How to resolve envoy initializing error?

Problem

When we start envoy+spire agent in kubernetes, we would get this error:

[2020-07-24 07:12:37.542][1][critical][main] [source/server/server.cc:95] error initializing configuration '/etc/envoy/envoy.yaml': TlsCertificateSdsApi: node 'id' and 'cluster' are required. Set it either in 'node' config or via --service-node and --service-cluster options.

[2020-07-24 07:12:37.542][1][info][main] [source/server/server.cc:606] exiting
TlsCertificateSdsApi: node 'id' and 'cluster' are required. Set it either in 'node' config or via --service-node and --service-cluster options.

Solution

Add this option to envoy container

node:
      id: "id_01"
      cluster: "cluster_01"

The whole envoy yaml is as follows:

apiVersion: v1
kind: ConfigMap
metadata:
  name: ec-web-envoy-config
  namespace: envoy
data:
  envoy.yaml: |
    admin:
      access_log_path: /var/log/envoy_admin_access.log
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 9901
    node:
      id: "id_01"
      cluster: "cluster_01"
    static_resources:
      listeners:
      - name: ingress-listener
        address:
          socket_address:
            address: 0.0.0.0
            port_value: 8000
        filter_chains:
        - filters:
          - name: envoy.http_connection_manager
            config:
              idle_timeout: 1s
              forward_client_cert_details: sanitize_set
              set_current_client_cert_details:
                  uri: true
              codec_type: auto
              access_log:
              - name: envoy.file_access_log
                config:
                  path: "/var/log/envoy_access.log"
              stat_prefix: ingress_http
              route_config:
                name: local_route
                virtual_hosts:
                - name: local_service
                  domains: ["*"]
                  routes:
                  - match:
                      prefix: "/"
                    route:
                      cluster: ec-web
              http_filters:
              - name: envoy.router
      - name: mtls-listener-requesting-ec-backend
        address:
          socket_address:
            address: 127.0.0.1
            port_value: 9000
        filter_chains:
        - filters:
          - name: envoy.http_connection_manager
            config:
              idle_timeout: 1s
              forward_client_cert_details: sanitize_set
              set_current_client_cert_details:
                  uri: true
              codec_type: auto
              access_log:
              - name: envoy.file_access_log
                config:
                  path: "/var/log/envoy_access.log"
              stat_prefix: ingress_http
              route_config:
                name: local_route
                virtual_hosts:
                - name: local_service
                  domains: ["*"]
                  routes:
                  - match:
                      prefix: "/"
                    route:
                      cluster: requesting-ec-backend
              http_filters:
              - name: envoy.router
      clusters:
      - name: spire_agent
        connect_timeout: 0.25s
        http2_protocol_options: {}
        hosts:
          - pipe:
              path: /run/spire/sockets/agent.sock
      - name: ec-web
        connect_timeout: 0.25s
        type: strict_dns
        lb_policy: ROUND_ROBIN
        hosts:
          - socket_address:
              address: 127.0.0.1
              port_value: 10000
      - name: requesting-ec-backend
        connect_timeout: 0.25s
        type: strict_dns
        lb_policy: ROUND_ROBIN
        hosts:
          - socket_address:
              address: ec-backend
              port_value: 8000
        tls_context:
          common_tls_context:
            tls_certificate_sds_secret_configs:
              - name: "spiffe://example.com/ns/spire/ec-web"
                sds_config:
                  api_config_source:
                    api_type: GRPC
                    grpc_services:
                      envoy_grpc:
                        cluster_name: spire_agent
            combined_validation_context:
              default_validation_context:
                verify_subject_alt_name:
                  - "spiffe://example.com/ns/spire/ec-backend"
              validation_context_sds_secret_config:
                name: "spiffe://example.com/ns/spire/sa/spire-agent"
                sds_config:
                  api_config_source:
                    api_type: GRPC
                    grpc_services:
                      envoy_grpc:
                        cluster_name: spire_agent

The documents

The –service-node and –service-cluster documents are as follows:

–service-node (optional) Defines the local service node name where Envoy is running. The local service node name is first sourced from the Bootstrap node message’s id field. This CLI option provides an alternative method for specifying this value and will override any value set in bootstrap configuration. It should be set if any of the following features are used: statsd, CDS, and HTTP tracing, either via this CLI option or in the bootstrap configuration.

–service-cluster * (optional)* Defines the local service cluster name where Envoy is running. The local service cluster name is first sourced from the Bootstrap node message’s cluster field. This CLI option provides an alternative method for specifying this value and will override any value set in bootstrap configuration. It should be set if any of the following features are used: statsd, health check cluster verification, runtime override directory, user agent addition, HTTP global rate limiting, CDS, and HTTP tracing, either via this CLI option or in the bootstrap configuration.