istio: tls.httpsRedirect doesn't work in Gateway resources
What I did: installed sample bookinfo app using Istio (via Helm chart from release-0.8 branch with istionightly:nightly-release-0.8 images) on GKE 1.9.6-gke.1, and tried using this Gateway:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - bookinfo.example.com
    tls:
      httpsRedirect: true
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - bookinfo.example.com
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/istio-ingress-certs/tls.crt
      privateKey: /etc/istio/istio-ingress-certs/tls.key
```
Expected behavior: http request returns 302, https 200

Actual behavior: both http and https requests return 200
About this issue
- State: closed
- Created 6 years ago
- Reactions: 2
- Comments: 38 (9 by maintainers)
The same issue here with a 0.8 cluster on 1.10.4 on GKE
I made the redirect work using protocol HTTP2 instead of just HTTP (Istio 1.2.0). Example from my helm chart:
I followed the following process to resolve this and have the redirect running currently:
I started by resetting the ingress IP and ports as it might have been the case that values were cleared between sessions.
https://istio.io/docs/tasks/traffic-management/ingress/#determining-the-ingress-ip-and-ports-when-using-an-external-load-balancer
I then followed the default setup for configuring the ingress gateway using the httpbin example until I was able to complete this curl:
https://istio.io/docs/tasks/traffic-management/ingress/#configuring-ingress-using-an-istio-gateway
curl -I -HHost:httpbin.example.com http://$INGRESS_HOST:$INGRESS_PORT/status/200
This confirmed that my ingress host and port values were set as well.
At this point I also had the httpbin service and deployment running.
All of this was done in a user created namespace with mutual tls.
I then tested this to ensure that tls redirect was working.
Once I confirmed that, I switched to my own gateway and virtual service files while using the prefixes from the httpbin virtual services to test the status responses.
To begin with, I set all hosts to “*” as described here:
https://istio.io/docs/tasks/traffic-management/ingress/#accessing-ingress-services-using-a-browser
This gave me files like this which allowed my domain to have the https redirect:
This was the first time that my domain had the redirect. I was then able to shift the host files away from using the catch all values and to using my specific domain. The final files were these which currently allow the redirect.
Just tested this on the recently released 0.8.0, here are the results (using 1.9.7-gke.1 with either COS or ubuntu nodes):
- Recv failure: Connection reset by peer instead of 200 for http/80 requests
- httpsRedirect: true to httpsRedirect: false still responds with Recv failure: Connection reset by peer
- tls.httpsRedirect returns (as it should) 200

I believe this issue is caused by default gateway ‘istio-autogenerated-k8s-ingress’, which is installed by the chart. When I remove this gateway, https redirect on my custom gateway starts to work as expected.
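
The overlap the last comment describes can be checked across all Gateways before deploying. The script below is an added example, not code from the issue thread or the Istio project: it flags a plaintext server that shares selector, port and host with a server that sets `tls.httpsRedirect` but does not redirect itself. The second Gateway's namespace, selector, port and hosts are constructed for illustration, and treating only identical selectors as the same workload is a simplifying assumption.

```python
import json
from collections import defaultdict

# Constructed sample shaped like `kubectl get gateways.networking.istio.io -A -o json`.
# The second Gateway's namespace, selector, port and hosts are assumptions, not from the page.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "bookinfo-gateway"},
  "spec": {"selector": {"istio": "ingressgateway"}, "servers": [
   {"port": {"number": 80, "name": "http", "protocol": "HTTP"},
    "hosts": ["bookinfo.example.com"], "tls": {"httpsRedirect": true}},
   {"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
    "hosts": ["bookinfo.example.com"], "tls": {"mode": "SIMPLE"}}]}},
 {"metadata": {"name": "istio-autogenerated-k8s-ingress", "namespace": "istio-system"},
  "spec": {"selector": {"istio": "ingressgateway"}, "servers": [
   {"port": {"number": 80, "name": "http", "protocol": "HTTP"}, "hosts": ["*"]}]}}
]}
""")

def hosts_overlap(a, b):
    """True if two Gateway host patterns can match the same Host header."""
    if a == b or "*" in (a, b):
        return True
    return any(w.startswith("*.") and o.endswith(w[1:]) for w, o in ((a, b), (b, a)))

def redirect_conflicts(gateway_list):
    """Return (port, redirecting gateway, non-redirecting gateway, shared hosts)
    for plaintext servers that overlap a server with tls.httpsRedirect set."""
    by_listener = defaultdict(list)
    for gw in gateway_list.get("items", []):
        name = f'{gw["metadata"].get("namespace", "default")}/{gw["metadata"]["name"]}'
        # Simplification: only identical selectors count as the same workload.
        selector = tuple(sorted(gw["spec"].get("selector", {}).items()))
        for srv in gw["spec"].get("servers", []):
            redirect = bool(srv.get("tls", {}).get("httpsRedirect", False))
            by_listener[(selector, srv["port"]["number"])].append((name, srv, redirect))
    findings = []
    for (_, port), entries in by_listener.items():
        for r_name, r_srv, r_flag in entries:
            for p_name, p_srv, p_flag in entries:
                if not r_flag or p_flag or p_srv["port"]["protocol"] not in ("HTTP", "HTTP2"):
                    continue
                shared = sorted({h for h in r_srv["hosts"]
                                 for o in p_srv["hosts"] if hosts_overlap(h, o)})
                if shared:
                    findings.append((port, r_name, p_name, shared))
    return findings

if __name__ == "__main__":
    for port, wants, shadows, hosts in redirect_conflicts(SAMPLE):
        print(f"port {port}: {shadows} serves {hosts} with no redirect; {wants} sets httpsRedirect")
```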