istio: Ingress gateway use case of HTTPS to HTTPS doesn't work.

Installed by the Service Mesh operator 1.1.7 image.

Two namespaces are used: the first is my nginx namespace, ns1; the second is istio-system. Purpose: an HTTPS request from the web page is passed through the gateway to nginx HTTPS port 443.

  1. Web page 443 to nginx HTTP port 80. As the HTTP port of nginx redirects to the HTTPS port, the web page gets a too-many-redirects error, but it seems to work.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: cpd-nginx-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: nginx-svc
spec:
  hosts:
  - "*"
  gateways:
  - cpd-nginx-gateway
  tcp:
  - match:
    - uri:
        exact: /*
    route:
    - destination:
        host: nginx-svc.ns1.svc.cluster.local
        port:
          number: 80
```
  2. Using tls in VirtualService returns 404.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: cpd-nginx-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "a.example.com"
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: nginx-svc
spec:
  hosts:
  - "a.example.com"
  gateways:
  - cpd-nginx-gateway
  tls:
  - name: "https-nginx-route"
    match:
    - uri:
        exact: /*
      sni_hosts:
      - "a.example.com"
    route:
    - destination:
        host: nginx-svc.ns1.svc.cluster.local
        port:
          number: 443
```

Logs from the ingress gateway:

```
[2020-09-10T05:47:47.316Z] "GET /zen HTTP/2" 404 - "-" "-" 0 0 0 - "10.254.4.1" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36" "ea9f7fa1-6aaf-9694-af5a-fd9c19cdbbac" "a.example.com" "-" - - 10.254.8.76:8443 10.254.4.1:46464 a.example.com default
{"duration":"0","route_name":"default","upstream_transport_failure_reason":"-","downstream_local_address":"10.254.8.76:8443","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36","response_code":"404","response_flags":"-","start_time":"2020-09-10T05:47:47.316Z","request_id":"ea9f7fa1-6aaf-9694-af5a-fd9c19cdbbac","method":"GET","upstream_host":"-","x_forwarded_for":"10.254.4.1","requested_server_name":"a.example.com","bytes_received":"0","istio_policy_status":"-","bytes_sent":"0","upstream_cluster":"-","downstream_remote_address":"10.254.4.1:46464","path":"/zen","authority":"a.example.com","protocol":"HTTP/2","upstream_service_time":"-","upstream_local_address":"-"}
```

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 18 (3 by maintainers)

Most upvoted comments

@bjwyun

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: jenkins-vs
  namespace: jenkins
spec:
  gateways:
  - jenkins-gw.jenkins
  hosts:
  - '*'
  http:
  - headers:
      request:
        set:
          x-forwarded-port: "443"
          x-forwarded-proto: https
    match:
    - uri:
        prefix: /jenkinsargo
    route:
    - destination:
        host: argojenkins.jenkins.svc.cluster.local
        port:
          number: 8080
```

After adding x-forward port, it’s working fine. Thanks
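
Added example, not from the issue thread or the Istio project: with `tls.mode: SIMPLE` the gateway terminates TLS, so requests are matched by `http` routes (a `tls` route block only applies to unterminated TLS, such as a `PASSTHROUGH` gateway), and a DestinationRule re-originates TLS to nginx on 443. It reuses the resource names from the issue; the DestinationRule name and its `ns1` namespace are assumptions.

```yaml
# Pairs with the issue's Gateway for a.example.com (HTTPS, tls.mode: SIMPLE).
# After termination at the gateway the traffic is plain HTTP inside Envoy,
# so the route lives under `http`, not `tls` or `tcp`.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: nginx-svc
spec:
  hosts:
  - "a.example.com"
  gateways:
  - cpd-nginx-gateway
  http:
  - match:
    - uri:
        prefix: /            # prefix match; `exact: /*` would match only the literal path "/*"
    route:
    - destination:
        host: nginx-svc.ns1.svc.cluster.local
        port:
          number: 443        # nginx HTTPS port, so no HTTP-to-HTTPS redirect loop
---
# Without this rule the gateway would send cleartext HTTP to port 443.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: nginx-svc-tls        # hypothetical name
  namespace: ns1             # assumption: same namespace as the nginx service
spec:
  host: nginx-svc.ns1.svc.cluster.local
  trafficPolicy:
    tls:
      mode: SIMPLE           # gateway originates a new TLS connection to nginx
      sni: a.example.com     # assumption: nginx serves a certificate for this name
      # With no caCertificates set, the proxy does not verify the server
      # certificate. To verify it, mount the issuing CA in the gateway pod and set:
      # caCertificates: <path to CA bundle inside the ingress gateway pod>
      # subjectAltNames:
      # - <SAN expected in the nginx certificate>
```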