TLS match must have at least one SNI host

7/16/2020

Referencing the bookinfo yaml here: my gateway looks like:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      mode: PASSTHROUGH # TLS is not terminated here; the gateway only sees the SNI
    hosts:
    - "*"

This configures it to accept HTTPS from all hosts. However, in the VirtualService I want to achieve URL-match-based routing. This is how my current configuration for the VS looks.

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  tls:
  - match:
    # two separate match entries (OR'd); this first one carries only 'uri',
    # which is not a TLS match attribute, and has no sniHosts of its own
    - uri:
        prefix: /productpage
    - port: 443
      sniHosts:
      - "*"
    route:
    - destination:
        host: productpage
        port:
          number: 9080

On deploying, it fails with the error "TLS match must have at least one SNI host". The same VS configuration works if I remove the uri match criteria.

Is there a way to have URI-match-based routing for TLS while keeping generic sniHosts (as my host is common and I need to route to a particular app based on URL prefixes)?

-- Jim
azure-aks
istio
kubernetes
kubernetes-ingress

1 Answer

7/17/2020

In Istio, a VirtualService TLS match does not contain URI-based routing (link). TLS is a kind of opaque connection which can perform only host-based routing (as the hostname is present in the client hello TCP handshake).

In order to achieve path-based routing, you will need to terminate the TLS at the gateway level and perform routing based on HTTP. HTTP messages are transparent messages where L7 routing can be applied by Istio or any other intermediate layer.

Another alternative is to use nginx or any other reverse proxy (which performs the SSL termination and routes the call to the appropriate service directly). In short, in order to perform L7-based routing (path-based being one of them), you will need to decrypt the request (TLS termination), whether it is done at the Istio end or the application end.

-- Atul
Source: StackOverflow
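The terminate-at-the-gateway approach from the answer above, written out as an added example (it is not part of the original question or answer). It assumes a Kubernetes TLS Secret named bookinfo-credential in the istio-system namespace holding the server certificate and key; the productpage and details services on port 9080 are from the bookinfo sample, and routing the /details prefix is an assumed second rule added to show more than one prefix.

```yaml
# Added example: TLS terminated at the ingress gateway so the VirtualService
# can match on URI. Assumes a TLS Secret "bookinfo-credential" in the
# istio-system namespace (for example created with
#   kubectl create -n istio-system secret tls bookinfo-credential \
#     --cert=server.crt --key=server.key
# ); the Secret name is an assumption, not from the original post.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE                         # terminate TLS here instead of PASSTHROUGH
      credentialName: bookinfo-credential  # Secret in the ingress gateway's namespace
      minProtocolVersion: TLSV1_2          # refuse TLS 1.0/1.1 clients
    hosts:
    - "*"                                  # the certificate must cover the names clients use
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:                     # L7 rules: after termination the gateway sees plain HTTP
  - match:
    - uri:
        prefix: /productpage
    route:
    - destination:
        host: productpage
        port:
          number: 9080
  - match:
    - uri:
        prefix: /details    # assumed second prefix, routed to another bookinfo service
    route:
    - destination:
        host: details
        port:
          number: 9080
```

Apply both objects with kubectl apply -f, then curl -vk https://<ingress-ip>/productpage: the handshake now shows the gateway's certificate and the request reaches productpage, while a path no rule matches (for example /nope) is answered with a 404 by the gateway itself. Terminating at the gateway does not leave the hop to productpage in cleartext when mesh mTLS is enabled, because the sidecars re-encrypt it inside the mesh; what you give up compared with PASSTHROUGH is end-to-end TLS from the client to the workload, which is the trade the answer describes.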