From 0a0b861ee78f8649131196030d60495fc04e212d Mon Sep 17 00:00:00 2001
From: Or Ozeri
Date: Thu, 29 Feb 2024 15:32:20 +0200
Subject: [PATCH] cl-dataplane: Disable controlplane TLS session keys

This commit disables envoy from using TLS session keys when connecting to the controlplane. Enabling session keys produces big TLS client hello packets, which cause a "buffer full" error on the controlplane's SNI proxy.

Signed-off-by: Or Ozeri
---
 cmd/cl-dataplane/app/envoyconf.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/cmd/cl-dataplane/app/envoyconf.go b/cmd/cl-dataplane/app/envoyconf.go
index 3afb9218..a0b23d83 100644
--- a/cmd/cl-dataplane/app/envoyconf.go
+++ b/cmd/cl-dataplane/app/envoyconf.go
@@ -92,6 +92,7 @@ static_resources:
 typed_config:
 "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
 sni: {{.controlplaneGRPCSNI}}
+ max_session_keys: 0 # TODO: remove once controlplane no longer uses inet.af/tcpproxy
 common_tls_context:
 tls_certificate_sds_secret_configs:
 - name: {{.certificateSecret}}
@@ -120,6 +121,7 @@ static_resources:
 typed_config:
 "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
 sni: {{.peerName}}
+ max_session_keys: 0 # TODO: remove once controlplane no longer uses inet.af/tcpproxy
 common_tls_context:
 tls_certificate_sds_secret_configs:
 - name: {{.certificateSecret}}
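Review bot: The trailing TODO on the added `max_session_keys: 0` line names the dependency to wait for but not what the setting does or why it is needed; that reasoning exists only in the commit message. The identical line in the second hunk (the context with `sni: {{.peerName}}`) has the same gap. I would make the comment self-contained, for example `# Disables TLS session resumption: the larger ClientHello triggers "buffer full" in the controlplane SNI proxy (inet.af/tcpproxy). TODO: remove once that proxy is replaced.` It would also help to mention that every reconnect on these clusters now performs a full handshake, so the cost of the workaround is visible to whoever revisits it. The surrounding template starts and ends outside the hunk.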
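Review bot: The commit subject and description cover only connections to the controlplane, but this second `max_session_keys: 0` is added to the upstream TLS context whose SNI is `{{.peerName}}`. If peer connections also pass through the SNI proxy, the comment here should say so, e.g. `# peer connections are also routed through the controlplane SNI proxy, see above`; if they do not, resumption is being turned off on this path without a stated reason. A ClientHello can presumably exceed the proxy's buffer for other reasons too, so a test or log check for the "buffer full" error would show whether the workaround still holds after TLS settings change.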