I am setting up istio gateway as a NLB loadbalancer service and using NLB to terminate TLS. On the istio gateway side, I have a self-signed certificate. I notice that NLB doesn’t send SNI during TLS handshake to istio gateway and that causes HTTPs requests to fail. Is there a configuration option I can make on the istio gateway side to make this work?
Have you tried setting * as hosts for the GW ? (I’m just thinking out loud here…)
@prune Thanks, we figured it out. ingress gateway matches the most specific host first so “" works for us. Yes, using "” as hosts works for non-SNI traffic. Thanks to @rshriram for the information.
Can you have multiple gateways defined in multiple namespaces with a wildcard “*” for the host?
I have a l7 proxy sitting in front of out ingress gateway to handle a limitation in our NAT implementation.
We NAT public to private ip all with destination address 443. We have a L7 proxy direct to ingress gateway of associated K8s cluster based on host headers.
Unfortunately the L7 Proxy doesn’t support SNI health checks so need a fallback as it does a client TLS connection for whitelisting.
I setup a “healthcheck” gateway / vs / svc / pod to response for the health check of the cluster’s ingress gateway. However when trying to setup another gateway in another namespace on port 443 with a different certificate it receives no traffic. Only the health check gateway with the wildcard host on port 443 is receiving traffic.
I’m using istio 1.5.1.
Any help would be appreciated.
So what was the solution? I tried to use “*” but did not work
Can someone add a sample ingress gateway yaml config that worked for them?
Hi Everyone,
I am using Cloudflare which sends over the traffic to my Istio mesh.
I am stuck with a similar issue where it works on port 80 but fails on port 443.
I have tried using ‘*’ as the hosts, but it didn’t work for me.
Would really appreciate any help here.
Thanks.