Gateways with multiple ports result in a route with a single port #9

Closed
chrisob opened this issue Jun 4, 2020 · 5 comments

chrisob commented Jun 4, 2020

TL;DR: Are Gateways with multiple port definitions supported by Maistra's IOR controller and/or is there a way to automatically redirect HTTP to HTTPS on the Route or Gateway level using Maistra's IOR?

My scenario:

  • I have a deployment and an associated HTTP service.
  • I would like to create a Gateway (and associated VirtualService, etc.) which allows ingress to this HTTP service.
  • I would also like to expose this service as HTTPS to the outside world, and automatically redirect any incoming HTTP ingress traffic to HTTPS (using either the Gateway's spec.servers.tls.httpsRedirect: true field, or the Route's spec.tls.insecureEdgeTerminationPolicy: Redirect field).
  • I would like to use IOR to expose both the HTTP and HTTPS ports of the Gateway via an OpenShift Route.

Here is my example Gateway:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
  namespace: httpbin
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      tls:
        httpsRedirect: true
      hosts:
        - httpbin.apps.example.com
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
        privateKey: /etc/istio/ingressgateway-certs/tls.key
      hosts:
        - httpbin.apps.example.com

When deploying a ServiceMeshControlPlane with spec.istio.gateways.istio-ingressgateway.ior_enabled: true, the IOR controller creates the following route which only listens for HTTPS traffic:

apiVersion: route.openshift.io/v1
kind: Route
metadata:
  annotations:
    maistra.io/original-host: httpbin.apps.example.com
  creationTimestamp: "2020-06-04T12:54:55Z"
  generateName: httpbin-httpbin-gateway-
  labels:
    maistra.io/gateway-name: httpbin-gateway
    maistra.io/gateway-namespace: httpbin
    maistra.io/generated-by: ior
  name: httpbin-httpbin-gateway-w5zlz
  namespace: istio-system
  resourceVersion: "21713361"
  selfLink: /apis/route.openshift.io/v1/namespaces/istio-system/routes/httpbin-httpbin-gateway-w5zlz
  uid: 8f4c024a-b3ee-4ce3-af46-f910113a2511
spec:
  host: httpbin.apps.example.com
  port:
    targetPort: https
  tls:
    termination: passthrough
  to:
    kind: Service
    name: istio-ingressgateway
    weight: 100
  wildcardPolicy: None
status:
  ingress:
  - conditions:
    - lastTransitionTime: "2020-06-04T12:54:55Z"
      status: "True"
      type: Admitted
    host: httpbin.apps.example.com
    routerCanonicalHostname: apps.example.com
    routerName: default
    wildcardPolicy: None

Troubleshooting steps I've taken:
When removing either the HTTP or HTTPS port blocks from the Gateway, the generated Route is correctly configured for either HTTP or HTTPS. However, when both ports are specified in the Gateway (as shown above), the route doesn't allow redirecting HTTP traffic to HTTPS.

I would expect that the IOR controller can either forward HTTP and HTTPS traffic to the Gateway and configure HTTP redirection to HTTPS on that level, or it should set the spec.tls.insecureEdgeTerminationPolicy to Redirect on the Route level.

Is there a way to automatically redirect HTTP to HTTPS on the Route or Gateway level using Maistra's IOR?
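
The mismatch described in the post above can be checked mechanically. The following is an added example, not part of the original post and not Maistra or IOR code: it reports hosts for which a Gateway requests `httpsRedirect` but no Route for that host either forwards plain HTTP to the gateway or sets `insecureEdgeTerminationPolicy: Redirect`. The function names, the exact-host matching and the `WANTED_ROUTE` manifest are assumptions made for illustration.

```python
# Added example (not Maistra/IOR code). Manifests are plain dicts, as
# `oc get -o json` would return them; hosts are matched exactly (no wildcards).

def redirect_hosts(gateway):
    """Hosts for which a Gateway server sets tls.httpsRedirect: true."""
    hosts = set()
    for server in gateway.get("spec", {}).get("servers", []):
        if (server.get("tls") or {}).get("httpsRedirect") is True:
            hosts.update(server.get("hosts", []))
    return hosts

def http_handling(route):
    """Classify what a Route does with plain-HTTP requests for its host."""
    tls = route.get("spec", {}).get("tls")
    if not tls:
        return "forwarded-to-gateway"   # non-TLS Route: the Gateway can redirect
    if tls.get("insecureEdgeTerminationPolicy") == "Redirect":
        return "redirected-at-router"
    # Assumption: any other value (or none) is not counted as redirect coverage.
    return "no-redirect-policy"

def uncovered_redirects(gateway, routes):
    """Redirect hosts with no Route that forwards or redirects plain HTTP."""
    missing = []
    for host in sorted(redirect_hosts(gateway)):
        modes = {http_handling(r) for r in routes
                 if r.get("spec", {}).get("host") == host}
        if not modes & {"forwarded-to-gateway", "redirected-at-router"}:
            missing.append(host)
    return missing

# Constructed from the manifests in the post, trimmed to the fields used here.
HOST = "httpbin.apps.example.com"
GATEWAY = {"spec": {"servers": [
    {"port": {"number": 80, "name": "http", "protocol": "HTTP"},
     "tls": {"httpsRedirect": True}, "hosts": [HOST]},
    {"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
     "tls": {"mode": "SIMPLE"}, "hosts": [HOST]},
]}}
IOR_ROUTE = {"spec": {"host": HOST, "port": {"targetPort": "https"},
                      "tls": {"termination": "passthrough"}}}
# Hypothetical Route carrying the policy the post asks for.
WANTED_ROUTE = {"spec": {"host": HOST, "port": {"targetPort": "https"},
                         "tls": {"termination": "passthrough",
                                 "insecureEdgeTerminationPolicy": "Redirect"}}}

if __name__ == "__main__":
    print(uncovered_redirects(GATEWAY, [IOR_ROUTE]))
    print(uncovered_redirects(GATEWAY, [WANTED_ROUTE]))
```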


chrisob commented Jun 4, 2020

@jwendell @knrc Apologies if this isn't the correct place to open issues for Maistra. If it's not, could you please direct me to the right place? Thanks.


chrisob commented Jun 4, 2020

I suppose an alternative solution would be to terminate HTTPS at the Route and have the Gateway just configured for HTTP traffic, but I'm not sure if that's possible to configure with IOR.


chrisob commented Jun 8, 2020

Opened a JIRA issue in parallel, I'll close whichever one isn't used for tracking :)


knrc commented Jun 8, 2020

@chrisob Thanks very much, Jira is better for our tracking.


chrisob commented Jun 8, 2020

Closing in favor of Jira ticket.

@chrisob chrisob closed this as completed Jun 8, 2020