I need to enable tls renegotiation for a specific outgoing domain via egress mtls origination with Istio 1.5.3. I’m using an EnvoyFilter like below:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: allow-tls-renegotiation
  namespace: istio-system
spec:
  configPatches:
  - applyTo: CLUSTER
    match:
      cluster:
        name: outbound|443||<domain>
        load_assignment:
          cluster_name: outbound|443||<domain>
    patch:
      operation: MERGE
      value:
        transportSocket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": "type.googleapis.com/envoy.api.v2.auth.UpstreamTlsContext"
            allow_renegotiation: true
  workloadSelector:
    labels:
      istio: egressgateway
When I apply it, the config of the corresponding UpstreamTlsContext is replaced completely and not updated as expected with the MERGE operation of the patch.
So the resulting config looks like:
  "transportSocket": {
    "name": "envoy.transport_sockets.tls",
    "typedConfig": {
      "@type": "type.googleapis.com/envoy.api.v2.auth.UpstreamTlsContext",
      "allowRenegotiation": true
    }
  },
Instead of
  "transportSocket": {
    "name": "envoy.transport_sockets.tls",
    "typedConfig": {
      "@type": "type.googleapis.com/envoy.api.v2.auth.UpstreamTlsContext",
      "commonTlsContext": {
        "tlsCertificates": [
          {
            "certificateChain": {
              "filename": "/etc/..../tls.crt"
            },
            "privateKey": {
              "filename": "[redacted]"
            }
          }
        ]
      },
      "sni": "<domain>",
      "allowRenegotiation": true
    }
  },
Did someone succeed in updating an object of type "type.googleapis.com/envoy.api.v2.auth.UpstreamTlsContext" properly with EnvoyFilter?
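The replacement described in the post silently drops the client certificate and SNI from the egress cluster, so the gateway stops doing mTLS origination without any error. The following check (an added example, not code from the post or from Istio) scans a cluster dump for UpstreamTlsContext entries that lost those fields; it assumes the dump is a JSON array of clusters, as `istioctl proxy-config cluster <pod> -o json` produces, and the sample data below is constructed from the two snippets above.

```python
"""Flag Envoy clusters whose UpstreamTlsContext lost its mTLS origination
settings (client certificate, SNI), e.g. after an EnvoyFilter MERGE that
replaced the whole typed_config instead of merging into it."""
import json

UPSTREAM_TLS_TYPE = "type.googleapis.com/envoy.api.v2.auth.UpstreamTlsContext"

# Constructed sample modelled on the post: the first cluster carries the
# replaced context (only allowRenegotiation), the second the expected merged one.
SAMPLE_CLUSTER_DUMP = json.dumps([
    {"name": "outbound|443||replaced.example.com",
     "transportSocket": {"name": "envoy.transport_sockets.tls",
                         "typedConfig": {"@type": UPSTREAM_TLS_TYPE,
                                         "allowRenegotiation": True}}},
    {"name": "outbound|443||merged.example.com",
     "transportSocket": {"name": "envoy.transport_sockets.tls",
                         "typedConfig": {"@type": UPSTREAM_TLS_TYPE,
                                         "commonTlsContext": {"tlsCertificates": [
                                             {"certificateChain": {"filename": "/etc/certs/tls.crt"},
                                              "privateKey": {"filename": "/etc/certs/tls.key"}}]},
                                         "sni": "merged.example.com",
                                         "allowRenegotiation": True}}},
])


def upstream_tls_findings(cluster_dump_json):
    """Return [(cluster name, [missing fields])] for each cluster whose
    UpstreamTlsContext lacks a client cert/key pair or an SNI value."""
    findings = []
    for cluster in json.loads(cluster_dump_json):
        typed = cluster.get("transportSocket", {}).get("typedConfig", {})
        if typed.get("@type") != UPSTREAM_TLS_TYPE:
            continue  # plain TCP or a non-TLS transport socket: nothing to check
        missing = []
        certs = typed.get("commonTlsContext", {}).get("tlsCertificates", [])
        if not any("certificateChain" in c and "privateKey" in c for c in certs):
            missing.append("commonTlsContext.tlsCertificates")
        if not typed.get("sni"):
            missing.append("sni")
        if missing:
            findings.append((cluster["name"], missing))
    return findings


if __name__ == "__main__":
    for name, missing in upstream_tls_findings(SAMPLE_CLUSTER_DUMP):
        print(f"{name}: UpstreamTlsContext is missing {', '.join(missing)}")
```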