Vinay B

Reputation: 733

HTTPS Ingress with Istio and SDS not working (returns 404) when I configure multiple Gateways

When I configure multiple (gateway - virtual service) pairs in a namespace, each pointing to basic HTTP services, only one service becomes accessible. Calls to the other (typically, the second configured) return 404. If the first gateway is deleted, the second service then becomes accessible.

I raised a GitHub issue a few weeks ago (https://github.com/istio/istio/issues/20661) that contains all my configuration, but there has been no response to date. Does anyone know what I'm doing wrong (if anything)?

Upvotes: 0

Views: 687

Answers (1)

Jakub

Reputation: 8830

Based on that GitHub issue:

The gateway port names have to be unique, if they are sharing the same port. That's the only way we differentiate different RDS blocks. We went through this motion earlier as well. I wouldn't rock this boat unless absolutely necessary.

More about the issue here

I checked it in the Istio documentation, and in fact, if you configure multiple gateways, the name of the first one is https, but the second is https-bookinfo.

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "httpbin.example.com"

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https-bookinfo
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-bookinfo-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-bookinfo-certs/tls.key
    hosts:
    - "bookinfo.com"

EDIT

That's weird, but I have another idea.

There is a GitHub pull request which has the following line in pilot:

routeName := gatewayRDSRouteName(s, config.Namespace)

This change adds namespace scoping to Gateway port names by appending namespace suffix to the HTTPS RDS routes. Port names still have to be unique within the namespace boundaries, but this change makes adding more specific scoping rather trivial.

Could you try making 2 namespaces, like in the example below?

EXAMPLE

apiVersion: v1
kind: Namespace
metadata:
  name: httpbin
  labels:
    name: httpbin
    istio-injection: enabled
---
apiVersion: v1
kind: Namespace
metadata:
  name: nodejs
  labels:
    name: nodejs
    istio-injection: enabled

And deploy everything (deployment, service, virtual service, gateway) in the proper namespace, and let me know if that works?


Could you try changing the hosts from "*" to some names? It's the only thing that came to my mind besides trying serverCertificate and privateKey, but from the comments I assume you have already tried it.

Let me know if that helps.

Upvotes: 1
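
A pre-deployment check for the port-name rule quoted in the answer above, added here as an example (it is not code from the question, the answer, or Istio). It reads Gateway objects in the JSON shape returned by `kubectl get gateways.networking.istio.io -A -o json`; the sample objects are constructed, `find_port_name_clashes` is a hypothetical helper, and `namespace_scoped=True` models the namespace scoping that the quoted pull request describes.

```python
import json
from collections import defaultdict


def _gw(name, ns, port_name, host, number=443):
    """Build one constructed Gateway object for the sample input."""
    return {"kind": "Gateway",
            "metadata": {"name": name, "namespace": ns},
            "spec": {"selector": {"istio": "ingressgateway"},
                     "servers": [{"port": {"number": number, "name": port_name,
                                           "protocol": "HTTPS"},
                                  "hosts": [host]}]}}


# Constructed sample; hostnames other than the two on the page are made up.
SAMPLE = json.dumps({"items": [
    _gw("httpbin-gateway", "default", "https", "httpbin.example.com"),
    _gw("nodejs-gateway", "default", "https", "nodejs.example.com"),
    _gw("bookinfo-gateway", "default", "https-bookinfo", "bookinfo.com"),
    _gw("other-gateway", "nodejs", "https", "other.example.com"),
]})


def find_port_name_clashes(gateway_list_json, namespace_scoped=False):
    """Return {key: [namespace/name, ...]} for every port name that more than
    one Gateway reuses on the same port number.

    Assumption: Gateways only compete when they select the same ingress
    workload, so the selector labels are part of the key.
    """
    seen = defaultdict(set)
    for gw in json.loads(gateway_list_json)["items"]:
        meta, spec = gw["metadata"], gw["spec"]
        ns = meta.get("namespace", "default")
        selector = tuple(sorted(spec.get("selector", {}).items()))
        for server in spec.get("servers", []):
            port = server["port"]
            key = (selector, port["number"], port["name"])
            if namespace_scoped:
                key += (ns,)  # uniqueness only required inside one namespace
            seen[key].add(f"{ns}/{meta['name']}")
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for scoped in (False, True):
        print("namespace-scoped:", scoped)
        for key, gws in find_port_name_clashes(SAMPLE, scoped).items():
            print(f"  port {key[1]} name {key[2]!r} shared by {', '.join(gws)}")
```
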
