Tags: kumahq/kuma
fix(sni): use old sni format and transport matches on mixed env (#16944)

## Motivation

MeshMultiZoneService is a global resource, so its KRI always has zone == "". The condition gating the new KRI-based SNI was:

```
useKRISni := zone == "" || isLocalMeshService || meshCtx.ZonesWithMeshScopedProxy[zone]
```

The zone == "" branch fired for every MZMS, so we always sent the KRI SNI regardless of whether the remote zones could match it.

That matters because an MZMS aggregates MeshServices from several zones into a single Envoy cluster, and the two kinds of zone proxy match different SNIs:

- a new mesh-scoped zone proxy matches only the KRI SNI;
- a legacy ZoneIngress matches only the old hash-based SNI.

The two sets don't overlap, so no single cluster-wide SNI works once an MZMS spans both. Picking the KRI SNI breaks the legacy zones; picking the hash SNI breaks the new ones.

## Implementation information

Set the SNI per endpoint instead of per cluster. The cluster keeps the KRI SNI as its default transport socket (used by the local zone and any zone with a mesh-scoped proxy), and every remote zone that only has a legacy ZoneIngress gets a `transport_socket_match` keyed on the `kuma.io/zone` endpoint metadata carrying the hash-based SNI. Envoy then picks the right socket for each endpoint by its zone.

This only applies when the proxy has a WorkloadIdentity — without one, new-proxy zones aren't reachable anyway, so that path keeps the old hash-based SNI unchanged.

`classifyMZMSEndpointZones` returns the legacy zones plus whether any endpoint wants the default KRI SNI.

---------

Signed-off-by: Lukasz Dziedziak <lukidzi@gmail.com>
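The per-endpoint SNI selection described in that commit, shown as an Envoy cluster plus its endpoint assignment. This is an added illustration written for this page, not config generated by Kuma; the cluster name, zone names, addresses and the two SNI strings are placeholders, and the TLS certificate configuration is omitted.

```yaml
# Cluster side. The default transport socket carries the KRI-based SNI; one
# transport_socket_matches entry per legacy-ZoneIngress-only zone carries that
# zone's hash-based SNI. Envoy picks the first entry whose `match` keys are all
# present in an endpoint's envoy.transport_socket_match metadata, and falls
# back to the cluster-level transport_socket when nothing matches.
name: mzms-cluster                        # placeholder
type: EDS
eds_cluster_config:
  eds_config: { ads: {} }
transport_socket:
  name: envoy.transport_sockets.tls
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
    sni: "<KRI-BASED-SNI>"                # placeholder for the KRI SNI
transport_socket_matches:
- name: legacy-zone-east
  match:
    kuma.io/zone: zone-east               # placeholder legacy ZoneIngress zone
  transport_socket:
    name: envoy.transport_sockets.tls
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
      sni: "<HASH-BASED-SNI-zone-east>"   # placeholder for the old hash SNI
---
# Endpoint side (ClusterLoadAssignment). The zone label is placed under the
# envoy.transport_socket_match filter metadata so the matcher above can key
# on it; an endpoint from a zone with no entry uses the default (KRI) socket.
cluster_name: mzms-cluster
endpoints:
- lb_endpoints:
  - endpoint:
      address: { socket_address: { address: 10.0.1.10, port_value: 10001 } }  # placeholder legacy ZoneIngress
    metadata:
      filter_metadata:
        envoy.transport_socket_match:
          kuma.io/zone: zone-east         # -> legacy-zone-east match, hash SNI
  - endpoint:
      address: { socket_address: { address: 10.0.2.10, port_value: 10001 } }  # placeholder mesh-scoped zone proxy
    metadata:
      filter_metadata:
        envoy.transport_socket_match:
          kuma.io/zone: zone-west         # no entry -> default socket, KRI SNI
```

Checking the rendered cluster with `transport_socket_matches` and each endpoint's `kuma.io/zone` metadata is the quickest way to confirm a mixed MZMS is sending the SNI each zone proxy can actually match.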
fix(goldenfiles): update meshhttproute gateway (#16848)

## Motivation

PR #16782 removed redundant exact `/` route matches from gateway virtual hosts but missed updating the `gateway-builtingateway-with-multiple-listeners.routes.golden.yaml` golden file, causing `meshhttproute` plugin tests to fail on `release-2.13`.

This is a backport of #16827.

## Implementation information

Regenerated the golden file with `UPDATE_GOLDEN_FILES=true`. The diff removes the redundant exact `/` match route blocks (one per virtual host) that are now correctly omitted since the prefix `/` match already covers them.

> Changelog: skip

---------

Signed-off-by: Bart Smykla <bartek@smykla.com>
fix(goldenfiles): update meshhttproute gateway (#16850)

## Motivation

PR #16782 removed redundant exact `/` route matches from gateway virtual hosts but missed updating the `gateway-builtingateway-with-multiple-listeners.routes.golden.yaml` golden file, causing `meshhttproute` plugin tests to fail on `release-2.12`.

This is a backport of #16827.

## Implementation information

Regenerated the golden file with `UPDATE_GOLDEN_FILES=true`. The diff removes the redundant exact `/` match route blocks (one per virtual host) that are now correctly omitted since the prefix `/` match already covers them.

> Changelog: skip

---------

Signed-off-by: Bart Smykla <bartek@smykla.com>
fix(goldenfiles): update meshhttproute gateway (#16849)

## Motivation

PR #16782 removed redundant exact `/` route matches from gateway virtual hosts but missed updating the `gateway-builtingateway-with-multiple-listeners.routes.golden.yaml` golden file, causing `meshhttproute` plugin tests to fail on `release-2.11`.

This is a backport of #16827.

## Implementation information

Regenerated the golden file with `UPDATE_GOLDEN_FILES=true`. The diff removes the redundant exact `/` match route blocks (one per virtual host) that are now correctly omitted since the prefix `/` match already covers them.

> Changelog: skip

---------

Signed-off-by: Bart Smykla <bartek@smykla.com>