Is it possible to limit the DestinationRule scope in OpenShift Service Mesh 2.x?

Solution In Progress - Updated

Issue

  • Istiod (Pilot) sends cluster configuration to the OpenShift Service Mesh resources. Some parts of that configuration are intended for only one resource, for instance the certificates in the DestinationRule below:
spec:
  exportTo:
  - .
  host: xxxxxx-logger.ingress.apps.yyyyyyyyyy
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 443
      tls:
        caCertificates: /etc/istio/egressgateway-ca-certs/ca.pem
        clientCertificate: /etc/istio/egressgateway-certs/tls.crt
        mode: MUTUAL
        privateKey: /etc/istio/egressgateway-certs/tls.key
        sni: xxxxxx-logger.ingress.apps.yyyyyyyyyy
  • This configuration reaches both the ingress gateways and the egress gateways, but the ingress gateways cannot access the certificate paths, which ends in an ACK ERROR in istiod:
2021-10-13T05:40:43Z    warn    ads    ADS:CDS: ACK ERROR 10.0.0.40:36374 router~10.0.0.40~ingress-xxxx-yyyyyyyyyy.xxxxxxxxxxxxxxxxxx-yyyyyyyyy (xxx.yyyy) Internal:Error adding/updating cluster(s) outbound|443||xxxx.yyyyy Invalid path: /etc/istio/egressgateway-ca-certs/ca.pem, outbound|443||xxxx.yyy: Invalid path: /etc/istio/egressgateway-ca-certs/ca.pem, outbound|443||logger.ingress.xxx.yyy: Invalid path: /etc/istio/egressgateway-ca-certs/ca.pem
  • The ACK ERROR causes the XDS status to go to STALE (Never Acknowledged).
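As an added check that is not part of this Red Hat solution, the script below scans `oc get destinationrule -A -o json` output for DestinationRules whose TLS settings reference files on the proxy filesystem, because every proxy the rule is exported to must carry those paths or it will reject the cluster update as shown above. The sample input is constructed to mirror the rule on this page; the rule name and namespace are placeholders.

```python
import json

# Constructed sample (rule name and namespace are placeholders) in the shape
# returned by `oc get destinationrule -A -o json`; item one mirrors this page's rule.
SAMPLE_JSON = json.dumps({"items": [
    {"metadata": {"name": "logger-egress", "namespace": "istio-system"},
     "spec": {"exportTo": ["."], "host": "xxxxxx-logger.ingress.apps.yyyyyyyyyy",
              "trafficPolicy": {"loadBalancer": {"simple": "ROUND_ROBIN"},
                                "portLevelSettings": [{"port": {"number": 443}, "tls": {
                                    "mode": "MUTUAL",
                                    "caCertificates": "/etc/istio/egressgateway-ca-certs/ca.pem",
                                    "clientCertificate": "/etc/istio/egressgateway-certs/tls.crt",
                                    "privateKey": "/etc/istio/egressgateway-certs/tls.key",
                                    "sni": "xxxxxx-logger.ingress.apps.yyyyyyyyyy"}}]}}},
    {"metadata": {"name": "reviews", "namespace": "bookinfo"},
     "spec": {"host": "reviews", "trafficPolicy": {"tls": {"mode": "ISTIO_MUTUAL"}}}},
]})

# TLS fields that hold a path on the proxy's own filesystem (not mesh-managed identity).
FILE_KEYS = ("caCertificates", "clientCertificate", "privateKey")


def tls_blocks(spec):
    """Yield (port_label, tls_settings) for the rule-wide and per-port TLS settings."""
    policy = spec.get("trafficPolicy", {})
    if "tls" in policy:
        yield "all", policy["tls"]
    for pls in policy.get("portLevelSettings", []):
        if "tls" in pls:
            yield str(pls.get("port", {}).get("number", "?")), pls["tls"]


def find_file_backed_rules(items_json):
    """Return one finding per TLS block that references files on the proxy filesystem.
    Every proxy in the rule's exportTo scope (default "*", all namespaces) must have
    those files, otherwise it NACKs the cluster update with an Invalid path error."""
    findings = []
    for item in json.loads(items_json)["items"]:
        meta, spec = item["metadata"], item["spec"]
        for port, tls in tls_blocks(spec):
            paths = [tls[k] for k in FILE_KEYS if k in tls]
            if paths:
                findings.append({"rule": f"{meta['namespace']}/{meta['name']}",
                                 "host": spec["host"], "port": port,
                                 "exportTo": spec.get("exportTo", ["*"]), "paths": paths})
    return findings


if __name__ == "__main__":
    for f in find_file_backed_rules(SAMPLE_JSON):
        print(f"{f['rule']} host={f['host']} port={f['port']} exportTo={f['exportTo']}")
        for p in f["paths"]:
            print(f"  requires {p} on every proxy in scope")
```

Pipe real cluster output into `find_file_backed_rules` instead of `SAMPLE_JSON` to list every rule whose scope includes proxies that do not mount the referenced secrets.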

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • 4.9 and later
  • OpenShift Service Mesh
    • 2.1 and later
