Hello @hbagdi, I stepped into the Istio world recently and I encountered the same issue while setting up Kong with the ingress controller and Istio: the traffic from Kong simply passes to the PassthroughCluster and magically appears in the pods in Kiali.
I deployed Kong in the Istio mesh and set the service with the upstream annotation.
After some digging into Envoy's proxy configuration and trying to compare it to the Istio ingress controller's proxy config, even with tcpdump, I found the problem.
The problem is how Istio sets up the listener with the route and the Host header in the HTTP request.
This is why the demo setup in https://konghq.com/blog/kong-istio-setting-service-mesh-kubernetes-kiali-observability/ can succeed: it didn't preserve the Host and sends the request to port 9080 with the productpage.default.svc:9080 Host header, which is captured by the proxy listener on 9080, so it succeeds.
With a deployment using the Kong ingress controller, however, it triggers the preserve Host setting. When the HTTP request is sent to the 9080 port listener, the Host header in the HTTP request is not replaced from the source (example: product.example.com), and Istio's HTTP route on 9080 is based on the HTTP request; since there is no route for the host product.example.com in the request, it falls back to PassthroughCluster.
If you set up the host in a virtual service with a name (product.example.com) that is not in the service registry, it still won't work, since it only adds the product.example.com route on the port 80 listener, not on 9080, and Kong only sends traffic to the service IP:9080 port with the product.example.com HTTP host, so it falls back to PassthroughCluster again.
But if we don't preserve the Host in the HTTP request, it will cause problems in some applications. So as the workaround I make sure the service that needs to accept external traffic is only on port 80, set up a virtual service with the external host name, and don't bind it to a Gateway.
I just need to figure out how to configure Istio to add the route to the right port listener with the external HTTP host request to the Kong pods, like how the Istio gateway ingress did, or force Kong to send all its traffic to port 80 (via the Kong ingress controller) while the service is in an Istio mesh namespace, I guess.
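
A sketch of the workaround described in the comment above, added here as an illustration and not taken from the original post or from the Kong or Istio projects. The host names and namespace come from the post; the resource name, pod label and `targetPort` are assumptions.

```yaml
# Service exposed on port 80 only, so the external Host is looked up in the
# port-80 route table of the sidecar next to Kong.
apiVersion: v1
kind: Service
metadata:
  name: productpage
  namespace: default
spec:
  selector:
    app: productpage          # assumed pod label
  ports:
    - name: http              # "http" name prefix marks the port as HTTP for Istio
      port: 80
      targetPort: 9080        # assumption: the container keeps listening on 9080
---
# VirtualService for the external host name. With no "gateways" field the rule
# applies to the reserved "mesh" gateway, i.e. to sidecars, not to an ingress Gateway.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: productpage-external-host   # hypothetical name
  namespace: default
spec:
  hosts:
    - product.example.com     # Host header Kong preserves from the client request
  http:
    - route:
        - destination:
            host: productpage.default.svc.cluster.local
            port:
              number: 80
```

With this applied, `istioctl proxy-config routes <kong-pod> --name 80 -o json` on the Kong pod's sidecar should list a virtual host for product.example.com; if it does not, requests carrying that Host header will still land in PassthroughCluster.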
