istio: filterChainMatch not set on a gateway with `*` hosts and a TLS virtual service with `sni_domains`.

Describe the bug filterChainMatch not set on a gateway with * hosts and a TLS virtual service with sni_domains.

Expected behavior If I define a gateway with hosts “*”, and two TLS rules, one with sni_domains “www.google.com” and another one with sni_domains “edition.cnn.com”, I expected two corresponding filterChains be configured.

Steps to reproduce the bug Follow the steps in https://github.com/istio/istio.github.io/pull/1687, the Direct HTTPS traffic through an egress gateway section.

Dump ADS and see that there is no filterChainMatch on the listener of the egress gateway.

Version Istio: https://gcsweb.istio.io/gcs/istio-prerelease/daily-build/master-20180705-09-15/

Kubernetes: Client Version: version.Info{Major:“1”, Minor:“9”, GitVersion:“v1.9.2”, GitCommit:“5fa2db2bd46ac79e5e00a4e6ed24191080aa463b”, GitTreeState:“clean”, BuildDate:“2018-01-18T21:11:08Z”, GoVersion:“go1.9.2”, Compiler:“gc”, Platform:“darwin/amd64”} Server Version: version.Info{Major:“1”, Minor:“9+”, GitVersion:“v1.9.8-2+af27ab4b096122”, GitCommit:“af27ab4b096122049e65b75ee29ac115b1d58f6b”, GitTreeState:“clean”, BuildDate:“2018-06-14T04:07:19Z”, GoVersion:“go1.9.3”, Compiler:“gc”, Platform:“linux/amd64”}

Is Istio Auth enabled or not? No

Environment Kubernetes on IBM Cloud Container Service.

About this issue

  • Original URL
  • State: closed
  • Created 6 years ago
  • Comments: 16 (16 by maintainers)

Most upvoted comments

@rshriram @ijsnellf The configuration above works!! However, @ijsnellf please note a redundant envoy.tcp_proxy to edition.cnn.com at the last filterChain without a filterChainMatch.

+1
vadimeisenbergibm on Jul 9, 2018

@rshriram The same problem with one VirtualService.

+1
vadimeisenbergibm on Jul 6, 2018
Read more comments on GitHub
← istio: Filter Chain Match Trie logic leads to unexpected matches leading to various bugs
istio: Frequent LDS ACK ERROR →