWlOalVWYkxXaURYZEJMeG9SSVZkTE96cWIvTU54d0VsVXlhVERBa29wUXlPV2FURGtZUHJHbWFXamNzZlBHCmFPS293MHplK3pIVkZxVEhiam5DcUVWM2huc1V5UlV3c0JsbjkrakRKWGd3Wk0vdE1sVkpyWkNoMFNsZTlZNVoKTU9CMGZDZjZzVE1OUlRHZzVMcGw2dUlZTS81SU5wbUhWTW8zbjdNQlNucEVEQVVTMmJmL3VvNWdJaXE2WENkcAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
           credentialsFactoryName: envoy.grpc_credentials.file_based_metadata
           statPrefix: ads
-          targetUri: 127.0.0.1:5678
+          targetUri: localhost:5678
   cdsConfig:
     ads: {}
   ldsConfig:

@@ -16,9 +16,13 @@ dynamicResources:
                   '@type': type.googleapis.com/envoy.config.grpc_credential.v2alpha.FileBasedMetadataConfig
                   secretData:
                     filename: /tmp/token
+          channelCredentials:
+            sslCredentials:
+              rootCerts:
+                inlineBytes: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURMRENDQWhTZ0F3SUJBZ0lRSGRQaHhPZlhnV3VOeG9GbFYvRXdxVEFOQmdrcWhraUc5dzBCQVFzRkFEQVAKTVEwd0N3WURWUVFERXdScmRXMWhNQjRYRFRJd01Ea3hOakV5TWpnME5Gb1hEVE13TURreE5ERXlNamcwTkZvdwpEekVOTUFzR0ExVUVBeE1FYTNWdFlUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCCkFPWkdiV2hTbFFTUnhGTnQ1cC8yV0NLRnlIWjNDdXdOZ3lMRVA3blM0Wlh5a3hzRmJZU3VWM2JJZ0Y3YlQvdXEKYTVRaXJlK0M2MGd1aEZicExjUGgyWjZVZmdJZDY5R2xRekhNVlljbUxHalZRdXlBdDRGTU1rVGZWRWw1STRPYQorMml0M0J2aWhWa0toVXo4eTVSUjVLYnFKZkdwNFoyMEZoNmZ0dG9DRmJlT0RtdkJzWUpGbVVRUytpZm95TVkvClAzUjAzU3U3ZzVpSXZuejd0bWt5ZG9OQzhuR1JEemRENUM4Zkp2clZJMVVYNkpSR3lMS3Q0NW9RWHQxbXhLMTAKNUthTjJ6TlYyV3RIc2FKcDlid3JQSCtKaVpHZVp5dnVoNVV3ckxkSENtcUs3c205VG9kR3p0VVpZMFZ6QWM0cQprWVZpWFk4Z1VqZk5tK2NRclBPMWtOOENBd0VBQWFPQmd6Q0JnREFPQmdOVkhROEJBZjhFQkFNQ0FxUXdIUVlEClZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQk1BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWUQKVlIwT0JCWUVGR01EQlBQaUJGSjNtdjJvQTlDVHFqZW1GVFYyTUI4R0ExVWRFUVFZTUJhQ0NXeHZZMkZzYUc5egpkSUlKYkc5allXeG9iM04wTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFDLzE3UXdlT3BHZGIxTUVCSjhYUEc3CjNzSy91dG9XTFgxdGpmOFN1MURnYTZDRFQvZVRXSFpyV1JmODFLT1ZZMDdkbGU1U1JJREsxUWhmYkdHdEZQK1QKdlprcm9vdXNJOVVTMmFDV2xrZUNaV0dUbnF2TG1Eb091anFhZ0RvS1JSdWs0bVFkdE5Ob254aUwvd1p0VEZLaQorMWlOalVWYkxXaURYZEJMeG9SSVZkTE96cWIvTU54d0VsVXlhVERBa29wUXlPV2FURGtZUHJHbWFXamNzZlBHCmFPS293MHplK3pIVkZxVEhiam5DcUVWM2huc1V5UlV3c0JsbjkrakRKWGd3Wk0vdE1sVkpyWkNoMFNsZTlZNVoKTU9CMGZDZjZzVE1OUlRHZzVMcGw2dUlZTS81SU5wbUhWTW8zbjdNQlNucEVEQVVTMmJmL3VvNWdJaXE2WENkcAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
           credentialsFactoryName: envoy.grpc_credentials.file_based_metadata
           statPrefix: ads
-          targetUri: 127.0.0.1:5678
+          targetUri: localhost:5678
   cdsConfig:
     ads: {}
   ldsConfig:

@@ -10,9 +10,13 @@ dynamicResources:
                   '@type': type.googleapis.com/envoy.config.grpc_credential.v2alpha.FileBasedMetadataConfig
                   secretData:
                     filename: /tmp/token
+          channelCredentials:
+            sslCredentials:
+              rootCerts:
+                inlineBytes: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURMRENDQWhTZ0F3SUJBZ0lRSGRQaHhPZlhnV3VOeG9GbFYvRXdxVEFOQmdrcWhraUc5dzBCQVFzRkFEQVAKTVEwd0N3WURWUVFERXdScmRXMWhNQjRYRFRJd01Ea3hOakV5TWpnME5Gb1hEVE13TURreE5ERXlNamcwTkZvdwpEekVOTUFzR0ExVUVBeE1FYTNWdFlUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCCkFPWkdiV2hTbFFTUnhGTnQ1cC8yV0NLRnlIWjNDdXdOZ3lMRVA3blM0Wlh5a3hzRmJZU3VWM2JJZ0Y3YlQvdXEKYTVRaXJlK0M2MGd1aEZicExjUGgyWjZVZmdJZDY5R2xRekhNVlljbUxHalZRdXlBdDRGTU1rVGZWRWw1STRPYQorMml0M0J2aWhWa0toVXo4eTVSUjVLYnFKZkdwNFoyMEZoNmZ0dG9DRmJlT0RtdkJzWUpGbVVRUytpZm95TVkvClAzUjAzU3U3ZzVpSXZuejd0bWt5ZG9OQzhuR1JEemRENUM4Zkp2clZJMVVYNkpSR3lMS3Q0NW9RWHQxbXhLMTAKNUthTjJ6TlYyV3RIc2FKcDlid3JQSCtKaVpHZVp5dnVoNVV3ckxkSENtcUs3c205VG9kR3p0VVpZMFZ6QWM0cQprWVZpWFk4Z1VqZk5tK2NRclBPMWtOOENBd0VBQWFPQmd6Q0JnREFPQmdOVkhROEJBZjhFQkFNQ0FxUXdIUVlEClZSMGxCQll3RkFZSUt3WUJCUVVIQXdFR0NDc0dBUVVGQndNQk1BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWUQKVlIwT0JCWUVGR01EQlBQaUJGSjNtdjJvQTlDVHFqZW1GVFYyTUI4R0ExVWRFUVFZTUJhQ0NXeHZZMkZzYUc5egpkSUlKYkc5allXeG9iM04wTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFDLzE3UXdlT3BHZGIxTUVCSjhYUEc3CjNzSy91dG9XTFgxdGpmOFN1MURnYTZDRFQvZVRXSFpyV1JmODFLT1ZZMDdkbGU1U1JJREsxUWhmYkdHdEZQK1QKdlprcm9vdXNJOVVTMmFDV2xrZUNaV0dUbnF2TG1Eb091anFhZ0RvS1JSdWs0bVFkdE5Ob254aUwvd1p0VEZLaQorMWlOalVWYkxXaURYZEJMeG9SSVZkTE96cWIvTU54d0VsVXlhVERBa29wUXlPV2FURGtZUHJHbWFXamNzZlBHCmFPS293MHplK3pIVkZxVEhiam5DcUVWM2huc1V5UlV3c0JsbjkrakRKWGd3Wk0vdE1sVkpyWkNoMFNsZTlZNVoKTU9CMGZDZjZzVE1OUlRHZzVMcGw2dUlZTS81SU5wbUhWTW8zbjdNQlNucEVEQVVTMmJmL3VvNWdJaXE2WENkcAotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
           credentialsFactoryName: envoy.grpc_credentials.file_based_metadata
           statPrefix: ads
-          targetUri: 127.0.0.1:5678
+          targetUri: localhost:5678
   cdsConfig:
     ads: {}
   ldsConfig: