Referencing the bookinfo yaml here. My gateway looks like:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      mode: PASSTHROUGH    # TLS is not terminated at the gateway
    hosts:
    - "*"
```
Configuring it to accept HTTPS from all hosts. However, in the VirtualService, I want to achieve URL-match-based routing. This is how my current configuration for the VS looks:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  tls:
  - match:
    - uri:
        prefix: /productpage
    - port: 443
      sniHosts:
      - "*"
    route:
    - destination:
        host: productpage
        port:
          number: 9080
```
On deploying, it fails with the error "TLS match must have at least one SNI host". The same VS configuration works if I remove the uri match criteria.
Is there a way to have URI-match-based routing for TLS while keeping generic sniHosts (as my host is common and I need to route to a particular app based on URL prefixes)?
In Istio, a VirtualService TLS match does not contain URI-based routing (link). TLS is a kind of opaque connection which can perform only host-based routing (as the hostname is present in the client hello of the tcp handshake).
In order to achieve path-based routing, you will need to terminate the TLS at the gateway level and perform routing based on HTTP. HTTP messages are transparent messages where L7 routing can be applied by Istio or any other intermediate layer.
Another alternative is to use nginx or any other reverse proxy (which performs the TLS termination and routes the call to the appropriate service directly). In short, in order to perform L7-based routing (path-based being one of them), you will need to decrypt the request (TLS termination), whether it is done at the Istio end or the application end.
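The configuration the answer describes, as an added example that is not part of the original question or answer: the Gateway terminates TLS itself (mode SIMPLE instead of PASSTHROUGH) and the VirtualService moves its rules from the `tls` section to the `http` section, where `uri.prefix` matching is valid. It assumes the bookinfo sample is deployed and that a TLS secret named `bookinfo-credential` (an assumed name) holding the server certificate and key exists in the `istio-system` namespace; the `/reviews` prefix is an assumed second route, added only to show traffic for one hostname being split across two apps.

```yaml
# Added example (not from the original post). Assumes a TLS secret named
# "bookinfo-credential" (assumed name) in istio-system, e.g. created with:
#   kubectl create -n istio-system secret tls bookinfo-credential \
#     --key=bookinfo.example.com.key --cert=bookinfo.example.com.crt
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE                 # gateway decrypts; only now are paths visible
      credentialName: bookinfo-credential
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:                            # L7 rules, valid only after TLS termination
  - match:
    - uri:
        prefix: /productpage
    route:
    - destination:
        host: productpage
        port:
          number: 9080
  - match:
    - uri:
        prefix: /reviews           # assumed second prefix -> a different app
    route:
    - destination:
        host: reviews
        port:
          number: 9080
```

With PASSTHROUGH the only plaintext the gateway ever sees is the SNI in the ClientHello, so `sniHosts` is the only thing it can match on; once the gateway holds the certificate and key it decrypts the request and the `uri` match becomes possible. Run `istioctl analyze` after applying, then test with `curl -vk --resolve bookinfo.example.com:443:$INGRESS_HOST https://bookinfo.example.com/productpage`, substituting the hostname on your certificate and the ingress gateway's external address. Note that the hop from the gateway to the workload is no longer covered by the client's TLS session; if that hop must stay encrypted, rely on Istio's sidecar mTLS between the gateway and productpage rather than on end-to-end passthrough.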