Unable to create virtual service through Kiali UI. Istio 1.9.2 admission fails with "subset name is invalid: 1.0"

[somejfn]

Describe the bug
I was testing the creation of virtual services through Kiali and this was working just fine before on older Istio releases but now it fails admission control creating the simplest VS (see below). In Kiali v1.33 logs (debug enabled):

2021-04-19T14:46:24Z DBG Detected Istio version [1.9.2-15c0cc2ec638bb16f39cd39972ba3c71834af878-Clean]
2021-04-19T14:48:02Z ERR admission webhook "validation.istio.io" denied the request: configuration is invalid: subset name is invalid: 1.0
2021-04-19T14:48:02Z ERR admission webhook "validation.istio.io" denied the request: configuration is invalid: subset name is invalid: 1.0

The VS created (all options left to default values but this view):

Versions used
Kiali: v1.33 (via v1.33 operator)
Istio: 1.9.2
Kubernetes flavour and version: Kubeadm 1.19.2
Other note: I just upgraded the Kiali environment from v1.32/v1.33

To Reproduce
Steps to reproduce the behavior:

1. Select a service from Kiali UI
2. Create a request routing
3. In my case I have set an exact host header match to a random hostname
4. See Isio admission control error

Expected behavior

Virtual service config generated through UI should be valid.

My kiali CR:

apiVersion: kiali.io/v1alpha1
kind: Kiali
metadata:
  namespace: istio-system
  name: kiali
  labels:
    helm.sh/chart: kiali-operator-1.32.0
    app: kiali-operator
    app.kubernetes.io/name: kiali-operator
    app.kubernetes.io/instance: kiali-operator
    version: "v1.32.0"
    app.kubernetes.io/version: "v1.32.0"
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: "kiali-operator"
annotations:
  ansible.sdk.operatorframework.io/verbosity: "1"
spec:
  api:
    namespaces:
      exclude:
      - "kube.*"
      - "saas.*"
      - "default"
  auth:
    strategy: "openid"
    openid:
      client_id: "kubernetes"
      issuer_uri: "https://keycloak-001.kd.io/auth/realms/kubernetes"
      insecure_skip_verify_tls: true
      username_claim: "email"
      disable_rbac: false
      scopes: ["openid", "groups", "email"]
  deployment:
    logger:
      log_level: debug
    accessible_namespaces:
    - '**'
    image_name: "internal.io/quay.io/kiali/kiali"
    image_version: "v1.33.0"
    ingress_enabled: false
  istio_component_namespaces:
    grafana: istio-system
    istiod: istio-system
    prometheus: istio-system
    tracing: istio-system
  server:    
    web_port: "80"
    web_fqdn: "kiali.a9igw.k8slab01.kd.io"
    web_schema: "http"
  external_services:
    grafana:
      in_cluster_url: "http://grafana.istio-system:3000"
      url: "http://grafana.a9igw.k8slab01.kd.io"

[somejfn]

Note the frontend service the virtual service is calling has these "app" and "version" labels selector set:

apiVersion: v1
kind: Service
metadata:
  creationTimestamp: null
  labels:
    app: frontend
  name: frontend
spec:
  ports:
  - port: 8080
    protocol: TCP
    targetPort: 8080
    name: http-8080
  selector:
    app: frontend
    version: "1.0"

[lucasponce]

Hi, thanks for the issue, perhaps it's missing a sanity check in the "1.0" version.
Is that the version of the workload, isn't it ?

[somejfn]

Hi Lucas. That version label is found in the Deployment object:

apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    app: frontend
    version: "1.0"
  name: frontend
spec:
  replicas: 1
  selector:
    matchLabels:
      app: frontend
      version: "1.0"
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: frontend
        version: "1.0"
    spec:
      containers:
      - image: docker-test.internal.io/jfn/parrot:0.1
        imagePullPolicy: IfNotPresent
        name: parrot
        ports:
        - containerPort: 8080
          name: http-8080

[lucasponce]

Thanks for confirming, yes, the 1.0 is missing a "" in the VS generation.

I'll prepare a fix for next release, thanks !

[somejfn]

Excellent ! I confirm removing that version label on both the deployment and service selector works. Thank you !

[lucasponce]

note that a potential workaround (for other users as well) it could be to start the version label with text to avoid the yaml convertion to number "1.0" -> "v1.0"

It's not a fix, but that should work meanwhile prepare a fix.

[somejfn]

I tried that and no luck:

configuration is invalid: subset name is invalid: v1.0

[lucasponce]

Ok, thanks for testing, the "." char seems it needs the "" always.

[lucasponce]

@somejfn I guess I need to revisit this issue.

The admission webhook is stopping / sending that error, so the name defined by the user is the wrong one:

lponce@neorecopolis:~/Software/istio-1.9.1$ kubectl apply -f samples/bookinfo/networking/virtual-service-ratings-mysql.yaml 
virtualservice.networking.istio.io/reviews created
Error from server: error when creating "samples/bookinfo/networking/virtual-service-ratings-mysql.yaml": admission webhook "validation.istio.io" denied the request: configuration is invalid: subset name is invalid: v2-mysql.0

So, then here, Kiali is just propagating that, perhaps a enhancement for the future could be to warn user in case that some label may have a confusing or potentially syntax wrong name.

I'm afraid that workaround for the moment should be to use a different naming in the version label, like "v1.0" -> "v1_0" or something similar without a problem with the basic k8s schema for naming.

What do you think ?

So, I think then we can document it but it's not a bug that I can prevent an easy fix.

(I originally thought that I missed some basic quotes on resource generation and I was approaching that fix).