Open bozaro opened 1 month ago
Thanks for the report. This is definitely not looking correct
I can't reproduce this issue.
The bug is that if there is a `DestinationRule` that matches the hostname in the current namespace (even if it does not match the `workloadSelector`), then the `DestinationRule` will not be searched in the namespace with the service:
https://github.com/istio/istio/blob/a1ff4e10a8d39d51fe54af40cf4157043fce92ef/pilot/pkg/model/push_context.go#L1128-L1149
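
The lookup order described in the comment above, as a simplified Go model added here for illustration (it is not Istio's code and not the project's fix). The `Rule` type, `selects`, `lookup`, the `selectorAware` switch and the `app` label values are hypothetical; hosts match only exactly or by `*`.

```go
package main

import "fmt"

type Rule struct { // hypothetical, pared-down stand-in for a DestinationRule
	Namespace, Host string
	Selector        map[string]string // workloadSelector labels; nil selects all
}

func selects(r Rule, labels map[string]string) bool {
	for k, v := range r.Selector {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// lookup searches the client namespace, then the service namespace. With
// selectorAware=false a host match in the client namespace ends the search.
func lookup(rules []Rule, clientNS, svcNS, host string, labels map[string]string, selectorAware bool) (Rule, bool) {
	for _, ns := range []string{clientNS, svcNS} {
		hostMatched := false
		for _, r := range rules {
			if r.Namespace != ns || (r.Host != "*" && r.Host != host) {
				continue
			}
			hostMatched = true
			if selects(r, labels) {
				return r, true
			}
		}
		if hostMatched && !selectorAware {
			return Rule{}, false // reported behaviour: no rule, mTLS policy lost
		}
	}
	return Rule{}, false
}

func main() {
	rules := []Rule{ // constructed from the issue text; label values are made up
		{Namespace: "echo-server", Host: "echo.echo-server.svc.cluster.local"},
		{Namespace: "echo-client", Host: "*", Selector: map[string]string{"app": "unrelated"}},
	}
	for _, aware := range []bool{false, true} {
		r, ok := lookup(rules, "echo-client", "echo-server", rules[0].Host, map[string]string{"app": "echo-client"}, aware)
		fmt.Printf("selectorAware=%v found=%v namespace=%q\n", aware, ok, r.Namespace)
	}
}
```

With `selectorAware=false` the client resolves no rule for the `echo` host; with `true` the search falls through to the rule in `echo-server`.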
Is this the right place to submit this?
Bug Description
I have two namespaces:

- `echo-server` with `echo` server (xDS);
- `echo-client` with `echo` service client (xDS).

Both client and server use proxyless xDS setup with `grpc-agent` sidecar.

In `echo-server` namespace I have `DestinationRule` and `PeerAuthentication` with enabling mTLS for `echo` service.

In this configuration `echo-client` works fine.

After creating another `DestinationRule` in `echo-client` namespace with host `*` and `workloadSelector` for unrelated `Deployment` (with exactly same `trafficPolicy`) `echo-client` lost mTLS setting for `echo.echo-server.svc.cluster.local` service.

Version
Additional Information
Resources look like: