SDS ingress TLS not working (404) when multiple gateways configured with different secrets

Raised an issue on github https://github.com/istio/istio/issues/20661 but was hoping to get some advice / recommendations here.

Details in the github issue but in short.

• Create 2 istio secrets
• Configure 2 gateway virtual service pairs pointing to 2 different applications
• Each gateway points to a unique secret (using SDS)
• Only one application is accessible .
• Calls to the other return 404 .
• As long as only once gateway (it oesn’t matter which one) is configured with a secret, it will work. The moment two are configured, one willl stop working.

Thoughts / Help ?

So just to confirm are the certs different for each app? Or wild card certs? This is an old issue but something we ran into. https://github.com/istio/istio/issues/6046

As we want to provide an easy experience for apps on boarding to our platform and have tls by default in the environment for their endpoints but it means one master gateway only that everyone shares and no ability to create gateways per namespace

We have many Gateways and many secrets and everything works. I had this issue with Chrome. Incognito mode helped or try to disable extensions.

I tried this with curl itself and failed . I raised another issue on another manifestation of the same issue, … namely the wrong server certificate is presented . There is a CLi session that shows the wrong cert being presented as well as my gateway and virtual service configs https://github.com/istio/istio/issues/21077

Does anything look different from what you are doing. I used wildcards for the hosts field in the gateway and virtual service but that shouldn’t cause the wrong certificate to be presented

@Tomas_Kohout - would you mind trying a similar config to mine if you feel things work in your environment. The issue should be very easy to duplicate . I have replicated it in Istio 1.4.3 and 1.4.4

The certs are different for each app (I remember an old issue which required that the certs be unique)

The certs are not wildcard. For what it’s worth,

• We have various groups of services, and for that reason intended to provide a gateway for each group (hence the requirement)
• I generated certificates using the mtls-go example as described here https://istio.io/docs/tasks/traffic-management/ingress/secure-ingress-sds/#generate-client-and-server-certificates-and-keys
• I used totally fictitious host names etc ./generate.sh some.host.com . I wildcarded the host entries in the gateway and virtual service so the entry in the certificate shouldn’t matter.

We had to move to single wildcard gateway.

Are multiple wildcarded gateways not supported by Istio? I get the same results when using volume mounted secrets too.

There mustn’t be a host name clash. Then I suppose it should work.

But I use sds.