John Howard
The EKS IPv4 vs IPv6 setup is probably making this check: https://github.com/istio/istio/blob/65d15b6b616ac969f2a354a990599fd908ba3b28/pilot/pkg/networking/core/v1alpha3/tls.go#L206 fail. `actualWildcard` is probably 0.0.0.0 but svcListenAddress=="::" or something
Ok I can reproduce it on just a simple IPv6 only kind cluster
So the problem is svcListenAddress is always set to 0.0.0.0 while the actualWildcard is `::`. Not sure why it worked in 1.19, though
Here is the culprit: https://github.com/istio/istio/commit/ce053f0bb0fad42cc15c98ac49aa0e11f7482c9c#diff-b054376d40667db7823124715d25d44bbc43b6f9cc2dee26117cfa5a3f1c7435R59. Very subtle and unintended. With the `/` vs without we hit different paths: https://github.com/istio/istio/blob/1963196b26c31585874e81633df1393558625e77/pilot/pkg/networking/core/v1alpha3/listener.go#L815. If CIDR is set, it lets us pass this `if`: https://github.com/istio/istio/blob/65d15b6b616ac969f2a354a990599fd908ba3b28/pilot/pkg/networking/core/v1alpha3/tls.go#L206....
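As an added illustration of the mismatch described in the comments above (IPv4 wildcard `0.0.0.0` hard-coded as the service listen address while an IPv6-only cluster's real wildcard is `::`), here is a small Go program that makes the check family-aware. It is example code written for this page, not Istio's own code; the function names `wildcardFor`, `familyMismatch` and `effectiveListenAddress` and the sample node address are assumptions, and the CIDR handling only mirrors the "with `/` vs without" distinction mentioned above.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// wildcardFor returns the "any address" listener address for the IP family
// of addr: "0.0.0.0" for IPv4 and "::" for IPv6. addr may be a bare IP or a
// CIDR (the trailing "/prefix" form). Unparseable input falls back to the
// IPv4 wildcard, which is exactly the IPv4-only assumption that broke on
// IPv6-only clusters.
func wildcardFor(addr string) string {
	host := addr
	if i := strings.Index(addr, "/"); i >= 0 {
		host = addr[:i]
	}
	ip := net.ParseIP(host)
	if ip == nil || ip.To4() != nil {
		return "0.0.0.0"
	}
	return "::"
}

// isWildcard reports whether addr is one of the two wildcard spellings.
func isWildcard(addr string) bool {
	return addr == "0.0.0.0" || addr == "::"
}

// familyMismatch reports the failure mode from the thread: both values are
// wildcards, but they are of different address families, so a plain string
// equality check fails even though both mean "listen on every address".
func familyMismatch(svcListenAddress, actualWildcard string) bool {
	return isWildcard(svcListenAddress) && isWildcard(actualWildcard) &&
		svcListenAddress != actualWildcard
}

// effectiveListenAddress rewrites a wildcard listen address to the wildcard
// of the node's own family, so IPv4-only, IPv6-only and dual-stack nodes
// all produce a listen address that compares equal to the real wildcard.
func effectiveListenAddress(svcListenAddress, nodeAddr string) string {
	if isWildcard(svcListenAddress) {
		return wildcardFor(nodeAddr)
	}
	return svcListenAddress
}

func main() {
	// Constructed sample: a pod address on an IPv6-only kind cluster.
	node := "fd00:10:244::5"
	fmt.Println(wildcardFor(node))                                  // ::
	fmt.Println(familyMismatch("0.0.0.0", wildcardFor(node)))       // true
	fmt.Println(effectiveListenAddress("0.0.0.0", node))            // ::
	fmt.Println(wildcardFor("10.0.0.0/8"), wildcardFor("10.0.0.5")) // 0.0.0.0 0.0.0.0
}
```

The point of `effectiveListenAddress` is that the comparison against the actual wildcard is done after normalising to the node's family; a check that compares the raw configured string will pass on IPv4 clusters and silently fail on IPv6-only ones, which is the symptom reproduced above.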
Can you try later Istio version? 1.17 is EOL and there have been fixes in this area
Ah, misunderstood the issue here. Got it now. ORIGINAL_DST applies to the port as well, so it's not overriding the port, so it's ultimately going to httpbin.org:80 with TLS which...
There is the _ability for us to implement_ `targetPort` on NONE service entry, but it hasn't been done -- largely due to concerns of backwards incompatibility. But I think we...
I think there is a long standing issue that a single envoy will only ever open one socket so 1 coredns instance. But I wouldn't expect them to _all_ pick...
> Due to TLS origination I can't use resolution: NONE

Technically you can, you just need to send the HTTP request on port 443 which is fairly awkward https://github.com/envoyproxy/envoy/issues/20562 could...
Put up a draft in https://github.com/istio/istio/pull/49585