Normally a DestinationRule sets a trafficPolicy for a certain hostname or a hostname wildcard. In my environment there is a desire to mix pods with and without sidecars in a single namespace. In this case a hostname wildcard does not work, and defining a DestinationRule for each host would be tedious.
I was experimenting to see if it is possible to write a DestinationRule that would choose a different trafficPolicy according to a label on the destination service. Syntactically, the following record was accepted, but it does not work.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: default
  namespace: demo
spec:
  host: "*.local"
  # trafficPolicy:
  #   tls:
  #     mode: ISTIO_MUTUAL
  subsets:
  # This does not work: subset inherits top level TLS mode
  # and if removing top level, they have no effect.
  # see also command "istioctl authn tls-check" for current TLS status
  - name: inside-mesh
    labels:
      istio: enabled
    trafficPolicy:
      tls:
        mode: ISTIO_MUTUAL
  - name: outside-mesh
    labels:
      istio: disabled
    trafficPolicy:
      tls:
        mode: DISABLE
```
I assume subsets are not intended to be used like this?
Is there any other approach to dynamically select TLS mode according to destination service (besides hostname)?
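One way around the per-host tedium mentioned above, as an added example that is not part of the original post: generate one DestinationRule per Service from the `istio` label on its workload, defaulting to ISTIO_MUTUAL when the label is missing so that nothing silently drops mTLS, and list the hosts where TLS ends up disabled for review. The service inventory and the `istio: enabled/disabled` label convention are constructed for illustration (in a real cluster the labels would come from the Kubernetes API).

```python
"""Emit one Istio DestinationRule per Service, picking the TLS mode from a workload label.
Added example; the inventory below is constructed, not taken from a real cluster."""
import json

# Constructed inventory: service name -> labels on its pods.
SERVICES = {
    "reviews": {"app": "reviews", "istio": "enabled"},
    "legacy-db": {"app": "legacy-db", "istio": "disabled"},
    "ratings": {"app": "ratings"},  # label absent: must fall back to the safe default
}

def tls_mode_for(labels, default="ISTIO_MUTUAL"):
    """Map the `istio` label to a DestinationRule TLS mode; unknown or missing -> mTLS."""
    return {"enabled": "ISTIO_MUTUAL", "disabled": "DISABLE"}.get(labels.get("istio"), default)

def destination_rule(name, namespace, labels):
    """Build a per-host DestinationRule with a top-level trafficPolicy (no subsets)."""
    return {
        "apiVersion": "networking.istio.io/v1alpha3",
        "kind": "DestinationRule",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "host": f"{name}.{namespace}.svc.cluster.local",
            "trafficPolicy": {"tls": {"mode": tls_mode_for(labels)}},
        },
    }

def render_all(services, namespace="demo"):
    """One rule per service, in a stable order so diffs against the repo stay readable."""
    return [destination_rule(n, namespace, l) for n, l in sorted(services.items())]

def disabled_hosts(rules):
    """Hosts that will receive plaintext; these deserve an explicit review before apply."""
    return [r["spec"]["host"] for r in rules
            if r["spec"]["trafficPolicy"]["tls"]["mode"] == "DISABLE"]

def to_manifest(rules):
    """JSON is valid YAML and accepted by `kubectl apply -f -`, so no extra dependency."""
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": rules}, indent=2)

if __name__ == "__main__":
    rules = render_all(SERVICES)
    print(to_manifest(rules))
    print("# plaintext hosts:", disabled_hosts(rules))
```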