What is the default Istio IngressGateway for & should it support httpsRedirect?

I could use some guidance on the right way to use the ingressgateway component installed by default with Istio.

In versions of Istio prior to 1.4, we were deploying a separate gateway object with HttpsRedirect to direct all http traffic to https.

I believe it was when we started using istioctl for install (but could be misremembering), that a default ingressgateway was created which includes port 80 with no ability to set a redirect. If I disable this gateway using the istio operator api it turns off lots of other (potentially important) things, but it was conflicting with our other gateway, so we removed the port 80 bits from ours. No more https redirect.

What’s the “right” approach to doing this? Is the ingressgateway simply meant to be a quick start or is it meant to be the template we use to create our gateway? Is the httpsRedirect simply missing and will be added later, or is it omitted for a reason?

Search for httpsRedirect redirect. :slight_smile:

Thanks, I probably didn’t communicate this clearly. I do know what the Gateway does and that it supports redirect. I mean specifically the ingressgateway instance which Istio now creates when installing using the default configuration profile. It already has a port 80 section defined, and afaik no way to provide an httpsRedirect…

1 Like

do you have an example of what is disabled if you didn’t install the default ingressgateway… I’m just curious, coz in my current config I’ve disabled the default and installed 3 custom ingressgateway. Thanks

What I was hoping for is a separation between the Gateway metadata and the ingress gateway deployment. It looks to me like the current installer combines them. Not sure whether there’s a reason for that.

What I wanted was to just stop generating the:

  • ingressgateway Gateway

But when I disabled the ingressGateways component, it also stopped generating:

  • istio-ingressgateway Deployment
  • istio-ingressgateway HorizontalPodAuthscalar
  • ingressgateway PodDisruptionBudget
  • istio-ingressgateway-sds Role
  • istio-ingressgateway-sds RoleBinding
  • istio-ingressgateway Service
  • istio-ingressgateway-service-account
  • default Sidecar

I think this is actually normal. If you don’t need the istio-ingressgateway you won’t need any of these components as they will be useless otherwise.

Yeah, that does makes sense if I’m really turning it off. But for small changes to the Gateway which aren’t supported by the templates, I then have to turn it off and take ownership of the deployment etc. just to make a small configuration tweak to the gateway (like for httpsRedirect which I would have thought is common). If I remember right, the Helm install only installed the deployment but left the Gateway spec up to me (which for me is preferable I think).

What do you mean here? I’m having a problem with httpsRedirect in gateways that don’t seem to work on custom created ingress-gateways… Just to be clear, I have disabled the default ingress-gaateway and manually created three… None of them seem to honour the httpsRedirect for the attached gateways…

The default gateway (in 1.5.1) provided the port 80 config without a way to specify the httpsRedirect: see template here. However, I just checked and it looks like the default gateway has been removed in #22227. I haven’t had a chance to look in detail, but maybe that will resolve both of our problems (which ultimately are maybe the same problem). To work around this, I’m currently adding the gateway components separately from the Istio install.