DestinationRule with subsets for selecting TLS mode?


#1

Normally a DestinationRule sets a trafficPolicy for a certain hostname or a hostname wildcard. In my environment there is a desire to mix pods with and without sidecars in a single namespace. In this case a hostname wildcard does not work, and defining a DestinationRule per host would be tedious.

I was experimenting to see if it is possible to write a DestinationRule that would choose a different trafficPolicy according to a label on the destination service. Syntactically, the following record was accepted, but it does not work.

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: default
  namespace: demo
spec:
  host: "*.local"
#  trafficPolicy:
#    tls:
#      mode: ISTIO_MUTUAL
  subsets:
# This does not work: the subsets inherit the top-level TLS mode,
# and if the top level is removed, they have no effect.
# See also the command "istioctl authn tls-check" for the current TLS status.
  - name: inside-mesh
    labels:
      istio: enabled
    trafficPolicy:
      tls:
        mode: ISTIO_MUTUAL
  - name: outside-mesh
    labels:
      istio: disabled
    trafficPolicy:
      tls:
        mode: DISABLE

I assume subsets are not intended to be used like this?

Is there any other approach to dynamically select the TLS mode according to the destination service (besides by hostname)?
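The following is an added example, not part of the original post, showing the two DestinationRule shapes that do take effect in Istio's v1alpha3 API: a top-level trafficPolicy, which applies to every request to the named host, and a subset trafficPolicy, which Istio only applies once a VirtualService explicitly routes traffic to that subset. The namespace `demo` is taken from the post; the service hostnames `reviews`, `legacy` and `ratings` and the pod labels are assumptions for illustration.

```yaml
# Added example, not the original post's manifest.
# Assumed: namespace "demo" (from the post); services reviews, legacy,
# ratings and the labels below are invented for illustration.
---
# 1. Per-host rules. This is the "tedious" approach from the post, but it
#    is the one whose TLS mode is actually enforced: a top-level
#    trafficPolicy applies to all traffic sent to the named host.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews-mtls
  namespace: demo
spec:
  host: reviews.demo.svc.cluster.local   # pods run a sidecar
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL                 # client sidecar originates mTLS
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: legacy-plaintext
  namespace: demo
spec:
  host: legacy.demo.svc.cluster.local    # pods have no sidecar
  trafficPolicy:
    tls:
      mode: DISABLE                      # plaintext, or the mTLS handshake fails
---
# 2. Subset-level policy. A subset's trafficPolicy is inert until a
#    VirtualService routes to that subset, so a wildcard host with
#    label-keyed subsets (as in the post) does nothing by itself, and each
#    service still needs its own route rule.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ratings-subsets
  namespace: demo
spec:
  host: ratings.demo.svc.cluster.local
  subsets:
  - name: inside-mesh
    labels:
      istio: enabled                     # assumed pod label
    trafficPolicy:
      tls:
        mode: ISTIO_MUTUAL
  - name: outside-mesh
    labels:
      istio: disabled                    # assumed pod label
    trafficPolicy:
      tls:
        mode: DISABLE
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ratings
  namespace: demo
spec:
  hosts:
  - ratings.demo.svc.cluster.local
  http:
  - match:
    - headers:
        x-canary:
          exact: "true"                  # assumed header, only to show two routes
    route:
    - destination:
        host: ratings.demo.svc.cluster.local
        subset: outside-mesh             # subset policy (DISABLE) now applies
  - route:
    - destination:
        host: ratings.demo.svc.cluster.local
        subset: inside-mesh              # subset policy (ISTIO_MUTUAL) now applies
```

Two practitioner notes. First, the check: after applying either form, the `istioctl authn tls-check` command mentioned in the post reports, per host, whether the client-side DestinationRule setting and the server-side authentication policy agree; a CONFLICT there (for example ISTIO_MUTUAL toward a host with no sidecar) is exactly the failure the mixed namespace produces. Second, a caveat on versions: later Istio releases (1.5 and onward) enable automatic mutual TLS by default, where the client sidecar uses mTLS toward workloads that have a sidecar and plaintext toward those that do not, without any DestinationRule; on those releases the mixed-namespace case in the post needs no per-host rules at all, and explicit `tls.mode` settings override that automatic choice rather than enable it.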