How to use sidecar proxies for routing inbound traffic to multiple containers in a pod

I’ve been playing around with Istio to understand its complexities, and I ran into a challenge that I haven’t figured out how to address or if it’s not supported altogether. Within my k8s sandbox environment (pre-Istio), I have a pod with multiple containers that all have their own ports they listen on. Rather than exposing all of these ports to the cluster, a single port is exposed for an Envoy container to listen on that routes requests internally throughout the pod.

Envoy Routing Path

Browser --https://pod1:5000/containerA/serviceapi--> pod1:envoy --127.0.0.1:5001/serviceapi--> pod1:containerA

Since then, I adopted Istio to handle ingress routing, which works great for all standard pods that don’t have multiple containers listening. However, with the service mesh and Envoy, this introduces some additional complexity surrounding configuring timeouts and other network settings between Envoy and Istio.

Routing With Istio Service Mesh

Browser --https://mysite.com/pod1/containerA/serviceapi--> ingress-gateway --pod1:5000/containerA/serviceapi--> pod1:sidecarproxy --> pod1:envoy --127.0.0.1:5001/serviceapi...--> pod1:containerA

My goal is to not have to expose multiple ports on my pod just to route to individual containers. Considering the sidecar proxy is mainly just an advanced Envoy container, I figured I should be able to replace my Envoy container with the sidecar and configure internal routing there. This apparently is more difficult than I thought. I have tried configuring a virtual service routing for the sidecar mesh and learned that:

  1. The virtual service routing does not appear to support configuring routes for a single sidecar and only supports sidecar routing configurations for the whole mesh, and
  2. This routing configuration for the service mesh only appears to apply to outbound requests (from the pod) and not inbound requests (to the pod).

I am likely missing something here or this feature isn’t directly supported by Istio yet, but it would seem that the only alternative is to create an Envoy Filter (which I can apply to a specific sidecar using label selections) and inject raw Envoy routing configurations. However, I can’t seem to get that to work either. I don’t get validation errors. It appears to just be ignored (or not matched).

Has anyone else tried to build this workflow? If so, how did you do it? And if you used an Envoy Filter for it, do you have a sample configuration that I can reference, please?
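
For reference, the pre-Istio "Envoy Routing Path" described in the question can be written as a standalone Envoy v3 static configuration. This is an added example, not the poster's configuration and not an Istio EnvoyFilter. The listener, route and cluster names, the plaintext listener (the TLS termination implied by the https URL is left out) and the timeout value are assumptions; the ports and the /containerA prefix come from the question.

```yaml
# Added example: one exposed port (5000) fans out to loopback-only containers.
static_resources:
  listeners:
  - name: pod_ingress                    # hypothetical name
    address:
      socket_address: { address: 0.0.0.0, port_value: 5000 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: pod_ingress
          route_config:
            name: in_pod_routes          # hypothetical name
            virtual_hosts:
            - name: pod1
              domains: ["*"]
              routes:
              # /containerA/serviceapi -> 127.0.0.1:5001/serviceapi
              - match: { prefix: "/containerA/" }
                route:
                  cluster: containerA
                  prefix_rewrite: "/"    # strip the per-container prefix
                  timeout: 15s           # constructed value; tune per backend
              # Paths that match no route are answered with 404, so only
              # listed prefixes can reach a container port.
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: containerA                     # one cluster per in-pod container
    type: STATIC
    connect_timeout: 1s
    load_assignment:
      cluster_name: containerA
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              # Loopback target: the container port itself is never exposed
              # outside the pod as long as the container binds to 127.0.0.1.
              socket_address: { address: 127.0.0.1, port_value: 5001 }
```

The single-port design only limits exposure if each container binds to 127.0.0.1 rather than 0.0.0.0; a container listening on all interfaces is still reachable on the pod IP regardless of what the proxy routes.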