CDS marked STALE (Never Acknowledged) with wildcard destinationrule #12996

@jdamata

Describe the bug
After creating a wildcard destinationrule, CDS gets marked as stale.

State before adding the rule

$ istioctl proxy-status
NAME                            CDS        LDS        EDS               RDS        PILOT                            VERSION
fedora-59b86d6b4b-grpm2.dev     SYNCED     SYNCED     SYNCED (100%)     SYNCED     istio-pilot-597dd58685-tgts5     1.1.0

State before adding the rule

$  istioctl proxy-status -n dev fedora-59b86d6b4b-grpm2
--- Pilot Clusters
+++ Envoy Clusters
@@ -1,28 +1,26 @@
 {
    "dynamicActiveClusters": [
       {
          "cluster": {
             "name": "BlackHoleCluster",
-            "type": "STATIC",
             "connectTimeout": "1s"
          }
       },
       {
          "cluster": {
             "name": "PassthroughCluster",
             "type": "ORIGINAL_DST",
             "connectTimeout": "1s",
             "lbPolicy": "ORIGINAL_DST_LB"
          }
       },
       {
          "cluster": {
             "name": "inbound|15020|mgmt-15020|mgmtCluster",
-            "type": "STATIC",
             "connectTimeout": "1s",
             "loadAssignment": {
                "clusterName": "inbound|15020|mgmt-15020|mgmtCluster",
                "endpoints": [
                   {
                      "lbEndpoints": [
                         {

Listeners Match
Routes Match (RDS last loaded at Tue, 02 Apr 2019 11:12:49 EDT)

Now we add a destination rule like so:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: src-ext-dd-agent-https
  namespace: istio-system
spec:
  hosts:
  - "*.agent.datadoghq.com"
  location: MESH_EXTERNAL
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
  - number: 443
    name: http-port-for-tls-origination
    protocol: HTTP
  resolution: NONE
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: src-ext-dd-agent-https
  namespace: istio-system
spec:
  hosts:
  - "*.agent.datadoghq.com"
  tls:
  - match:
    - port: 80
      sni_hosts:
      - "*.agent.datadoghq.com"
    route:
    - destination:
        host: "*.agent.datadoghq.com"
        port:
          number: 443
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: src-ext-dd-agent-https
  namespace: istio-system
spec:
  host: "*.agent.datadoghq.com"
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: SIMPLE

State after adding the rule

$ istioctl proxy-status
NAME                            CDS                            LDS        EDS               RDS        PILOT                            VERSION
fedora-59b86d6b4b-grpm2.dev     STALE (Never Acknowledged)     SYNCED     SYNCED (100%)     SYNCED     istio-pilot-597dd58685-tgts5     1.1.0

State after adding the rule

$ istioctl proxy-status -n dev fedora-59b86d6b4b-grpm2
--- Pilot Clusters
+++ Envoy Clusters
@@ -1,28 +1,26 @@
 {
    "dynamicActiveClusters": [
       {
          "cluster": {
             "name": "BlackHoleCluster",
-            "type": "STATIC",
             "connectTimeout": "1s"
          }
       },
       {
          "cluster": {
             "name": "PassthroughCluster",
             "type": "ORIGINAL_DST",
             "connectTimeout": "1s",
             "lbPolicy": "ORIGINAL_DST_LB"
          }
       },
       {
          "cluster": {
             "name": "inbound|15020|mgmt-15020|mgmtCluster",
-            "type": "STATIC",
             "connectTimeout": "1s",
             "loadAssignment": {
                "clusterName": "inbound|15020|mgmt-15020|mgmtCluster",
                "endpoints": [
                   {
                      "lbEndpoints": [
                         {
@@ -781,26 +779,14 @@
             "lbPolicy": "ORIGINAL_DST_LB",
             "circuitBreakers": {
                "thresholds": [
                   {
                      "maxRetries": 1024
                   }
                ]
-            },
-            "tlsContext": {
-               "commonTlsContext": {
-
-               }
-            },
-            "metadata": {
-               "filterMetadata": {
-                  "istio": {
-                        "config": "/apis/networking/v1alpha3/namespaces/istio-system/destination-rule/src-ext-dd-agent-https"
-                     }
-               }
             }
          }
       },
       {
          "cluster": {
             "name": "outbound|443||istio-galley.istio-system.svc.cluster.local",
             "type": "EDS",
@@ -1124,27 +1110,21 @@
          }
       },
       {
          "cluster": {
             "name": "outbound|80||*.agent.datadoghq.com",
             "type": "ORIGINAL_DST",
             "connectTimeout": "1s",
-            "circuitBreakers": {
-               "thresholds": [
-                  {
-                     "maxRetries": 1024
-                  }
-               ]
-            },
-            "metadata": {
-               "filterMetadata": {
-                  "istio": {
-                        "config": "/apis/networking/v1alpha3/namespaces/istio-system/destination-rule/src-ext-dd-agent-https"
-                     }
-               }
+            "lbPolicy": "ORIGINAL_DST_LB",
+            "circuitBreakers": {
+               "thresholds": [
+                  {
+                     "maxRetries": 1024
+                  }
+               ]
             }
          }
       },
       {
          "cluster": {
             "name": "outbound|80||tracing.istio-system.svc.cluster.local",
             "type": "EDS",

Listeners Match
Routes Match (RDS last loaded at Tue, 02 Apr 2019 11:20:03 EDT)

In the istio-proxy logs I see this error:

[2019-04-02 15:20:03.938][19][warning][config] [bazel-out/k8-opt/bin/external/envoy/source/common/config/_virtual_includes/grpc_mux_subscription_lib/common/config/grpc_mux_subscription_impl.h:70] gRPC config for type.googleapis.com/envoy.api.v2.Cluster rejected: cluster: cluster type 'original_dst' may only be used with LB type 'original_dst_lb'

Version
istio 1.1.1
aws eks 1.11

Installation

for i in helm/istio-init/files/crd*yaml; do kubectl apply -f $i; done

helm template helm/istio --name istio --namespace istio-system  \
--set global.mtls.enabled=true \
--set global.controlPlaneSecurityEnabled=true \
--set global.outboundTrafficPolicy.mode=REGISTRY_ONLY \
--set gateways.istio-ingressgateway.enabled=false \
--set gateways.istio-egressgateway.enabled=false \
--set grafana.enabled=false \
--set prometheus.enabled=false \
--set mixer.enabled=true \
--set tracing.enabled=true \
--set kiali.enabled=true  > istio.yaml 

kubectl create ns istio-system
kubectl apply -f istio.yaml

Environment
EKS
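
The rule quoted in the Envoy log line above (cluster type `original_dst` only with LB type `original_dst_lb`) can be checked against a cluster dump before it reaches the proxy. This is an added example, not code from the issue, Istio or Envoy; the function name `find_lb_mismatches`, the constructed sample dump and the treatment of omitted enum fields as their defaults (`STATIC`, `ROUND_ROBIN`) are assumptions.

```python
import json

# Constructed sample, shaped like the Pilot-side "dynamicActiveClusters" list
# shown in the istioctl proxy-status output above (not a real dump).
PILOT_CLUSTERS = json.loads("""
{
  "dynamicActiveClusters": [
    {"cluster": {"name": "BlackHoleCluster", "connectTimeout": "1s"}},
    {"cluster": {"name": "PassthroughCluster", "type": "ORIGINAL_DST",
                 "connectTimeout": "1s", "lbPolicy": "ORIGINAL_DST_LB"}},
    {"cluster": {"name": "outbound|80||*.agent.datadoghq.com",
                 "type": "ORIGINAL_DST", "connectTimeout": "1s"}},
    {"cluster": {"name": "outbound|80||tracing.istio-system.svc.cluster.local",
                 "type": "EDS", "connectTimeout": "1s"}}
  ]
}
""")

# Assumption: the JSON rendering omits enum fields left at their default value,
# so a missing "type" is read as STATIC and a missing "lbPolicy" as ROUND_ROBIN.
DEFAULT_TYPE = "STATIC"
DEFAULT_LB = "ROUND_ROBIN"


def find_lb_mismatches(dump):
    """Return (cluster name, effective lbPolicy) for every ORIGINAL_DST cluster
    whose load balancer is not ORIGINAL_DST_LB, i.e. the clusters that the
    validation quoted in the log line would reject."""
    rejected = []
    for entry in dump.get("dynamicActiveClusters", []):
        cluster = entry.get("cluster", {})
        ctype = cluster.get("type", DEFAULT_TYPE)
        lb = cluster.get("lbPolicy", DEFAULT_LB)
        if ctype == "ORIGINAL_DST" and lb != "ORIGINAL_DST_LB":
            rejected.append((cluster.get("name", "<unnamed>"), lb))
    return rejected


if __name__ == "__main__":
    for name, lb in find_lb_mismatches(PILOT_CLUSTERS):
        print(f"{name}: type ORIGINAL_DST with lbPolicy {lb}")
```

Because a single rejected cluster leaves CDS unacknowledged, the proxy keeps running its previous cluster set, which matters in a `REGISTRY_ONLY` mesh where egress policy is expected to follow the applied configuration.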
