I have Istio 1.2.2 installed using Helm, on GKE.
I use the same ingressgateway config for port 443 and 31500.
Somehow, I am able to connect to my service via port 31500 but not 443 (also, I cannot use port 80 for the service without HTTPS setup).
By extreme luck, I came across this solution, Istio Ingress TLS key management use ACM · Issue #6566 · istio/istio · GitHub, which says I need to disable k8sIngress. I followed it and somehow it succeeded.
In the past I followed this topic to work with cert-manager: Istio / cert-manager
The questions are:
- What is the root cause of the issue? Maybe disabling k8sIngress is just a workaround.
- What can I do to provide more context about this issue?
- Is it OK to disable k8sIngress while still using cert-manager? Does cert-manager need to have an ingress when renewing certs?
```yaml
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: {{ include "my-app.fullname" . }}
  labels:
{{ include "my-app.labels" . | indent 4 }}
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "{{ .Values.publicAddresses.api }}"
    tls:
      credentialName: cert-{{ .Values.publicAddresses.api }}
      mode: SIMPLE
      privateKey: sds
      serverCertificate: sds
  - port:
      number: 31500
      name: grpc-api
      protocol: HTTPS
    hosts:
    - "{{ .Values.publicAddresses.api }}"
    tls:
      credentialName: cert-{{ .Values.publicAddresses.api }}
      mode: SIMPLE
      privateKey: sds
      serverCertificate: sds
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: {{ include "my-app.fullname" . }}
  labels:
{{ include "my-app.labels" . | indent 4 }}
spec:
  hosts:
  - "{{ .Values.publicAddresses.api }}"
  gateways:
  - {{ include "my-app.fullname" . }}
  http:
  - match:
    - uri:
        prefix: /manabie.bob
    route:
    - destination:
        host: {{ .Release.Name }}-bob
        port:
          number: 5050
  - match:
    - uri:
        prefix: /manabie.tom
    route:
    - destination:
        host: {{ .Release.Name }}-tom
        port:
          number: 5050
```