Open dhiaayachi opened 1 month ago
Upgraded to 1.17.2 via the helm chart and am seeing that the terminating gateway is broken by #19954.
agent/xds/clusters.go:1626 incorrectly restricts envoy to looking at URI SANs that match the hostname provided in config.
However, certificates will have a DNS SAN with the hostname value. As a result, outbound TLS connections fail on certificate errors.
I believe the fix is to use SanType: envoy_tls_v3.SubjectAltNameMatcher_DNS.
Working config pre-upgrade (1.17.1):
Failing config from 1.17.2:
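As an added illustration of the mismatch the report describes (my own example, not code from Consul or Envoy), the following Go program models the two SAN matcher types using only crypto/x509. It generates a throwaway certificate that carries the hostname only as a DNS SAN, then checks it once with a URI-type matcher and once with a DNS-type matcher. The certificate, the hostname "db.example.com", and the matchSAN function are all constructed for this example; matchSAN approximates the "only consider SANs of this type" behaviour and is not Envoy's implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// SANType models the two matcher kinds at issue: match against URI SANs only,
// or against DNS SANs only. (Example type, not Envoy's enum.)
type SANType int

const (
	SANTypeURI SANType = iota
	SANTypeDNS
)

// matchSAN reports whether cert carries a SAN of the requested type whose
// value equals hostname. Only SANs of that one type are consulted, which is
// the property that makes a URI-only matcher reject a DNS-only certificate.
func matchSAN(cert *x509.Certificate, t SANType, hostname string) bool {
	switch t {
	case SANTypeURI:
		for _, u := range cert.URIs {
			if u.String() == hostname {
				return true
			}
		}
	case SANTypeDNS:
		for _, d := range cert.DNSNames {
			if d == hostname {
				return true
			}
		}
	}
	return false
}

// selfSignedCert builds a short-lived self-signed certificate with the given
// SANs. This is constructed test input standing in for an upstream's cert.
func selfSignedCert(dnsNames []string, uris []*url.URL) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-upstream"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		URIs:         uris,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkUpstream runs both matcher types against a certificate that, like the
// upstreams in the report, carries the hostname only as a DNS SAN.
// It returns (uriMatched, dnsMatched).
func checkUpstream(hostname string) (bool, bool, error) {
	cert, err := selfSignedCert([]string{hostname}, nil)
	if err != nil {
		return false, false, err
	}
	return matchSAN(cert, SANTypeURI, hostname), matchSAN(cert, SANTypeDNS, hostname), nil
}

func main() {
	uriOK, dnsOK, err := checkUpstream("db.example.com")
	if err != nil {
		panic(err)
	}
	fmt.Printf("URI-type matcher accepts DNS-SAN cert: %v\n", uriOK)
	fmt.Printf("DNS-type matcher accepts DNS-SAN cert: %v\n", dnsOK)
}
```

The same hostname string is used for both checks; only the SAN type consulted differs, so the outcome turns entirely on which SAN extension the upstream certificate actually populates.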