JayDub
November 1, 2021, 12:48pm
1
Hi everyone!
I’m having trouble with a certain configuration:
From my application containers I want to call a resource which resides outside of the mesh, and let Istio do the TLS.
In short, I want to call http://abc.def.local:2080 in my application, and have Istio send it to abc.def.local:2443 with TLS.
Hence I created a ServiceEntry, VirtualService and DestinationRule, just like for any other such case.
I ran into this problem though:
There are routes being created in envoy. But the .local suffix seems to get lost in the domain names that the routes are bound to.
This only happens for domain names that consist of exactly three elements.
abc.def.ghi.local seems to work.
abc.local works too.
Only abc.def.local loses its .local suffix.
Does anyone have any pointers where this behaviour may be coming from?
ServiceEntry:
```
kind: ServiceEntry
metadata:
  name: abc-example
spec:
  hosts:
  - "abc.local"
  - "abc.def.local"
  - "abc.def.ghi.local"
  location: MESH_EXTERNAL
  ports:
  - name: http-out-1
    number: 2080
    protocol: HTTP
  - name: https-out-1
    number: 2443
    protocol: HTTPS
  resolution: DNS
```
Istioctl proxy-config routes output:
```
istioctl pc route debug-pod | grep 2080
2080 abc.def.ghi.local /*
2080 abc.def /* ##### .local suffix is missing here!
2080 abc.local /*
```
JayDub
November 2, 2021, 1:49pm
2
This turned out to be a known bug.
opened 08:26PM - 19 Oct 21 UTC
### Bug Description
In some cases, istio cuts off first-level domain in route… s domains. Reproducing:
* Create cluster with `clusterDomain: aaa.bbb.not-example.wtf`.
* In namespace `test`, enable istio and deploy the sleep app to it.
* Create two `ServiceEntry`-es:
```
---
kind: ServiceEntry
apiVersion: networking.istio.io/v1alpha3
metadata:
  name: aaa
  namespace: test
spec:
  endpoints:
  - address: aaa.example.wtf
    ports:
      http-7777: 7777
  exportTo:
  - .
  hosts:
  - aaa.example.wtf
  location: MESH_EXTERNAL
  ports:
  - name: http-7777
    number: 7777
    protocol: HTTP
  resolution: DNS
---
kind: ServiceEntry
apiVersion: networking.istio.io/v1alpha3
metadata:
  name: bbb
  namespace: test
spec:
  endpoints:
  - address: bbb.example.net
    ports:
      http-8888: 8888
  exportTo:
  - .
  hosts:
  - bbb.example.net
  location: MESH_EXTERNAL
  ports:
  - name: http-8888
    number: 8888
    protocol: HTTP
  resolution: DNS
```
* Check the routes for port 8888 (everything is fine and domains are as expected):
```
# istioctl -n test pc routes sleep-557747455f-95ff6 --name 8888 -o yaml
- name: "8888"
  validateClusters: false
  virtualHosts:
  - domains:
    - bbb.example.net
    - bbb.example.net:8888
    includeRequestAttemptCount: true
    name: bbb.example.net:8888
    routes:
    ...
```
* Check the routes for port 7777 (the domains are inconsistent, first-level "wtf" is missing):
```
# istioctl -n test pc routes sleep-557747455f-95ff6 --name 7777 -o yaml
- name: "7777"
  validateClusters: false
  virtualHosts:
  - domains:
    - aaa.example
    - aaa.example:7777
    includeRequestAttemptCount: true
    name: aaa.example.wtf:7777
    routes:
    ...
```
### Version
```prose
# istioctl version
client version: 1.11.2
control plane version: 1.10.1
data plane version: 1.10.1 (6 proxies)
# kubectl version
Client Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.3", GitCommit:"ca643a4d1f7bfe34773c74f79527be4afd95bf39", GitTreeState:"clean", BuildDate:"2021-07-15T21:04:39Z", GoVersion:"go1.16.6", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.3", GitCommit:"0000000000000000000000000000000000000000", GitTreeState:"archive", BuildDate:"2021-07-21T15:25:26Z", GoVersion:"go1.16.3", Compiler:"gc", Platform:"linux/amd64"}
```
### Additional Information
_No response_
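
One way to check a sidecar for the symptom described in this thread is sketched below. It is an added example, not code from either poster or from the Istio project. It assumes the route dump is taken with `istioctl proxy-config routes <pod> -o json` and reduced to the `name`, `virtualHosts[].name` and `virtualHosts[].domains` fields shown in the issue; the sample data and the function names are constructed for illustration.

```python
import json

# Constructed sample, shaped like the route output quoted in the issue above.
SAMPLE_ROUTES = json.loads("""
[
  {"name": "8888", "virtualHosts": [
    {"name": "bbb.example.net:8888",
     "domains": ["bbb.example.net", "bbb.example.net:8888"]}]},
  {"name": "7777", "virtualHosts": [
    {"name": "aaa.example.wtf:7777",
     "domains": ["aaa.example", "aaa.example:7777"]}]}
]
""")


def split_host_port(value):
    """Split 'host:port' into (host, port); port is None when absent."""
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, port
    return value, None


def find_truncated_domains(route_configs):
    """Flag virtual hosts whose own hostname is missing from their domains.

    A virtual host named 'aaa.example.wtf:7777' should list 'aaa.example.wtf'
    as a domain; if it does not, requests with that Host header will not
    select this virtual host.
    """
    findings = []
    for rc in route_configs:
        for vh in rc.get("virtualHosts", []):
            host, port = split_host_port(vh.get("name", ""))
            if port is None or "." not in host:
                continue  # not in host:port form (for example a catch-all entry)
            host = host.lower()
            domains = {d.lower() for d in vh.get("domains", [])}
            if "*" in domains or host in domains:
                continue
            # Port-less domains that are a strict prefix of the expected host
            # are the cut-off forms seen in the issue.
            cut = sorted(d for d in domains
                         if ":" not in d and host.startswith(d + "."))
            findings.append({"route": rc.get("name"),
                             "expected": host, "truncated": cut})
    return findings


if __name__ == "__main__":
    for f in find_truncated_domains(SAMPLE_ROUTES):
        print(f"route {f['route']}: {f['expected']} not in domains, "
              f"found {f['truncated']}")
```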