In Istio, I was wondering why VirtualService and DestinationRule are separated into two separate config files? AFAICT, the DestinationRule defines the subset and the VirtualService routes to the subset. Obviously, they both do more than just that, but my question is, what could have been the design thought behind separating the two. Why couldn't we have defined the subset in the VirtualService yaml itself?
A follow-on question is: Why is the circuit-breaker rules configured in the destination rule, while the timeouts and retries are configured in the VirtualService? Again, I guess, I am unable to comprehend the reasoning behind this design decision. If that is clear, both questions may be answered simultaneously. Any help in understanding this conceptually will be much appreciated.
They were designed to provide a clear separation of routing from post-routing behaviors.
A VirtualService is used to describe the mapping (route rules) from one or more user-addressable destinations (hosts) to the actual destination workloads (services) inside the mesh.
A DestainationRule then defines the set of policies to be applied to a request after VirtualService routing has occurred. They are intended to be authored by service owners, describing the circuit breakers, load balancer settings, TLS settings, etc.
An overview of how they work is here.
My guess, which is no more than an intuition, is that this separation reflects a structural definition on one hand, and a behavioural definition on the other.
So, the DestinationRule isn't likely to change (except when you're introducing new versions) whereas VirtualServices is more a candidate for tweaking & fine-tuning.
Also decoupling the two allows you to keep only 1 DestinationRule config but juggle with several VirtualServices configs.
I guess the same reason could answer your second question, since defining timeouts and retries is more like fine-tuning.
Maybe there are also technical reasons for that which I'm unaware of...
A virtualservice is like a virtual host in traditional proxy applications, such as nginx. In the other hand, a destination rule is like a cluster defination, sucn as upstream server in nginx. Circuit Breaker is designed for protecting upstream servers, but retries and timeouts is response to report client errors .