Consistent Hashing not supported for TLS/TCP proxies?


Due to a restriction in Envoy’s http 1.1 parser, I’m forced to SNI route to one of my backend services using TCP. Unfortunately, this service is stateful: I need to ensure multiple flows from the same source arrive at the same pod. I decided to use consistent hashing based on the source IP to achieve this.

It does not work.

I can see that the destination rule is associated with the cluster, so I didn’t mess that up. Looking further, I noticed that the envoy HashPolicy is normally set in the http route for http backends. There is no such construct in envoy’s tcp proxy: the hashPolicy is set directly in the tcpProxy’s configuration.

I dumped the istioctl proxy-config for the tcpPolicy, and didn’t see any hashPolicy set.

Looking through the istio source for hashPolicy, I can only find it being set for httpRoutes. Is this an oversight? Or am I doing something wrong? Is there anything I can do to enable consistent hashing?

This is my traffic policy, fwiw:

    connectionPool:
      tcp:
        connectTimeout: 1500ms
    loadBalancer:
      consistentHash:
        useSourceIp: true
    outlierDetection:
      baseEjectionTime: 2s
      consecutiveGatewayErrors: 3
      interval: 5s
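
The check described in the post (does the generated tcp_proxy filter carry a hashPolicy?) can be automated. The following is an added example, not part of the original post and not Istio's own code: it walks a listener dump and lists every TCP proxy filter chain with its SNI names, target cluster and hash policy. The JSON layout is assumed to be what `istioctl proxy-config listeners <pod> -o json` prints, and the host and cluster names in the sample are constructed.

```python
import json

TCP_PROXY = "envoy.filters.network.tcp_proxy"

# Constructed sample in the assumed layout of
# `istioctl proxy-config listeners <pod> -o json`; all names are placeholders.
SAMPLE = json.loads("""
[
  {"name": "0.0.0.0_443",
   "filterChains": [
     {"filterChainMatch": {"serverNames": ["stateful.example.com"]},
      "filters": [{"name": "envoy.filters.network.tcp_proxy",
                   "typedConfig": {"cluster": "outbound|443||stateful.example.svc.cluster.local"}}]},
     {"filterChainMatch": {"serverNames": ["hashed.example.com"]},
      "filters": [{"name": "envoy.filters.network.tcp_proxy",
                   "typedConfig": {"cluster": "outbound|443||hashed.example.svc.cluster.local",
                                   "hashPolicy": [{"sourceIp": {}}]}}]}
   ]}
]
""")


def tcp_proxy_hash_report(listeners):
    """Return (listener, sni_names, cluster, hash_policy) for each tcp_proxy filter."""
    rows = []
    for listener in listeners:
        for chain in listener.get("filterChains", []):
            sni = chain.get("filterChainMatch", {}).get("serverNames", [])
            for flt in chain.get("filters", []):
                if flt.get("name") != TCP_PROXY:
                    continue  # HTTP connection managers etc. are out of scope here
                cfg = flt.get("typedConfig", {})
                # Traffic-split routes use weightedClusters instead of cluster.
                cluster = cfg.get("cluster") or "<weighted clusters>"
                rows.append((listener.get("name"), tuple(sni), cluster,
                             cfg.get("hashPolicy", [])))
    return rows


def missing_hash_policy(listeners):
    """Clusters reached through a tcp_proxy filter that has no hashPolicy set."""
    return [row[2] for row in tcp_proxy_hash_report(listeners) if not row[3]]


if __name__ == "__main__":
    for name, sni, cluster, policy in tcp_proxy_hash_report(SAMPLE):
        state = "source-IP hash" if any("sourceIp" in p for p in policy) else "NO hashPolicy"
        print(f"{name} sni={list(sni)} -> {cluster}: {state}")
```

To run it against a real sidecar or gateway, replace `SAMPLE` with the parsed contents of a saved dump.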