cert-manager / aws-privateca-issuer

Addon for cert-manager that issues certificates using AWS ACM PCA.
Apache License 2.0

[Feature Request]: Have tls server name (sni) set for outbound https connections #207

Open ceastman-r7 opened 2 years ago

ceastman-r7 commented 2 years ago

Describe why this change is needed

In an Istio enabled environment when egress filtering is enabled, Istio uses the hostname / sni to do egress hostname matching.

If there is no tls server name / sni then Istio can't match the outbound tcp port 443 connection so it would block it.

Describe solutions and alternatives considered (optional)

Istio sidecar resource can allow all but that defeats the purpose of having Istio perform egress filtering.

Is there anything else you would like to add?

No response

varunvallabhan52 commented 2 years ago

Thank you for submitting the feature request to the AWS Private CA Issuer plugin. We will review the request and get back to you.

varunvallabhan52 commented 2 years ago

We would like to have some further clarification. Is this referring to the requests from the plugin -> acm-pca?

ceastman-r7 commented 2 years ago

This is for outgoing https requests from the aws-acm-pca-aws-privateca-issuer pod to external endpoints. Currently Istio just sees outbound tcp connections on port 443 but since tls server name / sni is not set Istio can't tell what hostname the connection is for.
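
The difference described above, as an added Go example that is not code from the aws-privateca-issuer project or from anyone in this thread: a loopback TLS listener records the server_name it sees in the ClientHello (the same vantage point an SNI-matching egress proxy has, since it only sees the wire), and a Go client dials it by IP once without and once with tls.Config.ServerName set. The hostname acm-pca.example.test, the self-signed certificate and the 127.0.0.1 listener are constructed for this example only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// PlaceholderHost stands in for the external HTTPS endpoint the pod talks to.
// It is a made-up name for this example, not a real endpoint.
const PlaceholderHost = "acm-pca.example.test"

// selfSigned builds a throwaway certificate valid for both the placeholder
// hostname and 127.0.0.1, and a pool that trusts it, so the client can verify
// the listener whether or not it sets ServerName.
func selfSigned() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: PlaceholderHost},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{PlaceholderHost},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// observedSNI starts a TLS listener on loopback, dials it by IP with clientCfg,
// and returns the server_name the listener saw in the ClientHello ("" when the
// extension is absent). An SNI-based egress policy can only match on this value.
func observedSNI(clientCfg *tls.Config, srvCert tls.Certificate) (string, error) {
	seen := make(chan string, 1)
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{srvCert},
		GetConfigForClient: func(h *tls.ClientHelloInfo) (*tls.Config, error) {
			seen <- h.ServerName // populated from the SNI extension, if any
			return nil, nil      // keep the original config
		},
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		_ = c.(*tls.Conn).Handshake() // drive the server side so GetConfigForClient runs
	}()
	// Dial by IP literal: with no explicit ServerName, Go sends no SNI at all,
	// since RFC 6066 does not allow IP addresses in server_name.
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return "", err
	}
	conn.Close()
	select {
	case sni := <-seen:
		return sni, nil
	case <-time.After(2 * time.Second):
		return "", errors.New("listener never saw a ClientHello")
	}
}

// SNIFor runs the exchange with or without an explicit ServerName on the client.
func SNIFor(explicit bool) (string, error) {
	cert, pool, err := selfSigned()
	if err != nil {
		return "", err
	}
	cfg := &tls.Config{RootCAs: pool}
	if explicit {
		cfg.ServerName = PlaceholderHost // this is what puts the hostname on the wire
	}
	return observedSNI(cfg, cert)
}

func main() {
	for _, explicit := range []bool{false, true} {
		sni, err := SNIFor(explicit)
		fmt.Printf("ServerName set=%v -> SNI seen by listener: %q err=%v\n", explicit, sni, err)
	}
}
```

The same ServerName field is what an http.Transport's TLSClientConfig carries, so a client that connects to a resolved address rather than a hostname, or that builds its own tls.Config, has to set it explicitly before an SNI-matching policy can see which host the port-443 connection is for.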

ceastman-r7 commented 2 years ago

For instance:

[Screenshot: Screen Shot 2022-06-27 at 4.48.43 PM]

varunvallabhan52 commented 2 years ago

Thank you for the clarification. We will review the information and get back to you.

divyansh-gupta commented 2 years ago

Hi @ceastman-r7 . We have placed this change in our priority queue, thank you for the suggestion.