Say we have the Istio ingress gateway below, which is configured with 2 overlapping hosts, *.contoso.com and foo.contoso.com:
```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: external
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
    gateway: external
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: external-cert
    hosts:
    - "*.contoso.com"
    - "foo.contoso.com"
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*.contoso.com"
    - "foo.contoso.com"
```
Below are the Virtual Services configured with the above gateway.
```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: contoso-external
  namespace: contoso
spec:
  hosts:
  - "*.contoso.com"
  gateways:
  - istio-system/external
  http:
  - route:
    - destination:
        host: wildcard.contoso.xyz
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: foo-external
  namespace: contoso-foo
spec:
  hosts:
  - "foo.contoso.com"
  gateways:
  - istio-system/external
  http:
  - route:
    - destination:
        host: foo.contoso.xyz
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: bar-external
  namespace: contoso-bar
spec:
  hosts:
  - "bar.contoso.com"
  gateways:
  - istio-system/external
  http:
  - route:
    - destination:
        host: bar.contoso.xyz
```
Interestingly, through the ingress gateway, traffic with host header foo.contoso.com will be routed to wildcard.contoso.xyz instead of foo.contoso.xyz. But traffic with host header bar.contoso.com will be routed to bar.contoso.xyz correctly.
Can someone help me understand why this is happening? Why does the one I specified in the gateway host list fail to use its matching VirtualService, and instead get routed through the VirtualService defined for the wildcard host?