kumahq / kuma

🐻 The multi-zone service mesh for containers, Kubernetes and VMs. Built with Envoy. CNCF Sandbox Project.
https://kuma.io/install
Apache License 2.0

SNI too long when there are many tags #8915

Open bcollard opened 5 months ago

bcollard commented 5 months ago

What happened?

Reported by one of our customers: they hit the following error when they were playing with routing (not sure if it's related to Virtual Outbound or regular traffic policies):

config was previously rejected by Envoy. Applying backoff before resending it  {"backoff": "5s", "nodeID": "kong-mesh-dev.demo-packaging-6659768c56-4sgtj.demo-pg-c0ee522c-p7efabec-s85f83a7", "reason": "Error adding/updating cluster(s) http-test-server_kong-monitoring_svc_8080-379d218bfdddbea1: Proto constraint validation failed (UpstreamTlsContextValidationError.Sni: value length must be at most 255 bytes): common_tls_context {
  alpn_protocols: \"kuma\"
  tls_certificate_sds_secret_configs {
    name: \"identity_cert:secret:kong-mesh-dev\"
    sds_config {
      ads {
      }
      resource_api_version : V3
    }
  }
  combined_validation_context {
    default_validation_context {
      match_typed_subject_alt_names {
        san_type: URI
        matcher {
          exact: \"spiffe://kong-mesh-dev/http-test-server_kong-monitoring_svc_8080\"
        }
      }
    }
    validation_context_sds_secret_config {
      name: \"mesh_ca:secret:kong-mesh-dev\"
      sds_config {
        ads {
        }
        resource_api_version: V3
      }
    }
  }
}
sni: \"http-test-server_kong-monitoring_svc_8080{k8s.kuma.io/service-port=8080,mesh=kong-mesh-dev,mesh.apixp/componentName=http-test-server,mesh.apixp/orgName=customer,mesh.apixp/orgUnitName=gtdp,mesh.apixp/productName=api-gateway,mesh.apixp/projectNameOrCustomName=eu-dev}\"
"}

"Proto constraint validation failed (UpstreamTlsContextValidationError.Sni: value length must be at most 255 bytes)" was mitigated by reducing the length of the tag names and/or values.

nicoche commented 5 months ago

Hey! Same issue spotted for us 🙂

jakubdyszkiewicz commented 5 months ago

Triage: an idea - we could hash the SNI on both the client and the zone ingress.
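
The encoding visible in the rejected config and the hashing idea from triage, as an added example (not Kuma's code): it rebuilds the SNI from the issue's service name and tags, applies Envoy's 255-byte limit before the config is pushed so the control plane can flag it instead of Envoy rejecting the cluster update, and shows a hashed variant of the tag block. The `<service>{k=v,...}` shape and the digest scheme are assumptions drawn from the log and the comment above.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Envoy's UpstreamTlsContext.sni constraint quoted in the rejection above.
const maxSNIBytes = 255

// Service name and tags reconstructed from the rejected config in the issue.
var IssueService = "http-test-server_kong-monitoring_svc_8080"
var IssueTags = map[string]string{
	"k8s.kuma.io/service-port":           "8080",
	"mesh":                               "kong-mesh-dev",
	"mesh.apixp/componentName":           "http-test-server",
	"mesh.apixp/orgName":                 "customer",
	"mesh.apixp/orgUnitName":             "gtdp",
	"mesh.apixp/productName":             "api-gateway",
	"mesh.apixp/projectNameOrCustomName": "eu-dev",
}

// BuildSNI yields "<service>{k1=v1,...}" with sorted keys, the shape seen in
// the rejected config (assumed to match Kuma's own encoding).
func BuildSNI(service string, tags map[string]string) string {
	keys := make([]string, 0, len(tags))
	for k := range tags {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	pairs := make([]string, 0, len(keys))
	for _, k := range keys {
		pairs = append(pairs, k+"="+tags[k])
	}
	return service + "{" + strings.Join(pairs, ",") + "}"
}

// ValidateSNI applies Envoy's limit up front so the control plane fails loudly
// instead of having Envoy reject the whole cluster update with backoff.
func ValidateSNI(sni string) error {
	if n := len(sni); n > maxSNIBytes {
		return fmt.Errorf("sni is %d bytes, limit is %d", n, maxSNIBytes)
	}
	return nil
}

// HashedSNI sketches the triage idea: keep the service name readable and swap
// the tag block for a digest both sides derive from the same sorted tags.
// Assumed scheme, not Kuma's code; the length check still applies to the result.
func HashedSNI(service string, tags map[string]string) string {
	sum := sha256.Sum256([]byte(BuildSNI(service, tags)))
	return service + "{" + hex.EncodeToString(sum[:])[:16] + "}"
}
```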

lahabana commented 2 weeks ago

@jakubdyszkiewicz this is fixed with the new MeshService right?