Issue with VS in istio 1.1.1

Experiencing another issue with istio1.1.1 where a gateway and vs that worked in 1.0.6 no longer work the same. The behavior I am observing is that randomly either the /osquery or /enroll endpoints returns no healthy upstream (per creation of the vs). ie if I delete the vs and recreate it, either the agent-config or the kafka-proxy seems to work, but not both (and on occasion neither work)

---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: kafka-proxy-gateway
  annotations:
    kubernetes.io/ingress.class: external
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 443
      name: https-kakfa-ingress
      protocol: HTTPS
    hosts:
    - "kafka-proxy.platformdev.aveng.net"
    tls:
      mode: SIMPLE
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt

---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: kafka-proxy
spec:
  hosts:
  - "kafka-proxy.platformdev.aveng.net"
  gateways:
  - kafka-proxy-gateway
  http:
  - route:
    - destination:
        port:
          number: 8080
          name: http2-kafka-proxy
        host: kafka-proxy.default.svc.cluster.local
    match:
    - uri:
        prefix: /osquery
  - route:
    - destination:
        port:
          number: 8080
          name: http2-agent-config
        host: agent-config.default.svc.cluster.local
    match:
    - uri:
        prefix: /enroll
    - uri:
        prefix: /configure

remove port.name from virtual service

That worked thanks and now looking at the documentation https://istio.io/docs/reference/config/networking/v1alpha3/virtual-service/#PortSelector I see that it should not have been there. But why is this even being accepted and not validated for accuracy?

The validator accepts port.name because it is defined in the schema, but annotated to not be included in the doc:

So the issue is why? I think we need to fix this either by making it work or removing it entirely.

That said, the other odd thing in this example is that both the port.name and port.number fields were set. I would have expected the oneof in the PortSelector to make that fail to validate.

@frankbu do you want me to open a github issue on this?

Greg already fixed it in https://github.com/istio/istio/pull/13054. Don’t you love how agile our community is? :slight_smile: