=== [PRECHECK] confirm postman-echo.com has zero pre-existing Istio config cluster-wide === clean: no SE/VS/DR references postman-echo.com anywhere === [SETUP] create namespace istio-vt-t02-r2 (istio-injection=enabled) === namespace/istio-vt-t02-r2 created === [SETUP] apply client-echo.yaml (Pod client + Deployment echo + Service echo) === pod/client created deployment.apps/echo created service/echo created === [WAIT] client pod Ready === pod/client condition met === [WAIT] echo rollout === Waiting for deployment "echo" rollout to finish: 0 of 1 updated replicas are available... deployment "echo" successfully rolled out === [CHECK] pod status (expect 2/2 sidecar injected) === NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES client 2/2 Running 0 3s 10.255.194.113 k8s-worker1 echo-5767bbcc56-nsg6k 2/2 Running 0 3s 10.255.126.13 k8s-worker2 === [DIAG-A0] proxy-config clusters client (baseline, before anything, filter=postman-echo.com) === SERVICE FQDN PORT SUBSET DIRECTION TYPE DESTINATION RULE (expect: no dedicated postman-echo.com cluster yet -> ALLOW_ANY traffic to it rides PassthroughCluster) === CMD1: kubectl apply -f client-echo.yaml && wait Ready === pod/client configured deployment.apps/echo unchanged service/echo unchanged pod/client condition met === CMD2: allow_any_http check (real external host postman-echo.com) === allow_any_http=200 === CMD3: allow_any_https check (real external host postman-echo.com) === allow_any_https=200 === [DIAG-A1] proxy-config clusters client (ALLOW_ANY, path taken for postman-echo.com:80/443) === BlackHoleCluster - - - STATIC InboundPassthroughCluster - - - ORIGINAL_DST PassthroughCluster - - - ORIGINAL_DST === CMD4: kubectl apply -f registry-only-sidecar.yaml === sidecar.networking.istio.io/registry-only created === CMD5: sleep 5 === === CMD6: istioctl proxy-config cluster client.istio-vt-t02-r2 | grep -i blackhole === BlackHoleCluster - - - STATIC === [DIAG-B1] proxy-config clusters client (REGISTRY_ONLY, before SE, filter=postman-echo.com) === SERVICE FQDN PORT SUBSET DIRECTION TYPE DESTINATION RULE (expect: still no dedicated postman-echo.com cluster -> no vhost/no IP match -> falls to BlackHoleCluster on both protocols) === CMD7: registry_only_http check === registry_only_http=502 === CMD8: registry_only_https check === registry_only_https_code=000 command terminated with exit code 35 curl_exit=35 === [DIAG-B2] proxy-config listener client on 0.0.0.0_443 (virtualOutbound default filter chain path, REGISTRY_ONLY) === "name": "virtualOutbound-blackhole" === CMD9: kubectl apply -f postman-ext-se.yaml (ServiceEntry hosts: postman-echo.com) === serviceentry.networking.istio.io/postman-ext-se created === CMD10: sleep 5 === === [DIAG-C1] proxy-config clusters client (after SE, filter=postman-echo.com) === SERVICE FQDN PORT SUBSET DIRECTION TYPE DESTINATION RULE postman-echo.com 80 - outbound STRICT_DNS postman-echo.com 443 - outbound STRICT_DNS (expect: outbound|80||postman-echo.com and outbound|443||postman-echo.com now exist, STRICT_DNS) === CMD11: after_se_registered_http check === after_se_registered_http=200 === [DIAG-C2] after_se_registered_https check (extra, not in spec commands but useful corroboration) === after_se_registered_https=200 === DONE (namespace istio-vt-t02-r2 will be deleted by trap on exit) === === [CLEANUP] deleting namespace istio-vt-t02-r2 === namespace "istio-vt-t02-r2" deleted