network.http-protocol=Redirected breaks custom Istio ingress gateways #14879

Open
braunsonm opened this issue Feb 12, 2024 · 4 comments
Labels
area/networking kind/bug Categorizes issue or PR as related to a bug.

@braunsonm

/area networking

What version of Knative?

1.12.3

Expected Behavior

Enabling this option with a custom Istio gateway should simply keep the custom-namespace.custom-gateway in the VirtualService so that requests coming in on 443 will match.

Actual Behavior

When enabling network.http-protocol=Redirected, Knative Serving will create a custom Gateway for every service to set httpRedirect. This way requests are immediately redirected to port 443. The problem is when this setting is enabled it replaces the custom Istio ingress gateway with the app-specific ingress gateway that is only configured with port 80, and not the custom gateway that may have been configured with TLS certificates.

This means all requests to your app after the redirect will 404.

Steps to Reproduce the Problem

  1. Create a custom Istio gateway set up to terminate TLS
  2. Configure Knative Serving to use that gateway
  3. Enable http-protocol=Redirected
  4. Notice requests will always 404.
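
The symptom reported above can be checked offline from exported manifests. The following Python is an added example, not part of the issue or of Knative's code: it flags a VirtualService bound to a gateway that redirects to HTTPS (Istio's `tls.httpsRedirect`) but to no gateway that serves TLS. The manifests are constructed, and every gateway and service name in them is a placeholder.

```python
# Added illustration: constructed manifests, every name is a placeholder.
def gw(ns, name, number, protocol, tls=None):
    """Build a minimal Istio Gateway with a single server."""
    server = {"port": {"number": number, "protocol": protocol}, "hosts": ["*"],
              **({"tls": tls} if tls else {})}
    return {"metadata": {"namespace": ns, "name": name}, "spec": {"servers": [server]}}

def vs(ns, name, refs):
    """Build a minimal VirtualService bound to the given gateway references."""
    return {"metadata": {"namespace": ns, "name": name}, "spec": {"gateways": refs}}

def gateway_key(ref, vs_namespace):
    """Resolve "namespace/name" or a bare "name" to a (namespace, name) pair."""
    ns, _, name = ref.rpartition("/")
    return (ns or vs_namespace, name)

def classify(gateway):
    """Return which roles a Gateway plays: 'tls' (serves HTTPS) and/or 'redirect'."""
    roles = set()
    for server in gateway["spec"].get("servers", []):
        protocol = server.get("port", {}).get("protocol", "").upper()
        if protocol in ("HTTPS", "TLS"):
            roles.add("tls")
        elif server.get("tls", {}).get("httpsRedirect"):
            roles.add("redirect")
    return roles

def check_virtualservice(virtual_service, gateways):
    """Flag a VirtualService whose gateways redirect to HTTPS but never serve it."""
    index = {(g["metadata"]["namespace"], g["metadata"]["name"]): g for g in gateways}
    found = {"redirect": [], "tls": []}
    for ref in virtual_service["spec"].get("gateways", []):
        key = gateway_key(ref, virtual_service["metadata"]["namespace"])
        if ref == "mesh" or key not in index:  # sidecar traffic or unknown gateway
            continue
        for role in sorted(classify(index[key])):
            found[role].append(ref)
    found["broken"] = bool(found["redirect"]) and not found["tls"]
    return found

GATEWAYS = [
    gw("custom-namespace", "custom-gateway", 443, "HTTPS",
       {"mode": "SIMPLE", "credentialName": "placeholder-cert"}),
    gw("default", "hello-redirect", 80, "HTTP", {"httpsRedirect": True}),
]
REPORTED = vs("default", "hello", ["default/hello-redirect"])
EXPECTED = vs("default", "hello", ["default/hello-redirect", "custom-namespace/custom-gateway"])

if __name__ == "__main__":
    print(check_virtualservice(REPORTED, GATEWAYS))
```
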
@braunsonm braunsonm added the kind/bug Categorizes issue or PR as related to a bug. label Feb 12, 2024

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 13, 2024
@skonto
Contributor

skonto commented May 15, 2024

/remove-lifecycle stale

@knative-prow knative-prow bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 15, 2024
@skonto
Contributor

skonto commented May 15, 2024

cc @ReToCode may have more to add here.

@ReToCode
Member

I don't think we support that combination. Knative will create dynamic gateways for configuration with TLS for Istio. I don't think you can mix that with a static custom Gateway. IMHO, if you need to do that, you must not use the Knative TLS features but handle this on your custom gateway on your own.
