Virtual Service: Multiple route -> destinations with TLS?


Hi, I’ve successfully applied traffic splitting with Istio and http. However I’m trying to apply the same logic with HTTPS (and therefore tls).

If I apply the following:

I get the following error:

admission webhook "" denied the request: configuration is invalid: TLS route must have exactly one destination

If I comment one destination, the VirtualService gets installed, but obviously now I only have one subset, therefore making the whole green/blue deployment exercise a bit pointless.

Any suggestions on how could I solve this?


What version of Istio are you using? I can’t pin-point the exact release this was fixed in, but I believe it was one of the 1.0.x patches, if not 1.0.0 itself. I confirmed on my 1.1 release candidate test cluster that this config is accepted:

kind: VirtualService
  name: tls-test
  - ingressgateway
  - '*'
  - match:
    - port: 443
      - "localhost"
    - destination:
        host: one
      weight: 50
    - destination:
        host: two
      weight: 50