MeshTLS doesn't set TLS version on delegated gateway #12107
lukidzi added the triage/pending (This issue will be looked at on the next triage meeting) and kind/bug (A bug) labels on Nov 26, 2024
lukidzi added a commit that referenced this issue on Nov 27, 2024
## Motivation

I noticed a flake and began investigating. I discovered the TLS version and cipher are not configured for the delegated gateway. Since the `MeshTLS` policy is a `from` policy and the delegated gateway has no inbound listener, the policy cannot be matched to any listener. The test passed because the request was sent before the configuration was fully delivered.

## Implementation information

Excluded the test and added `MustPassRepeatedly(5)` to ensure better validation once the issue is resolved.

## Supporting documentation

xref: #12107

Signed-off-by: Lukasz Dziedziak <[email protected]>
kumahq bot pushed a commit that referenced this issue on Nov 27, 2024
kumahq bot pushed a commit that referenced this issue on Nov 27, 2024
kumahq bot pushed a commit that referenced this issue on Nov 27, 2024
kumahq bot pushed a commit that referenced this issue on Nov 27, 2024
bartsmykla added the triage/accepted (The issue was reviewed and is complete enough to start working on it) label and removed the triage/pending (This issue will be looked at on the next triage meeting) label on Dec 2, 2024
What happened?
While investigating the flake, I noticed that the TLS version for the delegated gateway was not set at all. Since MeshTLS is a 'from' policy, and the delegated gateway does not have a listener (inbound), no policy is matched.
https://github.com/kumahq/kuma/blob/master/pkg/plugins/policies/core/matchers/dataplane.go#L304
User impact
The user is unable to configure the TLS version and cipher for the delegated gateway.
Possible solutions
to
section and allow defining TLS version/Cipher
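
The failure mode reported above (a single request passing before the TLS configuration was delivered, which is why `MustPassRepeatedly(5)` was added) can be checked with a repeated downgrade probe. This is an added example, not code from the Kuma project; `rejectsBelow`, `probeLocal` and the local `httptest` listener standing in for the gateway are assumptions.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net"
	"net/http/httptest"
)

// rejectsBelow (hypothetical helper) dials addr `attempts` times with the client
// capped at maxVer. It returns true only if every handshake is refused; a single
// success means the minimum TLS version is not (or not yet) enforced there.
func rejectsBelow(addr string, roots *x509.CertPool, maxVer uint16, attempts int) (bool, error) {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return false, err
	}
	for i := 0; i < attempts; i++ {
		raw, err := net.Dial("tcp", addr)
		if err != nil {
			return false, err // an unreachable listener proves nothing
		}
		conn := tls.Client(raw, &tls.Config{RootCAs: roots, ServerName: host, MaxVersion: maxVer})
		err = conn.Handshake()
		conn.Close()
		if err == nil {
			return false, nil
		}
	}
	return true, nil
}

// probeLocal starts a constructed local TLS listener (standing in for the gateway)
// with minimum version serverMin; 0 leaves Go's default, i.e. no policy applied.
func probeLocal(serverMin uint16, attempts int) (bool, error) {
	srv := httptest.NewUnstartedServer(nil)
	srv.TLS = &tls.Config{MinVersion: serverMin}
	srv.StartTLS()
	defer srv.Close()
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	return rejectsBelow(srv.Listener.Addr().String(), roots, tls.VersionTLS12, attempts)
}

func main() {
	fmt.Println(probeLocal(tls.VersionTLS13, 5))
	fmt.Println(probeLocal(0, 5))
}
```

When adapting `rejectsBelow` to a real gateway address, put the mesh CA in `roots` and inspect the handshake error, since a handshake refused for a reason other than the protocol version is also counted as a refusal here.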