Is it possible to limit the DestinationRule scope in OpenShift Service Mesh 2.x?
Issue
- Istiod (Pilot) pushes cluster configuration (CDS) to every proxy in the OpenShift Service Mesh that a resource is exported to. Some parts of that configuration are meant for only one proxy, for instance the file-based client certificates in the following DestinationRule:

```yaml
spec:
  exportTo:
  - .
  host: xxxxxx-logger.ingress.apps.yyyyyyyyyy
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 443
      tls:
        caCertificates: /etc/istio/egressgateway-ca-certs/ca.pem
        clientCertificate: /etc/istio/egressgateway-certs/tls.crt
        mode: MUTUAL
        privateKey: /etc/istio/egressgateway-certs/tls.key
        sni: xxxxxx-logger.ingress.apps.yyyyyyyyyy
```
- `exportTo: .` scopes the rule to its own namespace, not to a single workload, so this configuration reaches both the ingress gateways and the egress gateways. The ingress gateway Pods do not have the egress gateway certificate volumes mounted, so they cannot read the referenced paths, reject the cluster update and istiod logs an ACK ERROR:
2021-10-13T05:40:43Z warn ads ADS:CDS: ACK ERROR 10.0.0.40:36374 router~10.0.0.40~ingress-xxxx-yyyyyyyyyy.xxxxxxxxxxxxxxxxxx-yyyyyyyyy (xxx.yyyy) Internal:Error adding/updating cluster(s) outbound|443||xxxx.yyyyy Invalid path: /etc/istio/egressgateway-ca-certs/ca.pem, outbound|443||xxxx.yyy: Invalid path: /etc/istio/egressgateway-ca-certs/ca.pem, outbound|443||logger.ingress.xxx.yyy: Invalid path: /etc/istio/egressgateway-ca-certs/ca.pem
- Because the rejected push is never acknowledged, the XDS status of the affected proxy goes to STALE (Never Acknowledged) in `istioctl proxy-status`, and the proxy keeps running its last accepted configuration.
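The check a practitioner wants before applying such a rule is: which proxies will receive it (from `exportTo`), and does each of them have the referenced TLS files mounted? The following Python is an added example written for this page, not code from the Red Hat article or from Istio; the DestinationRule is the one above rewritten as a dict, and the gateway Pods, their names, namespaces and volume mounts are constructed and trimmed to the fields the check needs. The default `exportTo` of `*` when the field is absent is Istio's documented default (`defaultDestinationRuleExportTo` in mesh config).

```python
from typing import Dict, List, Set

# Constructed: the article's DestinationRule as a dict. Name and namespace are
# assumptions (the article does not show metadata); exportTo "." means "own namespace".
DESTINATION_RULE = {
    "metadata": {"name": "logger-mtls", "namespace": "istio-system"},
    "spec": {
        "exportTo": ["."],
        "host": "xxxxxx-logger.ingress.apps.yyyyyyyyyy",
        "trafficPolicy": {
            "loadBalancer": {"simple": "ROUND_ROBIN"},
            "portLevelSettings": [{
                "port": {"number": 443},
                "tls": {
                    "mode": "MUTUAL",
                    "caCertificates": "/etc/istio/egressgateway-ca-certs/ca.pem",
                    "clientCertificate": "/etc/istio/egressgateway-certs/tls.crt",
                    "privateKey": "/etc/istio/egressgateway-certs/tls.key",
                    "sni": "xxxxxx-logger.ingress.apps.yyyyyyyyyy",
                },
            }],
        },
    },
}

# Constructed, trimmed Pods: only name, namespace and container mount points.
# Mount paths follow the article's naming; they are not taken from a real cluster.
GATEWAY_PODS = [
    {"name": "istio-ingressgateway-5b7f9", "namespace": "istio-system",
     "mounts": ["/etc/istio/ingressgateway-certs", "/etc/istio/ingressgateway-ca-certs"]},
    {"name": "istio-egressgateway-7c4d2", "namespace": "istio-system",
     "mounts": ["/etc/istio/egressgateway-certs", "/etc/istio/egressgateway-ca-certs"]},
    {"name": "sleep-6d9c1", "namespace": "bookinfo", "mounts": []},
]

# tls fields that Envoy resolves as files on the proxy's own filesystem.
TLS_FILE_KEYS = ("caCertificates", "clientCertificate", "privateKey")


def tls_file_paths(dr: dict) -> List[str]:
    """Every file path the rule's tls settings reference, top-level and per port."""
    tp = dr["spec"].get("trafficPolicy", {})
    blocks = [tp.get("tls", {})] + [p.get("tls", {}) for p in tp.get("portLevelSettings", [])]
    return sorted({b[k] for b in blocks for k in TLS_FILE_KEYS if k in b})


def receiving_namespaces(dr: dict) -> Set[str]:
    """Resolve exportTo: '.' is the rule's own namespace, '*' is every namespace,
    and an absent field behaves like '*' under Istio's default mesh config."""
    own = dr["metadata"]["namespace"]
    export = dr["spec"].get("exportTo") or ["*"]
    return {own if e == "." else e for e in export}


def pod_receives(dr: dict, pod: dict) -> bool:
    """True when istiod will push this rule's clusters to the pod's proxy."""
    ns = receiving_namespaces(dr)
    return "*" in ns or pod["namespace"] in ns


def missing_paths(pod: dict, paths: List[str]) -> List[str]:
    """Paths that lie under none of the pod's mount points; Envoy will reject them."""
    return [p for p in paths
            if not any(p.startswith(m.rstrip("/") + "/") for m in pod["mounts"])]


def audit(dr: dict, pods: List[dict]) -> Dict[str, List[str]]:
    """For each proxy that receives the rule, the TLS files it cannot read.
    An empty list means the proxy can apply the rule; a non-empty one predicts
    the 'Invalid path' ACK ERROR and a STALE proxy status for that proxy."""
    paths = tls_file_paths(dr)
    return {p["name"]: missing_paths(p, paths) for p in pods if pod_receives(dr, p)}


if __name__ == "__main__":
    for name, missing in audit(DESTINATION_RULE, GATEWAY_PODS).items():
        status = "ok" if not missing else "will reject: " + ", ".join(missing)
        print(f"{name}: {status}")
```

With the article's rule the egress gateway comes back clean, the ingress gateway reports all three certificate paths as unreadable, and the `sleep` sidecar in another namespace is not in the output at all, which is exactly the blast radius `exportTo: .` gives you: namespace-wide, not workload-wide. Feeding real Pod specs in (`oc get pod -n istio-system -o json`, mapping `spec.containers[].volumeMounts[].mountPath` to `mounts`) turns this into a pre-apply check.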
Environment
- Red Hat OpenShift Container Platform (RHOCP) 4.9 and later
- OpenShift Service Mesh 2.1 and later