CrossMesh MeshGateway listener does not work when MeshGatewayRoute hostnames are set #8076
Comments
While this is a bug because we're sending invalid configuration, it's not clear exactly how the The TLS SNI of connections to the mesh gateway is a Kuma internal SNI, so we can't match on e.g.
I see, I think I misunderstood the purpose of the listener hostname and mesh gateway hostnames. What I'm trying to do is call a service from one mesh from a pod in another mesh using host routing. Because MeshGateway only has one hostname, this means that (unless I'm misunderstanding) I have one vhost and have to use path routing in the MeshGatewayRoutes to select the services (or use one gateway per exposed service). Ideally, I'd like to use MeshGatewayRoutes to define exported hosts for the other mesh to call, e.g. service1.mesh1.mesh, etc. FWIW, I was able to get cross-mesh host routing working using the MeshGatewayRoute hostnames: ttreptow@6abf451#diff-ad441c05e85b5598449acabae1ac6a08e6dcd3017ec295b06bfa87f4633c05ed (obviously very experimental, I've only tested my specific use case so there could be unintended side-effects)
You definitely didn't misunderstand the purpose of the hostnames, that's how they work of course for external gateways. It's a very reasonable feature request and we could also handle adding VIPs for hostnames in routes. Feel free to open a PR with what you have! The only issue will be matching the SNI in the Envoy config but I could potentially imagine a way around that by adding tags to the used SNI name. EDIT: that is to say, I suspect all of your
What happened?
I have a MeshGateway with a listener set up with no hostname set (defaults to '*') and crossMesh enabled. I'm trying to add MeshGatewayRoutes that have hostnames specified.
When the below configuration is set, the gateway proxy throws errors like
Looking at the generated Envoy config, I see that it is trying to set two identical filter chains for that listener.
Digging into the code, I think what is happening is that RedistributeWildcardRoutes is creating two host name configs, one for the route's host name (assuming you have one route with one hostname set) and one for the wildcard.
The problem with having multiple hosts is that crossMesh enabled sets the protocol to HTTPS with no TLS mode set, then in configureTls the switch block never sets
envoy_listeners.MatchServerNames(hostnames...),
as it does for other https modes. The net effect is that the filter chains have identical matching blocks (since they are missing hostname matching), which causes the error.
MeshGateway:
Note that the hostname is not set and crossMesh is true
MeshGatewayRoute:
MeshGatewayInstance:
The namespace is tagged with kuma.io/mesh: mesh1 and the gateway dataplane does seem to get the correct mesh.
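The collision described in the issue body (one filter chain per hostname, but no server-name match in the cross-mesh branch, so the chains become indistinguishable) can be checked before any config reaches Envoy. The following is an added example written for this page, not Kuma's code: the types, the function names RedistributeHostnames, BuildMatches and DuplicateMatchKeys, and the assumption that the wildcard hostname "*" becomes a catch-all chain with no server names are all the example's own. It generates the matches twice, once without server names (the reported behaviour) and once with them, and reports which match keys are duplicated.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// FilterChainMatch is a simplified stand-in for Envoy's FilterChainMatch (assumption:
// only the fields relevant to the collision are modelled).
type FilterChainMatch struct {
	TransportProtocol string
	ServerNames       []string
}

// Key renders a match canonically so two identical matches compare equal.
func (m FilterChainMatch) Key() string {
	names := append([]string(nil), m.ServerNames...)
	sort.Strings(names)
	return m.TransportProtocol + "|" + strings.Join(names, ",")
}

// RedistributeHostnames models the step the issue attributes to RedistributeWildcardRoutes:
// a listener with hostname "*" plus routes carrying their own hostnames ends up with one
// hostname entry per distinct name (the route names and the wildcard).
func RedistributeHostnames(listenerHostname string, routeHostnames []string) []string {
	seen := map[string]bool{}
	var out []string
	for _, h := range append(append([]string{}, routeHostnames...), listenerHostname) {
		if !seen[h] {
			seen[h] = true
			out = append(out, h)
		}
	}
	return out
}

// BuildMatches produces one filter chain match per hostname. matchServerNames=false
// reproduces the cross-mesh branch described in the issue, which never sets
// MatchServerNames, so every chain gets the same match. Assumption: the wildcard "*"
// is the catch-all chain and carries no server names even when matching is enabled.
func BuildMatches(hostnames []string, matchServerNames bool) []FilterChainMatch {
	matches := make([]FilterChainMatch, 0, len(hostnames))
	for _, h := range hostnames {
		m := FilterChainMatch{TransportProtocol: "tls"}
		if matchServerNames && h != "*" {
			m.ServerNames = []string{h}
		}
		matches = append(matches, m)
	}
	return matches
}

// DuplicateMatchKeys returns the keys shared by more than one filter chain. Envoy rejects
// a listener whose filter chains have identical matches, which is the error the issue
// reports; running this check on generated config surfaces the problem before a push.
func DuplicateMatchKeys(matches []FilterChainMatch) []string {
	counts := map[string]int{}
	for _, m := range matches {
		counts[m.Key()]++
	}
	var dups []string
	for k, n := range counts {
		if n > 1 {
			dups = append(dups, k)
		}
	}
	sort.Strings(dups)
	return dups
}

func main() {
	// Constructed input: listener hostname "*" and one route hostname.
	hostnames := RedistributeHostnames("*", []string{"service1.mesh1.mesh"})
	for _, withSNI := range []bool{false, true} {
		dups := DuplicateMatchKeys(BuildMatches(hostnames, withSNI))
		fmt.Printf("matchServerNames=%v hostnames=%v duplicates=%v\n", withSNI, hostnames, dups)
	}
}
```

With matching disabled both chains collapse to the key "tls|" and the duplicate is reported; with matching enabled the route hostname gets its own server name and the two chains are distinct, which is the outcome the missing MatchServerNames call would have produced.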