istio: Istio does not federate between k8s clusters that implement Istio multi-primary on different networks and use Spire for cert management
Bug Description
I am raising this issue here as suggested by Spire members. We performed detailed debugging and discussion around the issue, which can be found here: https://github.com/spiffe/spire/issues/3503
The linked Spire issue has very detailed information on how to reproduce the issue and I would suggest going through it for more context.
Setup: Istio is configured as multi-primary with two clusters belonging to two different trust domains. Spire is used for providing workload identity with federation enabled between both clusters.
Issue: A workload from cluster 1 (aws in the pic) cannot terminate its mTLS to the other cluster when both clusters are federated via Spire.
Debugging and conclusions:
- Spire maintainers were able to replicate the issue and concluded that Spire is able to provide the certs and federated CA to envoy successfully. Check the secret section below.
- Spire members have requested your views on the envoy cluster configuration and the programming of the CA certs to be used for mTLS termination. Check the cluster dump and also note the validation context. It has only one Spiffe id mentioned.
"combined_validation_context": {
  "default_validation_context": {
    "match_subject_alt_names": [
      {
        "exact": "spiffe://google.com/ns/sample/sa/default"
      }
    ]
  }
}
- The envoy error with cluster2 (google in the pic) mentions SSLV3_ALERT_CERTIFICATE_UNKNOWN and does not mention a spiffe validation failure. The secret is configured with 2 CAs. Check the secret section below.
2022-10-15T10:39:52.424767Z debug envoy connection [C146] TLS error: 268436502:SSL routines:**OPENSSL_internal:SSLV3_ALERT_CERTIFICATE_UNKNOWN**
2022-10-15T10:39:52.424780Z debug envoy connection [C146] closing socket: 0
2022-10-15T10:39:52.424824Z debug envoy connection [C146] TLS error: 268436502:SSL routines:OPENSSL_internal:SSLV3_ALERT_CERTIFICATE_UNKNOWN
2022-10-15T10:39:52.424859Z trace envoy connection [C146] raising connection event 0
2022-10-15T10:39:52.424905Z trace envoy conn_handler [C146] connection on event 0
- You can get the full details of the debugging and discussion with Spire members here: https://github.com/spiffe/spire/issues/3503
Details:
Curl on cluster 1 receives this error:
upstream connect error or disconnect/reset before headers. retried and the latest reset reason: connection failure, transport failure reason: TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
Envoy on the other cluster receives this error:
2022-10-15T10:39:52.419167Z debug envoy filter original_dst: new connection accepted
2022-10-15T10:39:52.419262Z trace envoy filter original_dst: set destination to 10.241.1.8:5000
2022-10-15T10:39:52.419278Z debug envoy filter tls inspector: new connection accepted
2022-10-15T10:39:52.419291Z trace envoy filter tls inspector: recv: 517
2022-10-15T10:39:52.419313Z trace envoy filter tls:onALPN(), ALPN: istio-http/1.1,istio,http/1.1
2022-10-15T10:39:52.419330Z debug envoy filter tls:onServerName(), requestedServerName: outbound_.5000_._.helloworld.sample.svc.cluster.local
2022-10-15T10:39:52.419399Z trace envoy misc enableTimer called on 0x55e2b1ee4080 for 3600000ms, min is 3600000ms
2022-10-15T10:39:52.419448Z debug envoy conn_handler [C146] new connection from 10.241.1.6:58350
2022-10-15T10:39:52.419474Z trace envoy connection [C146] socket event: 3
2022-10-15T10:39:52.419486Z trace envoy connection [C146] write ready
2022-10-15T10:39:52.420578Z trace envoy connection [C146] ssl error occurred while read: WANT_READ
2022-10-15T10:39:52.420705Z trace envoy connection [C146] read ready. dispatch_buffered_data=0
2022-10-15T10:39:52.420744Z trace envoy connection [C146] ssl error occurred while read: WANT_READ
2022-10-15T10:39:52.424542Z trace envoy connection [C146] socket event: 3
2022-10-15T10:39:52.424707Z trace envoy connection [C146] write ready
2022-10-15T10:39:52.424750Z trace envoy connection [C146] ssl error occurred while read: SSL
2022-10-15T10:39:52.424767Z debug envoy connection [C146] TLS error: 268436502:SSL routines:**OPENSSL_internal:SSLV3_ALERT_CERTIFICATE_UNKNOWN**
2022-10-15T10:39:52.424780Z debug envoy connection [C146] closing socket: 0
2022-10-15T10:39:52.424824Z debug envoy connection [C146] TLS error: 268436502:SSL routines:OPENSSL_internal:SSLV3_ALERT_CERTIFICATE_UNKNOWN
2022-10-15T10:39:52.424859Z trace envoy connection [C146] raising connection event 0
2022-10-15T10:39:52.424905Z trace envoy conn_handler [C146] connection on event 0
2022-10-15T10:39:52.424918Z debug envoy conn_handler [C146] adding to cleanup list
2022-10-15T10:39:52.424929Z trace envoy main item added to deferred deletion list (size=1)
2022-10-15T10:39:52.424941Z trace envoy main clearing deferred deletion list (size=1)
2022-10-15T10:39:52.432818Z debug envoy filter original_dst: new connection accepted
2022-10-15T10:39:52.432913Z trace envoy filter original_dst: set destination to 10.241.1.8:5000
2022-10-15T10:39:52.432929Z debug envoy filter tls inspector: new connection accepted
2022-10-15T10:39:52.432942Z trace envoy filter tls inspector: recv: 517
2022-10-15T10:39:52.432967Z trace envoy filter tls:onALPN(), ALPN: istio-http/1.1,istio,http/1.1
2022-10-15T10:39:52.432984Z debug envoy filter tls:onServerName(), requestedServerName: outbound_.5000_._.helloworld.sample.svc.cluster.local
2022-10-15T10:39:52.433065Z trace envoy misc enableTimer called on 0x55e2b1ee4080 for 3600000ms, min is 3600000ms
2022-10-15T10:39:52.433086Z debug envoy conn_handler [C147] new connection from 10.241.1.6:58354
2022-10-15T10:39:52.433166Z trace envoy connection [C147] socket event: 3
2022-10-15T10:39:52.433209Z trace envoy connection [C147] write ready
2022-10-15T10:39:52.433493Z trace envoy connection [C147] ssl error occurred while read: WANT_READ
2022-10-15T10:39:52.433679Z trace envoy connection [C147] read ready. dispatch_buffered_data=0
2022-10-15T10:39:52.433698Z trace envoy connection [C147] ssl error occurred while read: WANT_READ
2022-10-15T10:39:52.438301Z trace envoy connection [C147] socket event: 3
2022-10-15T10:39:52.438685Z trace envoy connection [C147] write ready
2022-10-15T10:39:52.438821Z trace envoy connection [C147] ssl error occurred while read: SSL
2022-10-15T10:39:52.438896Z debug envoy connection [C147] TLS error: 268436502:SSL routines:OPENSSL_internal:SSLV3_ALERT_CERTIFICATE_UNKNOWN
2022-10-15T10:39:52.439010Z debug envoy connection [C147] closing socket: 0
2022-10-15T10:39:52.440473Z debug envoy connection [C147] TLS error: 268436502:SSL routines:OPENSSL_internal:SSLV3_ALERT_CERTIFICATE_UNKNOWN
2022-10-15T10:39:52.440731Z trace envoy connection [C147] raising connection event 0
2022-10-15T10:39:52.440776Z trace envoy conn_handler [C147] connection on event 0
2022-10-15T10:39:52.440874Z debug envoy conn_handler [C147] adding to cleanup list
2022-10-15T10:39:52.440920Z trace envoy main item added to deferred deletion list (size=1)
2022-10-15T10:39:52.440939Z trace envoy main clearing deferred deletion list (size=1)
2022-10-15T10:39:52.464980Z debug envoy filter original_dst: new connection accepted
2022-10-15T10:39:52.465038Z trace envoy filter original_dst: set destination to 10.241.1.8:5000
2022-10-15T10:39:52.465045Z debug envoy filter tls inspector: new connection accepted
2022-10-15T10:39:52.465052Z trace envoy filter tls inspector: recv: 517
2022-10-15T10:39:52.465073Z trace envoy filter tls:onALPN(), ALPN: istio-http/1.1,istio,http/1.1
2022-10-15T10:39:52.465083Z debug envoy filter tls:onServerName(), requestedServerName: outbound_.5000_._.helloworld.sample.svc.cluster.local
2022-10-15T10:39:52.465158Z trace envoy misc enableTimer called on 0x55e2b19a1c80 for 3600000ms, min is 3600000ms
2022-10-15T10:39:52.465199Z debug envoy conn_handler [C148] new connection from 10.241.1.6:58360
2022-10-15T10:39:52.465220Z trace envoy connection [C148] socket event: 3
2022-10-15T10:39:52.465224Z trace envoy connection [C148] write ready
2022-10-15T10:39:52.465663Z trace envoy connection [C148] ssl error occurred while read: WANT_READ
2022-10-15T10:39:52.465673Z trace envoy connection [C148] read ready. dispatch_buffered_data=0
2022-10-15T10:39:52.465678Z trace envoy connection [C148] ssl error occurred while read: WANT_READ
2022-10-15T10:39:52.473615Z trace envoy connection [C148] socket event: 3
2022-10-15T10:39:52.473658Z trace envoy connection [C148] write ready
2022-10-15T10:39:52.473751Z trace envoy connection [C148] ssl error occurred while read: SSL
2022-10-15T10:39:52.473760Z debug envoy connection [C148] TLS error: 268436502:SSL routines:OPENSSL_internal:SSLV3_ALERT_CERTIFICATE_UNKNOWN
2022-10-15T10:39:52.473765Z debug envoy connection [C148] closing socket: 0
2022-10-15T10:39:52.473908Z debug envoy connection [C148] TLS error: 268436502:SSL routines:OPENSSL_internal:SSLV3_ALERT_CERTIFICATE_UNKNOWN
2022-10-15T10:39:52.473934Z trace envoy connection [C148] raising connection event 0
2022-10-15T10:39:52.473942Z trace envoy conn_handler [C148] connection on event 0
2022-10-15T10:39:52.473944Z debug envoy conn_handler [C148] adding to cleanup list
Cluster dump from Cluster2:
"outbound|5000||helloworld.sample.svc.cluster.local"
{
  "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
  "name": "outbound|5000||helloworld.sample.svc.cluster.local",
  "type": "EDS",
  "eds_cluster_config": {
    "eds_config": {
      "ads": {},
      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "service_name": "outbound|5000||helloworld.sample.svc.cluster.local"
  },
  "connect_timeout": "10s",
  "lb_policy": "LEAST_REQUEST",
  "circuit_breakers": {
    "thresholds": [
      {
        "max_connections": 4294967295,
        "max_pending_requests": 4294967295,
        "max_requests": 4294967295,
        "max_retries": 4294967295,
        "track_remaining": true
      }
    ]
  },
  "metadata": {
    "filter_metadata": {
      "istio": {
        "default_original_port": 5000,
        "services": [
          {
            "name": "helloworld",
            "host": "helloworld.sample.svc.cluster.local",
            "namespace": "sample"
          }
        ]
      }
    }
  },
  "common_lb_config": {
    "locality_weighted_lb_config": {}
  },
  "filters": [
    {
      "name": "istio.metadata_exchange",
      "typed_config": {
        "@type": "type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange",
        "protocol": "istio-peer-exchange"
      }
    }
  ],
  "transport_socket_matches": [
    {
      "name": "tlsMode-istio",
      "match": {
        "tlsMode": "istio"
      },
      "transport_socket": {
        "name": "envoy.transport_sockets.tls",
        "typed_config": {
          "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
          "common_tls_context": {
            "tls_params": {
              "tls_minimum_protocol_version": "TLSv1_2",
              "tls_maximum_protocol_version": "TLSv1_3"
            },
            "alpn_protocols": [
              "istio-peer-exchange",
              "istio"
            ],
            "tls_certificate_sds_secret_configs": [
              {
                "name": "default",
                "sds_config": {
                  "api_config_source": {
                    "api_type": "GRPC",
                    "grpc_services": [
                      {
                        "envoy_grpc": {
                          "cluster_name": "sds-grpc"
                        }
                      }
                    ],
                    "set_node_on_first_message_only": true,
                    "transport_api_version": "V3"
                  },
                  "initial_fetch_timeout": "0s",
                  "resource_api_version": "V3"
                }
              }
            ],
            "combined_validation_context": {
              "default_validation_context": {
                "match_subject_alt_names": [
                  {
                    "exact": "spiffe://google.com/ns/sample/sa/default"
                  }
                ]
              },
              "validation_context_sds_secret_config": {
                "name": "ROOTCA",
                "sds_config": {
                  "api_config_source": {
                    "api_type": "GRPC",
                    "grpc_services": [
                      {
                        "envoy_grpc": {
                          "cluster_name": "sds-grpc"
                        }
                      }
                    ],
                    "set_node_on_first_message_only": true,
                    "transport_api_version": "V3"
                  },
                  "initial_fetch_timeout": "0s",
                  "resource_api_version": "V3"
                }
              }
            }
          },
          "sni": "outbound_.5000_._.helloworld.sample.svc.cluster.local"
        }
      }
    },
    {
      "name": "tlsMode-disabled",
      "match": {},
      "transport_socket": {
        "name": "envoy.transport_sockets.raw_buffer",
        "typed_config": {
          "@type": "type.googleapis.com/envoy.extensions.transport_sockets.raw_buffer.v3.RawBuffer"
        }
      }
    }
  ]
}
Secret dump:
{
  "@type": "type.googleapis.com/envoy.admin.v3.SecretsConfigDump",
  "dynamic_active_secrets": [
    {
      "name": "default",
      "version_info": "2",
      "last_updated": "2022-10-15T10:35:38.847Z",
      "secret": {
        "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret",
        "name": "default",
        "tls_certificate": {
          "certificate_chain": {
            "inline_bytes": "<base64 omitted>"
          },
          "private_key": {
            "inline_bytes": "W3JlZGFjdGVkXQ=="
          }
        }
      }
    },
    {
      "name": "ROOTCA",
      "version_info": "1",
      "last_updated": "2022-10-15T10:35:38.910Z",
      "secret": {
        "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret",
        "name": "ROOTCA",
        "validation_context": {
          "trusted_ca": {},
          "custom_validator_config": {
            "name": "envoy.tls.cert_validator.spiffe",
            "typed_config": {
              "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig",
              "trust_domains": [
                {
                  "name": "aws.com",
                  "trust_bundle": {
                    "inline_bytes": "<base64 omitted>"
                  }
                },
                {
                  "name": "google.com",
                  "trust_bundle": {
                    "inline_bytes": "<base64 omitted>"
                  }
                }
              ]
            }
          }
        }
      }
    }
  ]
}
- entire envoy config attached: helloworld-v2-config-dump.json.zip
Version
istio 1.14.4
Additional Information
No response
About this issue
- State: closed
- Created 2 years ago
- Comments: 38 (20 by maintainers)
Hi @danehans, yes, I have not mentioned them. My use-case was to manage the entire cert and federation via Spire.
@sudeeptoroy you can avoid using trustDomainAliases if you set env.PILOT_SKIP_VALIDATE_TRUST_DOMAIN = "true". The only potential downside is it removes the SAN validation that happens before the authz filter. But if the principals in your authz policies have the trust domains (i.e. aren't suffix-only matches), then the current check doesn't provide any extra validation