mirror of
https://github.com/holos-run/holos.git
synced 2026-03-20 09:15:02 +00:00
Problem:
When the ingress default Gateway AuthorizationPolicy/authpolicy-custom rule is in place the choria machine room holos controller fails to connect to the provisioner broker with the following error:

```
❯ holos controller run --config=agent.cfg
WARN[0000] Starting controller version 0.68.1 with config file /home/jeff/workspace/holos-run/holos/hack/choria/agent/agent.cfg leader=false
WARN[0000] Switching to provisioning configuration due to build defaults and missing /home/jeff/workspace/holos-run/holos/hack/choria/agent/agent.cfg
WARN[0000] Setting anonymous TLS mode during provisioning component=server connection=coffee.home identity=coffee.home
WARN[0000] Initial connection to the Broker failed on try 1: invalid websocket connection component=server connection=coffee.home identity=coffee.home
WARN[0000] Initial connection to the Broker failed on try 2: invalid websocket connection component=server connection=coffee.home identity=coffee.home
WARN[0002] Initial connection to the Broker failed on try 3: invalid websocket connection component=server connection=coffee.home identity=coffee.home
```

This problem is caused because the provisioning token url is set to `wss://jeff.provision.dev.k2.holos.run:443` which has the port number specified.

Solution:
Follow the upstream istio guidance of [Writing Host Match Policies][1] to match host headers with or without the port specified.

Result:
The controller is able to connect to the provisioner broker:

[1]: https://istio.io/latest/docs/ops/best-practices/security/#writing-host-match-policies
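The host-match behaviour this commit works around, as an added example that is not part of the commit or the holos code base: a small Python model of how an AuthorizationPolicy `hosts`/`notHosts` entry is compared with the request's Host header, plus an audit helper for entries missing the port variant. The function names are hypothetical; the hostname is the one from the commit message.

```python
# Added example: models Istio AuthorizationPolicy string matching
# (exact, prefix "abc*", suffix "*abc", presence "*") for host entries.

HOST = "jeff.provision.dev.k2.holos.run"  # hostname taken from the commit message


def istio_match(pattern: str, value: str) -> bool:
    """Return True if a policy host pattern matches a Host header value."""
    pattern, value = pattern.lower(), value.lower()  # modelled as case-insensitive
    if pattern == "*":
        return value != ""
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value  # exact match: "host" does NOT match "host:443"


def any_match(patterns, host_header: str) -> bool:
    """True if any entry of a hosts/notHosts list matches the header."""
    return any(istio_match(p, host_header) for p in patterns)


def with_port_variants(hosts):
    """Expand each bare host into [host, "host:*"], per the Istio guidance."""
    out = []
    for h in hosts:
        candidates = (h,) if "*" in h or ":" in h else (h, h + ":*")
        for c in candidates:
            if c not in out:
                out.append(c)
    return out


def missing_port_variants(hosts):
    """Audit: bare hosts in a policy list that have no "host:*" companion."""
    return [h for h in hosts
            if "*" not in h and ":" not in h and h + ":*" not in hosts]


if __name__ == "__main__":
    for header in (HOST, HOST + ":443"):
        print(header,
              "before:", any_match([HOST], header),
              "after:", any_match(with_port_variants([HOST]), header))
    print("entries to fix:", missing_port_variants([HOST]))
```
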