
When different Gateways bind to different VIPs, the VIPs can't serve the same host using HTTPS #40268

@flyingyang

Description


Bug Description

We found that when different Gateways bind to different VIPs, the VIPs can't serve the same host using HTTPS.

We have two Istio Gateways bound to different VIPs, 10.0.0.1 and 10.0.0.2, and we expect both gateways to work properly.

```yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: gateway-test-1
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
  - bind: 10.0.0.1
    hosts:
    - '*'
    port:
      name: http-port
      number: 80
      protocol: HTTP
  - bind: 10.0.0.1
    hosts:
    - '*'
    port:
      name: https-port
      number: 443
      protocol: HTTPS
    tls:
      cipherSuites:
      - ECDHE-ECDSA-AES128-GCM-SHA256
      - ECDHE-RSA-AES128-GCM-SHA256
      - ECDHE-ECDSA-AES256-GCM-SHA384
      - ECDHE-RSA-AES256-GCM-SHA384
      minProtocolVersion: TLSV1_2
      mode: SIMPLE
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: gateway-test-2
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
  - bind: 10.0.0.2
    hosts:
    - '*'
    port:
      name: http-port2
      number: 80
      protocol: HTTP
  - bind: 10.0.0.2
    hosts:
    - '*'
    port:
      name: https-port2
      number: 443
      protocol: HTTPS
    tls:
      cipherSuites:
      - ECDHE-ECDSA-AES128-GCM-SHA256
      - ECDHE-RSA-AES128-GCM-SHA256
      - ECDHE-ECDSA-AES256-GCM-SHA384
      - ECDHE-RSA-AES256-GCM-SHA384
      minProtocolVersion: TLSV1_2
      mode: SIMPLE
```

However, when we did the data plane test, we got the following results.

| port | 10.0.0.1 | 10.0.0.2 |
|------|----------|----------|
| 80   | pass     | pass     |
| 443  | pass     | failed   |

We checked the ingressgateway pod's TCP listeners and found that ingressgateway doesn't listen on 10.0.0.2:8443:

```
# netstat -nlpt
tcp        0      0 10.0.0.1:8080       0.0.0.0:*               LISTEN      31/envoy
tcp        0      0 10.0.0.1:8443       0.0.0.0:*               LISTEN      31/envoy
tcp        0      0 10.0.0.2:8080       0.0.0.0:*               LISTEN      31/envoy
```

Then we tried changing the hosts in gateway-test-2 to 'abc.com', and the ingressgateway listens on 10.0.0.2:8443:

```
# netstat -nlpt
tcp        0      0 10.0.0.1:8080       0.0.0.0:*               LISTEN      31/envoy
tcp        0      0 10.0.0.1:8443       0.0.0.0:*               LISTEN      31/envoy
tcp        0      0 10.0.0.2:8080       0.0.0.0:*               LISTEN      31/envoy
tcp        0      0 10.0.0.2:8443       0.0.0.0:*               LISTEN      31/envoy
```

Version

istio version: 1.10
kubectl version: 1.18.8

Additional Information

No response
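The collision and the missing listener described in this report can be checked both before applying the Gateways and after, on the pod. The following is an added example, not code from the issue or from the Istio project: it flags HTTPS/TLS servers that repeat the same port and host set on different bind addresses, and diffs the listeners expected from the Gateways against `netstat -nlpt` output. It assumes the 80->8080 and 443->8443 mapping seen in the report's netstat output; the Gateway dicts and netstat text are constructed from the report.

```python
import re
from collections import defaultdict

# Assumption taken from the report's netstat output: the ingress pod maps
# service ports 80/443 to listener ports 8080/8443.
PORT_MAP = {80: 8080, 443: 8443}

# Constructed sample mirroring the two Gateways in the report.
GATEWAYS = [
    {"name": "gateway-test-1", "servers": [
        {"bind": "10.0.0.1", "hosts": ["*"], "port": {"number": 80, "protocol": "HTTP"}},
        {"bind": "10.0.0.1", "hosts": ["*"], "port": {"number": 443, "protocol": "HTTPS"}},
    ]},
    {"name": "gateway-test-2", "servers": [
        {"bind": "10.0.0.2", "hosts": ["*"], "port": {"number": 80, "protocol": "HTTP"}},
        {"bind": "10.0.0.2", "hosts": ["*"], "port": {"number": 443, "protocol": "HTTPS"}},
    ]},
]

# Constructed sample of `netstat -nlpt` from the report (10.0.0.2:8443 absent).
NETSTAT = """\
tcp        0      0 10.0.0.1:8080       0.0.0.0:*               LISTEN      31/envoy
tcp        0      0 10.0.0.1:8443       0.0.0.0:*               LISTEN      31/envoy
tcp        0      0 10.0.0.2:8080       0.0.0.0:*               LISTEN      31/envoy
"""

LISTEN_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+:\d+)\s+\S+\s+LISTEN", re.M)

def tls_collisions(gateways):
    """Return {(port, hosts): [binds]} for HTTPS/TLS servers whose port and
    host set repeat on more than one bind address. Plain HTTP servers are
    skipped because the report shows port 80 serving fine on both binds."""
    binds = defaultdict(set)
    for gw in gateways:
        for srv in gw["servers"]:
            if srv["port"]["protocol"] not in ("HTTPS", "TLS"):
                continue
            binds[(srv["port"]["number"], tuple(sorted(srv["hosts"])))].add(srv["bind"])
    return {key: sorted(b) for key, b in binds.items() if len(b) > 1}

def expected_listeners(gateways):
    """Every ip:port the ingress pod should hold open for these Gateways."""
    return {f"{s['bind']}:{PORT_MAP[s['port']['number']]}"
            for gw in gateways for s in gw["servers"]}

def missing_listeners(netstat_output, gateways):
    """Expected listeners that do not appear in `netstat -nlpt` output."""
    return sorted(expected_listeners(gateways) - set(LISTEN_RE.findall(netstat_output)))
```

Running `tls_collisions` on the two Gateways reports the 443 / `*` pair on both binds, and `missing_listeners` against the first netstat capture returns `10.0.0.2:8443`, matching the failed cell in the table above.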
