Destination Rule subset merge doesn't work as expected

[pavelkuchin]

Is this the right place to submit this?

• This is not a security vulnerability or a crashing bug
• This is not a question about how to use Istio

Bug Description

https://istio.io/latest/docs/ops/best-practices/traffic-management/#split-virtual-services claims that destination rules for same host will be merged but when I'm trying to create multiple destination rules for same host with different subsets only one of them is used. When I merge the DestinationRules into one then everything works as expected.
Separate Destination Rules (Doesn't work as expected)

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: dr-appa
spec:
  host: appa
  subsets:
  - name: qa
    labels:
      app: appa
      venv: qa

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: dr-appa
spec:
  host: appa
  subsets:
  - name: dev
    labels:
      app: appa
      venv: dev

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: dr-appa
spec:
  host: appa
  subsets:
  - name: dev-test
    labels:
      app: appa
      venv: dev-test

One Destination Rule (works as expected)

apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: dr-appa
spec:
  host: appa
  subsets:
  - name: qa
    labels:
      app: appa
      venv: qa
  - name: dev
    labels:
      app: appa
      venv: dev
  - name: dev-test
    labels:
      app: appa
      venv: dev-test

Version

MAC:local-istio-sandbox Pavel.Kuchin$ istioctl --context kind-kind --kubeconfig ~/.kube/kind version
client version: 1.15.0
control plane version: 1.20.7
data plane version: 1.20.7 (8 proxies)

MAC:local-istio-sandbox Pavel.Kuchin$ kubectl --context kind-kind --kubeconfig ~/.kube/kind version
WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short.  Use --output=yaml|json to get the full version.
Client Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.1", GitCommit:"e4d4e1ab7cf1bf15273ef97303551b279f0920a9", GitTreeState:"clean", BuildDate:"2022-09-14T19:40:59Z", GoVersion:"go1.19.1", Compiler:"gc", Platform:"darwin/arm64"}
Kustomize Version: v4.5.7
Server Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.0", GitCommit:"a866cbe2e5bbaa01cfd5e969aa3e033f3282a8a2", GitTreeState:"clean", BuildDate:"2022-09-01T23:34:08Z", GoVersion:"go1.19", Compiler:"gc", Platform:"linux/arm64"}

Additional Information

MAC:local-istio-sandbox Pavel.Kuchin$ istioctl --context kind-kind --kubeconfig ~/.kube/kind bug-report

Target cluster context: kind-kind
Running with the following config: 

kubeconfig: /Users/Pavel.Kuchin/.kube/kind
context: kind-kind
istio-namespace: istio-system
full-secrets: false
timeout (mins): 30
include: {  }
exclude: { Namespaces: kube-node-lease,kube-public,kube-system,local-path-storage }
end-time: 2024-06-12 10:44:17.181707 -0400 EDT



Cluster endpoint: https://127.0.0.1:57784
CLI version:
version.BuildInfo{Version:"1.15.0", GitRevision:"e3364ab424b70ca8ee1ca76cb0b3afb73476aaac-dirty", GolangVersion:"go1.18.5", BuildStatus:"Clean", GitTag:"1.15.0"}

The following Istio control plane revisions/versions were found in the cluster:
Revision 1-20:
&version.MeshInfo{
    {
        Component: "istiod",
        Info:      version.BuildInfo{Version:"1.20.7", GitRevision:"b41f63d6e0b6f92712f17a5892260fb4f3dd9d30", GolangVersion:"", BuildStatus:"Clean", GitTag:"1.20.7"},
    },
}

The following proxy revisions/versions were found in the cluster:
Revision 1-20: Versions {1.20.7}


Fetching proxy logs for the following containers:

istio-system/istio-ingressgateway/istio-ingressgateway-7fd695cfb9-c7r8z/istio-proxy
istio-system/istiod-1-20/istiod-1-20-55b8d6c6fc-rswgw/discovery
kubernetes-dashboard/dashboard-metrics-scraper/dashboard-metrics-scraper-7cc7856cfb-ckjn7/dashboard-metrics-scraper
kubernetes-dashboard/kubernetes-dashboard/kubernetes-dashboard-b8df5b7bc-f8d87/kubernetes-dashboard
test//alpine/alpine
test//alpine/istio-proxy
test/appa-dev-deployment/appa-dev-deployment-7b5ddbc69f-99zr7/appa-dev
test/appa-dev-deployment/appa-dev-deployment-7b5ddbc69f-99zr7/istio-proxy
test/appa-dev-test-deployment/appa-dev-test-deployment-79fbd7c8dd-p747z/appa-dev-test
test/appa-dev-test-deployment/appa-dev-test-deployment-79fbd7c8dd-p747z/istio-proxy
test/appa-qa-deployment/appa-qa-deployment-8d8885b8d-7cdpc/appa-qa
test/appa-qa-deployment/appa-qa-deployment-8d8885b8d-7cdpc/istio-proxy
test/appb-dev-deployment/appb-dev-deployment-6888666798-bfpm5/appb-dev
test/appb-dev-deployment/appb-dev-deployment-6888666798-bfpm5/istio-proxy
test/appb-dev-test-deployment/appb-dev-test-deployment-66bf9bd877-79hfn/appb-dev-test
test/appb-dev-test-deployment/appb-dev-test-deployment-66bf9bd877-79hfn/istio-proxy
test/appb-qa-deployment/appb-qa-deployment-bd9cdcdd5-lprw7/appb-qa
test/appb-qa-deployment/appb-qa-deployment-bd9cdcdd5-lprw7/istio-proxy

Fetching Istio control plane information from cluster.

Running istio analyze on all namespaces and report as below:
Analysis Report:
Error [IST0109] (VirtualService test/vs-appa-dev-test) The VirtualServices test/vs-appa-qa,test/vs-appa-dev,test/vs-appa-dev-test associated with mesh gateway define the same host */appa.test.svc.cluster.local which can lead to undefined behavior. This can be fixed by merging the conflicting VirtualServices into a single resource.
Error [IST0109] (VirtualService test/vs-appa-dev) The VirtualServices test/vs-appa-qa,test/vs-appa-dev,test/vs-appa-dev-test associated with mesh gateway define the same host */appa.test.svc.cluster.local which can lead to undefined behavior. This can be fixed by merging the conflicting VirtualServices into a single resource.
Error [IST0109] (VirtualService test/vs-appa-qa) The VirtualServices test/vs-appa-qa,test/vs-appa-dev,test/vs-appa-dev-test associated with mesh gateway define the same host */appa.test.svc.cluster.local which can lead to undefined behavior. This can be fixed by merging the conflicting VirtualServices into a single resource.
Error [IST0109] (VirtualService test/vs-appb-dev-test) The VirtualServices test/vs-appb-dev,test/vs-appb-dev-test,test/vs-appb-qa associated with mesh gateway define the same host */appb.test.svc.cluster.local which can lead to undefined behavior. This can be fixed by merging the conflicting VirtualServices into a single resource.
Error [IST0109] (VirtualService test/vs-appb-dev) The VirtualServices test/vs-appb-dev,test/vs-appb-dev-test,test/vs-appb-qa associated with mesh gateway define the same host */appb.test.svc.cluster.local which can lead to undefined behavior. This can be fixed by merging the conflicting VirtualServices into a single resource.
Error [IST0109] (VirtualService test/vs-appb-qa) The VirtualServices test/vs-appb-dev,test/vs-appb-dev-test,test/vs-appb-qa associated with mesh gateway define the same host */appb.test.svc.cluster.local which can lead to undefined behavior. This can be fixed by merging the conflicting VirtualServices into a single resource.
Warning [IST0108] (Pod test/alpine) Unknown annotation: istio.io/rev
Warning [IST0108] (Pod test/appa-dev-deployment-7b5ddbc69f-99zr7) Unknown annotation: istio.io/rev
Warning [IST0108] (Pod test/appa-dev-test-deployment-79fbd7c8dd-p747z) Unknown annotation: istio.io/rev
Warning [IST0108] (Pod test/appa-qa-deployment-8d8885b8d-7cdpc) Unknown annotation: istio.io/rev
Warning [IST0108] (Pod test/appb-dev-deployment-6888666798-bfpm5) Unknown annotation: istio.io/rev
Warning [IST0108] (Pod test/appb-dev-test-deployment-66bf9bd877-79hfn) Unknown annotation: istio.io/rev
Warning [IST0108] (Pod test/appb-qa-deployment-bd9cdcdd5-lprw7) Unknown annotation: istio.io/rev
Info [IST0102] (Namespace default) The namespace is not enabled for Istio injection. Run 'kubectl label namespace default istio-injection=enabled' to enable it, or 'kubectl label namespace default istio-injection=disabled' to explicitly mark it as not needing injection.
Info [IST0102] (Namespace kubernetes-dashboard) The namespace is not enabled for Istio injection. Run 'kubectl label namespace kubernetes-dashboard istio-injection=enabled' to enable it, or 'kubectl label namespace kubernetes-dashboard istio-injection=disabled' to explicitly mark it as not needing injection.
Info [IST0118] (Service kubernetes-dashboard/dashboard-metrics-scraper) Port name  (port: 8000, targetPort: 8000) doesn't follow the naming convention of Istio port.
Info [IST0118] (Service kubernetes-dashboard/kubernetes-dashboard) Port name  (port: 443, targetPort: 8443) doesn't follow the naming convention of Istio port.
Creating an archive at /Users/Pavel.Kuchin/src/Disney/local-istio-sandbox/bug-report.tar.gz.
Cleaning up temporary files in /var/folders/rh/2k4ndbtj1yl6rqqkbz7j_r4h0000gq/T/bug-report.
Done.

[hzxuzhonghu]

Let me have look

[hzxuzhonghu]

With separate DRs, why do you set same name?

[pavelkuchin]

With separate DRs, why do you set same name?

Hello @hzxuzhonghu, thank you for looking into it!
We are working on virtual environments concepts and leveraging istio to separate traffic. We need separate DRs (with separate subsets) for the same host to allow end-users to create their own environments. Since we allow custom environments, potentially number of such environments can be high and it is desirable to keep them separate instead of piling up in one large DR file.

[hzxuzhonghu]

I mean the name of the DRs are all dr-appa

[pavelkuchin]

Hey @hzxuzhonghu, you are right, I don't think it makes sense to use same name. After using different names for DRs merge works as expected. Thanks a lot for looking into it. Closing the ticket.