How to resolve envoy initializing error?
Problem
When Envoy is started next to the SPIRE agent in Kubernetes (Envoy fetches its SVID and the trust bundle from the agent over SDS), the Envoy container exits immediately with:

[2020-07-24 07:12:37.542][1][critical][main] [source/server/server.cc:95] error initializing configuration '/etc/envoy/envoy.yaml': TlsCertificateSdsApi: node 'id' and 'cluster' are required. Set it either in 'node' config or via --service-node and --service-cluster options.
[2020-07-24 07:12:37.542][1][info][main] [source/server/server.cc:606] exiting

The relevant part of the message is:

TlsCertificateSdsApi: node 'id' and 'cluster' are required. Set it either in 'node' config or via --service-node and --service-cluster options.
Solution
Envoy's SDS client is an xDS client: every discovery request it sends to the SPIRE agent carries the bootstrap's node message, so a bootstrap that references any SDS secret must give the node an id and a cluster. Add a node block to the Envoy bootstrap (the envoy.yaml in the ConfigMap mounted into the Envoy container):

node:
  id: "id_01"
  cluster: "cluster_01"

The same values can instead be passed on the command line as --service-node id_01 --service-cluster cluster_01, which overrides whatever the bootstrap says. The values are free-form strings, but they identify this proxy to the SDS server and appear in its logs and stats, so use something meaningful (service and pod name, for example) rather than the placeholders used here.

Two things to be aware of before copying the configuration below. First, it uses the Envoy v2 API field names (config, hosts, tls_context, verify_subject_alt_name), which were already deprecated in mid-2020 and have since been removed; current Envoy releases need the v3 equivalents (typed_config, load_assignment, transport_socket, match_subject_alt_names). Second, only the egress cluster requesting-ec-backend is protected by mTLS: ingress-listener on 0.0.0.0:8000 has no tls_context and accepts plaintext, and the admin interface is bound to 0.0.0.0:9901 without authentication, so bind it to 127.0.0.1 unless it really has to be reachable from outside the pod. Note also that the SPIRE agent serves the trust bundle under the trust domain's SPIFFE ID (spiffe://example.com here); if the validation context secret is not delivered, the resource name requested in validation_context_sds_secret_config is the first thing to check.

The full ConfigMap, with the node block added, is as follows:
apiVersion: v1
kind: ConfigMap
metadata:
  name: ec-web-envoy-config
  namespace: envoy
data:
  envoy.yaml: |
    admin:
      access_log_path: /var/log/envoy_admin_access.log
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 9901
    node:
      id: "id_01"
      cluster: "cluster_01"
    static_resources:
      listeners:
      - name: ingress-listener
        address:
          socket_address:
            address: 0.0.0.0
            port_value: 8000
        filter_chains:
        - filters:
          - name: envoy.http_connection_manager
            config:
              idle_timeout: 1s
              forward_client_cert_details: sanitize_set
              set_current_client_cert_details:
                uri: true
              codec_type: auto
              access_log:
              - name: envoy.file_access_log
                config:
                  path: "/var/log/envoy_access.log"
              stat_prefix: ingress_http
              route_config:
                name: local_route
                virtual_hosts:
                - name: local_service
                  domains: ["*"]
                  routes:
                  - match:
                      prefix: "/"
                    route:
                      cluster: ec-web
              http_filters:
              - name: envoy.router
      - name: mtls-listener-requesting-ec-backend
        address:
          socket_address:
            address: 127.0.0.1
            port_value: 9000
        filter_chains:
        - filters:
          - name: envoy.http_connection_manager
            config:
              idle_timeout: 1s
              forward_client_cert_details: sanitize_set
              set_current_client_cert_details:
                uri: true
              codec_type: auto
              access_log:
              - name: envoy.file_access_log
                config:
                  path: "/var/log/envoy_access.log"
              stat_prefix: ingress_http
              route_config:
                name: local_route
                virtual_hosts:
                - name: local_service
                  domains: ["*"]
                  routes:
                  - match:
                      prefix: "/"
                    route:
                      cluster: requesting-ec-backend
              http_filters:
              - name: envoy.router
      clusters:
      - name: spire_agent
        connect_timeout: 0.25s
        http2_protocol_options: {}
        hosts:
        - pipe:
            path: /run/spire/sockets/agent.sock
      - name: ec-web
        connect_timeout: 0.25s
        type: strict_dns
        lb_policy: ROUND_ROBIN
        hosts:
        - socket_address:
            address: 127.0.0.1
            port_value: 10000
      - name: requesting-ec-backend
        connect_timeout: 0.25s
        type: strict_dns
        lb_policy: ROUND_ROBIN
        hosts:
        - socket_address:
            address: ec-backend
            port_value: 8000
        tls_context:
          common_tls_context:
            tls_certificate_sds_secret_configs:
            - name: "spiffe://example.com/ns/spire/ec-web"
              sds_config:
                api_config_source:
                  api_type: GRPC
                  grpc_services:
                    envoy_grpc:
                      cluster_name: spire_agent
            combined_validation_context:
              default_validation_context:
                verify_subject_alt_name:
                - "spiffe://example.com/ns/spire/ec-backend"
              validation_context_sds_secret_config:
                name: "spiffe://example.com/ns/spire/sa/spire-agent"
                sds_config:
                  api_config_source:
                    api_type: GRPC
                    grpc_services:
                      envoy_grpc:
                        cluster_name: spire_agent
The documentation
The Envoy command-line reference describes --service-node and --service-cluster as follows:

--service-node (optional) Defines the local service node name where Envoy is running. The local service node name is first sourced from the Bootstrap node message's id field. This CLI option provides an alternative method for specifying this value and will override any value set in bootstrap configuration. It should be set if any of the following features are used: statsd, CDS, and HTTP tracing, either via this CLI option or in the bootstrap configuration.

--service-cluster (optional) Defines the local service cluster name where Envoy is running. The local service cluster name is first sourced from the Bootstrap node message's cluster field. This CLI option provides an alternative method for specifying this value and will override any value set in bootstrap configuration. It should be set if any of the following features are used: statsd, health check cluster verification, runtime override directory, user agent addition, HTTP global rate limiting, CDS, and HTTP tracing, either via this CLI option or in the bootstrap configuration.
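Both ways of supplying the node identity (the node block or the two CLI flags) can be checked before the manifest is applied, rather than discovered from a crash-looping container. The following Python script is an added example, not code from the original post or from the Envoy or SPIRE projects: it walks a bootstrap for SDS usage and reports a missing node.id or node.cluster the way Envoy does, honouring --service-node and --service-cluster overrides from the container's argument list, and it also flags the two exposures visible in the ConfigMap above (an admin interface on all interfaces, a non-loopback listener with no TLS context). The bootstrap it inspects is a constructed JSON cut-down of the post's configuration; the function names and the wording of the findings are assumptions of this example, not an Envoy facility, and the authoritative check remains running envoy --mode validate -c envoy.yaml against the real file.

```python
import json

# Keys whose presence means Envoy will open an SDS stream and must identify itself.
SDS_KEYS = ("tls_certificate_sds_secret_configs", "validation_context_sds_secret_config")
LOOPBACK = ("127.0.0.1", "::1")


def uses_sds(obj) -> bool:
    """True if an SDS secret config appears anywhere in the nested bootstrap."""
    if isinstance(obj, dict):
        return any(k in obj for k in SDS_KEYS) or any(uses_sds(v) for v in obj.values())
    if isinstance(obj, list):
        return any(uses_sds(v) for v in obj)
    return False


def check_bootstrap(cfg: dict, cli_args=()) -> list:
    """Return a list of findings for an Envoy bootstrap dict (empty list = passes).

    cli_args is the container's argument list, so that --service-node and
    --service-cluster override the node block the way Envoy documents."""
    findings = []
    args = list(cli_args)
    node = cfg.get("node") or {}

    def resolved(field, flag):
        # CLI flag wins over the bootstrap value.
        if flag in args and args.index(flag) + 1 < len(args):
            return args[args.index(flag) + 1]
        return node.get(field, "")

    # The failure from the post: SDS configured without a node identity.
    if uses_sds(cfg):
        for field, flag in (("id", "--service-node"), ("cluster", "--service-cluster")):
            if not resolved(field, flag):
                findings.append(
                    f"SDS is configured but node.{field} is empty: set it in 'node' or pass {flag}")

    # Two further things a reviewer checks in this kind of sidecar bootstrap.
    admin = cfg.get("admin", {}).get("address", {}).get("socket_address", {})
    if admin.get("address") in ("0.0.0.0", "::"):
        findings.append("admin interface listens on all interfaces: bind it to 127.0.0.1")
    for lst in cfg.get("static_resources", {}).get("listeners", []):
        addr = lst.get("address", {}).get("socket_address", {}).get("address")
        chains = lst.get("filter_chains", [])
        # v2 listeners carry tls_context per filter chain, v3 a transport_socket.
        if addr not in LOOPBACK and not any(
                "tls_context" in c or "transport_socket" in c for c in chains):
            findings.append(f"listener {lst.get('name')} on {addr} has no TLS context: it accepts plaintext")
    return findings


# Constructed sample, cut down from the post's ConfigMap: admin on 0.0.0.0, a plaintext
# ingress listener, and an egress cluster whose client certificate comes from the SPIRE
# agent over SDS. Envoy accepts JSON and YAML bootstraps interchangeably.
BROKEN = json.loads("""{
  "admin": {"address": {"socket_address": {"address": "0.0.0.0", "port_value": 9901}}},
  "static_resources": {
    "listeners": [{
      "name": "ingress-listener",
      "address": {"socket_address": {"address": "0.0.0.0", "port_value": 8000}},
      "filter_chains": [{"filters": [{"name": "envoy.http_connection_manager"}]}]
    }],
    "clusters": [{
      "name": "requesting-ec-backend",
      "tls_context": {"common_tls_context": {
        "tls_certificate_sds_secret_configs": [{
          "name": "spiffe://example.com/ns/spire/ec-web",
          "sds_config": {"api_config_source": {"api_type": "GRPC",
            "grpc_services": {"envoy_grpc": {"cluster_name": "spire_agent"}}}}
        }]
      }}
    }]
  }
}""")

# The same bootstrap with the post's fix applied.
FIXED = dict(BROKEN, node={"id": "id_01", "cluster": "cluster_01"})

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_bootstrap(cfg) or "OK")
```

Run it with python3 to see the broken bootstrap produce the node findings and the fixed one only the two exposure findings; in a CI step, fail the build when any finding mentions node, and treat the admin and plaintext findings as review items, since some deployments deliberately terminate TLS elsewhere.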