ROX-21779 Add envoy active listener #1602
Conversation
| filter_chains: | ||
| - filter_chain_match: |
There was a problem hiding this comment.
This whole filter chain was an attempt at using sni-based certificate selection, which doesn't work with openshift ingress
| @@ -859,87 +859,15 @@ objects: | |||
| address: 0.0.0.0 | |||
| port_value: 9001 | |||
| listener_filters: | |||
| - name: tls_inspector | |||
There was a problem hiding this comment.
TLS inspector was also added to perform SNI-based routing. No longer needed
| - transport_socket: | ||
| name: envoy.transport_sockets.tls | ||
| typed_config: | ||
| "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext | ||
| full_scan_certs_on_sni_mismatch: true |
There was a problem hiding this comment.
This was added to try selecting the proper certificate
| - certificate_chain: {filename: "/secrets/active-tls/tls.crt"} | ||
| private_key: {filename: "/secrets/active-tls/tls.key"} |
There was a problem hiding this comment.
This listener doesn't use this certificate, it was added to try resolving the correct cert
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: johannes94, ludydoo The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Openshift ingress does not forward SNI headers, so envoy is unable to distinguish requests coming from fleet-manager-envoy vs fleet-manager-active services, and unable to resolve the correct certificate.
The solution is to add a separate listener on a different port, to server the fleet-manager-active service and use the correct certificate.