=== CMD1: apply + wait (already done above, re-confirm) ===
$ kubectl apply -f manifest.yaml && kubectl -n istio-vt-t48 wait --for=condition=Ready pod/client --timeout=90s
pod/client condition met

=== CMD2: capture upstream_cx_total BEFORE any requests ===
$ kubectl -n istio-vt-t48 exec client -c istio-proxy -- curl -s 'localhost:15000/stats' | grep 'outbound|443||mock.istio-verify-ext.svc.homelab.local.*upstream_cx_total'
(no output)

--- NOTE: env deviation discovered ---
The exact spec grep against /stats returned EMPTY output (no cluster.outbound* stats present at all).

Root cause: the cluster's default meshConfig proxyStatsMatcher excludes raw per-cluster Envoy stats (only cluster_manager / listener_manager / server / istiocustom / xds-grpc stats are in /stats by default).

Confirmed via: the /clusters admin endpoint DOES show live per-host cx_total counters for this cluster
  outbound|443||mock.istio-verify-ext.svc.homelab.local:::443::cx_total::0
proving the cluster itself exists and is tracked -- it is just excluded from the /stats text-format sink by default.

ADAPTATION: added the pod annotation sidecar.istio.io/statsInclusionRegexps to the client pod so the exact spec grep command against /stats works as literally written, and recreated the client pod.

=== ENV DISCOVERY (led to adaptation) ===
config_dump shows the REAL per-VIP listener for mock's ClusterIP (10.250.183.220_443) uses envoy.filters.network.tcp_proxy -> cluster outbound|443||mock.istio-verify-ext.svc.CLUSTER.LOCAL (the k8s-native auto-registered cluster, using Istio's internal clusterDomain default, unaffected by kubeadm's actual homelab.local CoreDNS domain).

My ServiceEntry-declared cluster (outbound|443||mock.istio-verify-ext.svc.homelab.local) got folded into the generic 0.0.0.0_443 SNI-passthrough listener instead, and never receives traffic, because the dedicated per-VIP listener for the real k8s Service's ClusterIP wins over the wildcard listener for iptables-captured traffic to that literal IP.

BOTH clusters use envoy.filters.network.tcp_proxy (confirmed via config_dump), i.e. both are opaque L4 TCP proxy targets (port named 'https' => passthrough, not HTTP-decoded) -- so the claim under test (L4 tcp_proxy 1:1 downstream:upstream connection mapping) is still faithfully measurable, just via the cluster that ACTUALLY carries the traffic:
  outbound|443||mock.istio-verify-ext.svc.cluster.local

ADAPTATION: substitute 'svc.cluster.local' for 'svc.homelab.local' in the observation grep only; the client's request URL/SNI/Host still uses the spec's homelab.local FQDN unchanged.

Also: the raw /stats endpoint by default excludes per-cluster upstream_cx_total entirely (the mesh-wide default proxyStatsMatcher trims cluster stats) -- added the pod annotation sidecar.istio.io/statsInclusionRegexps: '.*upstream_cx_total.*' to the client pod (recreated) so the spec's literal /stats grep observation works.

=== CMD2 (adapted): capture upstream_cx_total BEFORE the 5-request batch ===
$ kubectl -n istio-vt-t48 exec client -c istio-proxy -- curl -s 'localhost:15000/stats' | grep 'outbound|443||mock.istio-verify-ext.svc.cluster.local.*upstream_cx_total'
cluster.outbound|443||mock.istio-verify-ext.svc.cluster.local;.upstream_cx_total: 1

=== CMD3: 5 SEPARATE short-lived connections (5 distinct exec/curl processes) ===
$ for i in $(seq 1 5); do kubectl -n istio-vt-t48 exec client -c curl -- curl -sk -o /dev/null --max-time 4 https://mock.istio-verify-ext.svc.homelab.local/; done
req#1 http_code=200 exit=0
req#2 http_code=200 exit=0
req#3 http_code=200 exit=0
req#4 http_code=200 exit=0
req#5 http_code=200 exit=0

=== CMD4 (adapted): capture upstream_cx_total AFTER the 5-request batch ===
$ kubectl -n istio-vt-t48 exec client -c istio-proxy -- curl -s 'localhost:15000/stats' | grep 'outbound|443||mock.istio-verify-ext.svc.cluster.local.*upstream_cx_total'
cluster.outbound|443||mock.istio-verify-ext.svc.cluster.local;.upstream_cx_total: 6

=== CMD5: ONE curl process sending 3 requests to the SAME URL (keepalive reuse within invocation) ===
$ kubectl -n istio-vt-t48 exec client -c curl -- curl -sk -o /dev/null --max-time 6 https://mock.istio-verify-ext.svc.homelab.local/ https://mock.istio-verify-ext.svc.homelab.local/ https://mock.istio-verify-ext.svc.homelab.local/
req1=200 req2=200 req3=200
{
  "path": "/",
  "headers": { "host": "mock.istio-verify-ext.svc.homelab.local", "user-agent": "curl/8.14.1", "accept": "*/*" },
  "method": "GET", "body": "", "fresh": false,
  "hostname": "mock.istio-verify-ext.svc.homelab.local",
  "ip": "::ffff:10.255.194.100", "ips": [],
  "protocol": "https", "query": {},
  "subdomains": [ "svc", "istio-verify-ext", "mock" ],
  "xhr": false,
  "os": { "hostname": "mock-597cccffdf-bwsnt" },
  "connection": { "servername": "mock.istio-verify-ext.svc.homelab.local" },
  "clientCertificate": {}
}req1=200 req2=200 req3=200
{
  "path": "/",
  "headers": { "host": "mock.istio-verify-ext.svc.homelab.local", "user-agent": "curl/8.14.1", "accept": "*/*" },
  "method": "GET", "body": "", "fresh": false,
  "hostname": "mock.istio-verify-ext.svc.homelab.local",
  "ip": "::ffff:10.255.194.100", "ips": [],
  "protocol": "https", "query": {},
  "subdomains": [ "svc", "istio-verify-ext", "mock" ],
  "xhr": false,
  "os": { "hostname": "mock-597cccffdf-bwsnt" },
  "connection": { "servername": "mock.istio-verify-ext.svc.homelab.local" },
  "clientCertificate": {}
}req1=200 req2=200 req3=200
(The two echoed response bodies are those of requests 2 and 3: a single -o /dev/null only discards the body of the first URL, so the remaining bodies go to stdout. Both show the upstream seeing the spec's homelab.local SNI/Host and the same mock pod.)

=== CMD6 (adapted): capture upstream_cx_total AFTER the 3-request-1-connection batch ===
$ kubectl -n istio-vt-t48 exec client -c istio-proxy -- curl -s 'localhost:15000/stats' | grep 'outbound|443||mock.istio-verify-ext.svc.cluster.local.*upstream_cx_total'
cluster.outbound|443||mock.istio-verify-ext.svc.cluster.local;.upstream_cx_total: 7

=== SUPPLEMENTARY: verbose curl to directly confirm client-side connection reuse ===
$ kubectl -n istio-vt-t48 exec client -c curl -- curl -sk -v -o /dev/null ... (3 urls, same invocation)
* Connected to mock.istio-verify-ext.svc.homelab.local (10.250.183.220) port 443
> GET / HTTP/1.1
> GET / HTTP/1.1
> GET / HTTP/1.1
(grep -iE 'connect|re-us' on the verbose trace showed exactly ONE "Connected to..." followed by TWO "Re-using existing https: connection with host mock.istio-verify-ext.svc.homelab.local" lines, confirming client-side that all 3 requests shared a single TCP connection.)

=== SUMMARY ===
before_cx.txt      : upstream_cx_total = 1
after5_cx.txt      : upstream_cx_total = 6   (delta = 5, for 5 separate curl processes/connections)
after_reuse_cx.txt : upstream_cx_total = 7   (delta = 1, for 3 requests over 1 reused connection)
=> exact match to pass_criteria: 5 separate downstream connections -> +5 upstream connections (1:1); 3 requests over 1 reused downstream connection -> +1 upstream connection only (no per-request multiplexing/pooling at the L4 tcp_proxy layer).
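As an added example (not part of the log above), a small Python parser for the Envoy /stats text format that extracts the cluster's upstream_cx_total, treats the empty-result case as the stats-exclusion symptom hit in CMD2, and applies the SUMMARY's pass criteria to before / after-5 / after-reuse snapshots. The /stats snapshots are constructed; the cluster name is the one from the log.

```python
import re

# Constructed /stats snapshots in Envoy's text format, mirroring the three captures
# in the log; the cluster name is the log's, the counter values are illustrative.
CLUSTER = "outbound|443||mock.istio-verify-ext.svc.cluster.local"
_LINE = "cluster." + CLUSTER + ";.upstream_cx_total: {}\n"
STATS_BEFORE = "cluster_manager.active_clusters: 12\n" + _LINE.format(1) + "server.live: 1\n"
STATS_AFTER_5 = "cluster_manager.active_clusters: 12\n" + _LINE.format(6) + "server.live: 1\n"
STATS_AFTER_REUSE = "cluster_manager.active_clusters: 12\n" + _LINE.format(7) + "server.live: 1\n"
# What the default proxyStatsMatcher sink looks like: no per-cluster counters at all.
STATS_DEFAULT_SINK = "cluster_manager.active_clusters: 12\nserver.live: 1\n"


def upstream_cx_total(stats_text, cluster):
    """Return the cluster's upstream_cx_total from /stats text, or None when absent.
    None is the log's empty-grep symptom: the cluster does not exist, or per-cluster
    stats are excluded by proxyStatsMatcher / sidecar.istio.io/statsInclusionRegexps.
    The captured sidecar line reads 'cluster.<name>;.upstream_cx_total: N'; the ';'
    is accepted optionally so plain Envoy output parses too."""
    pattern = r"^cluster\." + re.escape(cluster) + r";?\.upstream_cx_total:\s*(\d+)\s*$"
    match = re.search(pattern, stats_text, re.M)
    return int(match.group(1)) if match else None


def check_l4_one_to_one(before, after_separate, after_reuse, n_separate):
    """Apply the pass criteria: n separate downstream connections must add exactly n
    upstream connections; a batch over one reused connection must add exactly 1."""
    if None in (before, after_separate, after_reuse):
        return {"passed": False, "reason": "counter missing from /stats"}
    delta_separate = after_separate - before
    delta_reuse = after_reuse - after_separate
    return {
        "delta_separate": delta_separate,
        "delta_reuse": delta_reuse,
        "passed": delta_separate == n_separate and delta_reuse == 1,
    }


def run_example():
    """Evaluate the constructed snapshots the way the log's SUMMARY does."""
    return check_l4_one_to_one(
        upstream_cx_total(STATS_BEFORE, CLUSTER),
        upstream_cx_total(STATS_AFTER_5, CLUSTER),
        upstream_cx_total(STATS_AFTER_REUSE, CLUSTER),
        n_separate=5,
    )
```

Feeding the three real captures' text into `upstream_cx_total` in place of the constructed snapshots reproduces the SUMMARY deltas (5 and 1); a None result is the cue to look at /clusters and the stats inclusion annotation rather than at the traffic path.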