istio: Creating two gateways causes the second gateway to not work

I deployed two applications including bookinfo and httpbin.

  1. Create gateway and virtualservice for httpbin first, and httpbin works fine.
[root@gyliu-icp-1 istio-0.8.0]# cat <<EOF | istioctl create -f -
> apiVersion: networking.istio.io/v1alpha3
> kind: Gateway
> metadata:
>   name: httpbin-gateway
> spec:
>   selector:
>     istio: ingressgateway # use Istio default gateway implementation
>   servers:
>   - port:
>       number: 80
>       name: http
>       protocol: HTTP
>     hosts:
>     - "*"
> EOF
Created config gateway/default/httpbin-gateway at revision 1709253
[root@gyliu-icp-1 istio-0.8.0]#
[root@gyliu-icp-1 istio-0.8.0]# cat <<EOF | istioctl create -f -
> apiVersion: networking.istio.io/v1alpha3
> kind: VirtualService
> metadata:
>   name: httpbin
> spec:
>   hosts:
>   - "*"
>   gateways:
>   - httpbin-gateway
>   http:
>   - match:
>     - uri:
>         prefix: /status
>     - uri:
>         prefix: /delay
>     route:
>     - destination:
>         port:
>           number: 8000
>         host: httpbin
> EOF
Created config virtual-service/default/httpbin at revision 1709254
[root@gyliu-icp-1 istio-0.8.0]# curl --resolve httpbin.example.com:$INGRESS_PORT:$INGRESS_HOST -I http://httpbin.example.com:$INGRESS_PORT/status/200
HTTP/1.1 200 OK
server: envoy
date: Wed, 06 Jun 2018 03:15:45 GMT
content-type: text/html; charset=utf-8
access-control-allow-origin: *
access-control-allow-credentials: true
content-length: 0
x-envoy-upstream-service-time: 8

  2. Deploy gateway and virtualservice for bookinfo and bookinfo will not work.
[root@gyliu-icp-1 istio-0.8.0]# istioctl create -f samples/bookinfo/routing/bookinfo-gateway.yaml
Created config gateway/default/bookinfo-gateway at revision 1709319
Created config virtual-service/default/bookinfo at revision 1709320

The curl command returns nothing and there is no log in istio-proxy of bookinfo.

[root@gyliu-icp-1 istio-0.8.0]# curl $INGRESS_HOST:$INGRESS_PORT/productpage

  3. All of the gateways and virtualservices in my cluster.
[root@gyliu-icp-1 istio-0.8.0]# istioctl get virtualservices -oyaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  creationTimestamp: null
  name: bookinfo
  namespace: default
  resourceVersion: "1709320"
spec:
  gateways:
  - bookinfo-gateway
  hosts:
  - '*'
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage
        port:
          number: 9080
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  creationTimestamp: null
  name: httpbin
  namespace: default
  resourceVersion: "1709254"
spec:
  gateways:
  - httpbin-gateway
  hosts:
  - '*'
  http:
  - match:
    - uri:
        prefix: /status
    - uri:
        prefix: /delay
    route:
    - destination:
        host: httpbin
        port:
          number: 8000
---
[root@gyliu-icp-1 istio-0.8.0]# istioctl get gateway -oyaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  creationTimestamp: null
  name: bookinfo-gateway
  namespace: default
  resourceVersion: "1709319"
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*'
    port:
      name: http
      number: 80
      protocol: HTTP
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  creationTimestamp: null
  name: httpbin-gateway
  namespace: default
  resourceVersion: "1709253"
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*'
    port:
      name: http
      number: 80
      protocol: HTTP
---

But if I delete the gateway of httpbin, then productpage works fine.

[root@gyliu-icp-1 istio-0.8.0]# istioctl delete virtualservices httpbin
Deleted config: virtualservices httpbin
[root@gyliu-icp-1 istio-0.8.0]# istioctl delete gateway httpbin-gateway
Deleted config: gateway httpbin-gateway
[root@gyliu-icp-1 istio-0.8.0]# curl $INGRESS_HOST:$INGRESS_PORT/productpage
<!DOCTYPE html>
<html>
  <head>
    <title>Simple Bookstore App</title>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">

<!-- Latest compiled and minified CSS -->
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css">

<!-- Optional theme -->
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap-theme.min.css">

  </head>
  <body>



<nav class="navbar navbar-inverse navbar-static-top">
    <div class="container">
        <div class="navbar-header">
            <a class="navbar-brand" href="#">BookInfo Sample</a>
        </div>

        <button type="button" class="btn btn-default navbar-btn navbar-
....

@rshriram @vadimeisenbergibm @cmluciano comments for this?

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 18 (9 by maintainers)

Most upvoted comments

I think we should reopen this issue for a couple of reasons

  1. It causes ingress config to go stale. So no changes are reflected to the ingress controller if someone adds a gateway with the same rules. Ideally, Istio should validate the create gateway request and reject it for this use case.

  2. How does a virtual service refer to the gateway if the default gateway is not present in the same namespace? So let’s suppose the default gateway exists in namespaceA: how can a virtual service in namespaceB refer to the default gateway? AFAICT from the virtual service doc, it takes a list of gateway names. The other option is to create the gateway in namespaceB and refer to it in the virtual service, but that causes the above problem.

Thoughts?
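
A pre-apply check for the condition reported in this issue, added here as an example (it is not Istio's validation code and not part of the original thread): it flags pairs of Gateways whose selectors can match the same ingress workload and whose servers claim the same port number with overlapping hosts. The `gw` helper, the dict layout and the selector-compatibility rule are assumptions made for the example.

```python
from itertools import combinations, product

def gw(name, hosts, port=80, selector=None):
    """Hypothetical helper: build the subset of a Gateway spec this check reads."""
    return {"name": name,
            "selector": selector or {"istio": "ingressgateway"},
            "servers": [{"port": {"number": port}, "hosts": list(hosts)}]}

# Constructed input mirroring the two Gateways shown in the issue.
GATEWAYS = [gw("httpbin-gateway", ["*"]), gw("bookinfo-gateway", ["*"])]

def selectors_compatible(a, b):
    """Assumption: two selectors can pick the same pod unless a shared key disagrees."""
    return all(b[k] == v for k, v in a.items() if k in b)

def hosts_overlap(a, b):
    """True if two host patterns can match the same Host header."""
    a, b = a.lower(), b.lower()
    if a == "*" or b == "*" or a == b:
        return True
    # "*.example.com" overlaps "x.example.com" but not bare "example.com".
    for wild, other in ((a, b), (b, a)):
        if wild.startswith("*.") and other.endswith(wild[1:]):
            return True
    return False

def find_conflicts(gateways):
    """Return (gw1, gw2, port, host1, host2) for every overlapping claim."""
    conflicts = []
    for g1, g2 in combinations(gateways, 2):
        if not selectors_compatible(g1["selector"], g2["selector"]):
            continue
        for s1, s2 in product(g1["servers"], g2["servers"]):
            port = s1["port"]["number"]
            if port != s2["port"]["number"]:
                continue
            for h1, h2 in product(s1["hosts"], s2["hosts"]):
                if hosts_overlap(h1, h2):
                    conflicts.append((g1["name"], g2["name"], port, h1, h2))
    return conflicts

if __name__ == "__main__":
    for c in find_conflicts(GATEWAYS):
        print("conflict: %s and %s both claim port %d for hosts %r / %r" % c)
```

Giving each Gateway its own host name instead of `"*"` makes the check pass for the two Gateways above.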

The problem is in the wildcard certificate. After I created different certs for every sub domain and the root domain, everything works fine again. Even if one domain or sub domain uses a wildcard certificate, some will not work. The workaround is to not use wildcard for now. Using istio-1.0.0 on the cluster.

I fixed a bug today with respect to gateway references. When referring to a gateway in another namespace use the fqdn (name.ns.svc.cluster.local).

Fixed in #6483