Describe the bugTLSContexts are deprecated for TLS termination (which requires a secret), but are still the only way to provide advanced configuration for TLS origination (which does not require a secret) beyond "turn it on" such as specifying the TLS version to use, or what hostname to send in SNI. However, the validator checks that the TLSContext has secret, and discards it otherwise. This means that even if I don't want Emissary to use a client cert, I have to provide one anyway.
observe that Emissary discards the TLSContext, saying
2022-09-01 03:27:43 diagd 1.14.4-dev.26+g2b01994c2 [P19TAEW] DEBUG: my-tlsclient.default.1: <RichStatus BAD error='TLSContext myt-tlsclient has no certificate information at all?' hostname='tcpmappingtlsoriginationcontexttest' version='1.14.4-dev.26+g2b01994c2'>
Observe that it does not originate TLS when speaking to the upstream.
Expected behavior
I expected it to originate TLS with the given SNI information.
Versions (please complete the following information):
Ambassador: Tip of release/v1.14
Kubernetes environment: Kubeception, with a 1.18.7 cluster
Additional context
I only tested with 1.14, but it looks like that code is unchanged on master.
Describe the bug
TLSContexts
are deprecated for TLS termination (which requires a secret), but are still the only way to provide advanced configuration for TLS origination (which does not require a secret) beyond "turn it on" such as specifying the TLS version to use, or what hostname to send in SNI. However, the validator checks that theTLSContext
has secret, and discards it otherwise. This means that even if I don't want Emissary to use a client cert, I have to provide one anyway.To Reproduce
Expected behavior I expected it to originate TLS with the given SNI information.
Versions (please complete the following information):
release/v1.14
Additional context I only tested with 1.14, but it looks like that code is unchanged on
master
.