Issue with VS in istio 1.1.1

#1

Experiencing another issue with istio1.1.1 where a gateway and vs that worked in 1.0.6 no longer work the same. The behavior I am observing is that randomly either the /osquery or /enroll endpoints returns no healthy upstream (per creation of the vs). ie if I delete the vs and recreate it, either the agent-config or the kafka-proxy seems to work, but not both (and on occasion neither work)

---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: kafka-proxy-gateway
  annotations:
    kubernetes.io/ingress.class: external
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 443
      name: https-kakfa-ingress
      protocol: HTTPS
    hosts:
    - "kafka-proxy.platformdev.aveng.net"
    tls:
      mode: SIMPLE
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt

---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: kafka-proxy
spec:
  hosts:
  - "kafka-proxy.platformdev.aveng.net"
  gateways:
  - kafka-proxy-gateway
  http:
  - route:
    - destination:
        port:
          number: 8080
          name: http2-kafka-proxy
        host: kafka-proxy.default.svc.cluster.local
    match:
    - uri:
        prefix: /osquery
  - route:
    - destination:
        port:
          number: 8080
          name: http2-agent-config
        host: agent-config.default.svc.cluster.local
    match:
    - uri:
        prefix: /enroll
    - uri:
        prefix: /configure
0 Likes

#2

remove port.name from virtual service

0 Likes

#3

That worked thanks and now looking at the documentation https://istio.io/docs/reference/config/networking/v1alpha3/virtual-service/#PortSelector I see that it should not have been there. But why is this even being accepted and not validated for accuracy?

0 Likes

#4

The validator accepts port.name because it is defined in the schema, but annotated to not be included in the doc:

So the issue is why? I think we need to fix this either by making it work or removing it entirely.

0 Likes

#5

That said, the other odd thing in this example is that both the port.name and port.number fields were set. I would have expected the oneof in the PortSelector to make that fail to validate.

0 Likes

#6

@frankbu do you want me to open a github issue on this?

0 Likes

#7

Greg already fixed it in https://github.com/istio/istio/pull/13054. Don’t you love how agile our community is? :slight_smile:

0 Likes