John Howard

Results 1677 comments of John Howard

I cannot reproduce the double endpoints, can you give more info?

If anything I would expect this to validate `testbox-https.internal.test-ca-signed-cert` as the SAN. A SAN must be verified, so I don't think a mode to not verify it other than insecureSkipVerify...

> Is there a plan to move VERIFY_CERTIFICATE_AT_CLIENT and ENABLE_AUTO_SNI to proper apis (specially ENABLE_AUTO_SNI) @howardjohn @kfaseela

`VERIFY_CERTIFICATE_AT_CLIENT` is insecureSkipVerify on DR. Auto SNI is effectively "explicitly set the SNI...

Standard mesh calls do not use auto_sni and already have used a custom Istio SNI format. Might not apply to your usage if you use MUTUAL, though.

@ramaraochavali are there specific concerns you have with either of these fields for your usage?

@ramaraochavali does it work if you set `sni: ""` explicitly?

WDS works well for ztunnel because it's the source of truth for things. It's IMO a poor choice when it's decoupled from the rest of the routing flow (reminds me...

> Because we know that was not a good solution. Not every endpoint is in a cluster to start with, you have to support pass-through cases just the same way....

TBH I am a bit confused by the position here. In the past, hadn't you advocated for deriving more metadata from trusted attributes? I.e. get the namespace, identity, etc from...