OpenShift Service Mesh / OSSM-2207

validation_context.trusted_ca.inline_bytes in cluster config stops working since proxyv2-rhel8:2.1.1


    • Bug
    • Resolution: Done

      As per title, "validation_context.trusted_ca.inline_bytes" stops working and envoy produces the following error:

      [2022-10-27T06:52:35.676Z] "GET /healthz HTTP/1.1" 503 UF 0 209 2 - "-" "Knative-Ingress-Probe" "b991dc1d-95be-4ce9-ac10-08ae44fc307d" "hello-example.default" "10.244.1.44:8112"
      

      Here is the cluster config which does not work.

      $ curl http://localhost:9001/config_dump?resource=dynamic_active_clusters > cluster.txt
      
      {
       "configs": [
        {
         "@type": "type.googleapis.com/envoy.admin.v3.ClustersConfigDump.DynamicCluster",
         "version_info": "d1e32936-2057-405c-b7b7-5cd134494666",
         "cluster": {
          "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
          "name": "default/hello-example-00001",
          "type": "STATIC",
          "connect_timeout": "5s",
          "transport_socket": {
           "name": "envoy.transport_sockets.tls",
           "typed_config": {
            "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
            "common_tls_context": {
             "validation_context": {
              "trusted_ca": {
               "inline_bytes": "<CA certificate bytes omitted>"
              },
              "match_subject_alt_names": [
               {
                "exact": "data-plane.knative.dev"
               }
              ]
      
        ... snip ...
      

      Note:

      • Removing "validation_context.trusted_ca.inline_bytes" works.
      • quay.io/maistra-dev/proxyv2-ubi8:2.2-daily-2022-10-04 also does NOT work.
      • registry.redhat.io/openshift-service-mesh/proxyv2-rhel8:2.1.0 works with the same config.
      • Upstream envoy image docker.io/envoyproxy/envoy:v1.20-latest and docker.io/envoyproxy/envoy:v1.21-latest also work with the same cluster config.

              rhn-support-twalsh Tim Walsh
              rhn-support-knakayam Kenjiro Nakayama (Inactive)
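To see which clusters in a `config_dump` are exposed to this regression, the dump can be scanned for upstream TLS contexts that carry a `trusted_ca`. The following is an added example, not part of the original report or of the project's code. It assumes the JSON shape shown above; the function names, the two extra cluster names and the placeholder CA are constructed for illustration.

```python
import base64, json

TLS = "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext"
PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

def audit_clusters(dump):
    """List clusters whose upstream TLS context sets a validation_context."""
    findings = []
    for cfg in dump.get("configs", []):
        cluster = cfg.get("cluster", {})
        typed = cluster.get("transport_socket", {}).get("typed_config", {})
        if typed.get("@type") != TLS:
            continue  # plaintext upstream or a different transport socket
        vc = typed.get("common_tls_context", {}).get("validation_context")
        if not vc:
            continue
        ca = vc.get("trusted_ca", {})
        source = next((k for k in ("inline_bytes", "inline_string", "filename") if k in ca), None)
        pem_ok = None  # only evaluated for inline_bytes
        if source == "inline_bytes":
            try:
                # proto3 JSON encodes bytes fields as base64
                pem_ok = PEM_HEADER in base64.b64decode(ca[source], validate=True)
            except ValueError:
                pem_ok = False
        sans = [m.get("exact") for m in vc.get("match_subject_alt_names", [])]
        findings.append({"cluster": cluster.get("name"), "ca_source": source,
                         "pem_ok": pem_ok, "sans": sans})
    return findings

def sample_dump():
    """Constructed input shaped like the dump above; the CA is a placeholder, not a real cert."""
    fake_ca = base64.b64encode(PEM_HEADER + b"\n(constructed)\n-----END CERTIFICATE-----\n").decode()
    def cluster(name, ca_value):
        return {"cluster": {"name": name, "transport_socket": {
            "name": "envoy.transport_sockets.tls",
            "typed_config": {"@type": TLS, "common_tls_context": {"validation_context": {
                "trusted_ca": {"inline_bytes": ca_value},
                "match_subject_alt_names": [{"exact": "data-plane.knative.dev"}]}}}}}}
    return {"configs": [
        cluster("default/hello-example-00001", fake_ca),
        cluster("default/constructed-broken", "<not base64>"),
        {"cluster": {"name": "default/constructed-plaintext"}},
    ]}

if __name__ == "__main__":
    for f in audit_clusters(sample_dump()):
        print(json.dumps(f))
```

For a real proxy, pass `json.load(open("cluster.txt"))` to `audit_clusters` after saving the dump with the `curl` command above.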