I'm using Envoy and trying to create a dynamic configuration using the Sovereign control plane. I add a match_typed_subject_alt_names section to the config, then call /config_dump on the Envoy side, and this section is just not present. I don't understand what is happening.
The config on the Sovereign side looks like I expect it to. This is what I see when I use the Sovereign UI to check what config it sends to Envoy (some parts of the config removed):
{
  resources: [
    {
      name: "name1-elb",
      type: "STRICT_DNS",
      load_assignment: {
        cluster_name: "name1-elb",
        endpoints: [
          {
            lb_endpoints: [
              {
                endpoint: {
                  address: {
                    socket_address: {
                      address: "host1.net",
                      port_value: 443
                    }
                  }
                }
              },
              {
                endpoint: {
                  address: {
                    socket_address: {
                      address: "host2.net",
                      port_value: 443
                    }
                  }
                }
              }
            ]
          }
        ]
      },
      transport_socket: {
        name: "envoy.transport_sockets.tls",
        typed_config: {
          @type: "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
          max_session_keys: 0,
          allow_renegotiation: false,
          common_tls_context: {
            tls_params: {
              tls_minimum_protocol_version: "TLSv1_2",
              tls_maximum_protocol_version: "TLSv1_3"
            },
            validation_context: {
              trusted_ca: {
                filename: "/etc/ssl/certs/certificates.crt"
              },
              match_typed_subject_alt_names: [
                {
                  san_type: "DNS",
                  matcher: {
                    exact: "host1.net"
                  }
                },
                {
                  san_type: "DNS",
                  matcher: {
                    exact: "host2.net"
                  }
                }
              ],
              allow_expired_certificate: false
            }
          }
        }
      },
      @type: "type.googleapis.com/envoy.api.v2.Cluster"
    }
  ]
}
and this is what I see when I use /config_dump on the Envoy side:
{
  dynamic_active_clusters: [
    {
      cluster: {
        @type: "type.googleapis.com/envoy.config.cluster.v3.Cluster",
        name: "name1-elb",
        type: "STRICT_DNS",
        transport_socket: {
          name: "envoy.transport_sockets.tls",
          typed_config: {
            @type: "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext",
            common_tls_context: {
              tls_params: {
                tls_minimum_protocol_version: "TLSv1_2",
                tls_maximum_protocol_version: "TLSv1_3"
              },
              validation_context: {
                trusted_ca: {
                  filename: "/etc/ssl/certs/certificates.crt"
                }
              }
            },
            max_session_keys: 0
          }
        },
        load_assignment: {
          cluster_name: "name1-elb",
          endpoints: [
            {
              lb_endpoints: [
                {
                  endpoint: {
                    address: {
                      socket_address: {
                        address: "host1.net",
                        port_value: 443
                      }
                    }
                  }
                },
                {
                  endpoint: {
                    address: {
                      socket_address: {
                        address: "host2.net",
                        port_value: 443
                      }
                    }
                  }
                }
              ]
            }
          ]
        },
        respect_dns_ttl: true
      }
    }
  ]
}
As you can see, no match_typed_subject_alt_names section is present. I also tried adding different matchers, with no success.
Any ideas what is happening there?
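A small checker, added here as an example and not part of the question or of the Sovereign or Envoy projects, that walks a /config_dump document and reports how many SAN matchers each cluster using the TLS transport socket carries, so a dropped match_typed_subject_alt_names shows up as a cluster that trusts a CA but pins no hostname. The input is a constructed dict in the dump's shape: name1-elb mirrors the dump above, while name2-elb and plain are made up.

```python
# Constructed sample in the shape of Envoy's /config_dump output. name1-elb mirrors
# the dump in the question (trusted CA, no SAN matcher); name2-elb and plain are
# made up: one with the expected matcher, one without a TLS transport socket.
TLS_SOCKET = "envoy.transport_sockets.tls"
CA = {"filename": "/etc/ssl/certs/certificates.crt"}
CONFIG_DUMP = {"dynamic_active_clusters": [
    {"cluster": {
        "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
        "name": "name1-elb",
        "transport_socket": {"name": TLS_SOCKET, "typed_config": {
            "common_tls_context": {"validation_context": {"trusted_ca": CA}}}}}},
    {"cluster": {
        "@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
        "name": "name2-elb",
        "transport_socket": {"name": TLS_SOCKET, "typed_config": {
            "common_tls_context": {"validation_context": {
                "trusted_ca": CA,
                "match_typed_subject_alt_names": [
                    {"san_type": "DNS", "matcher": {"exact": "host1.net"}}]}}}}}},
    {"cluster": {"@type": "type.googleapis.com/envoy.config.cluster.v3.Cluster",
                 "name": "plain"}},
]}

# Current field name first, the deprecated one second (older configs may still use it).
SAN_FIELDS = ("match_typed_subject_alt_names", "match_subject_alt_names")

def audit_upstream_san_matching(dump: dict) -> dict:
    """Map each cluster that uses the TLS transport socket to the number of SAN
    matchers in its validation_context. Zero means Envoy checks the chain against
    trusted_ca but does not bind the certificate to any expected hostname."""
    counts = {}
    for entry in dump.get("dynamic_active_clusters", []):
        cluster = entry.get("cluster", {})
        socket = cluster.get("transport_socket", {})
        if socket.get("name") != TLS_SOCKET:
            continue
        ctx = socket.get("typed_config", {}).get("common_tls_context", {})
        vc = ctx.get("validation_context", {})
        counts[cluster["name"]] = sum(len(vc.get(field, [])) for field in SAN_FIELDS)
    return counts

if __name__ == "__main__":
    for name, n in audit_upstream_san_matching(CONFIG_DUMP).items():
        print(f"{name}: {'ok' if n else 'NO SAN MATCHER'} ({n} matcher(s))")
```

Against a live proxy, pass the parsed JSON from the admin endpoint's /config_dump (for example `json.load(...)`) to `audit_upstream_san_matching` instead of the constructed dict.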