cl-dataplane: Disable controlplane TLS session keys

This commit disables envoy from using TLS session keys when connecting to the controlplane. Enabling session keys produces big TLS client hello packets, which cause a "buffer full" error on the controlplane's SNI proxy. Signed-off-by: Or Ozeri <[email protected]>
clusterlink-net · Mar 3, 2024 · 0a0b861 · 0a0b861
1 parent 71e53fa
commit 0a0b861
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/cmd/cl-dataplane/app/envoyconf.go b/cmd/cl-dataplane/app/envoyconf.go
@@ -92,6 +92,7 @@ static_resources:
       typed_config:
         "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
         sni: {{.controlplaneGRPCSNI}}
+        max_session_keys: 0 # TODO: remove once controlplane no longer uses inet.af/tcpproxy
         common_tls_context:
           tls_certificate_sds_secret_configs:
           - name: {{.certificateSecret}}
@@ -120,6 +121,7 @@ static_resources:
       typed_config:
         "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
         sni: {{.peerName}}
+        max_session_keys: 0 # TODO: remove once controlplane no longer uses inet.af/tcpproxy
         common_tls_context:
           tls_certificate_sds_secret_configs:
           - name: {{.certificateSecret}}