Google HTTP(S) load balancer limitation regarding XFCC headers for mTLS

Article ID: 298050

Updated On:

Products

VMware Tanzu Application Service for VMs

Issue/Introduction

While troubleshooting an issue with mutual TLS (mTLS), Support determined that the HTTP(S) infrastructure load balancer (LB) used in GCP is unable to pass X-Forwarded-Client-Cert (XFCC) headers. As a result, the mTLS handshake cannot succeed, because the client certificate is not passed to Gorouter to complete the TLS handshake.

Environment

Product Version: 2.8

Resolution

Google Cloud Platform recommends using a TCP load balancer (internal or external) in front of the Tanzu Application Service (TAS) foundation which can be configured to pass XFCC headers. Additional information on GCP's load balancer offerings can be found here: Load balancer features.
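
One way to check from an application behind Gorouter whether a client certificate is arriving in the XFCC header (an added example, not code from this article or from Gorouter). It assumes the header value is the base64-encoded DER of the certificate; ParseXFCC, ErrNoXFCC and sampleXFCC are hypothetical names, and the sample certificate is constructed on the spot.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrNoXFCC means the header never reached the app (this article's symptom).
var ErrNoXFCC = errors.New("X-Forwarded-Client-Cert header absent")

// ParseXFCC decodes r.Header.Get("X-Forwarded-Client-Cert"). Assumption: the
// value is the base64 DER of the client certificate (PEM body, no armor lines).
func ParseXFCC(value string) (*x509.Certificate, error) {
	if value == "" {
		return nil, ErrNoXFCC
	}
	der, err := base64.StdEncoding.DecodeString(value)
	if err != nil {
		return nil, fmt.Errorf("XFCC value is not base64: %w", err)
	}
	return x509.ParseCertificate(der)
}

// sampleXFCC returns a throwaway self-signed cert (constructed sample data).
func sampleXFCC(cn string) (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return base64.StdEncoding.EncodeToString(der), err
}

func main() {
	good, _ := sampleXFCC("client.example.test")
	for _, v := range []string{"", "not base64!", good} {
		cert, err := ParseXFCC(v)
		fmt.Println("cert parsed:", cert != nil, "error:", err)
	}
}
```

An ErrNoXFCC result on requests that did present a client certificate points at a hop in front of the app dropping the header, rather than at the certificate itself.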