Normally a DestinationRule sets a trafficPolicy for a certain hostname or a hostname wildcard. In my environment there is a desire to mix pods with and without sidecars in a single namespace. In this case a hostname wildcard does not work, and defining a DestinationRule for each host would be tedious.
I was experimenting to see if it is possible to write a DestinationRule that would choose a different trafficPolicy according to a label on the destination service. Syntactically, the following record was accepted, but it does not work.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: default
  namespace: demo
spec:
  host: "*.local"
  # trafficPolicy:
  #   tls:
  #     mode: ISTIO_MUTUAL
  subsets:
  # This does not work: subset inherits top level TLS mode
  # and if removing top level, they have no effect.
  # see also command "istioctl authn tls-check" for current TLS status
  - name: inside-mesh
    labels:
      istio: enabled
    trafficPolicy:
      tls:
        mode: ISTIO_MUTUAL
  - name: outside-mesh
    labels:
      istio: disabled
    trafficPolicy:
      tls:
        mode: DISABLE
```
I assume subsets are not intended to be used like this?
Is there any other approach to dynamically select the TLS mode according to the destination service (besides the hostname)?