Gateways can't have dots in their name

[prune998]

Describe the bug
When a gateway contains a dot (.) in it's name, no virtualservices can be attached to it.

Expected behavior
either :

• we can use dots in gateway names
• Galley should reject the creation of a gateway with a dot in the name

Steps to reproduce the bug
I'm using a simple hello-world image + service like :

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: hello
spec:
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: "false"
      labels:
        run: hello
    spec:
      containers:
      - image: gcr.io/google-samples/hello-app:1.0
        name: hello
        ports:
        - containerPort: 8080
          protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  labels:
    run: hello
  name: hello
spec:
  ports:
  - port: 8080
    protocol: TCP
    targetPort: 8080
  selector:
    run: hello
  sessionAffinity: None
  type: ClusterIP

Create a gateway manifest containing a dot in the name like :

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: gw-hello.notworking
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - www.external-url.com
    port:
      name: http-hello
      number: 80
      protocol: HTTP

Add a VirtualService that route from this gateway :

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: vs-hello
spec:
  gateways:
  - gw-hello.notworking
  hosts:
  - www.external-url.com
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: hello.default.svc.cluster.local
        port:
          number: 8080

You can check the listener created for the IngressGateway like :
istioctl proxy-config listeners -n istio-system istio-ingressgateway-5798d55d79-nhpfc --port 80 -o json
You should see a route from RDS named http.80
Then check the route :
istioctl proxy-config routes -n istio-system istio-ingressgateway-5798d55d79-nhpfc --name http.80 -o json

The resulting route is just the default blackhole on port 80.

When you change the gateway name and remove the dot, everything is fine :

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: gw-hello
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - www.external-url.com
    port:
      name: http-hello
      number: 80
      protocol: HTTP
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: vs-hello
spec:
  gateways:
  - gw-hello
  hosts:
  - www.external-url.com
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: hello.default.svc.cluster.local
        port:
          number: 8080

This is even more obvious with https, as the route names are concatenated like https.443.https-hello.gw-hello.default

Version

istioctl version --remote
client version: version.BuildInfo{Version:"1.1.2", GitRevision:"2b1331886076df103179e3da5dc9077fed59c989", User:"root", Host:"35adf5bb-5570-11e9-b00d-0a580a2c0205", GolangVersion:"go1.10.4", DockerHub:"docker.io/istio", BuildStatus:"Clean", GitTag:"1.1.1"}
citadel version: version.BuildInfo{Version:"1.1.2", GitRevision:"2b1331886076df103179e3da5dc9077fed59c989-dirty", User:"root", Host:"35adf5bb-5570-11e9-b00d-0a580a2c0205", GolangVersion:"go1.10.4", DockerHub:"docker.io/istio", BuildStatus:"Modified", GitTag:"1.1.1"}
egressgateway version: version.BuildInfo{Version:"bdda7cfcf5ba1397e6e0e2629d53114c9ea8fc14", GitRevision:"bdda7cfcf5ba1397e6e0e2629d53114c9ea8fc14", User:"mjog", Host:"devinstance.c.mixologist-142215.internal", GolangVersion:"go1.10.1", DockerHub:"docker.io/istio", BuildStatus:"Clean", GitTag:"1.1.0-snapshot.4-592-gbdda7cf"}
galley version: version.BuildInfo{Version:"1.1.2", GitRevision:"2b1331886076df103179e3da5dc9077fed59c989-dirty", User:"root", Host:"35adf5bb-5570-11e9-b00d-0a580a2c0205", GolangVersion:"go1.10.4", DockerHub:"docker.io/istio", BuildStatus:"Modified", GitTag:"1.1.1"}
ingressgateway version: version.BuildInfo{Version:"bdda7cfcf5ba1397e6e0e2629d53114c9ea8fc14", GitRevision:"bdda7cfcf5ba1397e6e0e2629d53114c9ea8fc14", User:"mjog", Host:"devinstance.c.mixologist-142215.internal", GolangVersion:"go1.10.1", DockerHub:"docker.io/istio", BuildStatus:"Clean", GitTag:"1.1.0-snapshot.4-592-gbdda7cf"}
pilot version: version.BuildInfo{Version:"1.1.2", GitRevision:"2b1331886076df103179e3da5dc9077fed59c989-dirty", User:"root", Host:"35adf5bb-5570-11e9-b00d-0a580a2c0205", GolangVersion:"go1.10.4", DockerHub:"docker.io/istio", BuildStatus:"Modified", GitTag:"1.1.1"}
policy version: version.BuildInfo{Version:"1.1.2", GitRevision:"2b1331886076df103179e3da5dc9077fed59c989-dirty", User:"root", Host:"35adf5bb-5570-11e9-b00d-0a580a2c0205", GolangVersion:"go1.10.4", DockerHub:"docker.io/istio", BuildStatus:"Modified", GitTag:"1.1.1"}
sidecar-injector version: version.BuildInfo{Version:"1.1.2", GitRevision:"2b1331886076df103179e3da5dc9077fed59c989-dirty", User:"root", Host:"35adf5bb-5570-11e9-b00d-0a580a2c0205", GolangVersion:"go1.10.4", DockerHub:"docker.io/istio", BuildStatus:"Modified", GitTag:"1.1.1"}
telemetry version: version.BuildInfo{Version:"1.1.2", GitRevision:"2b1331886076df103179e3da5dc9077fed59c989-dirty", User:"root", Host:"35adf5bb-5570-11e9-b00d-0a580a2c0205", GolangVersion:"go1.10.4", DockerHub:"docker.io/istio", BuildStatus:"Modified", GitTag:"1.1.1"}

kubectl version
Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.0", GitCommit:"641856db18352033a0d96dbc99153fa3b27298e5", GitTreeState:"clean", BuildDate:"2019-03-26T00:04:52Z", GoVersion:"go1.12.1", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.6", GitCommit:"ab91afd7062d4240e95e51ac00a18bd58fddd365", GitTreeState:"clean", BuildDate:"2019-02-26T12:49:28Z", GoVersion:"go1.10.8", Compiler:"gc", Platform:"linux/amd64"}

Installation
using helm template

Environment
hosted on Azure AKS

[rshriram]

aren't kubernetes names supposed to be DNS1123 labels (no dots)? if gateway name has dots, then it is trouble. In Istio 1.0.x, we asked people to refer to cross namesapce gateawys as gatewayname.namesapce.svc.cluster.local.. But starting in 1.1, we are asking people to refer to gateways as namespace/name [consistent with the way we are referring to services in the Sidecar CRD object].

As a backward compatibility measure, we continue to parse the old format as well, but internally we convert it into namespace/name format. So I guess what happened here is that our simple minded parsing ( split(gatewayName, '.')[1]/split(gatewayName, '.')[0]) doesn't work.

So yes, we should add validation to ensure that the Gateway Object's name does not contain a dot.

[prune998]

As far as I remember, I also tried to reference the gateway (in a VirtualService) as namespace/gateway, and it was rejected by Galley.

I switched the GW name to not use dots at all, and created my virtualService in the same namespace, using the plain GW name.

Still, this situation is under-documented and not enforced as needed.
Thanks for your answer @rshriram

[frankbu]

Fixed by #13351

Doc also improved to mention namespace/ syntax: istio/api#901