Istio config bug

[Zorgji]

Bug brief

I'm testing Istio with gateway API and httproutes. It's all accessible and working well. But in Kiali saying as below img.

If I put full name like dev-grafana.monitoring.svc.cluster.local, Istio config is fine but can't route to the App anymore.

Environment

Currently I'm running

• Kiali version: v1.78.0
• Istio version: 1.20.0
• Kubernetes version: 1.26
• Other notable environmental factors: Gateway API, HTTPROUTES

[jshaughn]

@hhovsepy Perhaps the validation here is too aggressive?

[hhovsepy]

Hi @Zorgji , in this screenshot it still shows an error message over 'dev-grafana.monitoring.svc.cluster.local' service in FQDN, does this service exist with this FQDN?

[Zorgji]

Hi @hhovsepy Yes yes It does exist.

[Zorgji]

@jshaughn Likely so

[hhovsepy]

@Zorgji thanks you, I think I need more info to reproduce the issue.
Validations take name of the service set in Istio config and convert it to FQDN ( if it is not set as FQDN ), using the namespace of config itself. Then always comparing that FQDN with the Services from Istio Service Registry.
The shown error can happen if:

1. Service with this name does not exist, or Service is in different namespace than the Istio config. For instance dev-grafana Service is not in monitoring but in istio-system namespace.
2. Service exists but is exported to different namespace, or exported to "~" which means invisible.
3. Istio Service Registry is not started, then there will be Error in Kiali logs and many other Errors in UI validations.

If non of the above is the case, I need the steps you used to deploy dev-grafana.

[Zorgji]

@hhovsepy Thanks for clarifying 🙏
For above deployment, I've 3 ns gateway-api, monitoring, istio-system

1. svc dev-grafana exists in monitoring ns
2. httproutes also in the same ns monitoring not exported to other ns
3. not really sure about istio registry but It routes to the correct svc. I mean I can access grafana dashboard for example

---

Now I redeploy all in istio-system ns a new Gateway API (with istio gc) and a httproutes to access kiali.
All going well, but still the same if I set svc I can access this below pic, validation still showing error.

If I put FQDN, it's all gone and httproutes complained "serviceName invalid; the name of the Service must be used, not the hostname." I'm quite sure validation will be fine like above scenario. But couldn't access anymore

[hhovsepy]

Thank you @Zorgji, you are right, the issue is in validations.
I will make a fix.

[Zorgji]

Thanks man @hhovsepy really appreciate it 🙏

[hhovsepy]

@Zorgji can I ask you to check what is the value set in Kiali configmap or CR for property istio_identity_domain? It should be 'svc.cluster.local'.
Because in your screenshot you set value kiali for service name and it still shows error.

[Zorgji]

@hhovsepy In httproute you have to set its svc name to reference. didn't see that istio_identity_domain flag in configmap. And I don't think it's related.

[Zorgji]

To be more clear, I didn't use istio gateway and virtual service. I'm using Gateway API with Istio GatewayClass and httproutes. Everything is working, except showing that validation error. that's it.

[hhovsepy]

I was able to reproduce and fix the second part of the issue, when Kiali accepts FQDN as a Service name.
But the initial issue when Service 'kiali' set as a service name is showing error I cannot reproduce:

[Zorgji]

nice! which image tag I need to use?

[hhovsepy]

@Zorgji I mean the issue is fixed partially, and the fix will be available on upcoming Kiali v1.79 in 6 weeks.
However the error message when you set kiali or dev-grafana as a service name, I was not able to reproduce on my environment with Istio 1.20 and Kiali 1.78 or latest, it appears only in the case when I set the istio_identity_domain: in Kiali configmap with
empty value or something different than svc.cluster.local.
BTW the validation errors can be ignored by setting property in Kiali configmap:

  validations:
    ignore: ["KIA1201", "KIA1401"]

[Zorgji]

Thanks man @hhovsepy Now I put the istio_identity_domain error is still showing, if I set validation ignore like you said error is gone.