You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When creating a gateway that has a host section with identical hosts on different namespaces on port 443 with simple-mode TLS, the resulting listener config is always rejected by envoy
@howardjohn@hzxuzhonghu can you tell me, whether that behavior is intended or not? I will gladly fix this issue, if you can point me in the right direction. My current approach would be deduplicating the gateway hosts before they are used to generate the listener config.
Bug description
When creating a gateway that has a host section with identical hosts on different namespaces on port 443 with simple-mode TLS, the resulting listener config is always rejected by envoy
The log message in the gateway deployment's envoy is
The proxy diff (retrieved with
istioctl proxy-status <gateway-proxy>
) contains following listener:Affected product area (please put an X in all that apply)
[ ] Configuration Infrastructure
[ ] Docs
[ ] Installation
[x] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
Expected behavior
Pilot should deduplicate the wildcard hosts in this case, as no real conflict exists.
Steps to reproduce the bug
In an istio cluster with default ingress gateway create following test gateway:
Then retrieve the proxy-status of your ingress gateway. Observe that
LDS
isSTALE
:Obtain the diff using
istioctl proxy-status istio-ingressgateway-5f54f8875b-dt7ns.istio-system
(replace with your gateway pod's name)Proxy diff
Version (include the output of
istioctl version --remote
andkubectl version
)How was Istio installed?
Using the official helm chart
Environment where bug was observed (cloud vendor, OS, etc)
Custom bare-metal cluster
The text was updated successfully, but these errors were encountered: