We’re currently running Istio version 1.7.6 and I’m trying to figure out the correct way to make the istio-gateway service listen only on the https port (=443), or at least not listen on port 80. I’ve tried adding
which, presumably, is because the gateway is now running as non-root. I think this is because setting ports in the istio operator file also affects the istio-ingressgateway deployment, not just the public service. So I’m taking this to mean that I’m not really on the right track by manipulating the ports directly in this way. Is there some other, better way to make the public service only listen on the https port?
There is also a second part to this, though: when you create an Istio Gateway CRD and matching VirtualService, you need to make sure it is also not on port 80.
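The two halves of that answer written out as manifests, as an added example that is not from this thread or from the Istio project: an IstioOperator overlay whose ingress gateway Service exposes only the https port and the status port, and a Gateway plus VirtualService that reference only the 443 server. The port numbers follow the Istio 1.7 defaults for a non-root gateway (8443 behind 443, 15021 for readiness); the resource names, host, backend and the TLS secret name are placeholders.

```yaml
# Added example, not from the thread or from the Istio project.
# Assumes Istio 1.7 defaults: the gateway runs non-root and listens on
# 8443 (https) and 15021 (status/readiness). Names below are placeholders.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: istiocontrolplane
spec:
  profile: default
  components:
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        service:
          type: LoadBalancer
          # This list replaces the profile's default port list, so leaving
          # out the http2/80 entry removes port 80 from the public Service.
          ports:
          - name: status-port     # readiness/health-check port; keep it
            port: 15021
            targetPort: 15021
          - name: https
            port: 443
            targetPort: 8443      # non-root proxy cannot bind 443 itself
---
# Gateway with a single HTTPS server. No server on port 80, not even an
# httpsRedirect one: a Gateway server on 80 with no matching Service port
# is the situation the thread ends up diagnosing (the proxy tries to bind
# 80 directly and, being non-root, fails).
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: public-gateway          # placeholder name
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      # placeholder: TLS secret must live in the gateway's namespace
      # (istio-system) for the 1.7 SDS-based credential lookup
      credentialName: public-tls
    hosts:
    - "www.example.com"         # placeholder host
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: public-vs               # placeholder name
  namespace: default
spec:
  hosts:
  - "www.example.com"
  gateways:
  - istio-system/public-gateway
  http:
  - route:
    - destination:
        host: frontend            # placeholder backend Service
        port:
          number: 8080
```

Install the operator file with istioctl install -f, then confirm the Service no longer lists port 80. Because every Gateway in the cluster that selects istio: ingressgateway feeds the same proxy, also list Gateways across all namespaces (kubectl get gateways.networking.istio.io --all-namespaces -o yaml) and look for any server with number: 80 before removing the Service port; a forgotten one in another namespace is enough to leave the new gateway pod unable to start.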
Thanks for the reply @nick_tetrate! We did something similar by putting http2 on a “hard to guess” non-standard port instead of port 80. But what we really would like to accomplish is to not have the port open at all. Our security people are upset with us having a non-encrypted port open, no matter whether any gateway is actually using it.
Yeah, that’s what I thought the code in my original post did. But then I got the cannot bind '0.0.0.0:80': Permission denied error in istiod and the newly started istio-ingressgateway hung.
I didn’t try with status-port included, though. Is that one obligatory to include in the service? I will try tomorrow when I’m back at work. Many thanks for your help!
Switched to an ingressGateway very much like in the latest example but still encountered the problem. So I figured that the other suggestion about the Gateway CRD must be the key, and indeed it was: I found an old Gateway CRD that referenced port 80 in an unexpected namespace. Removed it and everything works just fine. Again, many thanks for your help @nick_tetrate!