I am setting up istio gateway as an NLB loadbalancer service and using the NLB to terminate TLS. On the istio gateway side, I have a self-signed certificate. I notice that the NLB doesn’t send SNI during the TLS handshake to the istio gateway and that causes HTTPS requests to fail. Is there a configuration option I can make on the istio gateway side to make this work?
Have you tried setting `*` as hosts for the GW? (I’m just thinking out loud here…)
Can you have multiple gateways defined in multiple namespaces with a wildcard “*” for the host?
I have an L7 proxy sitting in front of our ingress gateway to handle a limitation in our NAT implementation.
We NAT public to private IP, all with destination port 443. We have an L7 proxy direct traffic to the ingress gateway of the associated K8s cluster based on host headers.
Unfortunately the L7 proxy doesn’t support SNI health checks, so we need a fallback, as it makes a client TLS connection for whitelisting.
I set up a “healthcheck” gateway / vs / svc / pod to respond to the health check of the cluster’s ingress gateway. However, when trying to set up another gateway in another namespace on port 443 with a different certificate, it receives no traffic. Only the health check gateway with the wildcard host on port 443 is receiving traffic.
I’m using istio 1.5.1.
Any help would be appreciated.
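The layout both posts describe, written out as an added example (this is illustrative configuration, not either poster’s manifests and not anything from the Istio project): one fallback Gateway with `hosts: ["*"]`, the setting suggested in the reply above, plus a second Gateway in another namespace on the same port 443 with its own certificate, each with a VirtualService bound to it. Namespaces, hostnames, service names and secret names are assumptions.

```yaml
# Added example: two Gateways bound to the same istio-ingressgateway workload
# on port 443. Namespaces, hostnames, service and secret names are assumptions
# for illustration, not values from the original posts.
#
# 1) Fallback Gateway with hosts "*". In Envoy's filter-chain matching the
#    wildcard server becomes the chain with no server_names restriction, so it
#    is where a client that sends no SNI (a health checker, or an L4 load
#    balancer re-originating TLS) lands.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: healthcheck-gateway
  namespace: healthcheck            # assumed namespace
spec:
  selector:
    istio: ingressgateway           # label of the default ingress gateway workload
  servers:
  - port:
      number: 443
      name: https-healthcheck       # port name: unique within this Gateway
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      mode: SIMPLE
      # Assumed kubernetes.io/tls secret in istio-system holding the
      # self-signed cert/key, e.g. created with:
      #   kubectl -n istio-system create secret tls healthcheck-cert \
      #     --cert=tls.crt --key=tls.key
      credentialName: healthcheck-cert
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: healthcheck
  namespace: healthcheck
spec:
  hosts:
  - "*"                             # "*" is permitted here because the VS is gateway-bound
  gateways:
  - healthcheck-gateway
  http:
  - match:
    - uri:
        exact: /healthz             # assumed health check path
    route:
    - destination:
        host: healthcheck.healthcheck.svc.cluster.local   # assumed service
        port:
          number: 8080
---
# 2) Application Gateway in another namespace, same port 443, own certificate.
#    Its hosts must differ from the wildcard server's so the two servers are
#    merged into separate SNI-matched filter chains instead of conflicting.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: app-a-gateway
  namespace: app-a                  # assumed namespace
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https-app-a
      protocol: HTTPS
    hosts:
    - "app-a.example.com"           # assumed hostname
    tls:
      mode: SIMPLE
      credentialName: app-a-cert    # assumed secret in istio-system
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: app-a
  namespace: app-a
spec:
  hosts:
  - "app-a.example.com"
  gateways:
  - app-a-gateway
  http:
  - route:
    - destination:
        host: app-a.app-a.svc.cluster.local               # assumed service
        port:
          number: 8080
```

Istio merges the servers of every Gateway whose selector matches the same ingress workload, so two servers on port 443 need distinct `hosts` or only one of them takes effect. Two checks worth running after applying this: `istioctl analyze -A` for Gateway/VirtualService misconfiguration warnings, and `istioctl proxy-config listener <ingressgateway-pod> -n istio-system --port 443 -o json` to confirm that the 443 listener carries a filter chain whose `server_names` contains `app-a.example.com` alongside the unrestricted wildcard chain. If only the wildcard chain is present, the second server was not merged in, and a client presenting `app-a.example.com` as SNI will be handed the wildcard certificate instead.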