JayDub
November 1, 2021, 12:48pm
1
Hi everyone!
I’m having trouble with a certain configuration:
From my application containers i want to call a resource which resides outside of the mesh, and let Istio do the TLS.
In short, i want to call http://abc.def.local:2080 in my application, and have Istio send it to abc.def.local:2443 with TLS.
Hence i created a serviceentry, virtualservice and destinationrule, just like for any other such case.
I ran into this problem though:abc.def.ghi.local seems to work.abc.local works too.abc.def.local loses its .local suffix.
Does anyone have any pointers where this behaviour may be coming from?
ServiceEntry:
kind: ServiceEntry
Istioctl proxy-config routes output:
istioctl pc route debug-pod | grep 2080
JayDub
November 2, 2021, 1:49pm
2
This turned out to be a known bug.
opened 08:26PM - 19 Oct 21 UTC
### Bug Description
In some cases, istio cuts off first-level domain in route… s domains. Reproducing:
* Create cluster with `clusterDomain: aaa.bbb.not-example.wtf`.
* In namespace `test`, enable istio and deploy the sleep app to it.
* Create two `ServiceEntry`-es:
```
---
kind: ServiceEntry
apiVersion: networking.istio.io/v1alpha3
metadata:
name: aaa
namespace: test
spec:
endpoints:
- address: aaa.example.wtf
ports:
http-7777: 7777
exportTo:
- .
hosts:
- aaa.example.wtf
location: MESH_EXTERNAL
ports:
- name: http-7777
number: 7777
protocol: HTTP
resolution: DNS
---
kind: ServiceEntry
apiVersion: networking.istio.io/v1alpha3
metadata:
name: bbb
namespace: test
spec:
endpoints:
- address: bbb.example.net
ports:
http-8888: 8888
exportTo:
- .
hosts:
- bbb.example.net
location: MESH_EXTERNAL
ports:
- name: http-8888
number: 8888
protocol: HTTP
resolution: DNS
```
* Check the routes for port 8888 (everything is fine and domains are as expected):
```
# istioctl -n test pc routes sleep-557747455f-95ff6 --name 8888 -o yaml
- name: "8888"
validateClusters: false
virtualHosts:
- domains:
- bbb.example.net
- bbb.example.net:8888
includeRequestAttemptCount: true
name: bbb.example.net:8888
routes:
...
```
* Check the routes for port 7777 (the domains are inconsistent, first-level "wtf" is missing):
```
# istioctl -n test pc routes sleep-557747455f-95ff6 --name 7777 -o yaml
- name: "7777"
validateClusters: false
virtualHosts:
- domains:
- aaa.example
- aaa.example:7777
includeRequestAttemptCount: true
name: aaa.example.wtf:7777
routes:
...
```
### Version
```prose
# istioctl version
client version: 1.11.2
control plane version: 1.10.1
data plane version: 1.10.1 (6 proxies)
# kubectl version
Client Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.3", GitCommit:"ca643a4d1f7bfe34773c74f79527be4afd95bf39", GitTreeState:"clean", BuildDate:"2021-07-15T21:04:39Z", GoVersion:"go1.16.6", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.3", GitCommit:"0000000000000000000000000000000000000000", GitTreeState:"archive", BuildDate:"2021-07-21T15:25:26Z", GoVersion:"go1.16.3", Compiler:"gc", Platform:"linux/amd64"}
```
### Additional Information
_No response_