- Story
- Resolution: Unresolved
- Normal
Envoy should allow duplicated endpoints so that traffic can be routed to multiple remote ingresses through a single egress gateway. This is required to implement a cross-network egress gateway for ambient mode; read the ambient section in the design doc for more context.
Background context:
Currently, it is possible to apply a different SNI per endpoint in a single cluster, but only if the endpoints have unique addresses, e.g.

clusters:
- name: server_cluster
  type: STRICT_DNS
  connect_timeout: 1s
  lb_policy: ROUND_ROBIN
  load_assignment:
    cluster_name: server_cluster
    endpoints:
    - lb_endpoints:
      - endpoint:
          address: { socket_address: { address: server1, port_value: 443 } }
        metadata:
          filter_metadata:
            envoy.transport_socket_match: { profile: server1 }
      - endpoint:
          address: { socket_address: { address: server2, port_value: 443 } }
        metadata:
          filter_metadata:
            envoy.transport_socket_match: { profile: server2 }
  transport_socket_matches:
  - name: tls_server1
    match: { profile: server1 }
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        sni: server-1.local
  - name: tls_server2
    match: { profile: server2 }
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        sni: server-2.local
However, it is not possible to apply different SNIs when routing traffic to a single egress gateway:

clusters:
- name: server
  connect_timeout: 1s
  type: STRICT_DNS
  lb_policy: ROUND_ROBIN
  load_assignment:
    cluster_name: server
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address: { address: egress, port_value: 8443 }
        metadata:
          filter_metadata:
            envoy.transport_socket_match:
              sni: "ingress1.local"
      - endpoint:
          address:
            socket_address: { address: egress, port_value: 8443 }
        metadata:
          filter_metadata:
            envoy.transport_socket_match:
              sni: "ingress2.local"
  transport_socket_matches:
  - name: "sni-ingress1"
    match:
      sni: "ingress1.local"
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        sni: "ingress1.local"
  - name: "sni-ingress2"
    match:
      sni: "ingress2.local"
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        sni: "ingress2.local"
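A small config check that flags the unsupported shape above: endpoints in one cluster that share an address and port but carry different envoy.transport_socket_match metadata. This is an added example, not Envoy code or code from this issue; the cluster is a constructed Python dict mirroring the second config (the structure yaml.safe_load would produce), so it runs without third-party packages.

```python
"""Flag Envoy cluster endpoints that repeat an address:port with differing
transport_socket_match metadata (the shape this issue reports as unsupported)."""
from collections import defaultdict

# Constructed sample mirroring the egress cluster in this issue, as a loaded dict.
EGRESS_CLUSTER = {
    "name": "server",
    "load_assignment": {
        "cluster_name": "server",
        "endpoints": [{"lb_endpoints": [
            {"endpoint": {"address": {"socket_address": {"address": "egress", "port_value": 8443}}},
             "metadata": {"filter_metadata": {"envoy.transport_socket_match": {"sni": "ingress1.local"}}}},
            {"endpoint": {"address": {"socket_address": {"address": "egress", "port_value": 8443}}},
             "metadata": {"filter_metadata": {"envoy.transport_socket_match": {"sni": "ingress2.local"}}}},
        ]}],
    },
}


def endpoint_key(lb_endpoint):
    """Return (address, port) of an lb_endpoint; the issue asks for this to be allowed to repeat."""
    sa = lb_endpoint["endpoint"]["address"]["socket_address"]
    return sa["address"], sa["port_value"]


def socket_match(lb_endpoint):
    """Return the endpoint's envoy.transport_socket_match metadata, or {} if absent."""
    fm = lb_endpoint.get("metadata", {}).get("filter_metadata", {})
    return fm.get("envoy.transport_socket_match", {})


def find_colliding_endpoints(cluster):
    """Group lb_endpoints by address:port across all localities and return only
    the groups where the same address requests different transport sockets.
    Result: {(address, port): [match metadata, ...]}."""
    groups = defaultdict(list)
    for locality in cluster["load_assignment"]["endpoints"]:
        for ep in locality.get("lb_endpoints", []):
            groups[endpoint_key(ep)].append(socket_match(ep))
    return {k: v for k, v in groups.items()
            if len(v) > 1 and any(m != v[0] for m in v[1:])}


if __name__ == "__main__":
    for (addr, port), matches in find_colliding_endpoints(EGRESS_CLUSTER).items():
        print(f"{addr}:{port} listed {len(matches)} times with differing "
              f"transport_socket_match metadata: {matches}")
```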
Acceptance criteria:
Envoy should allow duplicating endpoints with the same address but unique SNIs.