Closed
Update: the original bug was fixed by making the alpha3 rule valid. What remains is adding back
the original invalid rule as a regression, and fixing the code to not generate invalid MTLS settings
(ignore the rule).
This seems to be the only alpha3 test failing right now - and only in MTLS.
A bit hard to figure out from logs - to repro I suggest running only that test (commenting out all other route tests), and check the sidecar output.
Traced it down to:
```
[2018-03-16 00:52:08.052][17][warning][upstream] external/envoy/source/server/lds_subscription.cc:68] lds: fetch failure: tcp proxy: unknown cluster 'out.orig-dst-cluster-tcp' in TCP route
[2018-03-16 00:52:09.015][17][warning][upstream] external/envoy/source/common/upstream/cds_subscription.cc:67] cds: fetch failure: JSON at lines 494-507 does not conform to schema.
Invalid schema: #/definitions/ssl_context/properties/verify_subject_alt_name
Schema violation: type
Offending document key: #/ssl_context/verify_subject_alt_name
```
Which in turn corresponds to:
```json
{
  "name": "out.v2.pilot-auth-test.svc.cluster.local|grpc",
  "service_name": "v2.pilot-auth-test.svc.cluster.local|grpc",
  "connect_timeout_ms": 5000,
  "type": "sds",
  "lb_type": "round_robin",
  "ssl_context": {
    "cert_chain_file": "/etc/certs/cert-chain.pem",
    "private_key_file": "/etc/certs/key.pem",
    "ca_cert_file": "/etc/certs/root-cert.pem",
    "verify_subject_alt_name": null
  },
  "features": "http2"
},
```
For reference the rule is:
v1alpha3/rule-regex-route.yaml.tmpl
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: default-route
spec:
  hosts:
  - c
  http:
  - match:
    - headers:
        foo:
          regex: "b.*"
      source_labels:
        version: v1
    route:
    - destination:
        name: c
        subset: v2
      weight: 100
  - route:
    - destination:
        name: v2
      weight: 100
```
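As an added illustration (not code from this issue or from Istio), a Go check that applies the same schema rule Envoy enforces in the log above to generated v1 clusters and drops an offending cluster instead of pushing it to the sidecar; the sample input is constructed from the cluster JSON above, and the SPIFFE identity in the second cluster is an assumed value.

```go
package main
import (
	"encoding/json"
	"fmt"
)
// Constructed sample: the offending cluster quoted in the issue plus a well-formed
// one; the SPIFFE identity in the second is an assumed value, not from the issue.
const sampleClusters = `[
  {"name": "out.v2.pilot-auth-test.svc.cluster.local|grpc", "type": "sds",
   "ssl_context": {"ca_cert_file": "/etc/certs/root-cert.pem", "verify_subject_alt_name": null}},
  {"name": "out.c.pilot-auth-test.svc.cluster.local|grpc", "type": "sds",
   "ssl_context": {"ca_cert_file": "/etc/certs/root-cert.pem",
                   "verify_subject_alt_name": ["spiffe://cluster.local/ns/pilot-auth-test/sa/default"]}}
]`
// checkSAN applies the rule Envoy enforced in the log above: when present,
// ssl_context.verify_subject_alt_name must be an array of strings.
func checkSAN(cluster map[string]interface{}) error {
	ctx, _ := cluster["ssl_context"].(map[string]interface{}) // nil map for a plaintext cluster
	raw, present := ctx["verify_subject_alt_name"]
	if !present {
		return nil // no TLS, or no SAN pinning: nothing to verify
	}
	list, ok := raw.([]interface{}) // JSON null decodes to a nil interface and fails here
	if !ok {
		return fmt.Errorf("#/ssl_context/verify_subject_alt_name: got %T, want array of strings", raw)
	}
	for i, v := range list {
		if _, ok := v.(string); !ok {
			return fmt.Errorf("#/ssl_context/verify_subject_alt_name/%d: got %T, want string", i, v)
		}
	}
	return nil
}
// FilterClusters drops clusters that would be rejected instead of pushing them to
// the sidecar; it returns the kept names and the dropped names with the reason.
func FilterClusters(doc []byte) (kept, dropped []string, err error) {
	var clusters []map[string]interface{}
	if e := json.Unmarshal(doc, &clusters); e != nil {
		return nil, nil, e
	}
	for _, c := range clusters {
		name, _ := c["name"].(string)
		if e := checkSAN(c); e != nil {
			dropped = append(dropped, name+": "+e.Error())
		} else {
			kept = append(kept, name)
		}
	}
	return kept, dropped, nil
}
```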