Regex-based matching in Istio Virtual Service HTTPRequestMatch

Hey guys,

I am trying to create a Virtual Service using the regex matcher for URI under the HTTPMatchRequest.

HTTPMatchRequest

Here is the YAML file that I have at the moment. The regexes are valid and do match the query URI using online tools like regex101.com. However, I get 404 for the APIs.

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: acp-cloudentity-acp-levitate
  namespace: iam-ce
spec:
  hosts:
    - "diablo.local.test.com"
  gateways:
    - external-gateway.istio-system
    - internal-gateway.istio-system
  http:
    - match:
        # We only expose OAuth and OIDC paths publicly
        # We are only allowing tenants with UUIDs access
        ## This one was an attempt to broaden the regex to accommodate everything after /default/
        - uri: 
            regex: '\/auth\/[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}\/default\/.*'
        # - uri:
        #     regex: '\/auth\/[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}\/default\/oauth2.*'
        # - uri:
        #     regex: '\/auth\/[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}\/default\/\.well\-known\/.*'
        # - uri:
        #     regex: '\/auth\/[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}\/default\/userinfo'
        # - uri:
        #     regex: '\/auth\/[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}\/default\/login.*'
      route:
        - destination:
            host: acp-cloudentity-acp-levitate.iam-ce.svc.cluster.local
            port:
              number: 8443
      corsPolicy:
        allowOrigins:
          - exact: "*"
        allowMethods:
          - POST
          - GET
          - PUT
          - OPTIONS
        allowCredentials: true
        allowHeaders:
          - auth0-client
          - Content-Type
          - Accept
          - Authorization
        maxAge: "24h"

I previously tried adding regex match URIs for separate APIs like /oauth2, /.well-known, /userinfo, /login but that didn’t work. So I tried to broaden the regex search to accept everything after /default.

The API that fails with 404 but does match with regex is:

https://test-corp-gw-split.saas.test.com/auth/7bdb84e1-2814-4d8e-8d3f-5a88ebbb4836/default/oauth2/authorize?client_id=default&scope=openid%20introspect_tokens%20offline_access&response_type=code&redirect_uri=https%3A%2F%2Ftest-corp-gw-split.saas.test.com%2Fui%2Fapi%2Fauth%2Fcallback%2Fce&state=lQ9ZreQNJF1aStTTiV-OQMFaoxvIUANduYKLd7BHazA&code_challenge=6QbmImODa865zP5d4gGCB--wx_FqMvwfqbw2aLsXWdA&code_challenge_method=S256
https://test-corp-gw-split.saas.test.com/auth/7bdb84e1-2814-4d8e-8d3f-5a88ebbb4836/default/.well-known/openid-configuration

I would really appreciate some input on this. Does Istio have a different flavor of regex that is somehow not apparent?
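Added diagnostic, not part of the original post: Istio documents the `regex` matcher as RE2 style, which is the syntax Go's `regexp` package implements, so this replays the post's pattern and URLs outside the mesh. It assumes the whole path must match with the query string excluded (Envoy's route regex behaviour), and it also compares the request host with `spec.hosts`. `fullMatch`, `hostMatches` and `check` are hypothetical helper names.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Copied from the VirtualService in the post.
const vsHost = "diablo.local.test.com"
const uriRegex = `\/auth\/[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}\/default\/.*`

// fullMatch compiles pattern with Go's RE2-syntax engine and requires the
// whole path to match, unlike an unanchored search in an online tester.
func fullMatch(pattern, path string) (bool, error) {
	re, err := regexp.Compile(`^(?:` + pattern + `)$`)
	if err != nil {
		return false, err
	}
	return re.MatchString(path), nil
}

// hostMatches compares a request host with one spec.hosts entry
// (exact name, or a "*." wildcard prefix).
func hostMatches(vs, req string) bool {
	if strings.HasPrefix(vs, "*.") {
		return strings.HasSuffix(strings.ToLower(req), strings.ToLower(vs[1:]))
	}
	return strings.EqualFold(vs, req)
}

// check reports whether the URL's host and its path (query string excluded)
// each satisfy the VirtualService.
func check(rawURL string) (hostOK, pathOK bool, err error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false, false, err
	}
	pathOK, err = fullMatch(uriRegex, u.EscapedPath())
	return hostMatches(vsHost, u.Hostname()), pathOK, err
}

func main() {
	for _, raw := range []string{
		"https://test-corp-gw-split.saas.test.com/auth/7bdb84e1-2814-4d8e-8d3f-5a88ebbb4836/default/.well-known/openid-configuration",
		"https://diablo.local.test.com/auth/not-a-uuid/default/userinfo", // constructed
	} {
		h, p, err := check(raw)
		fmt.Printf("host=%v path=%v err=%v %s\n", h, p, err, raw)
	}
}
```

A result of `path=true` with `host=false` means the pattern is valid RE2 and matches the path, while the request's host is not one the VirtualService lists.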