Virtual Service: Multiple route -> destinations with TLS?

alzamabar · January 26, 2019, 4:23pm

Hi, I’ve successfully applied traffic splitting with Istio and http. However I’m trying to apply the same logic with HTTPS (and therefore tls).

If I apply the following:
pulse-deployment

I get the following error:

admission webhook "pilot.validation.istio.io" denied the request: configuration is invalid: TLS route must have exactly one destination

If I comment one destination, the VirtualService gets installed, but obviously now I only have one subset, therefore making the whole green/blue deployment exercise a bit pointless.

Any suggestions on how could I solve this?

ZackButcher · February 27, 2019, 2:31am

What version of Istio are you using? I can’t pin-point the exact release this was fixed in, but I believe it was one of the 1.0.x patches, if not 1.0.0 itself. I confirmed on my 1.1 release candidate test cluster that this config is accepted:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: tls-test
spec:
  gateways:
  - ingressgateway
  hosts:
  - '*'
  tls:
  - match:
    - port: 443
      sni_hosts:
      - "localhost"
    route:
    - destination:
        host: one
      weight: 50
    - destination:
        host: two
      weight: 50

Topic		Replies	Views
How to originate TLS when forwarding to external ServiceEntry Networking	14	375	July 17, 2023
How To: Ingress Gateway + TLS Termination and Routing -> HTTPS Service Networking	1	1045	August 10, 2023
Istio Ingress http redirect to https Networking	1	4408	February 1, 2021
Multiple Gateways with SSL and cert-manager Networking	1	706	October 30, 2019
TLS termination at ingress edge for HTTPS only? Networking	1	2360	March 26, 2020

Virtual Service: Multiple route -> destinations with TLS?

Related Topics