Custom Gateways for multiple environments/hosts

I’m new to Istio and still trying to wrap my head around how the custom gateways connect to the default istio-ingressgateway. My aim is to configure the cluster/Istio into different namespaces for separate environments, reflecting a separate subdomain, e.g. dev.example.com, test.example.com, prod.example.com. I’ve been spinning my wheels trying to get this to work and only get 404 responses. From my understanding of the docs, and tutorials/examples online, having the gateway reference the istio-ingressgateway (selector: istio: ingressgateway) should be enough for a custom gateway to be “added on” and the virtual services can then point to the custom gateway, the custom gateway can reference the TLS cert, and all of that can be contained in the same namespace. This would seem the most ideal setup for multiple environments in order to install/upgrade each independently through Helm with 1 set of templates.

Clearly there’s something I’m missing. Does each custom gateway need a corresponding service of the same name? Do the custom gateways (and therefore the issuers/certificates for TLS) need to be in the same namespace as the istio-ingressgateway? Do I even need the istio-ingressgateway (I’ve tried removing it, but my custom gateway does not get assigned an external IP; I tried installing Istio with the minimal profile and still get the same result)? I have not been able to find any clear answers online, and I certainly cannot be the only person struggling with this… or maybe I am just missing something so simple…

Any guidance would be greatly appreciated.

Hey @joznox
So, it is correct that the GW does not need to be in the same ns as the Ingress deployment.
Now, the 404 may indicate the host header is not properly set or the VirtualService attached to the GW is not matching the given path.
Notice how in the first example I’ve set header "host: httpbi.com" (I missed the last n)

  —————»  ns:httpbin-a ❯ curl http://127.0.0.1:8080/status/201 -H"host: httpbi.com" -v -s -o /dev/null                           
*   Trying 127.0.0.1:8080...
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> GET /status/201 HTTP/1.1
> Host: httpbi.com
> User-Agent: curl/7.81.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< date: Mon, 18 Dec 2023 07:04:01 GMT
< server: istio-envoy
< content-length: 0
< 
* Connection #0 to host 127.0.0.1 left intact
[8:04:01] ~ ()
  —————»  ns:httpbin-a ❯ curl http://127.0.0.1:8080/status/201 -H"host: httpbin.com" -v -s -o /dev/null 
*   Trying 127.0.0.1:8080...
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> GET /status/201 HTTP/1.1
> Host: httpbin.com
> User-Agent: curl/7.81.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 201 Created
< server: istio-envoy
< date: Mon, 18 Dec 2023 07:04:06 GMT
< content-type: text/html; charset=utf-8
< access-control-allow-origin: *
< access-control-allow-credentials: true
< content-length: 0
< x-envoy-upstream-service-time: 16
< 
* Connection #0 to host 127.0.0.1 left intact

I’d recommend you to check the header and to make sure the host+route you’re using is correct in the GW+VS.

Note: heads up on the change of this forum moving to GitHub Discussions: Archive discuss.istio.io by 12/20/2023
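The host and route check recommended in the reply, as an added example that is not part of the original thread and not Istio's own code: a simplified Python model of the conditions a request must satisfy across a Gateway and its VirtualService before it is routed instead of answered with a 404. The manifests are constructed; the Gateway name `httpbin-gateway`, the destination service and its port are assumptions, while the namespace, hosts and path come from the curl runs above.

```python
# Added example: simplified model of Gateway/VirtualService matching, not Istio's code.
# Constructed manifests; "httpbin-gateway", the service name and port are hypothetical.
GATEWAY = {
    "metadata": {"name": "httpbin-gateway", "namespace": "httpbin-a"},
    "spec": {"selector": {"istio": "ingressgateway"},
             "servers": [{"port": {"number": 80, "name": "http", "protocol": "HTTP"},
                          "hosts": ["httpbin.com"]}]},
}
VIRTUAL_SERVICE = {
    "metadata": {"name": "httpbin", "namespace": "httpbin-a"},
    "spec": {"hosts": ["httpbin.com"], "gateways": ["httpbin-gateway"],
             "http": [{"match": [{"uri": {"prefix": "/status"}}],
                       "route": [{"destination": {"host": "httpbin",
                                                  "port": {"number": 8000}}}]}]},
}


def host_match(pattern, host):
    """Exact or leading-wildcard match; drops the optional 'namespace/' prefix."""
    pattern = pattern.split("/")[-1].lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def diagnose(gw, vs, host_header, path):
    """Return 'routed' or the first reason the request would get a 404."""
    host = host_header.split(":")[0].lower()  # ignore an optional :port
    vs_ns = vs["metadata"]["namespace"]
    # A bare gateway name resolves in the VirtualService's own namespace.
    refs = {r if "/" in r else f"{vs_ns}/{r}" for r in vs["spec"].get("gateways", [])}
    if f'{gw["metadata"]["namespace"]}/{gw["metadata"]["name"]}' not in refs:
        return "404: VirtualService is not bound to this Gateway"
    gw_hosts = [h for s in gw["spec"]["servers"] for h in s["hosts"]]
    if not any(host_match(h, host) for h in gw_hosts):
        return "404: Host header matches no Gateway server host"
    if not any(host_match(h, host) for h in vs["spec"]["hosts"]):
        return "404: Host header matches no VirtualService host"
    for rule in vs["spec"].get("http", []):
        # A rule without a match block accepts every path; only uri.prefix is modelled.
        matches = rule.get("match")
        if not matches or any(path.startswith(m["uri"]["prefix"]) for m in matches):
            return "routed"
    return "404: no HTTP route matches the path"


if __name__ == "__main__":
    for h in ("httpbi.com", "httpbin.com"):  # the two Host headers from the curl runs
        print(h, "->", diagnose(GATEWAY, VIRTUAL_SERVICE, h, "/status/201"))
```

Running the same function over the manifests rendered for each environment (dev, test, prod) shows which of the four conditions a 404 comes from before anything is applied to the cluster.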