When trying to add an HTTPS listener with credentialName: xx-credential and mode: MUTUAL, we are getting the following errors at the proxy with a non-root user.
[2019-11-12 14:30:24.050][18][debug][http] [external/envoy/source/common/http/async_client_impl.cc:109] async http request response trailers:
'grpc-status', '2'
'grpc-message', 'RDS: Failed to generate route http.8443 for node &{Kubernetes router [10.233.123.168] pep-ingressgateway-bd56f67d6-p99dv.pep pep.svc.cluster.local pep map[CONFIG_NAMESPACE:pep ISTIO_META_INSTANCE_IPS:10.233.123.168,10.233.123.168 ISTIO_PROXY_SHA:istio-proxy:a169a0c0cd86b51538c240e2d037fa8f7f5860ae ISTIO_PROXY_VERSION:1.1.3 ISTIO_VERSION:1.1.3 POD_NAME:pep-ingressgateway-bd56f67d6-p99dv ROUTER_MODE:sni-dnat USER_SDS:true istio:sidecar] [0xc000d02a00 0xc000d02b00 0xc000d02c00 0xc000d02d00 0xc000d02e00 0xc000d02e80 0xc000d03000 0xc000d03100 0xc000d03200] [app=pep-ingressgateway,chart=gateways,heritage=Tiller,pod-template-hash=bd56f67d6,release=pep,pep=ingressgateway]}: buildGatewayRoutes: could not find server for routeName http.8443, have map[http.8080:[port:<number:8080 protocol:"HTTP" name:"http" > hosts:"" ] http.8444:[port:<number:8444 protocol:"HTTP" name:"http" > hosts:"" ] http.8445:[port:<number:8445 protocol:"HTTP" name:"http" > hosts:"" ] https.8443.http.pep-ingressgateway.pep:[port:<number:8443 protocol:"HTTPS" name:"http" > hosts:"" tls:<mode:MUTUAL credential_name:"xx-credential" > ]]'
[2019-11-12 14:30:24.050][18][warning][config] [bazel-out/k8-opt/bin/external/envoy/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:86] gRPC config stream closed: 2, RDS: Failed to generate route http.8443 for node &{Kubernetes router [10.233.123.168] pep-ingressgateway-bd56f67d6-p99dv.pep pep.svc.cluster.local pep map[CONFIG_NAMESPACE:pep ISTIO_META_INSTANCE_IPS:10.233.123.168,10.233.123.168 ISTIO_PROXY_SHA:istio-proxy:a169a0c0cd86b51538c240e2d037fa8f7f5860ae ISTIO_PROXY_VERSION:1.1.3 ISTIO_VERSION:1.1.3 POD_NAME:pep-ingressgateway-bd56f67d6-p99dv ROUTER_MODE:sni-dnat USER_SDS:true istio:sidecar] [0xc000d02a00 0xc000d02b00 0xc000d02c00 0xc000d02d00 0xc000d02e00 0xc000d02e80 0xc000d03000 0xc000d03100 0xc000d03200] [app=pep-ingressgateway,chart=gateways,heritage=Tiller,pod-template-hash=bd56f67d6,release=pep,pep=ingressgateway]}: buildGatewayRoutes: could not find server for routeName http.8443, have map[http.8080:[port:<number:8080 protocol:"HTTP" name:"http" > hosts:"" ] http.8444:[port:<number:8444 protocol:"HTTP" name:"http" > hosts:"" ] http.8445:[port:<number:8445 protocol:"HTTP" name:"http" > hosts:"" ] https.8443.http.pep-ingressgateway.pep:[port:<number:8443 protocol:"HTTPS" name:"http" > hosts:"" tls:<mode:MUTUAL credential_name:"xx-credential" > ]]
We are using a non-standard port (8443) for the HTTPS listener and running pilot-agent as a non-root user.
Gateway dump:
apiVersion: v1
items:
- apiVersion: networking.istio.io/v1alpha3
  kind: Gateway
  metadata:
    creationTimestamp: "2019-11-12T14:15:14Z"
    generation: 2
    name: sepp-ingressgateway
    namespace: sepp
    resourceVersion: "10725437"
    selfLink: /apis/networking.istio.io/v1alpha3/namespaces/sepp/gateways/sepp-ingressgateway
    uid: d8b2b38f-0556-11ea-871e-ac162db38004
  spec:
    selector:
      sepp: ingressgateway
    servers:
    - hosts:
      - '*'
      port:
        name: http
        number: 8080
        protocol: HTTP
    - hosts:
      - '*'
      port:
        name: http
        number: 8443
        protocol: HTTPS
      tls:
        credentialName: ocsepp-credential
        mode: MUTUAL
    - hosts:
      - '*'
      port:
        name: http
        number: 8444
        protocol: HTTP
    - hosts:
      - '*'
      port:
        name: http
        number: 8445
        protocol: HTTP
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
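The error above is a lookup miss: the listener asks RDS for `http.8443`, while Pilot has keyed the TLS-terminating server as `https.8443.http.pep-ingressgateway.pep`. The script below is an added example (not code from the post and not Istio's own implementation) that derives the route-name keys from a Gateway spec using exactly the pattern visible in the `have map[...]` output (`http.<port>` for HTTP servers, `https.<port>.<portName>.<gateway>.<namespace>` for HTTPS servers in SIMPLE/MUTUAL mode) and resolves a requested route name against them, listing any server on the same port number when the lookup fails. The gateway dict is constructed from the posted dump; treating PASSTHROUGH and ISTIO_MUTUAL the way the comments say, and the duplicate-port-name lint (Istio's Gateway validation rejects duplicate server port names in later releases; whether 1.1.3 enforces it is not confirmed by the post), are assumptions.

```python
"""Derive Pilot's RDS route names for Gateway servers and resolve a lookup.

Added example, not from the Istio discuss post and not Istio source. The naming
pattern is taken from the route keys printed in the error message.
"""
from collections import Counter

# Constructed from the gateway dump in the post (same ports, hosts, TLS mode).
GATEWAY = {
    "name": "sepp-ingressgateway",
    "namespace": "sepp",
    "servers": [
        {"port": {"name": "http", "number": 8080, "protocol": "HTTP"}, "hosts": ["*"]},
        {"port": {"name": "http", "number": 8443, "protocol": "HTTPS"}, "hosts": ["*"],
         "tls": {"mode": "MUTUAL", "credentialName": "ocsepp-credential"}},
        {"port": {"name": "http", "number": 8444, "protocol": "HTTP"}, "hosts": ["*"]},
        {"port": {"name": "http", "number": 8445, "protocol": "HTTP"}, "hosts": ["*"]},
    ],
}

# Assumption: these TLS modes terminate TLS at the gateway and therefore get an
# HTTP route; PASSTHROUGH is treated as SNI/TCP and gets none.
TLS_TERMINATING_MODES = {"SIMPLE", "MUTUAL", "ISTIO_MUTUAL"}
HTTP_PROTOCOLS = {"HTTP", "HTTP2", "GRPC"}


def route_name(server, gateway_name, namespace):
    """Return the RDS route name Pilot keys this server by, or None if it has no HTTP route."""
    port = server["port"]
    proto = port["protocol"].upper()
    tls_mode = (server.get("tls") or {}).get("mode", "").upper()
    if proto == "HTTPS" and tls_mode in TLS_TERMINATING_MODES:
        # Pattern seen in the error: https.8443.http.pep-ingressgateway.pep
        return f"https.{port['number']}.{port['name']}.{gateway_name}.{namespace}"
    if proto in HTTP_PROTOCOLS:
        # Pattern seen in the error: http.8080, http.8444, http.8445
        return f"http.{port['number']}"
    return None


def route_table(gateway):
    """Map every HTTP-routable server to its route name (the 'have map[...]' in the log)."""
    table = {}
    for server in gateway["servers"]:
        name = route_name(server, gateway["name"], gateway["namespace"])
        if name is not None:
            table[name] = server
    return table


def lookup(gateway, requested):
    """Resolve a route name like buildGatewayRoutes; on a miss, list servers on the same port."""
    table = route_table(gateway)
    if requested in table:
        return {"found": True, "route": requested, "same_port": []}
    port_number = requested.split(".")[1]  # second field is the port in both patterns
    same_port = sorted(n for n in table if n.split(".")[1] == port_number)
    return {"found": False, "route": requested, "same_port": same_port}


def duplicate_port_names(gateway):
    """Lint: port names reused across servers (all four servers in the dump are named 'http')."""
    counts = Counter(s["port"]["name"] for s in gateway["servers"])
    return sorted(name for name, n in counts.items() if n > 1)


if __name__ == "__main__":
    print("route table:", sorted(route_table(GATEWAY)))
    print("lookup http.8443:", lookup(GATEWAY, "http.8443"))
    print("duplicate port names:", duplicate_port_names(GATEWAY))
```

Running it against the posted spec reproduces the miss from the log: `http.8443` is absent and the only server on port 8443 is keyed `https.8443.http.sepp-ingressgateway.sepp`, so whatever built the listener with route name `http.8443` is treating that port as plain HTTP while Pilot's route table treats it as a TLS-terminating HTTPS server.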