John Howard
I'd have to look closer to be sure/find the PR but iirc there was a change to not merge services with mismatched label selectors
(TLS passthrough) with istio 1.21.0 with k8s gateway api. Looks like TLS passthrough does not work.
closing as this was resolved - thanks!
:eyes:
```
$ ik pc l deploy/shell | rg 9092
0.0.0.0 9092 ALL PassthroughCluster
0.0.0.0 9092 Addr: 10.123.8.192/28 Cluster: outbound|9092||b-1.msk02.fedcba.b12.kafka.us-east-1.amazonaws.com
$ cat
```
Just to clarify in my comment, I think this is a bug. Just a subtle one which is only triggered in some scenarios. Details incoming as I investigate, I think I...
So the difference is from a mismatch in `SidecarScope.services` and `SidecarScope.EgressListeners.services`. The former is used in CDS/NDS, the latter in LDS/RDS (proxyless gRPC uses the SidecarScope.services for LDS -- perhaps...
I put a PR up to fully unify these two codepaths: https://github.com/istio/istio/pull/51776. It fixes this case, though I am sure there are some weird edge cases I didn't think of,...
Alright, looks like every test failed so it's not exactly ready to go :-). Just setting
```
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: sidecar
spec:
  egress:
  - hosts:
    - ./*...
```
Route has a similar but different issue:
```
apiVersion: networking.istio.io/v1
kind: ServiceEntry
metadata:
  name: test-se
  namespace: echo
spec:
  addresses:
  - 240.240.240.210
  - 2001:2::f0f0:255
  endpoints:
  - address: fc00:f853:ccd:e793::65
    ports:
      http: 80...
```
I view 51776 as highly risky, so would prefer backporting 51967 and work on 51776 in master and taking our time to get it right
Wanted to follow up on this. The 1.22 and 1.23 changes for this have been reverted. There is a simple workaround:
```yaml
apiVersion: networking.istio.io/v1
kind: Sidecar
metadata:
  name: sidecar
  namespace: default...
```