Kubernetes Ingress not working while Gateway + VS is OK?

Hi there

I have a recently set up EKS cluster with Istio running. I can expose services using the recommended Gateway + VirtualService. We’ll use that for our services.

But for some third-party software, like Grafana, we would like to just set “ingress.enable: true”, specify a Let’s Encrypt-generated wildcard certificate we have, and be done with it. Except that it doesn’t work. As a workaround we’re dropping a basic GW + VS manifest into every third-party Helm chart… but I’d like to troubleshoot this “Kubernetes ingress not working” thing.

I created a test (helm create test), enabled ingress with the wildcard. Then a curl says

~ ᐅ curl -Lv https://test.company.cloud/       
*   Trying 3.122.144.240:443...
* Connected to test.company.cloud (xxx.xxx.xxx.240) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to test.company.cloud:443 
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to test.company.cloud:443 

Looking at istiod logs

istio-ingressgateway-9648f7447-snckp istio-proxy [2022-04-13T13:36:58.404Z] "- - -" 0 NR filter_chain_not_found - "-" 0 0 17 - "-" "-" "-" "-" "-" - - 10.x.x.7:8443 10.x.x.18:50592 3.122.144.240 -

Here’s the very basic ingress definition

apiVersion: v1
items:
- apiVersion: networking.k8s.io/v1
  kind: Ingress
  metadata:
    labels:
      app.kubernetes.io/instance: test
      app.kubernetes.io/managed-by: Helm
      app.kubernetes.io/name: test
      app.kubernetes.io/version: 1.16.0
      argocd.argoproj.io/instance: test
      helm.sh/chart: test-0.1.0
    name: test
    namespace: test
  spec:
    ingressClassName: istio
    rules:
    - host: test.company.cloud
      http:
        paths:
        - backend:
            service:
              name: test
              port:
                number: 80
          path: /
          pathType: ImplementationSpecific
    - host: test2.company.cloud
      http:
        paths:
        - backend:
            service:
              name: test
              port:
                number: 80
          path: /
          pathType: ImplementationSpecific
    tls:
    - hosts:
      - test.company.cloud
      - test2.company.cloud
      secretName: wildcard-certificate
  status:
    loadBalancer: {}
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

Tried with / without sidecar. With the annotation instead of ingressClassName. With the tls annotation. Nothing worked…
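The gateway log line quoted above is in Istio's default Envoy access-log format, where the `NR` response flag together with `filter_chain_not_found` means the gateway accepted the TCP connection on port 8443 but had no listener filter chain (for HTTPS: no TLS server for that SNI/port) to hand it to, which is why curl sees the connection closed mid-handshake. The parser below is an added example, not code from the original post or from Istio; it assumes the gateway's `meshConfig.accessLogFormat` is unset (default format) and that lines come from `kubectl logs`/stern with an optional "pod container" prefix. The first sample line is the one from the post; the second (a successful request for a hypothetical `grafana.company.cloud` host) is constructed to show the contrast.

```python
"""Parse Istio ingress-gateway access log lines and triage TLS handshake failures.

Added example (not from the original post or Istio). Assumes Istio's default
access-log format; the field order below follows that format.
"""
import re
import shlex

# Fields after the bracketed timestamp and the quoted "METHOD PATH PROTOCOL"
# request line, in Istio's default access-log order.
FIELDS = [
    "response_code", "response_flags", "response_code_details",
    "connection_termination_details", "upstream_transport_failure_reason",
    "bytes_received", "bytes_sent", "duration_ms", "upstream_service_time",
    "x_forwarded_for", "user_agent", "request_id", "authority",
    "upstream_host", "upstream_cluster", "upstream_local_address",
    "downstream_local_address", "downstream_remote_address",
    "requested_server_name", "route_name",
]

_TS = re.compile(r"\[(?P<ts>[^\]]+)\]\s+(?P<rest>.*)$")

# Sample input: line 1 is the one from the post (pod/container prefix included);
# line 2 is CONSTRUCTED to show a healthy HTTPS request in the same format.
SAMPLE_LINES = [
    'istio-ingressgateway-9648f7447-snckp istio-proxy [2022-04-13T13:36:58.404Z] "- - -" 0 NR filter_chain_not_found - "-" 0 0 17 - "-" "-" "-" "-" "-" - - 10.x.x.7:8443 10.x.x.18:50592 3.122.144.240 -',
    'istio-ingressgateway-9648f7447-snckp istio-proxy [2022-04-13T13:40:00.000Z] "GET / HTTP/2" 200 - via_upstream - "-" 0 612 5 4 "203.0.113.7" "curl/7.81.0" "c1b2a3d4-0000-4000-8000-000000000001" "grafana.company.cloud" "10.0.0.9:3000" outbound|80||grafana.monitoring.svc.cluster.local 10.0.0.7:44212 10.0.0.7:8443 203.0.113.7:51234 grafana.company.cloud https.443-grafana',
]


def parse_access_log(line: str) -> dict:
    """Return one access-log line as a dict keyed by field name.

    Raises ValueError when the line does not match the expected layout.
    """
    start = line.find("[")  # skip any "pod container" prefix from kubectl/stern
    if start < 0:
        raise ValueError("no bracketed timestamp in line")
    m = _TS.match(line[start:])
    if not m:
        raise ValueError("malformed timestamp")
    tokens = shlex.split(m.group("rest"))  # quoted fields become single tokens
    if len(tokens) != 1 + len(FIELDS):
        raise ValueError(f"expected {1 + len(FIELDS)} fields, got {len(tokens)}")
    method, path, protocol = tokens[0].split(" ", 2)
    rec = {"start_time": m.group("ts"), "method": method,
           "path": path, "protocol": protocol}
    rec.update(zip(FIELDS, tokens[1:]))
    return rec


def triage(rec: dict) -> str:
    """Map a parsed record to a short classification for the gateway operator."""
    flags = rec["response_flags"].split(",")
    details = rec["response_code_details"]
    if "NR" in flags and details == "filter_chain_not_found":
        # Envoy accepted the connection but no listener filter chain matched
        # it. On an HTTPS port that means no TLS server for this SNI/port, so
        # the handshake never completes (curl reports SSL_ERROR_SYSCALL).
        # Assumption to verify against the Istio docs for your version: for a
        # Kubernetes Ingress, the referenced TLS secret is read from the
        # ingress gateway's own namespace (istio-system by default).
        port = rec["downstream_local_address"].rsplit(":", 1)[-1]
        return (f"no filter chain on gateway port {port} for SNI "
                f"{rec['requested_server_name']!r}: check that a server for "
                f"this host/port and its TLS secret are configured on the gateway")
    if "NR" in flags:
        return f"no route: {details}"
    return f"ok ({rec['response_code']})"


def triage_lines(lines) -> list:
    """Parse and triage each line; returns (timestamp, sni, verdict) tuples."""
    out = []
    for line in lines:
        rec = parse_access_log(line)
        out.append((rec["start_time"], rec["requested_server_name"], triage(rec)))
    return out


if __name__ == "__main__":
    for ts, sni, verdict in triage_lines(SAMPLE_LINES):
        print(f"{ts} sni={sni} -> {verdict}")
```

Run it against `kubectl logs -n istio-system deploy/istio-ingressgateway | python3 parser.py`-style input by feeding stdin lines to `triage_lines`; the requested-server-name field is the one to compare with the host you expect to have served, since a mismatch between the SNI Envoy saw and the hosts configured on the gateway is exactly what produces `filter_chain_not_found`.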