
forwarding in the envoy doesn't deal with `https` correctly

Open GKilm opened this issue 2 years ago • 8 comments

Describe the bug

When the protocol in the debugged pod is https, forwarding is not handled correctly with https.

Mention the platform you are using

  • System : Windows 10
  • Remote Machine : Centos 7.9
  • vscode version: 1.74.3

To Reproduce

Steps to reproduce the behavior:

  1. debug a pod whose protocol is https
  2. invoke the service

Additional context

I have tried to edit the envoy config at /etc/envoy/envoy.yaml, and it works. But I can't revise the envoy deployment and the envoy configmap in the cluster; they are always restored right away. How are they controlled?

Here are some of my attempts that might be helpful.

envoy.yaml

```yaml
static_resources:
  listeners:
  - name: listener_30888_30888
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 30888
    listener_filters:
    - name: envoy.filters.listener.http_inspector
    filter_chains:
    - filter_chain_match:
        application_protocols:
        - http/1.0
        - http/1.1
        - h2c
      filters:
      - name: envoy.http_connection_manager
        typed_config:
          '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          codec_type: auto
          stat_prefix: listener_30888_30888
          route_config:
            name: listener_30888_30888_route
            virtual_hosts:
            - name: listener_30888_30888_route_default
              domains:
              - '*'
              routes:
              - match:
                  headers:
                  - name: kubernetes-route-as
                    exact_match: root-g
                  prefix: /
                route:
                  cluster: service_debug_withHeader_kubernetes-route-as_root-g_30888_30888
                  timeout: 0s
                  idle_timeout: 0s
              - match:
                  prefix: /
                route:
                  cluster: service_original_clone_30888_30888
                  timeout: 0s
                  idle_timeout: 0s
          http_filters:
          - name: envoy.filters.http.router
      # to add: terminate TLS on the listener side (downstream context, serves our certificate)
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            tls_certificates:
              - certificate_chain:
                  filename: "/etc/yunion/pki/service.crt"
                private_key:
                  filename: "/etc/yunion/pki/service.key"
  # clusters must be nested under static_resources, not at the top level of the bootstrap
  clusters:
  - name: service_original_clone_30888_30888
    connect_timeout: 1.00s
    type: strict_dns
    load_assignment:
      cluster_name: service_original_clone_30888_30888
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: default-region-cloned-routing-svc.onecloud
                port_value: 30888
  - name: service_debug_withHeader_kubernetes-route-as_root-g_30888_30888
    connect_timeout: 1.00s
    type: static
    load_assignment:
      cluster_name: service_debug_withHeader_kubernetes-route-as_root-g_30888_30888
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 10.40.216.46
                port_value: 30888
    # to add: originate TLS towards the debug endpoint; a cluster takes the upstream
    # context (DownstreamTlsContext is rejected here)
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
```

The files mentioned in tls_certificates were added manually. With the transport_socket added, forwarding is OK.

reference

GKilm, Feb 03 '23 08:02
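As an added example (not code from this issue or from the Bridge to Kubernetes project), a small Python audit of the TLS wiring in an Envoy static config. It flags the slips that are easy to make in a hand-edited envoy.yaml like the one above (a `clusters` key that is not nested under `static_resources`, a DownstreamTlsContext on a cluster or an UpstreamTlsContext on a listener) and the caveat the post does not mention: an UpstreamTlsContext with no `validation_context` means Envoy does not verify the debug endpoint's certificate. The config dicts are constructed to mirror the shape of the posted file; load a real file with `yaml.safe_load` and pass the result to `audit_envoy_tls`.

```python
from typing import Optional, List, Tuple

TLS_SOCKET = "envoy.transport_sockets.tls"
DOWNSTREAM = "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext"
UPSTREAM = "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext"


def _tls(ts: Optional[dict]) -> Tuple[str, dict]:
    """Return (@type, common_tls_context) of a TLS transport_socket, or ('', {}) if none."""
    if not ts or ts.get("name") != TLS_SOCKET:
        return "", {}
    tc = ts.get("typed_config", {})
    return tc.get("@type", ""), tc.get("common_tls_context", {})


def audit_envoy_tls(cfg: dict) -> List[str]:
    """Audit listener and cluster TLS contexts of a parsed Envoy bootstrap; return findings."""
    findings = []
    if "clusters" in cfg:  # the indentation slip: clusters belongs under static_resources
        findings.append("top-level 'clusters' is not a bootstrap key; nest it under static_resources")
    sr = cfg.get("static_resources", {})
    for lst in sr.get("listeners", []):
        for fc in lst.get("filter_chains", []):
            kind, ctx = _tls(fc.get("transport_socket"))
            if kind == UPSTREAM:
                findings.append(f"listener {lst['name']}: UpstreamTlsContext on a listener; use DownstreamTlsContext")
            elif kind == DOWNSTREAM and not ctx.get("tls_certificates"):
                findings.append(f"listener {lst['name']}: DownstreamTlsContext has no tls_certificates to serve")
    # misplaced top-level clusters are still audited so every finding is reported in one pass
    for cl in sr.get("clusters", []) + cfg.get("clusters", []):
        kind, ctx = _tls(cl.get("transport_socket"))
        if kind == DOWNSTREAM:
            findings.append(f"cluster {cl['name']}: DownstreamTlsContext on a cluster; use UpstreamTlsContext")
        elif kind == UPSTREAM and not any("validation_context" in k for k in ctx):
            findings.append(f"cluster {cl['name']}: no validation_context, upstream certificate is not verified")
    return findings


def _tls_socket(type_url: str, common: Optional[dict] = None) -> dict:
    tc = {"@type": type_url}
    if common is not None:
        tc["common_tls_context"] = common
    return {"name": TLS_SOCKET, "typed_config": tc}


# Constructed sample configs mirroring the shape of the posted envoy.yaml (not the real file).
CERTS = {"tls_certificates": [{"certificate_chain": {"filename": "/path/to/service.crt"}}]}
LISTENER = {"name": "listener_30888_30888", "filter_chains": [{"transport_socket": _tls_socket(DOWNSTREAM, CERTS)}]}
DEBUG_CLUSTER = {"name": "service_debug_30888", "type": "static"}
AS_POSTED = {"static_resources": {"listeners": [LISTENER]},
             "clusters": [dict(DEBUG_CLUSTER, transport_socket=_tls_socket(DOWNSTREAM))]}
CORRECTED = {"static_resources": {"listeners": [LISTENER],
                                  "clusters": [dict(DEBUG_CLUSTER, transport_socket=_tls_socket(UPSTREAM, {}))]}}
```

`audit_envoy_tls(AS_POSTED)` reports the misplaced `clusters` key and the wrong context type; `audit_envoy_tls(CORRECTED)` still reports the missing `validation_context`, which is the one to add (with `trusted_ca`) before trusting traffic forwarded to the debug endpoint.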