HTTP request failed after ISTIO_META_DNS_AUTO_ALLOCATE enabled #39080
Comments
same as #29224
@hzxuzhonghu Hi, there may be a little difference with #29224.

```yaml
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-auto
spec:
  hosts:
  - example.com
  ports:
  - name: tcp
    number: 9444
    protocol: TCP
  resolution: DNS
```

I define a TCP port in this ServiceEntry. Resolve

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: auto-tls
spec:
  hosts:
  - "example.com"
  gateways:
  - mesh
  tcp:
  - match:
    - port: 9444
    route:
    - destination:
        host: sni-proxy
        subset: example-com-9444
        port:
          number: 443
```

It works well. But
This is expected IMO. Original_dst will not work with this mode, as noted. When you define your svc entry for 9444, you are saying it's ONLY on port 9444 (not 80). So you hit passthrough which ends up breaking. It's not possible for us to somehow only return the fake IP for port 9444 since DNS is not port-aware. ISTIO_META_DNS_AUTO_ALLOCATE is not something that can ever be 100% reliable
@howardjohn Alright. Another question.
There is no such way now
If you want the opposite (opt-in to allocate) you can basically DIY it by just setting a random IP in the ServiceEntry.address YAML. That is basically what the feature does.
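
The opt-in approach described in the comment above, as an added example (not posted in the thread and not the Istio project's own configuration). It reuses the ServiceEntry from this issue; the field in the ServiceEntry API is `spec.addresses`, the VIP `240.240.9.44` is a constructed value, and placing the proxy settings in an `IstioOperator` resource is an assumption about how the mesh is installed.

```yaml
# 1) Mesh-wide proxy settings: keep the sidecar DNS proxy on, but do not
#    allocate a VIP automatically for every ServiceEntry host.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    defaultConfig:
      proxyMetadata:
        ISTIO_META_DNS_CAPTURE: "true"
        ISTIO_META_DNS_AUTO_ALLOCATE: "false"
---
# 2) Opt in for this one host by pinning its VIP by hand.
#    ServiceEntries left without `addresses` get no VIP.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: external-auto
spec:
  hosts:
  - example.com
  addresses:
  - 240.240.9.44      # constructed VIP; choose one unused anywhere in the mesh
  ports:
  - name: tcp
    number: 9444
    protocol: TCP
  resolution: DNS
# Caveat from the thread still applies: DNS is not port-aware, so once
# example.com resolves to the VIP, example.com:80 also targets the VIP,
# matches no declared port, and falls through to passthrough (original
# destination = VIP), which fails. Declare every port the host is used on.
```
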
@howardjohn Great. Thank you for the reminder.
Bug Description

There is a ServiceEntry for `example.com`, port 9444 as TCP protocol. HTTP requests to `example.com:80` will also succeed.

After I enable `ISTIO_META_DNS_AUTO_ALLOCATE`, HTTP requests to `example.com:80` always failed. Got 503 connection failure.

Istio allocates a new IP for `example.com`. Destination of connections to this host will be changed to this IP and passthrough cluster will use ORIGIN DST to connect and fail.

Version

Additional Information

No response