kuma
SNI too long when there are many tags
What happened?
Reported by one of our customers, they hit the following error when they were playing with routing (not sure if it's related to Virtual Outbound or regular traffic policies):
config was previously rejected by Envoy. Applying backoff before resending it {"backoff": "5s", "nodeID": "kong-mesh-dev.demo-packaging-6659768c56-4sgtj.demo-pg-c0ee522c-p7efabec-s85f83a7", "reason": "Error adding/updating cluster(s) http-test-server_kong-monitoring_svc_8080-379d218bfdddbea1: Proto constraint validation failed (UpstreamTlsContextValidationError.Sni: value length must be at most 255 bytes): common_tls_context {
alpn_protocols: \"kuma\"
tls_certificate_sds_secret_configs {
name: \"identity_cert:secret:kong-mesh-dev\"
sds_config {
ads {
}
resource_api_version : V3
}
}
combined_validation_context {
default_validation_context {
match_typed_subject_alt_names {
san_type: URI
matcher {
exact: \"spiffe://kong-mesh-dev/http-test-server_kong-monitoring_svc_8080\"
}
}
}
validation_context_sds_secret_config {
name: \"mesh_ca:secret:kong-mesh-dev\"
sds_config {
ads {
}
resource_api_version: V3
}
}
}
}
sni: \"http-test-server_kong-monitoring_svc_8080{k8s.kuma.io/service-port=8080,mesh=kong-mesh-dev,mesh.apixp/componentName=http-test-server,mesh.apixp/orgName=customer,mesh.apixp/orgUnitName=gtdp,mesh.apixp/productName=api-gateway,mesh.apixp/projectNameOrCustomName=eu-dev}\"
"}
Proto constraint validation failed (UpstreamTlsContextValidationError.Sni: value length must be at most 255 bytes
This was mitigated by reducing the length of the tag names and/or values.
Hey! Same issue spotted for us 🙂
Triage: an idea - we could hash the sni on both client and in zone ingress
@jakubdyszkiewicz this is fixed with the new MeshService right?
This is fixed by moving to MeshService
and covered in: #6143
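The 255-byte limit from the error above and the hashing idea raised in triage, as an added Go example that is not Kuma's code. `tagSNI` reproduces the `service{key=value,...}` format of the rejected SNI; `boundedSNI`, its `h` prefix and the 128-bit truncated SHA-256 are hypothetical choices made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

const maxSNILen = 255 // limit quoted in Envoy's validation error above

// tagSNI rebuilds the service{key=value,...} form seen in the rejected
// config, with keys sorted so every proxy derives the same string.
func tagSNI(service string, tags map[string]string) string {
	keys := make([]string, 0, len(tags))
	for k := range tags {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for i, k := range keys {
		keys[i] = k + "=" + tags[k]
	}
	return service + "{" + strings.Join(keys, ",") + "}"
}

// boundedSNI (hypothetical) keeps the tag form when it fits and otherwise
// returns a fixed-length digest of it, so tag count no longer affects length.
func boundedSNI(service string, tags map[string]string) string {
	full := tagSNI(service, tags)
	if len(full) <= maxSNILen {
		return full
	}
	sum := sha256.Sum256([]byte(full))
	return "h" + hex.EncodeToString(sum[:16]) // 1 + 32 hex characters
}

// Service name and tags copied from the rejected SNI in the report.
const sampleService = "http-test-server_kong-monitoring_svc_8080"

var sampleTags = map[string]string{
	"k8s.kuma.io/service-port": "8080", "mesh": "kong-mesh-dev",
	"mesh.apixp/componentName": "http-test-server", "mesh.apixp/orgName": "customer",
	"mesh.apixp/orgUnitName": "gtdp", "mesh.apixp/productName": "api-gateway",
	"mesh.apixp/projectNameOrCustomName": "eu-dev",
}

func main() {
	fmt.Println(len(tagSNI(sampleService, sampleTags)), boundedSNI(sampleService, sampleTags))
}
```

A digest cannot be parsed back into tags, so in this sketch the receiving side would have to compute the same digest for each destination it knows and match on that value.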