Closed
If you are reporting any crash or any potential security issue, do not
open an issue in this repo. Please report the issue via emailing
envoy-security@googlegroups.com where the issue will be triaged appropriately.
Title: transport_socket_matches doesn't update properly when endpoint metadata updates
Description:
When an endpoint metadata is updated, the transport_socket_matches doesn't update accordingly
Repro steps:
Envoy config:
```yaml
admin:
  access_log_path: /tmp/admin_access.log
  address:
    socket_address:
      protocol: TCP
      address: 127.0.0.1
      port_value: 15000
node:
  id: id
  cluster: test
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        protocol: TCP
        address: 0.0.0.0
        port_value: 10000
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["*"]
              routes:
              - match:
                  prefix: "/"
                route:
                  cluster: outbound
          http_filters:
          - name: envoy.router
  clusters:
  - name: outbound
    connect_timeout: 0.25s
    type: EDS
    dns_lookup_family: V4_ONLY
    lb_policy: ROUND_ROBIN
    max_requests_per_connection: 1
    common_lb_config:
      locality_weighted_lb_config: {}
    eds_cluster_config:
      eds_config:
        path: ./eds.yaml
    transport_socket_matches:
    - match:
        tlsMode: istio
      name: tlsMode-istio
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
          sni: httpbin.org
    - match: {}
      name: tlsMode-disabled
      transport_socket:
        name: envoy.transport_sockets.raw_buffer
```

Where eds.yaml is one of:
"EDS tls"

```yaml
resources:
- "@type": type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment
  clusterName: outbound
  endpoints:
  - lbEndpoints:
    - endpoint:
        address:
          socketAddress:
            address: 127.0.0.1
            portValue: 8080
      metadata:
        filterMetadata:
          envoy.transport_socket_match:
            tlsMode: istio
```

or "EDS no tls"
```yaml
resources:
- "@type": type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment
  clusterName: outbound
  endpoints:
  - lbEndpoints:
    - endpoint:
        address:
          socketAddress:
            address: 127.0.0.1
            portValue: 8080
```

I ran `mitmdump -p 8080 --mode reverse:http://httpbin.org -v` locally as the upstream server, which will accept HTTPS and HTTP and give info about which was used.
Behavior:
- With "EDS TLS", https is used
- With "EDS no TLS", plaintext is used
- If I start with "EDS TLS", then switch to "EDS no TLS", HTTPS is still used, and vice versa
When I do the switch, I can see envoy logging

```
transport socket match, socket tlsMode-disabled selected for host with address 127.0.0.1:8080
transport socket match, socket tlsMode-istio selected for host with address 127.0.0.1:8080
transport socket match, socket tlsMode-disabled selected for host with address 127.0.0.1:8080
transport socket match, socket tlsMode-istio selected for host with address 127.0.0.1:8080
```

but the behavior isn't actually changing.
cc @incfly
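The following is an added illustration, not Envoy's code or the reporter's: a small Python model of how `transport_socket_matches` selection works (first entry whose `match` keys are all present in the endpoint's `envoy.transport_socket_match` filter metadata wins, so the empty `match: {}` entry is the catch-all) and of why a host set that reuses an existing host purely by address keeps the transport socket chosen on first sight. The `HostSet` class, its `reuse_by_address_only` flag and the `EDS_TLS`/`EDS_NO_TLS` payloads are constructed for the example; the match entries mirror the cluster config in the report. The security-relevant consequence is the one the report describes: after an EDS update that removes the `tlsMode: istio` metadata, the address-keyed host set still reports TLS, and conversely a host first seen without metadata stays on plaintext even after TLS metadata is added.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed mirror of the cluster's transport_socket_matches from the report.
# Envoy evaluates the list in order; the first entry whose `match` is a subset
# of the endpoint's envoy.transport_socket_match metadata wins.
TRANSPORT_SOCKET_MATCHES = [
    {"name": "tlsMode-istio", "match": {"tlsMode": "istio"},
     "transport_socket": "envoy.transport_sockets.tls"},
    {"name": "tlsMode-disabled", "match": {},
     "transport_socket": "envoy.transport_sockets.raw_buffer"},
]

# Constructed ClusterLoadAssignment payloads, shaped like the two eds.yaml
# variants in the report (only the fields this example reads are included).
_ENDPOINT = {"address": {"socketAddress": {"address": "127.0.0.1", "portValue": 8080}}}
EDS_TLS = {"clusterName": "outbound", "endpoints": [{"lbEndpoints": [{
    "endpoint": _ENDPOINT,
    "metadata": {"filterMetadata": {"envoy.transport_socket_match": {"tlsMode": "istio"}}},
}]}]}
EDS_NO_TLS = {"clusterName": "outbound", "endpoints": [{"lbEndpoints": [{
    "endpoint": _ENDPOINT,
}]}]}


def transport_socket_criteria(endpoint_metadata: Optional[dict]) -> dict:
    """Return the envoy.transport_socket_match filter metadata, or {} if absent."""
    return (endpoint_metadata or {}).get("filterMetadata", {}).get(
        "envoy.transport_socket_match", {})


def select_transport_socket(endpoint_metadata: Optional[dict],
                            matches=TRANSPORT_SOCKET_MATCHES) -> Optional[str]:
    """Name of the first matching entry; None means the cluster default socket."""
    criteria = transport_socket_criteria(endpoint_metadata)
    for entry in matches:
        if all(criteria.get(key) == value for key, value in entry["match"].items()):
            return entry["name"]
    return None


@dataclass
class Host:
    address: str
    metadata: dict
    transport_socket_match: Optional[str]


class HostSet:
    """Simplified EDS host bookkeeping (hypothetical, not Envoy's).

    With reuse_by_address_only=True an existing host is kept untouched whenever
    its address is unchanged, which is the symptom the report describes: the
    transport socket selected when the host was first seen never changes.
    With False, a host whose metadata changed is rebuilt and re-matched.
    """

    def __init__(self, reuse_by_address_only: bool):
        self.reuse_by_address_only = reuse_by_address_only
        self.hosts: dict[str, Host] = {}

    def apply_cluster_load_assignment(self, assignment: dict) -> None:
        seen = set()
        for locality in assignment.get("endpoints", []):
            for lb_endpoint in locality.get("lbEndpoints", []):
                sa = lb_endpoint["endpoint"]["address"]["socketAddress"]
                address = f'{sa["address"]}:{sa["portValue"]}'
                metadata = lb_endpoint.get("metadata", {})
                seen.add(address)
                existing = self.hosts.get(address)
                if existing is not None and (
                        self.reuse_by_address_only or existing.metadata == metadata):
                    continue  # keep the existing host (and its socket) as-is
                self.hosts[address] = Host(address, metadata,
                                           select_transport_socket(metadata))
        # Hosts that disappeared from the assignment are removed.
        for address in list(self.hosts):
            if address not in seen:
                del self.hosts[address]

    def socket_for(self, address: str) -> Optional[str]:
        return self.hosts[address].transport_socket_match


def run_switch(reuse_by_address_only: bool) -> list:
    """Apply EDS_TLS then EDS_NO_TLS and record the socket chosen after each."""
    host_set = HostSet(reuse_by_address_only)
    chosen = []
    for assignment in (EDS_TLS, EDS_NO_TLS):
        host_set.apply_cluster_load_assignment(assignment)
        chosen.append(host_set.socket_for("127.0.0.1:8080"))
    return chosen


if __name__ == "__main__":
    print("address-keyed reuse (reported symptom):", run_switch(True))
    print("metadata-aware rebuild:", run_switch(False))
```

Running the block prints `['tlsMode-istio', 'tlsMode-istio']` for the address-keyed variant and `['tlsMode-istio', 'tlsMode-disabled']` for the metadata-aware one; the log line "socket tlsMode-disabled selected" in the report corresponds to `select_transport_socket` being re-run, while the unchanged behavior corresponds to the first variant never replacing the host that owns the connection.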