We (CloudFoundry mesh networking team) are trying to enable mTLS via MCP. We were able to configure Destination Rules (code below), which seems like it’s the only part that can be configured in the Protos currently.
Unfortunately, this isn't working. We've identified a discrepancy in Envoy's config_dump between a working kube deployment and a non-working CF deployment, which we think might point to the problem.
In CF, this has added a tls_context to all the dynamic_active_clusters, which has all the information we would expect. However, connections fail while negotiating.
In Kube, there's a section under dynamic_active_listeners that has a tls_context, and the clusters do not. How can we get our config to look like this through MCP?
I can provide full dumps of our CF envoy config (and the kube envoy config we’re comparing it to) if desired.
P.S. I tried joining the Slack, but sign-ups appear closed, which is unfortunate. If you'd like to have a real-time conversation you can find us in the Cloud Foundry Slack in #istio.
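For readers comparing the two config_dumps: in Istio the two halves of mTLS are configured by different resources. A DestinationRule with `tls.mode: ISTIO_MUTUAL` configures the client side, which Envoy shows as a `tls_context` on the outbound clusters; the server side, the `tls_context` on the inbound listeners, comes from an authentication Policy (or the cluster-scoped MeshPolicy). The following is an added example of the pair as applied mesh-wide on Kubernetes; it is not the poster's configuration (which is not reproduced on this page) and it makes no claim about which of these protos the MCP path in question can carry. The host pattern, namespace and resource names are the conventional ones from the Istio mesh-wide mTLS setup and are assumptions here.

```yaml
# Added example, not the original post's config. Assumes Istio's
# networking.istio.io/v1alpha3 and authentication.istio.io/v1alpha1 APIs.

# Client side: makes every sidecar originate mTLS to in-mesh services.
# In Envoy's config_dump this shows up as tls_context on
# dynamic_active_clusters.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: default
  namespace: istio-system   # assumed: the Istio control-plane namespace
spec:
  host: "*.local"           # assumed: match all in-mesh services
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL    # use the sidecar's SDS/citadel-issued cert
---
# Server side: makes every sidecar require mTLS from peers.
# In Envoy's config_dump this shows up as tls_context on the inbound
# dynamic_active_listeners. Without it, listeners stay plaintext and the
# TLS handshake started by the client cluster above fails.
apiVersion: authentication.istio.io/v1alpha1
kind: MeshPolicy
metadata:
  name: default             # MeshPolicy must be named "default"
spec:
  peers:
  - mtls: {}                # STRICT by default; use `mode: PERMISSIVE` to allow plaintext too
```

To check which half is missing on a given proxy, pull `/config_dump` from the Envoy admin port and look for `tls_context` under `dynamic_active_clusters` (client side, from the DestinationRule) and under `dynamic_active_listeners` (server side, from the Policy); a deployment with only the former matches the CF symptom described above.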