istio: 0.8 Not being able to use hosts different of "*" on VirtualService for (Ingress) Gateways

Hi.

Istio 0.8 running on IBM Cloud Private 2.1.0.2 with k8s 1.9.1

When I tray to set a hostname instead of the wildecard “*” in the VirtualService “hosts” I always get 404 code.

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "books.example.com" (instead of "*")

These are my objects:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "books.example.com"

---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "books.example.com"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage.istio-apps.svc.cluster.local
        port:
          number: 9080

I also tested without quotes so books.example.com instead of “books.example.com”

I have tried also with the example described in https://istio.io/docs/tasks/traffic-management/ingress/

I the logs of the pod istio-ingressgateway-xxxx this is the trace:

Calling http://books.example.com:31380/productpage in the browser

[2018-06-03T07:34:08.917Z] “GET /productpage HTTP/1.1” 404 NR 0 0 2 - “10.186.234.215” “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36” “b9ef69ff-cb28-993d-b1b8-5d3aa8df6cb4” “books.example.com:31380” “-”

31380 is the nodeport of istio-ingressgateway pointing to port 80.

If I substitute the hosts “books.example.com” with “*” it works.

About this issue

Original URL
State: closed
Created 6 years ago
Comments: 20 (15 by maintainers)

Most upvoted comments

@jxadro Also test your case as follows:

[root@gyliu-icp-1 cases]# istioctl get gateway -oyaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"networking.istio.io/v1alpha3","kind":"Gateway","metadata":{"annotations":{},"name":"bookinfo-gateway","namespace":"default"},"spec":{"selector":{"istio":"ingressgateway"},"servers":[{"hosts":["liugya.example.com"],"port":{"name":"http","number":80,"protocol":"HTTP"}}]}}
  creationTimestamp: null
  name: bookinfo-gateway
  namespace: default
  resourceVersion: "1884784"
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - liugya.example.com
    port:
      name: http
      number: 80
      protocol: HTTP
---

[root@gyliu-icp-1 cases]# istioctl get virtualservices -oyaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"networking.istio.io/v1alpha3","kind":"VirtualService","metadata":{"annotations":{},"name":"bookinfo","namespace":"default"},"spec":{"gateways":["bookinfo-gateway"],"hosts":["liugya.example.com"],"http":[{"match":[{"uri":{"exact":"/productpage"}},{"uri":{"exact":"/login"}},{"uri":{"exact":"/logout"}},{"uri":{"prefix":"/api/v1/products"}}],"route":[{"destination":{"host":"productpage","port":{"number":9080}}}]}]}}
  creationTimestamp: null
  name: bookinfo
  namespace: default
  resourceVersion: "1884786"
spec:
  gateways:
  - bookinfo-gateway
  hosts:
  - liugya.example.com
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage
        port:
          number: 9080
---

[root@gyliu-icp-1 cases]# curl --resolve liugya.example.com:$INGRESS_PORT:$INGRESS_HOST -HHost:liugya.example.com -I http://liugya.example.com:$INGRESS_PORT/productpage
HTTP/1.1 200 OK
content-type: text/html; charset=utf-8
content-length: 4415
server: envoy
date: Thu, 07 Jun 2018 04:36:58 GMT
x-envoy-upstream-service-time: 1212

The log from productpage istio-proxy:

[2018-06-07T04:36:58.056Z] "GET /details/0 HTTP/1.1" 200 - 0 178 7 7 "-" "python-requests/2.18.4" "b28466cc-fffe-96a0-a79b-da9ca6ead7d7" "details:9080" "10.1.43.56:9080"
[2018-06-07T04:36:58.067Z] "GET /reviews/0 HTTP/1.1" 200 - 0 295 1187 1186 "-" "python-requests/2.18.4" "b28466cc-fffe-96a0-a79b-da9ca6ead7d7" "reviews:9080" "10.1.43.59:9080"
[2018-06-07T04:36:58.046Z] "HEAD /productpage HTTP/1.1" 200 - 0 0 1212 1209 "9.111.255.29" "curl/7.29.0" "b28466cc-fffe-96a0-a79b-da9ca6ead7d7" "liugya.example.com" "127.0.0.1:9080"

gyliu513 on Jun 7, 2018

So when using curl I have to set the host header: -H "Host: books.example.com", the reason is because the port comes into play with Istio and Envoy’s routing semantics.

When using a node port that’s not 80 (typical HTTP port), Curl sets the header for Host to include the port, IE: Host: books.example.com:38000, because Envoy relies on the :authority or Host header to match exactly to domains, this fails routing, hence the 404.

bobbytables on Jun 4, 2018