John Howard
I think this likely needs some envoy support to get RDS health efficiently. Right now we do https://github.com/istio/istio/blob/43e1879a43efc00888c14fbc81de62c0ecfdd1d9/pilot/cmd/pilot-agent/status/util/stats.go#L31-L34 which isn't including rds.
The tricky part with RDS is we may have 0 routes - that's fine. We may have 10 routes, with 5 NACKed -- this _can_ also be fine, if the...
The GW API is about the _header name_, this is talking about the header value
cc @inteon
> Also, do you know where in code this is normally auto-set when we are not using GetConfigForClient?

`credentials.NewTLS()` from gRPC auto adds it

> Could you add a tests/...

> @howardjohn In order to test istio 1.24, we will have to add a file here: https://github.com/cert-manager/istio-csr/tree/main/make/config/istio.
>
> We can locally test the test using the following command: `ISTIO_VERSION="1.24.0-alpha.0"...
The errors were in the istio-proxy logs in my experience
Do you want to add all of this to Istiod? In the past when we did this type of thing we ran an actual sidecar for istio control plane itself
Why do we need sds here? Can't spire just mount the cert with a csi volume?
> If we require people to build and ship a custom sidecar to use a non-default CA, then I feel like that's a signal we are too tightly coupled to...