HTTPRoute is always exposed via default istio-ingressgateway service

[nak3]

[X] Networking

Expected behavior

• HTTPRoute is always exposed via default istio-ingressgateway service.
• I would like to create a private Gateway but it seems not possible due to this issue.

Steps to reproduce the bug

1. Deploy test apps

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Namespace
metadata:
  name: gateway-demo
---
apiVersion: networking.x-k8s.io/v1alpha1
kind: GatewayClass
metadata:
  name: istio
spec:
  controller: istio.io/gateway-controller
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: foo
  namespace: gateway-demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: foo
  template:
    metadata:
      labels:
        app: foo
    spec:
      containers:
      - name: whereami
        image: docker.io/kennethreitz/httpbin
        ports:
          - containerPort: 80
        env:
        - name: METADATA
          value: "foo"
---
apiVersion: v1
kind: Service
metadata:
  name: foo-svc
  namespace: gateway-demo
spec:
  selector:
    app: foo
  ports:
  - port: 8000
    targetPort: 80
---
apiVersion: networking.x-k8s.io/v1alpha1
kind: HTTPRoute
metadata:
  name: test
  namespace: gateway-demo
  labels:
     knative-e2e-test: "net-ingressv2-local"
spec:
  gateways:
    allow: SameNamespace
  hostnames:
  - "foo.example.com"
  rules:
  - forwardTo:
    - port: 8000
      serviceName: foo-svc
      weight: 0
    matches:
    - path:
        type: Prefix
        value: /
EOF

2. Deploy Gateways with 8081 port and ClusterIP service.

cat <<EOF | kubectl apply -f -
apiVersion: networking.x-k8s.io/v1alpha1
kind: GatewayClass
metadata:
  name: istio
spec:
  controller: istio.io/gateway-controller
---
kind: Gateway
apiVersion: networking.x-k8s.io/v1alpha1
metadata:
  name: test-local-gateway
  namespace: gateway-demo
spec:
  gatewayClassName: istio
  listeners:
  - protocol: HTTP
    port: 8081
    routes:
      kind: HTTPRoute
      selector:
        matchLabels:
          knative-e2e-test: "net-ingressv2-local"
---
apiVersion: v1
kind: Service
metadata:
  name: test-local-gateway
  namespace: istio-system
  labels:
    serving.knative.dev/release: devel
    networking.knative.dev/ingress-provider: istio
spec:
  type: ClusterIP
  selector:
    istio: ingressgateway
  ports:
    - name: http2
      port: 80
      targetPort: 8081
EOF

3. Access to the HTTPRoute.

The HTTPRoute is exposed via 80 port.

$ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
$ curl -Is -H "Host: foo.example.com" $INGRESS_HOST  -o /dev/null -w '%{http_code}\n'
200

(I expected the access failed because Gateway (test-local-gateway) with 8081 should expose it.)

Version

$ istioctl version
client version: 1.10-alpha.75974d56a327e9857f36d17151b2ef3146745b92
control plane version: 1.10-alpha.75974d56a327e9857f36d17151b2ef3146745b92
data plane version: 1.10-alpha.75974d56a327e9857f36d17151b2ef3146745b92 (1 proxies)

How was Istio installed?

I'm using this manifest https://github.com/knative-sandbox/net-ingressv2/blob/main/third_party/istio-head/istio-ci-no-mesh.yaml

[howardjohn]

I think this is related to #31566. Its not even about gateway-api so much, the same happens with standard GW/VS

[nak3]

#32653 should fix this issue. I am testing it now.

[nak3]

Thank you! I verified that it works.