John Howard

Oh I think its simpler, the test is just broken: ``` $ openssl s_server -accept 9999 -cert ca-cert-alt-2.pem -key ca-key-alt-2.pem Using default temp DH parameters error setting private key 40F7FA89237D0000:error:05800074:x509...

And its not documented how it is generated... yay. I don't know how the test works at all. Oh, actually looks like it doesn't actually assert anything :grimacing:

I assume this is due to https://github.com/istio/istio/blob/954dcf909cb451095fdc06102e29da959a3ac5b4/pilot/pkg/xds/endpoints/ep_filters.go#L129-L136. I don't really know what we can do here. The only info we know about the gateway is what IP and cluster its...

Does failover really work but failoverPriority doesn't? that doesn't seem to make sense. Automatically using the common labels feels like it will be problematic outside if simple cases. Especially if...

Ah I get it now. Despite the gateway endpoints have the fake Locality set (https://github.com/istio/istio/blob/954dcf909cb451095fdc06102e29da959a3ac5b4/pilot/pkg/xds/endpoints/ep_filters.go#L129-L136), the failover code is reading the _envoy Endpoint_ info which has locality set. So I...

Basically, logically if I have 10 remote network endpoints, we would have 10 endpoints in envoy, all which can have the original metadata. We happen to optimize this down to...

I think we could implement this in Istio by apply the locality LB config _then_ deduping. Instead of deduping then applying locality LB config

Does https://github.com/envoyproxy/envoy/issues/22417 apply even if the endpoint is in a different priority level? What I was trying to express would allow 'the idea with separate endpoint for every label set...

This very much is not expected: ``` $ istioctl pc l shell-6d8bcd654d-w2ldz | rg aws 0.0.0.0 443 SNI: sts.us-east-2.amazonaws.com Cluster: outbound|443||sts.us-east-2.amazonaws.com 0.0.0.0 443 SNI: *.s3.dualstack.us-east-2.amazonaws.com Cluster: outbound|443||*.s3.dualstack.us-east-2.amazonaws.com ``` is what...

you can also just curl http://localhost:15000/config_dump in the contianer, then pass it to istioctl with `-f`