-
Notifications
You must be signed in to change notification settings - Fork 7.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cookie not applied in inter-namespace communication #50643
Comments
Your curl pod can see DestinationRule/VirtualService? You can check by |
yes, both:
I have tried adding both NSs in
|
Maybe we should modify the exportTo of destination service, https://istio.io/latest/docs/reference/config/annotations/#NetworkingExportTo I test with source ping.test-ohai, destination pong.ohai
|
added the annotation
but again, no
on the contrary, I can see the
|
The destination service is a headless service (StatefulSet). Is this perhaps the issue? Because if I change the kind, from StatefulSet to Deployment, I can see the cookie in curl. |
I'm not familiar with the conversion rules in this area. |
By far I am no expert and I am not familiar with LDS/RDS, but as I understand (please correct me if I am wrong) if the request was relevant with LDS, I should be able to see the destination service, in the output of On the contrary, for RDS, I should be able to see the destination service in the output of In the first scenario, I see nothing. I In the second, when the destination service is headless (StatefulSet) I get this:
and when the destination is a Deployment, the only thing that changes is the
with the IP |
I think headless might be the key. A headless service will be transformed into a Cluster of type ORIGINAL_DST,
When node is gateway rather than sidecar, headless service is still being translated into EDS, not ORIGINAL_DST.
|
Discussed in #50415
Originally posted by Raven6681 April 12, 2024
Hello,
I am trying to apply cookies on a service and my setup is the following:
EKS cluster version: 1.27
Istio version: 1.21.1
The Gateway sits behind an AWS ALB (gateway deployment installed with a NodePort service and the ALB as ingress).
If I hit the Gateway FQDN with curl, I can see the cookie (real path and fqdn have been substituted),
< set-cookie: istio="a9bbe686634a6ce8"; HttpOnly
:but when I am using curl from a pod within the cluster, hitting the service, I see no cookie:
I have enabled debug level in logs and I can see the cookie in the ingressgateway pod logs:
but not in the
istio-proxy
logs of the pod that originates the curl request:The text was updated successfully, but these errors were encountered: