Destination rule to set mTLS ignores port specification

Hi All,

I have two services in the test namespace, one on port 26500 and one on port 80:

NAME         TYPE           CLUSTER-IP     EXTERNAL-IP     PORT(S)        AGE
nc-pod-svc   ClusterIP      10.15.241.111  <none>          26500/TCP      82d
backend      LoadBalancer   10.15.244.7    34.73.179.226   80:30295/TCP   89d

When I apply the following DestinationRule, I would expect only traffic to *.test.svc.cluster.local on port 80 to be encrypted:

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: test-test-istio-mtls
  namespace: test
spec:
  host: "*.test.svc.cluster.local"
  trafficPolicy:
    port: 
      number: 80
    tls:
      mode: ISTIO_MUTUAL

But it was applied to the nc-pod-svc service on port 26500:

{
 "version_info": "2019-11-26T12:35:06Z/39",
 "cluster": {
  "name": "outbound|26500||nc-pod-svc.test.svc.cluster.local",
  "type": "EDS",
  "eds_cluster_config": {
   "eds_config": {
    "ads": {},
    "initial_fetch_timeout": "0s"
   },
   "service_name": "outbound|26500||nc-pod-svc.test.svc.cluster.local"
  },
  "connect_timeout": "10s",
  "circuit_breakers": {
   "thresholds": [
    {
     "max_retries": 1024
    }
   ]
  },
  "tls_context": {
   "common_tls_context": {
    "tls_certificates": [
     {
      "certificate_chain": {
       "filename": "/etc/certs/cert-chain.pem"
      },
      "private_key": {
       "filename": "/etc/certs/key.pem"
      }
     }
    ],
    "validation_context": {
     "trusted_ca": {
      "filename": "/etc/certs/root-cert.pem"
     },
     "verify_subject_alt_name": [
      "spiffe://cluster.local/ns/test/sa/default"
     ]
    },
    "alpn_protocols": [
     "istio"
    ]
   },
   "sni": "outbound_.26500_._.nc-pod-svc.test.svc.cluster.local"
  },
  "metadata": {
   "filter_metadata": {
    "istio": {
     "config": "/apis/networking/v1alpha3/namespaces/test/destination-rule/test-test-istio-mtls"
    }
   }
  }
 },
 "last_updated": "2019-11-26T12:35:06.730Z"
},

Is this the expected behavior?
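The dump above is the place to check what a DestinationRule actually did: the `tls_context` with ALPN `istio` is the client side of Istio mTLS, and `filter_metadata.istio.config` names the rule that produced it. Below is an added example (not part of the original post, and not Istio's own tooling) that reads the JSON shape `istioctl proxy-config cluster <pod> -o json` prints, which is the shape quoted above, and reports per outbound cluster which TLS mode Envoy will originate and which rule it came from. `SAMPLE_DUMP` is constructed for this example and mirrors the thread: the rule meant for port 80 also landed on port 26500.

```python
"""Report which outbound Envoy clusters were given Istio mTLS, and by which rule.

Added example, not part of the original thread. SAMPLE_DUMP is constructed.
"""
import json
import re
from typing import Dict, List, Optional

# Envoy cluster names Istio generates: outbound|<port>|<subset>|<host>
OUTBOUND_RE = re.compile(r"^outbound\|(?P<port>\d+)\|(?P<subset>[^|]*)\|(?P<host>.+)$")

_RULE = "/apis/networking/v1alpha3/namespaces/test/destination-rule/test-test-istio-mtls"


def _istio_tls_context(port: int, host: str) -> Dict:
    """Trimmed copy of the client TLS context Istio pushes for ISTIO_MUTUAL."""
    return {
        "common_tls_context": {
            "tls_certificates": [{"certificate_chain": {"filename": "/etc/certs/cert-chain.pem"},
                                  "private_key": {"filename": "/etc/certs/key.pem"}}],
            "validation_context": {"trusted_ca": {"filename": "/etc/certs/root-cert.pem"}},
            "alpn_protocols": ["istio"],
        },
        "sni": f"outbound_.{port}_._.{host}",
    }


# Constructed sample: the same tls_context pushed to both ports, one plaintext
# cluster with no rule attached, and one inbound cluster that must be skipped.
SAMPLE_DUMP = json.dumps([
    {"cluster": {"name": "outbound|26500||nc-pod-svc.test.svc.cluster.local",
                 "tls_context": _istio_tls_context(26500, "nc-pod-svc.test.svc.cluster.local"),
                 "metadata": {"filter_metadata": {"istio": {"config": _RULE}}}}},
    {"cluster": {"name": "outbound|80||backend.test.svc.cluster.local",
                 "tls_context": _istio_tls_context(80, "backend.test.svc.cluster.local"),
                 "metadata": {"filter_metadata": {"istio": {"config": _RULE}}}}},
    {"cluster": {"name": "outbound|9090||other.test.svc.cluster.local"}},
    {"cluster": {"name": "inbound|80|http|backend.test.svc.cluster.local"}},
])


def _tls_context(cluster: Dict) -> Optional[Dict]:
    """Upstream TLS context, whether in the old tls_context field or the newer
    transport_socket/typed_config form Envoy moved to later."""
    if "tls_context" in cluster:
        return cluster["tls_context"]
    typed = cluster.get("transport_socket", {}).get("typed_config", {})
    return typed if "common_tls_context" in typed else None


def tls_mode(cluster: Dict) -> str:
    """'istio-mtls' when Envoy presents the sidecar cert with ALPN "istio",
    'tls' for any other TLS origination, 'plaintext' when no TLS context exists."""
    ctx = _tls_context(cluster)
    if ctx is None:
        return "plaintext"
    alpn = ctx.get("common_tls_context", {}).get("alpn_protocols", [])
    return "istio-mtls" if "istio" in alpn else "tls"


def outbound_tls_summary(dump_json: str) -> List[Dict]:
    """One row per outbound cluster: host, port, subset, mode and source rule."""
    data = json.loads(dump_json)
    entries = data.get("dynamic_active_clusters", []) if isinstance(data, dict) else data
    rows = []
    for entry in entries:
        cluster = entry.get("cluster", entry)
        m = OUTBOUND_RE.match(cluster.get("name", ""))
        if not m:
            continue  # inbound, BlackHole, PassthroughCluster, etc.
        rule = cluster.get("metadata", {}).get("filter_metadata", {}).get("istio", {}).get("config")
        rows.append({"host": m["host"], "port": int(m["port"]), "subset": m["subset"],
                     "mode": tls_mode(cluster), "rule": rule})
    return sorted(rows, key=lambda r: (r["host"], r["port"]))


def unexpected_mtls(dump_json: str, host_suffix: str, allowed_ports: set) -> List[str]:
    """Cluster names under host_suffix that got Istio mTLS on a port not in allowed_ports."""
    return [f"outbound|{r['port']}|{r['subset']}|{r['host']}"
            for r in outbound_tls_summary(dump_json)
            if r["host"].endswith(host_suffix) and r["mode"] == "istio-mtls"
            and r["port"] not in allowed_ports]


if __name__ == "__main__":
    for row in outbound_tls_summary(SAMPLE_DUMP):
        print(f"{row['host']}:{row['port']:<6} {row['mode']:<10} {row['rule'] or '-'}")
    print("unexpected:", unexpected_mtls(SAMPLE_DUMP, ".test.svc.cluster.local", {80}))
```

Run against a real dump by piping `istioctl proxy-config cluster <client-pod> -o json` into `outbound_tls_summary`; `unexpected_mtls` with the ports you intended to cover then gives the same answer the question above reached by reading the dump by hand. The check looks at the client sidecar only; whether the server side accepts mTLS is a separate (PeerAuthentication / MeshPolicy) question.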

Maybe you have a DestinationRule defined at a higher level with "*.cluster.local"?

Found the problem; it was a misconfiguration. The DestinationRule should look like:

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: test-test-istio-mtls
  namespace: test
spec:
  host: "*.test.svc.cluster.local"
  trafficPolicy:
    portLevelSettings:
    - port: 
        number: 80
      tls:
        mode: ISTIO_MUTUAL

So it's just a YAML-level indentation issue.
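Why the first rule covered every port: a `tls` block directly under `trafficPolicy` applies to all ports of the matched hosts, and the only way to scope TLS settings to one port is an entry in `portLevelSettings`. `port` is not a field of TrafficPolicy at all (its fields are `loadBalancer`, `connectionPool`, `outlierDetection`, `tls` and `portLevelSettings`; newer releases add a few more), so in the first rule it carried no meaning while the rule-wide `tls` did. The following is an added example (not from the thread or from Istio) that resolves the effective TLS mode per port for both rules above and flags keys under `trafficPolicy` that the schema does not define. The two specs are the thread's YAML written as Python dicts so no YAML library is needed.

```python
"""Resolve which ports a DestinationRule actually puts under ISTIO_MUTUAL.

Added example, not from the original thread or from Istio. The specs mirror the
two YAML documents above.
"""
from typing import Dict, List, Optional

# TrafficPolicy fields in networking.istio.io/v1alpha3 (later releases add
# more, e.g. tunnel and proxyProtocol; extend the set for your version).
TRAFFIC_POLICY_FIELDS = {"loadBalancer", "connectionPool", "outlierDetection",
                         "tls", "portLevelSettings"}

# The misconfigured rule from the question: `port` sits next to `tls`, so
# `tls` is rule-wide and `port` is not a TrafficPolicy field.
BROKEN_SPEC = {
    "host": "*.test.svc.cluster.local",
    "trafficPolicy": {"port": {"number": 80}, "tls": {"mode": "ISTIO_MUTUAL"}},
}

# The corrected rule: port and tls travel together inside portLevelSettings.
FIXED_SPEC = {
    "host": "*.test.svc.cluster.local",
    "trafficPolicy": {"portLevelSettings": [
        {"port": {"number": 80}, "tls": {"mode": "ISTIO_MUTUAL"}}]},
}


def lint_traffic_policy(spec: Dict) -> List[str]:
    """Keys under trafficPolicy that are not TrafficPolicy fields."""
    policy = spec.get("trafficPolicy", {})
    return sorted(k for k in policy if k not in TRAFFIC_POLICY_FIELDS)


def effective_tls_mode(spec: Dict, port: int) -> Optional[str]:
    """TLS mode this rule sets for `port`: a matching portLevelSettings entry
    wins, then the rule-wide tls block, else None (the rule says nothing about
    this port, so mesh-wide behaviour such as auto mTLS applies)."""
    policy = spec.get("trafficPolicy", {})
    for pls in policy.get("portLevelSettings", []):
        if pls.get("port", {}).get("number") == port and "tls" in pls:
            return pls["tls"].get("mode")
    if "tls" in policy:
        return policy["tls"].get("mode")
    return None


def effective_tls_table(spec: Dict, ports: List[int]) -> Dict[int, Optional[str]]:
    """Effective TLS mode for each service port of the matched host(s)."""
    return {p: effective_tls_mode(spec, p) for p in ports}


if __name__ == "__main__":
    for label, spec in (("broken", BROKEN_SPEC), ("fixed", FIXED_SPEC)):
        print(label, effective_tls_table(spec, [80, 26500]),
              "unknown keys:", lint_traffic_policy(spec))
```

The two services in the question have ports 80 and 26500, so the broken rule resolves to ISTIO_MUTUAL on both and the fixed rule only on 80. Subset-level `trafficPolicy` blocks, which the thread does not use, are not modelled here; `istioctl validate -f <file>` is the tool-side schema check to run before applying a rule.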

@idan_frimark, have you ever considered auto mTLS? It removes the need to figure out DestinationRules for mTLS.

@incfly Thanks. I want the ability to decide which in-cluster traffic will be encrypted and which will not, so I'm not sure auto mTLS will be good for me currently.

You still have full control over which namespaces/services have mTLS enabled. It's only about removing the extra step of configuring a DestinationRule, which will be configured automatically.

@incfly thanks! I will give it a try.