Virtual Service: Multiple route -> destinations with TLS?

Hi, I’ve successfully applied traffic splitting with Istio and HTTP. However, I’m trying to apply the same logic with HTTPS (and therefore TLS).

If I apply the following:
pulse-deployment

I get the following error:

admission webhook "pilot.validation.istio.io" denied the request: configuration is invalid: TLS route must have exactly one destination

If I comment one destination, the VirtualService gets installed, but obviously now I only have one subset, therefore making the whole green/blue deployment exercise a bit pointless.

Any suggestions on how I could solve this?

What version of Istio are you using? I can’t pinpoint the exact release this was fixed in, but I believe it was one of the 1.0.x patches, if not 1.0.0 itself. I confirmed on my 1.1 release candidate test cluster that this config is accepted:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: tls-test
spec:
  gateways:
  - ingressgateway
  hosts:
  - '*'
  tls:
  - match:
    - port: 443
      sni_hosts:
      - "localhost"
    route:
    - destination:
        host: one
      weight: 50
    - destination:
        host: two
      weight: 50
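
Added example, not part of the thread or of either poster's configuration: the same weighted TLS route expressed with subsets of a single service, which is the blue/green layout the question describes. The names `myapp`, `blue`, `green`, `app.example.com` and the `version` label are hypothetical; it assumes an Istio release that accepts multiple TLS destinations and a gateway named `ingressgateway` whose port 443 server uses TLS `PASSTHROUGH` mode.

```yaml
# Hypothetical names throughout; adjust to your own service and labels.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: myapp
spec:
  host: myapp
  subsets:
  - name: blue
    labels:
      version: blue      # pods of the current release
  - name: green
    labels:
      version: green     # pods of the candidate release
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: myapp-tls
spec:
  gateways:
  - ingressgateway       # assumed: TLS server on 443 in PASSTHROUGH mode
  hosts:
  - "app.example.com"
  tls:
  - match:
    - port: 443
      sniHosts:          # routing decision is made on the SNI value only
      - "app.example.com"
    route:
    - destination:
        host: myapp
        subset: blue
      weight: 50
    - destination:
        host: myapp
        subset: green
      weight: 50
```

Because the gateway does not terminate TLS for a `tls` route, each subset's pods must present a certificate valid for the SNI host, and HTTP-level matching (paths, headers) is not available on this route.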