=== CMD: kubectl apply -f manifest.yaml ===
pod/client created
deployment.apps/echo created
service/echo created
serviceaccount/portconflict-gw created
deployment.apps/portconflict-gw created
service/portconflict-gw created
gateway.networking.istio.io/portconflict-gw-passthrough created
gateway.networking.istio.io/portconflict-gw-mutual created
virtualservice.networking.istio.io/portconflict-route-a created
virtualservice.networking.istio.io/portconflict-route-b created

=== CMD: kubectl -n istio-vt-t08 wait --for=condition=Ready pod/client --timeout=90s ===
pod/client condition met

=== CMD: kubectl -n istio-vt-t08 rollout status deploy/portconflict-gw --timeout=90s ===
deployment "portconflict-gw" successfully rolled out

=== CMD: kubectl -n istio-vt-t08 rollout status deploy/echo --timeout=90s ===
deployment "echo" successfully rolled out

=== pod status snapshot ===
NAME                               READY   STATUS    RESTARTS   AGE   IP               NODE          NOMINATED NODE   READINESS GATES
client                             2/2     Running   0          22s   10.255.194.114   k8s-worker1
echo-5767bbcc56-lbtl6              2/2     Running   0          22s   10.255.194.115   k8s-worker1
portconflict-gw-7f7647968b-hgmzf   1/1     Running   0          22s   10.255.194.116   k8s-worker1

=== CMD: istioctl proxy-config listener deploy/portconflict-gw.istio-vt-t08 --port 8443 -o json | jq '.[0].filterChains | length' ===
2

=== CMD: istioctl proxy-config listener deploy/portconflict-gw.istio-vt-t08 --port 8443 -o json | jq '.[0].filterChains[].filterChainMatch' ===
{
  "serverNames": [
    "echo.istio-vt-t08.svc.homelab.local"
  ]
}
{
  "serverNames": [
    "mock.istio-verify-ext.svc.homelab.local"
  ]
}

=== CMD: kubectl -n istio-system logs deploy/istiod --since=1m | grep -iE 'portconflict|conflict|filter_chain_not_found' | tail -10 ===
2026-07-04T22:32:26.407341Z info delta LDS: PUSH for node:portconflict-gw-7f7647968b-hgmzf.istio-vt-t08 resources:1 removed:0 size:3.3kB
2026-07-04T22:32:26.512429Z info delta CDS: PUSH for node:portconflict-gw-7f7647968b-hgmzf.istio-vt-t08 resources:3 removed:0 size:2.3kB cached:2/2
2026-07-04T22:32:26.512539Z info delta EDS: PUSH INC for node:portconflict-gw-7f7647968b-hgmzf.istio-vt-t08 resources:2 removed:0 size:293B empty:0 cached:2/2
2026-07-04T22:32:26.512672Z info delta LDS: PUSH for node:portconflict-gw-7f7647968b-hgmzf.istio-vt-t08 resources:1 removed:0 size:3.3kB
2026-07-04T22:32:43.062409Z info delta CDS: PUSH for node:portconflict-gw-7f7647968b-hgmzf.istio-vt-t08 resources:3 removed:0 size:2.1kB cached:2/2
2026-07-04T22:32:43.062611Z info delta LDS: PUSH for node:portconflict-gw-7f7647968b-hgmzf.istio-vt-t08 resources:1 removed:0 size:3.3kB
2026-07-04T22:32:43.139204Z info delta EDS: PUSH request for node:portconflict-gw-7f7647968b-hgmzf.istio-vt-t08 resources:2 removed:0 size:101B empty:0 cached:2/2 filtered:45
2026-07-04T22:32:44.519966Z info delta CDS: PUSH for node:portconflict-gw-7f7647968b-hgmzf.istio-vt-t08 resources:3 removed:0 size:2.2kB cached:2/2
2026-07-04T22:32:44.519989Z info delta EDS: PUSH INC for node:portconflict-gw-7f7647968b-hgmzf.istio-vt-t08 resources:2 removed:0 size:101B empty:0 cached:2/2
2026-07-04T22:32:44.520208Z info delta LDS: PUSH for node:portconflict-gw-7f7647968b-hgmzf.istio-vt-t08 resources:1 removed:0 size:3.3kB
(grep exit code: 0)

=== CMD: istiod logs grep (full, showing incidental portconflict node-name matches only, no real conflict/duplicate lines) ===
(see above capture; separately verified no conflict/duplicate/filter_chain_not_found lines outside node-name substring matches)

=== CMD: curl via_A_passthrough (mock.istio-verify-ext) ===
via_A_passthrough=000
command terminated with exit code 35

=== RETRY CMD: curl via_A_passthrough (mock.istio-verify-ext) ===
* Connecting to hostname: portconflict-gw.istio-vt-t08.svc.homelab.local
* Connecting to port: 8443
* Host portconflict-gw.istio-vt-t08.svc.homelab.local:8443 was resolved.
* IPv6: (none)
* IPv4: 10.250.127.157
*   Trying 10.250.127.157:8443...
* ALPN: curl offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [1585 bytes data]
* Recv failure: Connection reset by peer
* TLS connect error: error:00000000:lib(0)::reason(0)
* OpenSSL SSL_connect: Connection reset by peer in connection to mock.istio-verify-ext.svc.homelab.local:443
* closing connection #0
via_A_passthrough=000
command terminated with exit code 35

=== CMD: curl via_B_mutual (echo.istio-vt-t08) ===
* Connecting to hostname: portconflict-gw.istio-vt-t08.svc.homelab.local
* Connecting to port: 8443
* Host portconflict-gw.istio-vt-t08.svc.homelab.local:8443 was resolved.
* IPv6: (none)
* IPv4: 10.250.127.157
*   Trying 10.250.127.157:8443...
* ALPN: curl offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [1581 bytes data]
* TLSv1.3 (OUT), TLS alert, decode error (562):
} [2 bytes data]
* TLS connect error: error:0A000126:SSL routines::unexpected eof while reading
* closing connection #0
via_B_mutual=000
command terminated with exit code 35

=== RETRY (post-convergence) CMD: via_A_passthrough ===
via_A_passthrough=200

=== RETRY (post-convergence) CMD: via_B_mutual ===
via_B_mutual=000
command terminated with exit code 35

=== SUPPLEMENTARY DIAGNOSTIC (not part of spec commands; performed to root-cause the via_B_mutual=000 result) ===

--- istioctl analyze -n istio-vt-t08 ---
Error [IST0101] (VirtualService istio-vt-t08/portconflict-route-b) Referenced host not found: "echo.istio-vt-t08.svc.homelab.local"
(only Info-level deprecation notices otherwise; NO conflict/duplicate/port-collision warning of any kind)

--- istioctl proxy-config clusters deploy/portconflict-gw.istio-vt-t08 (relevant lines) ---
mock.istio-verify-ext.svc.cluster.local   80    outbound   EDS
mock.istio-verify-ext.svc.cluster.local   443   outbound   EDS
mock.istio-verify-ext.svc.homelab.local   80    outbound   STRICT_DNS
mock.istio-verify-ext.svc.homelab.local   443   outbound   STRICT_DNS
echo.istio-vt-t08.svc.cluster.local       80    outbound   EDS
echo.istio-vt-t08.svc.cluster.local       443   outbound   EDS

(NOTE: no "echo.istio-vt-t08.svc.homelab.local" EDS cluster exists -- Istio's internal
k8s-Service hostname registry uses the hardcoded "cluster.local" suffix regardless of the
real kubeadm clusterDomain "homelab.local". PASSTHROUGH mode auto-generates a STRICT_DNS
cluster keyed on the literal SNI/host string, which is why "mock....svc.homelab.local"
happens to resolve on its own via CoreDNS; ISTIO_MUTUAL+tcp-route mode requires an exact
match against the EDS-registered hostname, which only exists under the
...svc.cluster.local suffix.)

--- gateway access log (istio-proxy) for the 3 original curl attempts ---
[22:33:18.847Z] ... 0 NC ... 0 0 3 ... mock.istio-verify-ext.svc.homelab.local -
    (chain A hit, but its EDS-cluster wasn't converged yet -> "NC"/no-cluster)
[22:33:26.421Z] ... 0 NC ... 0 0 2 ... mock.istio-verify-ext.svc.homelab.local -
    (retry, still not converged)
[22:33:34.967Z] ... 0 NC ... 0 0 2 ... echo.istio-vt-t08.svc.homelab.local -
    (chain B hit; cluster genuinely never exists under this name)

--- retest ~5 min later (config since converged) ---
via_A_passthrough=200   <- succeeds end-to-end once EDS converged
    access log: ...(no flags)... 1819 3761 13 ... 10.250.183.220:443 outbound|443||mock.istio-verify-ext.svc.homelab.local ... mock.istio-verify-ext.svc.homelab.local -
via_B_mutual=000 (curl exit 35, still NC in access log)   <- persists, root cause = destination host domain mismatch (not convergence, not merge conflict)

--- isolation test: patched (only) VirtualService/portconflict-route-b tcp.route.destination.host istio-vt-t08.svc.homelab.local -> istio-vt-t08.svc.cluster.local (ephemeral namespace, reverted by teardown) ---
$ kubectl -n istio-vt-t08 patch virtualservice portconflict-route-b --type=json \
    -p '[{"op":"replace","path":"/spec/tcp/0/route/0/destination/host","value":"echo.istio-vt-t08.svc.cluster.local"}]'
virtualservice.networking.istio.io/portconflict-route-b patched

tcp_proxy cluster ref on chain B after patch: outbound|80||echo.istio-vt-t08.svc.cluster.local (now resolves)

$ curl ... via_B_mutual_afterfix
via_B_mutual_afterfix=000 (curl exit 56 = recv error, NOT exit 35 SSL-connect-error anymore)

access log for this attempt:
[22:39:11.783Z] "- - -" 0 - - - "-" 0 0 11 - "-" "-" "-" "-" "10.255.194.115:8080" outbound|80||echo.istio-vt-t08.svc.cluster.local 10.255.194.116:52508 10.255.194.116:8443 10.255.194.114:49568 echo.istio-vt-t08.svc.homelab.local -

(cluster now resolves, upstream connection to echo pod's plain-HTTP port 8080 is
established; remaining failure is because curl offers no client certificate while chain
B's DownstreamTlsContext has requireClientCertificate=true (ISTIO_MUTUAL) -- this is the
CORRECT/EXPECTED Istio behavior for a non-mesh client hitting an ISTIO_MUTUAL server,
unrelated to the filter-chain-merge question under test.)

CONCLUSION OF DIAGNOSTIC: the via_B_mutual=000 result is fully explained by a
test-manifest artifact (destination.host domain-suffix mismatch, confirmed by istioctl
analyze IST0101) plus expected mTLS-certificate enforcement -- NEITHER of which is the
"merge conflict / one server dropped" failure mode the test is checking for. The actual
merge-conflict question is answered cleanly and independently by the
filterChains-length/filterChainMatch/access-log-SNI-dispatch evidence captured under the
official spec commands above.