SDS ingress TLS not working (404) when multiple gateways configured with different secrets

Raised an issue on github https://github.com/istio/istio/issues/20661 but was hoping to get some advice / recommendations here.

Details in the github issue but in short.

  • Create 2 istio secrets
  • Configure 2 gateway virtual service pairs pointing to 2 different applications
  • Each gateway points to a unique secret (using SDS)
  • Only one application is accessible.
  • Calls to the other return 404.
  • As long as only one gateway (it doesn’t matter which one) is configured with a secret, it will work. The moment two are configured, one will stop working.

Thoughts / Help ?

So just to confirm, are the certs different for each app? Or wildcard certs? This is an old issue but something we ran into. https://github.com/istio/istio/issues/6046

As we want to provide an easy experience for apps onboarding to our platform and have TLS by default in the environment for their endpoints, but it means one master gateway only that everyone shares and no ability to create gateways per namespace.

We have many Gateways and many secrets and everything works. I had this issue with Chrome. Incognito mode helped or try to disable extensions.

I tried this with curl itself and failed. I raised another issue on another manifestation of the same issue, … namely the wrong server certificate is presented. There is a CLI session that shows the wrong cert being presented as well as my gateway and virtual service configs https://github.com/istio/istio/issues/21077

Does anything look different from what you are doing? I used wildcards for the hosts field in the gateway and virtual service, but that shouldn’t cause the wrong certificate to be presented.

@Tomas_Kohout - would you mind trying a similar config to mine if you feel things work in your environment? The issue should be very easy to duplicate. I have replicated it in Istio 1.4.3 and 1.4.4.

The certs are different for each app (I remember an old issue which required that the certs be unique)

The certs are not wildcard. For what it’s worth,

we had to move to a single wildcard gateway. :slight_smile:


Are multiple wildcarded gateways not supported by Istio? I get the same results when using volume mounted secrets too.

There mustn’t be a host name clash. Then I suppose it should work.
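To make the "host name clash" point concrete, here is an added example (not configuration from the thread or from the Istio project) of two Gateways that share the default ingress gateway deployment but each present their own SDS-backed certificate. Hostnames (`app-a.example.com`, `app-b.example.com`), secret names (`app-a-tls`, `app-b-tls`), namespaces and service names are assumed placeholders. The key property is that the two `hosts` lists on port 443 do not overlap: if both Gateways declared `"*"` (or the same wildcard such as `"*.example.com"`) on the same port, the ingress gateway would have two server entries matching the same SNI and only one certificate could win, which is consistent with the 404 / wrong-certificate symptoms described above.

```yaml
# Added example, not from the original thread. Placeholders: hostnames,
# secret names, namespaces and service names are assumed.
#
# Gateway for application A. The TLS secret "app-a-tls" is a Kubernetes
# TLS secret in the istio-system namespace (where the ingress gateway
# pod runs), fetched by the gateway through SDS via credentialName.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: app-a-gateway
  namespace: app-a
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 443
        name: https-app-a
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: app-a-tls
      hosts:
        - "app-a.example.com"   # distinct FQDN: no overlap with app-b below
---
# Gateway for application B, same ingress deployment, different secret.
# Do NOT use "*" here: a catch-all host on 443 would clash with app-a.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: app-b-gateway
  namespace: app-b
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 443
        name: https-app-b
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: app-b-tls
      hosts:
        - "app-b.example.com"
---
# VirtualService bound to Gateway A only. The hosts here must match the
# Gateway's hosts, and the gateway is referenced as <namespace>/<name>.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: app-a
  namespace: app-a
spec:
  hosts:
    - "app-a.example.com"
  gateways:
    - app-a/app-a-gateway
  http:
    - route:
        - destination:
            host: app-a.app-a.svc.cluster.local   # assumed backing Service
            port:
              number: 8080
```

A quick check that the right certificate is served for each name, independent of browser caching or extensions, is `openssl s_client -connect <ingress-ip>:443 -servername app-a.example.com` (and again with `app-b.example.com`): the `subject`/`issuer` lines printed for the two SNI values should differ and match the respective secrets. If both names return the same certificate, look for a second Gateway whose `hosts` on port 443 overlap the one you expected to match.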

But I use sds.
