
VirtualService on http.matchRequest for port 443 is completely ignored. #36528

Closed
Arsen-Uulu opened this issue Dec 15, 2021 · 6 comments

Comments

@Arsen-Uulu

Arsen-Uulu commented Dec 15, 2021

Bug Description

I have created a ServiceEntry for an external service, e.g. example.com.

---
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: example
spec:
  hosts:
    - example.com
  location: MESH_EXTERNAL
  ports:
    - number: 443
      name: https
      protocol: HTTPS
  resolution: NONE

Then I created a VirtualService for example.com.

---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: test
spec:
  hosts:
    - example.com
  http:
    - match:
        - headers:
            x-identity:
              regex: "test"
      route:
        - destination:
            host: my-example.default.svc.cluster.local
            port:
              number: 443
    - route:
        - destination:
            host: example.com
            port:
              number: 443

When I apply the above VirtualService, it gets created in route configName 80. I wanted it to be created in route configName 443, so I added - port: 443 to the VirtualService below and applied it.

---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: test
spec:
  hosts:
    - example.com
  http:
    - match:
        - port: 443
          headers:
            x-identity:
              regex: "test"
      route:
        - destination:
            host: my-example.default.svc.cluster.local
            port:
              number: 443
    - route:
        - destination:
            host: example.com
            port:
              number: 443

Now it's gone from 80 too, and it's not created in 443 as well.

The reason I want this to be in 443 is that I have a custom FilterChainMatch on the 0.0.0.0:443 listener and I use routeConfigName 443.

Version

1.11
1.19

Additional Information

No response

@Arsen-Uulu
Author

@bianpengyuan can you take a look please?

@Arsen-Uulu
Author

I created a VirtualService for a pod running in Kubernetes.

---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: test
spec:
  hosts:
  - mypod.default.svc.cluster.local
  http:
    - match:
        - port: 443
          uri:
            prefix: "/"
      route:
        - destination:
            host: mypod.default.svc.cluster.local

It's not creating it in route name 443; replacing that with 80 creates it in route name 80.

@bianpengyuan
Contributor

bianpengyuan commented Dec 15, 2021

As you configured it, 443 is an HTTPS port, which means the proxy expects traffic to be encrypted and there won't be an HTTP-level route generated. Only an SNI-based route will be generated.

@Arsen-Uulu
Author

Well, if I remove the port in this

---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: test
spec:
  hosts:
  - mypod.default.svc.cluster.local
  http:
    - match:
        - uri:
            prefix: "/"
      route:
        - destination:
            host: mypod.default.svc.cluster.local

Istio does create it in 80 and 443 as well.

@Arsen-Uulu
Author

@bianpengyuan I was able to resolve this issue. When I create the ServiceEntry for the external service, I had to set the protocol to http, but the port will be 443.

This is for terminating the non-mesh TLS and encrypting the traffic with Istio_MTLS, and on the other sidecar, terminating ISTIO_MTLS and re-encrypting the traffic with my non-mesh certs before forwarding the traffic to my app.
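The behaviour bianpengyuan describes (a port declared HTTPS gets SNI routing only, so an http rule matching it lands in no routeConfig) and the resolution above (keep port 443 but declare it HTTP) can be turned into a preflight check. The script below is an added example, not code from the issue or from Istio; the set of L7 protocol names it treats as "HTTP routes are generated" is an assumption, and the manifests are the issue's YAML re-expressed as Python dicts so it runs without a YAML library.

```python
# Added example: flag VirtualService http rules whose port match can never produce
# an HTTP route because the ServiceEntry declares that port as a non-L7 protocol.
# Manifests are embedded as dicts (the issue's YAML, reindented), no YAML library needed.

# Assumption: the protocols for which Istio generates HTTP route configuration.
L7_PROTOCOLS = {"HTTP", "HTTP2", "GRPC", "GRPC-WEB"}

def declared_ports(service_entry):
    """Map each ServiceEntry port number to its upper-cased protocol name."""
    return {p["number"]: p["protocol"].upper() for p in service_entry["spec"]["ports"]}

def check_http_rules(service_entry, virtual_service):
    """Return findings for VirtualService http rules whose port match cannot route."""
    ports = declared_ports(service_entry)
    findings = []
    for i, rule in enumerate(virtual_service["spec"].get("http", [])):
        for m in rule.get("match", []):
            port = m.get("port")
            if port is None:
                continue  # no port match: the rule attaches to every L7 port
            proto = ports.get(port)
            if proto is None:
                findings.append(f"http[{i}]: port {port} is not declared in the ServiceEntry")
            elif proto not in L7_PROTOCOLS:
                findings.append(f"http[{i}]: port {port} is {proto}; only an SNI route is "
                                "built, so this rule is dropped")
    return findings

def example_service_entry(protocol):
    """The issue's ServiceEntry for example.com:443 with the given port protocol."""
    return {"spec": {"hosts": ["example.com"], "location": "MESH_EXTERNAL",
                     "resolution": "NONE",
                     "ports": [{"number": 443, "name": "https", "protocol": protocol}]}}

# The issue's VirtualService: header match on port 443, plus a catch-all route.
VIRTUAL_SERVICE = {"spec": {"hosts": ["example.com"], "http": [
    {"match": [{"port": 443, "headers": {"x-identity": {"regex": "test"}}}],
     "route": [{"destination": {"host": "my-example.default.svc.cluster.local",
                                "port": {"number": 443}}}]},
    {"route": [{"destination": {"host": "example.com", "port": {"number": 443}}}]},
]}}

if __name__ == "__main__":
    # As reported: protocol HTTPS -> the port-443 rule is silently dropped.
    for f in check_http_rules(example_service_entry("HTTPS"), VIRTUAL_SERVICE):
        print("FINDING:", f)
    # The fix from the thread: keep port 443 but declare it HTTP -> no findings.
    print("fixed:", check_http_rules(example_service_entry("HTTP"), VIRTUAL_SERVICE))
```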

@johnzheng1975
Member

However, I met a similar issue: #50997.
@Arsen-Uulu @bianpengyuan, do you know how to resolve it? Thanks a lot.
