ExternalName service does not generate xds correctly #50912

Open
hzxuzhonghu opened this issue May 8, 2024 · 12 comments

@hzxuzhonghu
Member

Following this guide https://istio.io/latest/docs/tasks/traffic-management/egress/egress-kubernetes-services/#cleanup-of-kubernetes-externalname-service

```
$ kubectl apply -f - <<EOF
kind: Service
apiVersion: v1
metadata:
  name: my-httpbin
spec:
  type: ExternalName
  externalName: httpbin.org
  ports:
  - name: http
    protocol: TCP
    port: 80
EOF
```

I cannot access my-httpbin.default.svc.cluster.local/headers as expected.

After checking the xds, I cannot find the related cluster for my-httpbin.

@hzxuzhonghu
Member Author

I know #46332 is related. @howardjohn, is this intended to break?

@howardjohn
Member

works for me.

```
$  cat <<EOF | kubectl apply -f -
kind: Service
apiVersion: v1
metadata:
  name: my-httpbin
spec:
  type: ExternalName
  externalName: httpbin.org
  ports:
  - name: http
    protocol: TCP
    port: 80
EOF
service/my-httpbin created
$ qbash shell
/ $curl my-httpbin.default.svc.cluster.local/headers
{
  "headers": {
    "Accept": "*/*",
    "Host": "my-httpbin.default.svc.cluster.local",
    "User-Agent": "curl/8.5.0",
    "X-Amzn-Trace-Id": "Root=1-663b86b4-6262137f746d55f6040ad7c5",
    "X-Envoy-Attempt-Count": "1",
    "X-Envoy-Peer-Metadata": "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",
    "X-Envoy-Peer-Metadata-Id": "sidecar~10.244.0.37~shell-78486b7757-94hnr.default~default.svc.cluster.local"
  }
}
/ $
```

what is your setup? need more info

@hzxuzhonghu
Member Author

Maybe I need to do that in a totally new env too. Need to investigate.

@hzxuzhonghu
Member Author

hzxuzhonghu commented May 11, 2024

@howardjohn I am using the latest Istio, and with ENABLE_EXTERNAL_NAME_ALIAS set to true, there is no my-httpbin cluster generated. The request goes through the passthrough cluster.

@howardjohn
Member

Right, it should go through the passthrough cluster unless you have an SE for httpbin.org

@hzxuzhonghu
Member Author

Then users cannot set connection pool or tls settings with DR

@howardjohn
Member

Correct, they will need a SE for that. If they define that, the behavior will be the same as it was previously
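
The setup discussed in the replies above, as an added example that is not part of the original thread or the Istio project's own manifests: a ServiceEntry for the external host plus a DestinationRule carrying connection pool settings. The resource name `httpbin-ext`, the `default` namespace and the pool limits are assumptions chosen for illustration, and pointing the DestinationRule at `httpbin.org` rather than at `my-httpbin` is an assumption drawn from the replies.

```yaml
# Constructed example. Registers the external host that the ExternalName
# Service (my-httpbin) points at, so the proxy builds a dedicated cluster
# for it instead of sending the request through the passthrough cluster.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: httpbin-ext          # hypothetical name
  namespace: default         # assumed namespace
spec:
  hosts:
  - httpbin.org              # must match spec.externalName of the Service
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
  - number: 80
    name: http
    protocol: HTTP
---
# Traffic policy attached to the external host itself, not to the
# ExternalName Service name.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: httpbin-ext          # hypothetical name
  namespace: default         # assumed namespace
spec:
  host: httpbin.org
  trafficPolicy:
    connectionPool:          # illustrative limits, tune for your workload
      tcp:
        maxConnections: 10
        connectTimeout: 5s
      http:
        http1MaxPendingRequests: 5
        maxRequestsPerConnection: 1
```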

@Jonnymcc

Was reading this and was wondering why it causes our externalName services to 503 when used in a virtualService. We used to route to the service and the service provided an alias external to the cluster. After upgrading from 1.18.2 to 1.20.2 our VS produced a 503. The service itself was still reachable from within a pod (with Istio sidecar).

I see that the behavior was not supposed to change but could be opted into with ENABLE_EXTERNAL_NAME_ALIAS=true. When was this behavior enforced? Is this why we are seeing 503's? The VS route did begin working again after adding a serviceEntry that matched the external name.

@howardjohn
Member

it should only change in 1.21

@howardjohn
Member

there was some bug around this though, let me double check

@howardjohn
Member

#50571 was the fix I was thinking, will be in 1.21.3. But you are on 1.20.

huh, that should have been cherrypicked to 1.20 but was missed

@howardjohn
Member

#51241
