We use Istio for deployment of our services and have configured TLS SNI based routing rules. Here’s a snippet of our .yaml file :
spec: gateways: - istio-system/istio-ingressgateway hosts: - service.com - deployment0.com - deployment1.com tls: - match: - port: 8443 sniHosts: - service.com route: - destination: host: service.local port: number: 8443 - match: - port: 8443 sniHosts: - deployment0.com route: - destination: host: deployment-0.local port: number: 8443 - match: - port: 8443 sniHosts: - deployment1.com route: - destination: host: deployment-1.local port: number: 8443
deployment-1.local refer to K8s stateful pods and
service.local to the K8s service front-ending the pods
So, when a request from a client carries SNI (in
ClientHello packet) as
deployment0.com, it gets routed by Istio to the stateful pod
deployment-0.local. However, if that pod is down at this moment, Istio seems to send a HTTP 503 response code to the client.
Instead of HTTP 503 being sent, is there a way to enforce Istio to send the request to any other available pod, if the pod, it is supposed to send the request to, is down ?