Duplicate HTTPS virtual services leads to "multiple filter chains with the same matching rules are defined" #30321

@howardjohn

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: ingressgateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*.example.com'
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      mode: PASSTHROUGH
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: vs1
  namespace: default
spec:
  gateways:
  - istio-system/ingressgateway
  hosts:
  - mysite.example.com
  tls:
  - match:
    - port: 443
      sniHosts:
      - mysite.example.com
    route:
    - destination:
        host: mysite.default.svc.cluster.local
        port:
          number: 443
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: vs2
  namespace: default
spec:
  gateways:
  - istio-system/ingressgateway
  hosts:
  - mysite.example.com
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: mysite-svc
        port:
          number: 443
  tls:
  - match:
    - port: 443
      sniHosts:
      - mysite.example.com
    route:
    - destination:
        host: mysite.default.svc.cluster.local
        port:
          number: 443
```

We should:

  1. Not fail with a NACK, and instead pick one of them
  2. Add an analyzer for this scenario
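
An added example, not part of the original issue and not Istio's analyzer code, of the duplicate check the second item asks for: it flags any gateway, port and SNI host combination that more than one VirtualService claims in its `tls` matches. The struct types and `FindDuplicateSNI` are hypothetical names; the code assumes namespace-qualified gateway references and exact string comparison of SNI hosts, so overlapping wildcards and matches without a port are not covered.

```go
package main

import "fmt"

// Simplified stand-ins for the Istio resources (assumed, not Istio's own types).
type TLSMatch struct {
	Port     int
	SNIHosts []string
}

type VirtualService struct {
	Name     string // namespace/name, assumed unique
	Gateways []string
	TLS      []TLSMatch
}

// FindDuplicateSNI maps each "gateway|port|sni" key claimed by more than one
// VirtualService to the names of the claimants, in input order.
func FindDuplicateSNI(vss []VirtualService) map[string][]string {
	claims := map[string][]string{}
	for _, vs := range vss {
		for _, gw := range vs.Gateways {
			for _, m := range vs.TLS {
				for _, sni := range m.SNIHosts {
					key := fmt.Sprintf("%s|%d|%s", gw, m.Port, sni)
					// One resource repeating its own match is not a cross-resource clash.
					if n := claims[key]; len(n) == 0 || n[len(n)-1] != vs.Name {
						claims[key] = append(n, vs.Name)
					}
				}
			}
		}
	}
	for key, names := range claims {
		if len(names) < 2 {
			delete(claims, key)
		}
	}
	return claims
}

// Sample is constructed from the two VirtualServices in the issue above.
func Sample() []VirtualService {
	gw := []string{"istio-system/ingressgateway"}
	tls := []TLSMatch{{Port: 443, SNIHosts: []string{"mysite.example.com"}}}
	return []VirtualService{{"default/vs1", gw, tls}, {"default/vs2", gw, tls}}
}

func main() { fmt.Println(FindDuplicateSNI(Sample())) }
```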
