My solution has two statefulsets of the same software (Openfire) so that I can provide a separate OIDC client to the admin console and a web chat endpoint. Everything with the auth flow works perfectly. However, the software provides a hazelcast clustering capability which will keep the two in sync. That communicates tcp inside the same namespace. I made a headless service to allow that to happen. No matter how open I made my rules, I could not get them to cluster until I put it in sidecar mode and also modified some UDS operator generated DENY rules on the authservice and jwt to ignore traffic on the clustering port (since these rules are evaluated first).
I would like to come up with a solution that would not require me to alter generated rules, and possibly a way to make it work in ambient mode as well (but that is a nice to have). Is there a better way to allow it to ignore a known tcp port and not sending it down the auth workflow so that the two pods in services involved in auth can talk to each other without it going through the auth workflow? Or maybe there is configuration that will currently allow it to work properly that I might not know about ?
Thanks,
Christopher Bellow
My solution has two statefulsets of the same software (Openfire) so that I can provide a separate OIDC client to the admin console and a web chat endpoint. Everything with the auth flow works perfectly. However, the software provides a hazelcast clustering capability which will keep the two in sync. That communicates tcp inside the same namespace. I made a headless service to allow that to happen. No matter how open I made my rules, I could not get them to cluster until I put it in sidecar mode and also modified some UDS operator generated DENY rules on the authservice and jwt to ignore traffic on the clustering port (since these rules are evaluated first).
I would like to come up with a solution that would not require me to alter generated rules, and possibly a way to make it work in ambient mode as well (but that is a nice to have). Is there a better way to allow it to ignore a known tcp port and not sending it down the auth workflow so that the two pods in services involved in auth can talk to each other without it going through the auth workflow? Or maybe there is configuration that will currently allow it to work properly that I might not know about ?
Thanks,
Christopher Bellow