OpenShift Service Mesh / OSSM-8987

federation: missing egress SAN in upstream TLS configuration

Type: Bug
Priority: Major
Resolution: Done
Component: Maistra

Traffic splitting stops working for some period of time - probably the federation resync period - when a local instance of a service is scaled to 0.

The problem disappears when the following DestinationRule is applied:

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews            # name assumed; the issue quotes only the spec
  namespace: prod-bookinfo # assumed from the local service SPIFFE ID below
spec:
  host: reviews
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
      subjectAltNames:
      - "spiffe://prod-mesh.local/ns/prod-bookinfo/sa/bookinfo-reviews" # local service SA
      - "spiffe://prod-mesh.local/ns/prod-mesh/sa/stage-mesh-egress-service-account" # local egress SA

v2.3 (upstream validation context accepts both SANs):

"combined_validation_context": {
    "default_validation_context": {
        "match_subject_alt_names": [
            {
                "exact": "spiffe://prod-mesh.local/ns/prod-bookinfo/sa/bookinfo-reviews"
            },
            {
                "exact": "spiffe://prod-mesh.local/ns/prod-mesh/sa/stage-mesh-egress-service-account"
            }
        ]
    }
}
      

v2.4+ (the egress SAN is missing):

"combined_validation_context": {
    "default_validation_context": {
        "match_subject_alt_names": [
            {
                "exact": "spiffe://prod-mesh.local/ns/prod-bookinfo/sa/bookinfo-reviews"
            }
        ]
    }
}
      

This regression was introduced in v2.4 and was probably caused by this upstream change: https://github.com/istio/istio/pull/40863.
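The two config-dump excerpts above are the whole diagnosis: once the local `reviews` instance is scaled to 0 and traffic is routed through the federation egress gateway, the upstream presents the egress service account's identity, and a validation context that only lists the local service SAN rejects it. The following script is an added example (not code from OSSM-8987, Maistra or Istio) that walks an Envoy cluster JSON tree and reports which required SANs the validation context does not accept, so the condition can be checked against proxy output rather than by eye. The cluster excerpts are constructed to mirror the v2.3 and v2.4 fragments quoted above (the cluster name is assumed); the walker also normalises the camelCase keys that `istioctl proxy-config cluster <pod> -o json` emits and reads both the `match_subject_alt_names` and the newer `match_typed_subject_alt_names` matcher shapes.

```python
"""Check whether an Envoy cluster's upstream TLS validation context accepts the
SANs that federated traffic needs.

Added example for this issue, not code from OSSM-8987, Maistra or Istio. The
cluster excerpts are constructed to mirror the v2.3 and v2.4 validation
contexts quoted in the issue; a real input would be one entry of
`istioctl proxy-config cluster <pod> -o json`.
"""
from typing import Iterable, List, Set

SERVICE_SAN = "spiffe://prod-mesh.local/ns/prod-bookinfo/sa/bookinfo-reviews"
EGRESS_SAN = "spiffe://prod-mesh.local/ns/prod-mesh/sa/stage-mesh-egress-service-account"

# SANs the upstream validation context must accept for a federated service:
# the local workload's identity and the local federation egress gateway's
# identity, which is what the proxy talks to once traffic is routed remotely.
REQUIRED_SANS = [SERVICE_SAN, EGRESS_SAN]


def constructed_cluster(sans: List[str]) -> dict:
    """Constructed cluster excerpt (not captured output) with the given exact SANs."""
    return {
        "name": "outbound|9080||reviews.prod-bookinfo.svc.cluster.local",  # assumed name
        "transport_socket": {
            "name": "envoy.transport_sockets.tls",
            "typed_config": {
                "common_tls_context": {
                    "combined_validation_context": {
                        "default_validation_context": {
                            "match_subject_alt_names": [{"exact": s} for s in sans]
                        }
                    }
                }
            },
        },
    }


CLUSTER_V23 = constructed_cluster([SERVICE_SAN, EGRESS_SAN])  # as quoted for v2.3
CLUSTER_V24 = constructed_cluster([SERVICE_SAN])              # as quoted for v2.4+


def _snake(key: str) -> str:
    """Normalise camelCase keys (istioctl JSON) to the Envoy proto field names."""
    return "".join("_" + c.lower() if c.isupper() else c for c in key)


def collect_sans(node) -> Set[str]:
    """Walk a cluster JSON tree and return every exact SAN matcher found in any
    validation context, whether it uses match_subject_alt_names or the newer
    match_typed_subject_alt_names ({"san_type": ..., "matcher": {"exact": ...}})."""
    found: Set[str] = set()
    if isinstance(node, dict):
        for key, value in node.items():
            field = _snake(key)
            if field == "match_subject_alt_names":
                found.update(m["exact"] for m in value if "exact" in m)
            elif field == "match_typed_subject_alt_names":
                found.update(m["matcher"]["exact"] for m in value
                             if "exact" in m.get("matcher", {}))
            else:
                found |= collect_sans(value)
    elif isinstance(node, list):
        for item in node:
            found |= collect_sans(item)
    return found


def missing_sans(cluster: dict, required: Iterable[str]) -> List[str]:
    """Return the required SANs that the cluster's validation context does not
    accept, in input order. An empty list means the federated path passes SAN
    validation; a non-empty one is the condition this issue describes."""
    present = collect_sans(cluster)
    return [san for san in required if san not in present]


def check(label: str, cluster: dict) -> bool:
    """Print a one-line verdict for a cluster and return True when nothing is missing."""
    missing = missing_sans(cluster, REQUIRED_SANS)
    if missing:
        print(f"{label}: FAIL, validation context lacks: {', '.join(missing)}")
        return False
    print(f"{label}: OK, all {len(REQUIRED_SANS)} required SANs present")
    return True


if __name__ == "__main__":
    check("v2.3", CLUSTER_V23)
    check("v2.4+", CLUSTER_V24)
```

Run as-is it reports the v2.3 excerpt as OK and the v2.4+ excerpt as failing with the egress SAN missing. To use it on a live proxy, load the JSON array from `istioctl proxy-config cluster <pod> -o json`, pick the outbound cluster for the federated service, and pass it to `missing_sans` together with the local service SA and the local egress SA SPIFFE IDs, which is exactly the pair the DestinationRule workaround above pins.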

Assignee: Unassigned
Reporter: Jacek Ewertowski (jewertow@redhat.com)