istio gateway stops working when using subdomain in virtualservice


I have this GCP load balancer within a GKE Ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: gcp-loadbalancer-ingress
  namespace: istio-ingress
spec:
  rules:
    - host: "*.foo.com"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: istio-ingressgateway
                port:
                  number: 80
The istio gateway looks like this:

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: gateway
  namespace: istio-ingress
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
    - "*.foo.com"

And virtual service:

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: sample-app
  namespace: istio-ingress
spec:
  hosts:
  - "*"
  # - "app.foo.com" If replace above with this it stops working
  gateways:
  - gateway
  http:
  - match:
      - uri:
          prefix: /
    route:
      - destination:
          host: sample-app

How can I restrict this so that the sample-app VirtualService only routes when the request host is app.foo.com?

Update

Wondering if the issue has something to do with my istio-ingressgateway Service:

kind: Service
apiVersion: v1
metadata:
  name: istio-ingressgateway
  namespace: istio-ingress
  labels:
    app: istio-ingressgateway
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: istio-ingressgateway
    app.kubernetes.io/version: 1.20.0
    helm.sh/chart: gateway-1.20.0
    istio: ingressgateway
  annotations:
    cloud.google.com/neg: '{"ingress":true}'
    meta.helm.sh/release-name: istio-ingressgateway
    meta.helm.sh/release-namespace: istio-ingress
spec:
  ports:
  - name: status-port
    protocol: TCP
    port: 15021
    targetPort: 15021
    nodePort: 30276
  - name: http-web
    protocol: TCP
    port: 80
    targetPort: 80
    nodePort: 31849
  - name: https-ssl
    protocol: TCP
    port: 443
    targetPort: 443
    nodePort: 30824
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
  clusterIP: {IP}
  clusterIPs:
  - {IP}
  type: NodePort
  sessionAffinity: None
  externalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  internalTrafficPolicy: Cluster
status:
  loadBalancer: {}

Ron Etch

You may try to use a ServiceEntry to access an external service or site; see the sample below, which you can also find at the docs link:

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: external-svc-site
spec:
  hosts:
  - external-site.com
  location: MESH_EXTERNAL
  ports:
  - number: 443
    name: example-https
    protocol: HTTPS
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my-external-site-rule
spec:
  hosts:
  - external-site.com
  http:
  - timeout: 5s
    route:
    - destination:
        host: external-site.com

peterj

You don't need Istio's Gateway resource if you're using the Ingress resource. You can pick one. If you must use the Ingress resource, you can use the kubernetes.io/ingress.class: istio annotation on the Ingress to use the istio-ingressgateway as your controller. (Check the docs here: https://istio.io/latest/docs/tasks/traffic-management/ingress/kubernetes-ingress/)

If you don't have to use the Ingress resource, use Istio's Gateway resource.

If you want to "expose" the sample-app through the Gateway, you have to ensure the following:

  1. You add the Gateway name to the gateways field (which you have)
  2. You match the host name in the Gateway resource with the host name in the VirtualService (i.e. add app.foo.bar to the hosts field in the VirtualService).
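As an added example, not code from the question or from either answer: a small Python checker for the rule peterj's step 2 states (every VirtualService host has to be accepted by a host on the Gateway) and a trace of which destination a given Host header reaches through the asker's Ingress -> Gateway -> VirtualService chain. The manifests are hand-built dicts trimmed to the fields the question shows; the second app, the strict Gateway variant and the wildcard semantics used (exact name, `*.suffix`, `*`; most specific match wins, following Envoy's domain ordering) are assumptions, not taken from the page.

```python
# Added example, not from the question or answers. Istio host semantics assumed:
#   "*"         matches every host
#   "*.suffix"  matches any host that ends in ".suffix"
#   anything else is an exact match
# A "namespace/" qualifier on a Gateway host is ignored for matching purposes.


def host_matches(pattern: str, host: str) -> bool:
    """True if a concrete request host is matched by one Istio host pattern."""
    pattern = pattern.split("/", 1)[-1]  # drop "namespace/" qualifier if present
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.foo.com" -> ".foo.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def pattern_covered(gw_pattern: str, vs_pattern: str) -> bool:
    """True if every host named by the VirtualService pattern is also accepted
    by the Gateway pattern (exact names use host_matches, wildcards compare suffixes)."""
    gw_pattern = gw_pattern.split("/", 1)[-1]
    if gw_pattern == "*":
        return True
    if not vs_pattern.startswith("*."):
        return host_matches(gw_pattern, vs_pattern)
    # wildcard VS host: needs a wildcard Gateway host with an equal or shorter suffix
    return gw_pattern.startswith("*.") and vs_pattern[1:].endswith(gw_pattern[1:])


def uncovered_hosts(vs: dict, gateway: dict) -> list:
    """VirtualService hosts that no server on the Gateway accepts; traffic for
    those hosts never reaches the VirtualService (peterj's step 2)."""
    gw_hosts = [h for server in gateway["spec"]["servers"] for h in server["hosts"]]
    return [h for h in vs["spec"]["hosts"]
            if not any(pattern_covered(g, h) for g in gw_hosts)]


def _specificity(pattern: str) -> tuple:
    """Ordering key: exact host beats a suffix wildcard, which beats '*';
    longer suffixes win among wildcards (Envoy's domain-matching order)."""
    if pattern == "*":
        return (0, 0)
    if pattern.startswith("*."):
        return (1, len(pattern))
    return (2, len(pattern))


def trace_request(host: str, ingress: dict, gateway: dict, virtual_services: list) -> tuple:
    """Follow a request Host header through GKE Ingress -> Gateway -> VirtualService.
    Returns (stage, destination); destination is None when the request stops there."""
    if not any(host_matches(r["host"], host) for r in ingress["spec"]["rules"]):
        return ("ingress", None)            # the load balancer has no rule for this host
    gw_hosts = [h for s in gateway["spec"]["servers"] for h in s["hosts"]]
    if not any(host_matches(h, host) for h in gw_hosts):
        return ("gateway", None)            # no Gateway server accepts this host
    candidates = []                         # (specificity, destination)
    for vs in virtual_services:
        if gateway["metadata"]["name"] not in vs["spec"]["gateways"]:
            continue                        # same namespace assumed, so a bare name binds
        for h in vs["spec"]["hosts"]:
            if host_matches(h, host):
                dest = vs["spec"]["http"][0]["route"][0]["destination"]["host"]
                candidates.append((_specificity(h), dest))
    if not candidates:
        return ("virtualservice", None)     # accepted by the Gateway, but nothing routes it
    return ("virtualservice", max(candidates)[1])


# Constructed manifests mirroring the question, trimmed to the fields used above.
INGRESS = {"spec": {"rules": [{"host": "*.foo.com"}]}}
GATEWAY = {"metadata": {"name": "gateway", "namespace": "istio-ingress"},
           "spec": {"servers": [{"port": {"number": 80, "name": "http", "protocol": "HTTP"},
                                 "hosts": ["*", "*.foo.com"]}]}}
# Assumed variant: the same Gateway without the catch-all "*" host.
GATEWAY_STRICT = {"metadata": {"name": "gateway", "namespace": "istio-ingress"},
                  "spec": {"servers": [{"port": {"number": 80, "name": "http", "protocol": "HTTP"},
                                        "hosts": ["*.foo.com"]}]}}


def _vs(name: str, hosts: list, destination: str) -> dict:
    return {"metadata": {"name": name, "namespace": "istio-ingress"},
            "spec": {"hosts": hosts, "gateways": ["gateway"],
                     "http": [{"match": [{"uri": {"prefix": "/"}}],
                               "route": [{"destination": {"host": destination}}]}]}}


VS_CATCH_ALL = _vs("sample-app", ["*"], "sample-app")              # the asker's original VS
VS_SAMPLE_APP = _vs("sample-app", ["app.foo.com"], "sample-app")   # same VS with hosts narrowed
VS_OTHER_APP = _vs("other-app", ["other.foo.com"], "other-app")    # constructed second app
VS_WRONG_ZONE = _vs("wrong-zone", ["app.bar.com"], "sample-app")   # constructed: host outside *.foo.com


def demo() -> dict:
    vss = [VS_SAMPLE_APP, VS_OTHER_APP]
    return {
        "uncovered_sample": uncovered_hosts(VS_SAMPLE_APP, GATEWAY_STRICT),
        "uncovered_wrong": uncovered_hosts(VS_WRONG_ZONE, GATEWAY_STRICT),
        "catch_all": trace_request("other.foo.com", INGRESS, GATEWAY, [VS_CATCH_ALL]),
        "app": trace_request("app.foo.com", INGRESS, GATEWAY, vss),
        "other": trace_request("other.foo.com", INGRESS, GATEWAY, vss),
        "unknown": trace_request("nope.foo.com", INGRESS, GATEWAY, vss),
        "outside": trace_request("app.bar.com", INGRESS, GATEWAY, vss),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value}")
```

The `catch_all` trace shows why the asker's `hosts: ["*"]` is worth narrowing: with it, every subdomain the Ingress and Gateway accept lands on sample-app. With `hosts: ["app.foo.com"]` only that name routes there, `other.foo.com` reaches its own VirtualService, and an unknown subdomain is accepted by the Gateway but has no route. `uncovered_hosts` is the check to run before apply: against a Gateway that lists only `*.foo.com`, a VirtualService host such as `app.bar.com` is reported as never bound.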