Our API allows configuring only 1 remote peer, but we want to connect more meshes. However, we must know the identity of the configured peers to determine where an instance of an exported service comes from, so we must also extend the `Remote` struct with the identity that will include: trust domain, namespace, service account and service name. The first 3 properties are required to match the SPIFFE ID, and the last one is required to properly set SNI in the destination rule for TLS origination.
The API should look as follows:
Alternatively, the identity could include `spiffe` and `sni`. Then it would be:
Note that the identities must be unique, so when we connect meshes using the same trust domain, the federation controllers must have a unique service account or namespace.
The server can determine the identity from the XFCC header set by the ingress gateway.
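A sketch of the server-side lookup described above, added here as an illustration and not taken from the project's code. The `Identity` type and `PeerFromXFCC` function are hypothetical names; the code assumes Istio's `spiffe://<trust domain>/ns/<namespace>/sa/<service account>` layout and that the ingress gateway sets or appends the XFCC header, so only the last element is trusted.

```go
package main

import (
	"fmt"
	"strings"
)

// Identity holds the three SPIFFE ID parts named in the issue (hypothetical type).
type Identity struct{ TrustDomain, Namespace, ServiceAccount string }

// splitQuoted splits s on sep, skipping separators inside double-quoted values.
func splitQuoted(s string, sep byte) (parts []string) {
	inQuote, start := false, 0
	for i := 0; i < len(s); i++ {
		if s[i] == '"' && (i == 0 || s[i-1] != '\\') {
			inQuote = !inQuote
		} else if s[i] == sep && !inQuote {
			parts, start = append(parts, s[start:i]), i+1
		}
	}
	return append(parts, s[start:])
}

// PeerFromXFCC maps the URI field of the last XFCC element (the one written by
// the nearest proxy) to a configured peer name. Unknown identities are rejected.
func PeerFromXFCC(xfcc string, peers map[Identity]string) (string, error) {
	elems := splitQuoted(xfcc, ',')
	for _, field := range splitQuoted(elems[len(elems)-1], ';') {
		kv := strings.SplitN(strings.TrimSpace(field), "=", 2)
		if len(kv) != 2 || !strings.EqualFold(kv[0], "URI") {
			continue
		}
		id := strings.Trim(kv[1], `"`)
		seg := strings.Split(strings.TrimPrefix(id, "spiffe://"), "/")
		if !strings.HasPrefix(id, "spiffe://") || len(seg) != 5 || seg[0] == "" ||
			seg[1] != "ns" || seg[2] == "" || seg[3] != "sa" || seg[4] == "" {
			return "", fmt.Errorf("not a spiffe://<td>/ns/<ns>/sa/<sa> ID: %q", id)
		}
		if name, ok := peers[Identity{seg[0], seg[2], seg[4]}]; ok {
			return name, nil
		}
		return "", fmt.Errorf("no configured peer has identity %q", id)
	}
	return "", fmt.Errorf("XFCC header carries no URI field")
}

func main() { // constructed sample values, not from the project
	peers := map[Identity]string{{"cluster.local", "mesh-west", "federation-controller"}: "west"}
	fmt.Println(PeerFromXFCC(`Subject="CN=a,O=b";URI=spiffe://cluster.local/ns/mesh-west/sa/federation-controller`, peers))
}
```

Keying the map by the full identity means two peers in the same trust domain resolve to different entries only when their namespace or service account differs, which is the uniqueness requirement stated in the issue.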