Automatically set outbound (envoy as client) SNI based on host/authority #27847
Comments
|
I think this would need Envoy support if we want to get it from the Host header - despite the linked issue I don't think this is present. However, we could do it based on the host of the configured cluster, which could work in cases like k8s services, or non-wildcard ServiceEntries potentionally. |
I guess thats what |
|
Envoy already supports this for upstream clusters https://www.envoyproxy.io/docs/envoy/latest/faq/configuration/sni#how-do-i-configure-sni-for-clusters - Does it solve this usecase? |
|
Thanks rama, I missed that
…On Tue, Oct 13, 2020, 12:59 AM Rama Chavali ***@***.***> wrote:
Envoy already supports this for upstream clusters
https://www.envoyproxy.io/docs/envoy/latest/faq/configuration/sni#how-do-i-configure-sni-for-clusters
- Does it solve this usecase?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#27847 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAEYGXLHWHBX7D6FMPBHL2DSKQCHNANCNFSM4SJ3VCOA>
.
|
|
If both set, which one takes effect? |
|
So is this as simple as exposing the underlying Envoy auto_sni and auto_san_validation protocol options (https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-upstreamhttpprotocoloptions-auto-sni)? And as @hzxuzhonghu menitoned, determining how those settings interact with a manually set SNI field? |
We also need to make sure its only set for non-mtls destinations |
If both are set, the auto_sni and auto_san_validation takes effect. |
|
So i suggest setting auto_sni and auto_san_validation only when it is not explicitly set |
istio-policy-bot
added
the
lifecycle/stale
|
🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2020-11-11. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions. Created by the issue and PR lifecycle manager. |
istio-policy-bot
added
the
lifecycle/automatically-closed
|
Is there already an implementation of the auto_san and auto_sni property in the ClientTLSSetting or someone working on one? Did someone find the possibility to configure them via a custom EnvoyFilter? |
|
While Istio isn't directly supporting the auto_sni and auto_san_validation envoy configuration properties, they can also be set via a custom EnvoyFilter: |
Describe the feature request
I would like Istio to be able to automatically set the outbound (envoy as client) SNI based on host/authority.
Currently, for all egress cases where I am doing TLS origination AND the destination host expects SNI to be set, I need to use a DestinationRule with a subset like
to manually set the SNI value.
Having to do this for every egress destination is painful.
Describe alternatives you've considered
Lua Envoy filter.
or
CRD for egress destinations, and a controller which would manage the underlying VirtualService, DestinationRule, ServiceEntry and Gateway resources.
[ ] Docs
[ ] Installation
[X] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
Additional context
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-upstreamhttpprotocoloptions-auto-sni
envoyproxy/envoy#2690
The text was updated successfully, but these errors were encountered: