You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hmmmmmmm. @rgs1, do you have a minimal config to hand to reproduce this? There are some subtleties with TCPMappings; I want to make sure I'm looking at the scenario you're wrestling with.
If you apply this, you'll see that the listener gets assigned the TLS cert for the first hosts (hosts are sorted when they need to be looked up to be attached to a listener), instead of the one that should match the hostBinding.
For HTTP chains, hosts are properly filtered out if their namespace and selector don't match:
https://github.com/emissary-ingress/emissary/blob/master/python/ambassador/envoy/v3/v3listener.py#L790
However, for TCP chains all hosts are considered regardless:
https://github.com/emissary-ingress/emissary/blob/master/python/ambassador/envoy/v3/v3listener.py#L184
Filtering would have to happen here:
https://github.com/emissary-ingress/emissary/blob/master/python/ambassador/envoy/v3/v3listener.py#L184
Ideally hostBinding would apply to all mappings, otherwise you might end with the wrong certificate for some TCPMappings.
The text was updated successfully, but these errors were encountered: