l8huang

Results 102 comments of l8huang

> Can you write a proposal first? see [RFC: Support Envoy Native Subset Load Balancing](https://docs.google.com/document/d/1qvd2nnvsTBQdRrSCwTs6zX1S0e2wh37uI49uqBhtdRw/edit?resourcekey=0-rlhqTrOa7s2baqF3i8_S1A)

Not sure if `fallback` is the expected behavior, because the feature request mentioned that: > **When there is no healthy endpoint** in the upstream cluster svc-a or svc-b, the request should...

This feature request is for the terminating case. Clients are verifying the cert, but all certs are corp-signed.

app-sidecar doesn't have the real corp-signed certs, so a wildcard cert will be used; basically app-sidecar is performing a man-in-the-middle attack.

Cert security is another topic we need to address. > In order for this to work you need to give it to the entire mesh. The mesh is in secured...

If I understand this correctly, that means if malware in a pod mimics an XDS connection to istiod, it can make an SDS request to get the cert/key, right? So,...

SDS checks if the secret and the proxy are in the same namespace and the proxy's service account is authorized to access Secrets in that namespace. But the cert/key for terminating HTTPS shouldn't be...

Looks like a wildcard cert is not a good idea. Putting the cert/key-related issue aside for now, let's assume regular certs are used and they are stored in the workload namespace,...

Thanks for sharing this information. I found the PR https://github.com/istio/api/pull/1529 which removed the [ServerTLSSettings](https://github.com/istio/api/pull/1529/files#diff-b5c11342f04ad3d19dfae95e24f1dc629a5ea5ef41929c4d18132ebced2f4dfeL569-L579). Not sure if the only reason is that it's unimplemented or whether there are some other reasons as...

Cool, the config option `pcie_root_port` is also useful for DPU/SmartNIC -- the VFIO network devices are dynamically allocated according to the Pod's network setting 👍