istio / istio

Connect, secure, control, and observe services.
https://istio.io
Apache License 2.0

Gateway does not bind to wildcarded hosts when a VirtualService has "hosts" defined with a FQDN #53117

Open ismail44 opened 1 month ago

ismail44 commented 1 month ago

Is this the right place to submit this?

Bug Description

In our most basic setup, we have 7 VirtualServices and one Gateway. Our gateway is set to route traffic to hosts: *.

Our virtual services are all set up with wildcarded hosts: "*.ourdomain.com".

We are testing some functionality with one of our services, so we've created a second deployment, service, and hence virtual service for this, which will be hosted at "b.ourdomain.com". For the original service, we updated the virtual service with host: 'a.ourdomain.com'. We left our Gateway at hosts: '*'.

Basically, we have 2 versions of our front end, one that will be new (b.ourdomain.com) and one that will be our default (a.ourdomain.com).

When we navigate to b.ourdomain.com the frontend loads, however, we get 404 errors when trying to get to all our other services which have VirtualServices that have hosts listings of "*.ourdomain.com".

What we did to fix this was update our gateway from a "*" hosts to each of our domains being spelled out and that works perfectly.

The question is, we would expect the routing from ingressgateway->Service to work even though we switched 2 of our virtualservices to use non-wildcarded hosts.

Version

istioctl version
client version: 1.22.0
control plane version: 1.19.1
data plane version: 1.19.1 (2 proxies)

kubectl version
Client Version: v1.30.1
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.27.16-eks-2f46c53
WARNING: version difference between client (1.30) and server (1.27) exceeds the supported minor version skew of +/-1

Additional Information

The following Istio control plane revisions/versions were found in the cluster:
Revision default:
&version.MeshInfo{
    {
        Component: "pilot",
        Revision: "default",
        Info: version.BuildInfo{Version:"1.19.1", GitRevision:"a780cd199d51787fab562748696d531e3d11c7a7", GolangVersion:"", BuildStatus:"Clean", GitTag:"1.19.1"},
    },
}

The following proxy revisions/versions were found in the cluster: Revision default: Versions {1.19.1}

hzxuzhonghu commented 1 month ago

@ismail44 Hard to understand, can you provide your config yamls?

ismail44 commented 1 month ago

Here are the VirtualService and Gateway Configs that we assume would work...

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: vs-domain-a
  namespace: our-ns
spec:
  gateways:
  - gateway-ns/gateway
  hosts:
  - domain-a.ourdomain.com
  http:
  - match:
    - uri:
        exact: /
    route:
    - destination:
        host: domain-a-service
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: vs-domain-b
  namespace: our-ns
spec:
  gateways:
  - gateway-ns/gateway
  hosts:
  - domain-b.ourdomain.com
  http:
  - match:
    - uri:
        exact: /
    route:
    - destination:
        host: domain-b-service
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: gateway
  namespace: gateway-ns
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - "*.ourdomain.com"
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      credentialName: our-domain-secret
      maxProtocolVersion: TLSV1_3
      minProtocolVersion: TLSV1_2
      mode: SIMPLE

As you can see... we have 2 almost identical VirtualServices... and we are trying to register them with a gateway that is wildcarded... domain-a should go to service-domain-a and domain-b should go to service-domain-b.

However, when we deploy with this Gateway, routing never happens, but when we spell out the domains, then routing happens as we expect.
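
As an added example (not from this issue thread and not Istio's own code), the sketch below applies the exact-or-suffix host matching rule described in the Istio Gateway documentation to the host values posted above, showing which VirtualServices are expected to bind under each Gateway `hosts` variant mentioned in the thread. The function names and the `vs-other` and `vs-stray` entries are constructed, namespace prefixes on server hosts are not modelled, and it does not reproduce or explain the reported 404s.

```python
# Added example: expected Gateway <-> VirtualService host binding.
# Not Istio source code; it models the exact-or-suffix rule from the Gateway docs.
# Assumption: namespace prefixes on server hosts ("ns/host") are not modelled.

def host_matches(a: str, b: str) -> bool:
    """True if two host names match exactly or by left-most wildcard suffix."""
    a, b = a.lower(), b.lower()
    a_wild, b_wild = a.startswith("*"), b.startswith("*")
    if a_wild and b_wild:
        # Two wildcards match when the shorter suffix is a suffix of the longer.
        short, long_ = sorted((a[1:], b[1:]), key=len)
        return long_.endswith(short)
    if a_wild:
        return b.endswith(a[1:])
    if b_wild:
        return a.endswith(b[1:])
    return a == b


def binding_report(server_hosts, virtual_services):
    """Map each VirtualService name to the server hosts it is expected to bind to."""
    return {
        name: [s for s in server_hosts if any(host_matches(s, h) for h in vs_hosts)]
        for name, vs_hosts in virtual_services.items()
    }


def unbound(server_hosts, virtual_services):
    """VirtualServices with no matching server host on this Gateway."""
    report = binding_report(server_hosts, virtual_services)
    return sorted(name for name, hits in report.items() if not hits)


# Hosts from the thread, plus two constructed entries marked below.
VIRTUAL_SERVICES = {
    "vs-domain-a": ["domain-a.ourdomain.com"],
    "vs-domain-b": ["domain-b.ourdomain.com"],
    "vs-other": ["*.ourdomain.com"],   # constructed name; wildcard host as described
    "vs-stray": ["api.example.org"],   # constructed negative case
}
GATEWAY_VARIANTS = {
    "catch-all": ["*"],
    "wildcard": ["*.ourdomain.com"],
    "explicit": ["domain-a.ourdomain.com", "domain-b.ourdomain.com"],
}

if __name__ == "__main__":
    for label, hosts in GATEWAY_VARIANTS.items():
        print(label, binding_report(hosts, VIRTUAL_SERVICES),
              "unbound:", unbound(hosts, VIRTUAL_SERVICES))
```

Comparing this expected binding with the routes the ingress gateway actually holds separates a host-matching misconfiguration from a control-plane defect.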