
In our Kubernetes cluster we are using Istio, with mutual TLS for the communication between the pods inside the mesh. Everything is working fine, but now we would like to introduce a VirtualService to be able to do traffic shifting for canary deployments. We configured everything according to the Istio documentation, but for some reason the VirtualService seems to be ignored: our canary version does not receive any traffic, even with a 50/50 traffic split.

Note that we are only talking about traffic inside the mesh. There is no external traffic; it's exclusively between pods in the same namespace.

Our setup:

Service of our application 'parser-service'

# service parser-service
spec:
  clusterIP: 172.20.181.129
  ports:
  - name: https-web
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    service: parser-service
  type: ClusterIP

Service of the canary version

# service parser-service-canary
spec:
  clusterIP: 172.20.30.101
  ports:
  - name: https-web
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    service: parser-service-canary
  type: ClusterIP

This is what we tried: a VirtualService that should split traffic 50/50.

spec:
  gateways:
  - mesh
  hosts:
  - parser-service
  tls:
  - match:
    - port: 80
      sniHosts:
      - parser-service
    route:
    - destination:
        host: parser-service
        port:
          number: 80
      weight: 50
    - destination:
        host: parser-service-canary
        port:
          number: 80
      weight: 50

I think we misunderstood something, but we can't figure out what it is. The traffic is still routed 100% to parser-service, and istioctl x describe pod parser-service-xxx-xxx also shows no VirtualService, which suggests to me that the VirtualService is just ignored.

Pod: parser-service-7cfd596dbb-hjqd9
   Pod Revision: 1-14-6
   Pod Ports: 8080 (parser-service), 15090 (istio-proxy)
Suggestion: add 'version' label to pod for Istio telemetry.
--------------------
Service: parser-service
   Port: https-web 80/HTTPS targets pod port 8080
DestinationRule: istio-mutual for "*.mynamespace.svc.cluster.local"
   Traffic Policy TLS Mode: ISTIO_MUTUAL
--------------------
Effective PeerAuthentication:
   Workload mTLS mode: PERMISSIVE

I think it has something to do with the fact that we named our ports https-web so that the traffic between the Istio sidecars is encrypted. When we use 'http-web' as the port name and an HTTP match instead of tls in the VirtualService, the traffic split works fine.

Would appreciate any hints or pointers in the right direction.


1 Answer

As you suggested, Istio derives protocol information from the port name and will try to use HTTPS on your port 80/8080. You should name them http-web. Additionally, your VS wants to match traffic via the TLS SNI header on port 80. Don't use a tls matcher but an http matcher, and let it use the Host header to capture your traffic and then distribute it to both versions. Istio will take care of adding mTLS between two Istio-enabled pods (given that your trafficPolicy is set to ISTIO_MUTUAL, which seems to be true in your istioctl output).

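The corrected manifests, as an added example that is not part of the question or the answer above: both Services keep the two-Service layout from the question but rename the port to http-web, the VirtualService uses an http route on the Host header instead of a tls/SNI match, and the DestinationRule keeps ISTIO_MUTUAL so the hop between sidecars stays encrypted even though the application itself now speaks plain HTTP on 8080. The namespace mynamespace is taken from the istioctl output; the STRICT PeerAuthentication at the end is an assumed hardening step, not something the original post describes: the output above shows PERMISSIVE, which still accepts plaintext from clients without a sidecar.

```yaml
# Stable Service: the port-name prefix is what Istio uses to pick the protocol.
apiVersion: v1
kind: Service
metadata:
  name: parser-service
  namespace: mynamespace
spec:
  type: ClusterIP
  selector:
    service: parser-service
  ports:
  - name: http-web      # was https-web, which made the sidecar treat port 80 as TLS
    port: 80
    targetPort: 8080
    protocol: TCP
---
# Canary Service: same port name, so both backends are handled as HTTP.
apiVersion: v1
kind: Service
metadata:
  name: parser-service-canary
  namespace: mynamespace
spec:
  type: ClusterIP
  selector:
    service: parser-service-canary
  ports:
  - name: http-web
    port: 80
    targetPort: 8080
    protocol: TCP
---
# VirtualService: an http route matched on the Host header (parser-service),
# not a tls block matched on SNI. With no match clause it applies to all
# HTTP requests for this host inside the mesh.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: parser-service
  namespace: mynamespace
spec:
  hosts:
  - parser-service
  gateways:
  - mesh
  http:
  - route:
    - destination:
        host: parser-service
        port:
          number: 80
      weight: 50
    - destination:
        host: parser-service-canary
        port:
          number: 80
      weight: 50
---
# DestinationRule: sidecar-to-sidecar mTLS, matching the istioctl output
# in the question. The app on 8080 only ever sees plaintext from its sidecar.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: istio-mutual
  namespace: mynamespace
spec:
  host: "*.mynamespace.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
# Assumed hardening (not in the original post): PERMISSIVE, as shown in the
# istioctl output, still accepts plaintext from non-sidecar clients; STRICT
# rejects it so the 50/50 split only ever carries mTLS traffic.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: mynamespace
spec:
  mtls:
    mode: STRICT
```

After applying this, istioctl x describe pod on a parser-service pod (the command used in the question) should list the VirtualService with its two weighted destinations. Two things to check if it still does not: clients must address the service by name (http://parser-service or its FQDN), because an http route is matched on the Host header and a request sent to the ClusterIP with some other Host value will not match; and the application must actually listen for plain HTTP on 8080, since with http-web the sidecar terminates mTLS and forwards cleartext to the container.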