Description:
I am unable to use Backends with BackendTLSPolicy for self-signed certificates. I'm unsure if I'm just doing something wrong with an external auth service with a self-signed cert (e.g. self-signed.example.com) or if a bigger problem is happening with the test environments.
Here are the docs for what I'm trying to do with v1.7.1:
https://gateway.envoyproxy.io/latest/tasks/security/oidc/#connect-to-an-oidc-provider-with-self-signed-certificate
It will result in the gateway logging "not found" and doing nothing, when it is in fact there via kubectl:

```
"error": "OIDC: backend myns/backend-keycloak not found"
```
Looking through the RBAC it seems envoy should have access to get the backends from any namespace there.
There is a unit test for exactly this that makes me wonder if a bigger issue is happening. It passes but the only way it seems like it could is if the test environment was running completely different CRDs than what is in the releases.
For example, this line for the SecurityPolicy custom resource has tcpKeepalive in the wrong place: https://github.com/envoyproxy/gateway/blob/v1.7.1/test/e2e/testdata/oidc-securitypolicy-backendcluster.yaml#L77
It seems tcpKeepalive is under backendSettings, not backendSettings.retry: https://github.com/envoyproxy/gateway/blob/v1.7.1/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml#L1700
So if you try to run this on the release you'll be met with errors trying to apply the manifest:
```
failed to create typed patch object (oidc-test; gateway.envoyproxy.io/v1alpha1, Kind=SecurityPolicy): .spec.oidc.provider.backendSettings.retry.tcpKeepalive: field not declared in schema.
```
Here is an easier way to see tcpKeepalive missing:

```
$ kubectl explain securitypolicy.spec.oidc.provider.backendSettings.retry
GROUP:      gateway.envoyproxy.io
KIND:       SecurityPolicy
VERSION:    v1alpha1

FIELD: retry <Object>

DESCRIPTION:
    Retry provides more advanced usage, allowing users to customize the number
    of retries, retry fallback strategy, and retry triggering conditions.
    If not set, retry will be disabled.

FIELDS:
  numAttemptsPerPriority <integer>
    NumAttemptsPerPriority defines the number of requests (initial attempt +
    retries) that should be sent to the same priority before switching to a
    different one. If not specified or set to 0, all requests are sent to the
    highest priority that is healthy.

  numRetries <integer>
    NumRetries is the number of retries to be attempted. Defaults to 2.

  perRetry <Object>
    PerRetry is the retry policy to be applied per retry attempt.

  retryOn <Object>
    RetryOn specifies the retry trigger condition.
    If not specified, the default is to retry on
    connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes(503).
```
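As an added illustration of the field placement the report describes (this is not the page's manifest nor the project's own testdata), here is a SecurityPolicy with tcpKeepalive at the level the v1.7.1 CRD declares, next to the nesting the e2e testdata uses. The route name, issuer path, secret name and the tcpKeepalive sub-fields (probes, idleTime, interval) are assumptions; the Backend and BackendTLSPolicy it refers to are not shown.

```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: oidc-test            # name taken from the apply error above
  namespace: myns            # namespace taken from the "not found" log line
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: myapp            # assumed route name
  oidc:
    provider:
      # hostname from the report; the realm path is assumed
      issuer: https://self-signed.example.com/realms/master
      backendRefs:
        - group: gateway.envoyproxy.io
          kind: Backend
          name: backend-keycloak   # backend name from the "not found" log line
      backendSettings:
        # WRONG (what the e2e testdata does): nesting tcpKeepalive under
        # retry is rejected by the released CRD with
        # ".spec.oidc.provider.backendSettings.retry.tcpKeepalive:
        #  field not declared in schema".
        # retry:
        #   tcpKeepalive:
        #     probes: 3
        retry:
          numRetries: 2
        # RIGHT: tcpKeepalive is a sibling of retry under backendSettings
        # (sub-field names assumed from the TCPKeepalive type).
        tcpKeepalive:
          probes: 3
          idleTime: 20s
          interval: 10s
    clientID: my-client-id             # assumed
    clientSecret:
      name: oidc-client-secret         # assumed Secret name in namespace myns
```

Running `kubectl apply --dry-run=server -f <file>` against the cluster surfaces the same "field not declared in schema" rejection before anything is created, which is a cheap way to catch testdata that drifts from the released CRDs.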
Another problem is whether EG 1.7.1 even sees backends with btls configs using v1beta3. However, creating the BackendTLSPolicy as v1 doesn't fix my problem either. It just further confuses what the e2e tests are actually testing.
My only point with the e2e tests is that I don't know what's going on here, other than I don't think it's testing configurations that end users will run into. So I don't know if that's why it passes there but doesn't pass out in the wild.
Repro steps:
Try to run something like this on a real Envoy Gateway 1.7.1 release, or just try to do this configuration at all. Watch the gateway logs, which will say the backend is not found as it processes:
https://github.com/envoyproxy/gateway/blob/v1.7.1/test/e2e/testdata/oidc-securitypolicy-backendcluster.yaml
Environment:
- Envoy Gateway 1.7.1
- Kubernetes 1.33.7