Tetrate Istio SubscriptionVersion: NextTIS1109 - Protocol Mismatch Between Gateway and VirtualService
A protocol mismatch between the Gateway and VirtualService can lead to traffic routing issues, as the expected protocols do not align, preventing proper communication and routing.
By aligning the protocols, you guarantee that the Gateway can correctly route traffic based on the rules defined in the VirtualService.
Examples
-
Protocol Mismatch Configuration
Gateway Configuration:
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: gateway
namespace: istio-system
spec:
selector:
istio: ingressgateway
servers:
- hosts:
- httpbin.example.com
port:
name: https
number: 443
protocol: HTTPS # Gateway configured for HTTPS
tls:
mode: SIMPLE
credentialName: httpbin-credentialVirtualService Configuration with Incorrect Protocol:
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: httpbin-vs
spec:
gateways:
- istio-system/gateway
hosts:
- httpbin.example.com
tcp: # Using TCP instead of HTTP/HTTPS
- match:
- port: 443
route:
- destination:
host: httpbin
port:
number: 8000
weight: 100Explanation: The Gateway is configured for HTTPS traffic, but the VirtualService is using TCP routing rules. This mismatch will prevent proper traffic routing.
Recommendation
-
Align Gateway and VirtualService Protocols
Correct VirtualService Configuration:
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: httpbin-vs
spec:
gateways:
- istio-system/gateway
hosts:
- httpbin.example.com
http: # Changed from tcp to http for HTTPS traffic
- match:
- port: 443
route:
- destination:
host: httpbin
port:
number: 8000
weight: 100By aligning the protocols in the Gateway and VirtualService configurations, you ensure that traffic is correctly routed based on the defined rules.