cl-dataplane: Disable controlplane TLS session keys
This commit disables envoy from using TLS session keys
when connecting to the controlplane.
Enabling session keys produces big TLS client hello packets,
which cause a "buffer full" error on the controlplane's SNI proxy.

Signed-off-by: Or Ozeri <[email protected]>
orozery committed Feb 29, 2024
1 parent 9d7251f commit 1c090f1
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions cmd/cl-dataplane/app/envoyconf.go
Expand Up @@ -92,6 +92,7 @@ static_resources:
typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
sni: {{.controlplaneGRPCSNI}}
max_session_keys: 0 # TODO: remove once controlplane no longer uses inet.af/tcpproxy
common_tls_context:
tls_certificate_sds_secret_configs:
- name: {{.certificateSecret}}
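Review bot: The TODO on the `max_session_keys: 0` line names inet.af/tcpproxy but not the failure it works around, so a later reader cannot tell when removal is safe without finding this commit. Suggest spelling out the reason in the comment (session keys enlarge the ClientHello, which triggers "buffer full" on the controlplane's SNI proxy) or linking a tracking issue. Also worth stating in the commit message that setting this field to 0 disables TLS session resumption on this cluster, so every reconnect to {{.controlplaneGRPCSNI}} performs a full handshake with the certificate from {{.certificateSecret}}.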
Expand Down Expand Up @@ -120,6 +121,7 @@ static_resources:
typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
sni: {{.peerName}}
max_session_keys: 0 # TODO: remove once controlplane no longer uses inet.af/tcpproxy
common_tls_context:
tls_certificate_sds_secret_configs:
- name: {{.certificateSecret}}
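Review bot: The commit message limits the change to connections "to the controlplane", but the `max_session_keys: 0` line here is set on the cluster whose SNI is {{.peerName}}, which the message does not mention. Please say in the commit message or in the comment whether connections to peers also pass through the SNI proxy that hits the "buffer full" error. If they do not, this line can be dropped so peer connections keep session resumption. If they do, the TODO text is fine but the commit title and body should cover both clusters.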