0

I have two separate applications that I need to deploy and I've noticed that the routing is only working for either one. The Gateways/VirtualServices are deployed in different namespaces. Here are the configs:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: foo-gateway
  namespace: foo
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
      - foo.example.com
      tls:
        httpsRedirect: true
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: wildcard-tls
      hosts:
      - foo.example.com
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: foo-vs
  namespace: foo
spec:
  hosts:
  - foo.example.com
  gateways:
  - foo-gateway
  http:
  - route:
    - destination:
        host: foo.default.svc.cluster.local
        port:
          number: 8080

And my other app:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: "bar-gateway"
  namespace: bar
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
      - bar.example.com
      tls:
        httpsRedirect: true
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: wildcard-tls
      hosts:
      - bar.example.com
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: bar-vs
  namespace: bar
spec:
  hosts:
  - bar.example.com
  gateways:
  - bar-gateway
  http:
  - name: "bar-route"
    match:
    - uri:
        prefix: "/api/bar/"
    route:
    - destination:
        host: "bar.bar.svc.cluster.local"
        port:
          number: 8000

Envoy logs:

[2021-11-09T14:55:21.512Z] "GET /auth/ HTTP/2" 404 NR route_not_found - "-" 0 0 0 - "10.0.100.49" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36" "2abf2054-2fa0-4749-dca6-9143a3c36828" "foo.example.com" "-" - - 10.0.100.124:8443 10.0.100.49:55097 bar.example.com

Whichever Gateway/VS pair gets deployed first, it's the one that is working properly. What could be the issue here? The only common thing that I can see if the same certificate (wildcard) used for both gateways but I'm not sure if that's the problem. What could it be? I've read a similar problem on istio's github page however it was marked as resolved with a newer version. My istio version:

client version: 1.11.4
control plane version: 1.11.4
data plane version: 1.11.4 (1 proxies)
dywan666
  • 385
  • 8
  • 14
  • Just to make sure, both namespaces have istio injection enabled? Which version of kubernetes are you using? –  Nov 10 '21 at 08:15
  • No, why is istio injection needed here? I'm running kubenetes 1.21.2 – dywan666 Nov 10 '21 at 12:11
  • There is similar question on SO [here](https://stackoverflow.com/questions/67137746/istio-ingress-gateway-404-nr-route-not-found), with quite brutal, but working solution. Do you think it would solve your issue? –  Nov 10 '21 at 12:45
  • I've found that this behaviour is caused by using a wildcard certificate. The solution is to have only a single gateway and multiple virtual services pointing to it. Only then the traffic is routed properly. – dywan666 Dec 07 '21 at 17:33

0 Answers0