```
$ istioctl install -y --set values.gateways.istio-ingressgateway.type=NodePort
$ kubectl apply -f samples/httpbin/httpbin.yaml
```
```
$ kubectl get secret -n istio-system wildcard-example-com-cert
NAME                        TYPE                DATA   AGE
wildcard-example-com-cert   kubernetes.io/tls   2      12s
```
```
kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: GatewayClass
metadata:
  name: istio
spec:
  controllerName: istio.io/gateway-controller
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: Gateway
metadata:
  name: knative-gateway
  namespace: istio-system
spec:
  addresses:
  - type: Hostname
    value: istio-ingressgateway
  gatewayClassName: istio
  listeners:
  - allowedRoutes:
      namespaces:
        from: All
    name: default
    port: 80
    protocol: HTTP
  - allowedRoutes:
      namespaces:
        from: All
    name: https
    port: 443
    protocol: HTTPS
    tls:
      certificateRefs:
      - group: ""
        kind: Secret
        name: wildcard-example-com-cert
        namespace: istio-system
      mode: Terminate
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
  name: http
  namespace: default
spec:
  hostnames:
  - httpbin.example.com
  parentRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: knative-gateway
    namespace: istio-system
    sectionName: https
  rules:
  - backendRefs:
    - group: ""
      kind: Service
      name: httpbin
      port: 8000
      weight: 1
    filters:
    - requestHeaderModifier:
        add:
        - name: my-added-header
          value: added-value
      type: RequestHeaderModifier
    matches:
    - path:
        type: PathPrefix
        value: /get
EOF
```
This deployment (without cross namespace cert) works fine:
```
$ curl -sI -k https://httpbin.example.com:32434/get
HTTP/2 200
server: istio-envoy
date: Sun, 14 Nov 2021 11:58:03 GMT
content-type: application/json
content-length: 1826
access-control-allow-origin: *
access-control-allow-credentials: true
x-envoy-upstream-service-time: 1
```
Set certificateRefs to namespace: default.
```
    tls:
      certificateRefs:
      - group: ""
        kind: Secret
        name: wildcard-example-com-cert
        namespace: default
      mode: Terminate
```
Deploy ReferencePolicy and secret.
```
kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: ReferencePolicy
metadata:
  name: allow-gateways-to-ref-secrets
  namespace: default
spec:
  from:
  - group: gateway.networking.k8s.io
    kind: Gateway
    namespace: istio-system
  to:
  - group: ""
    kind: Secret
EOF
```
```
$ kubectl get secret -n default wildcard-example-com-cert
NAME                        TYPE                DATA   AGE
wildcard-example-com-cert   kubernetes.io/tls   2      163m
```
After a few minutes, it stops working.
```
$ curl -sI -v -k https://httpbin.example.com:32434/get
* Trying 172.20.0.2:32434...
* Connected to httpbin.example.com (172.20.0.2) port 32434 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: Connection reset by peer in connection to httpbin.example.com:32434
* Closing connection 0
```
```
$ istioctl version
client version: 1.13-alpha.8aea949750d59a51b322d36ec7cac2c60cea5ac8
control plane version: 1.13-alpha.8aea949750d59a51b322d36ec7cac2c60cea5ac8
data plane version: 1.13-alpha.8aea949750d59a51b322d36ec7cac2c60cea5ac8 (1 proxies)
$ kubectl version --short
Client Version: v1.21.4
Server Version: v1.22.0
$ kubectl api-resources |grep gateway
gatewayclasses      gc       gateway.networking.k8s.io/v1alpha2   false   GatewayClass
gateways            gtw      gateway.networking.k8s.io/v1alpha2   true    Gateway
httproutes                   gateway.networking.k8s.io/v1alpha2   true    HTTPRoute
referencepolicies   refpol   gateway.networking.k8s.io/v1alpha2   true    ReferencePolicy
tcproutes                    gateway.networking.k8s.io/v1alpha2   true    TCPRoute
tlsroutes                    gateway.networking.k8s.io/v1alpha2   true    TLSRoute
udproutes                    gateway.networking.k8s.io/v1alpha2   true    UDPRoute
gateways            gw       networking.istio.io/v1beta1          true    Gateway
```
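As an added example (not Istio's code and not part of the original issue), a small Go model of how a v1alpha2 ReferencePolicy gates the cross-namespace `certificateRefs` used in the reproduction steps: cross-namespace references are denied unless a policy in the Secret's namespace matches both the referencing Gateway and the target. The type and function names are hypothetical; the values in `main` are taken from the manifests on this page.

```go
package main

import "fmt"

// Constructed model of the v1alpha2 fields used on this page; not Istio's types.
type Ref struct{ Group, Kind, Namespace, Name string }
type From struct{ Group, Kind, Namespace string }
type To struct{ Group, Kind, Name string } // empty Name matches any name
type Policy struct {
	Namespace string // namespace the policy lives in, i.e. the target side
	From      []From
	To        []To
}

// Allowed reports whether an object of srcGroup/srcKind in srcNS may reference
// target. Same-namespace references need no policy; cross-namespace ones are
// denied unless a policy in the target's namespace matches both sides.
func Allowed(srcGroup, srcKind, srcNS string, target Ref, policies []Policy) bool {
	if target.Namespace == "" || target.Namespace == srcNS {
		return true
	}
	for _, p := range policies {
		if p.Namespace != target.Namespace {
			continue // a policy only exposes objects in its own namespace
		}
		fromOK, toOK := false, false
		for _, f := range p.From {
			fromOK = fromOK || (f.Group == srcGroup && f.Kind == srcKind && f.Namespace == srcNS)
		}
		for _, t := range p.To {
			toOK = toOK || (t.Group == target.Group && t.Kind == target.Kind &&
				(t.Name == "" || t.Name == target.Name))
		}
		if fromOK && toOK {
			return true
		}
	}
	return false
}

func main() {
	// Values from the manifests on this page.
	cert := Ref{Group: "", Kind: "Secret", Namespace: "default", Name: "wildcard-example-com-cert"}
	pol := Policy{Namespace: "default",
		From: []From{{"gateway.networking.k8s.io", "Gateway", "istio-system"}},
		To:   []To{{Group: "", Kind: "Secret"}}}
	fmt.Println(Allowed("gateway.networking.k8s.io", "Gateway", "istio-system", cert, []Policy{pol})) // true
	fmt.Println(Allowed("gateway.networking.k8s.io", "Gateway", "istio-system", cert, nil))           // false
}
```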
gateway: improvements to reference policy
6174b35
* Fix istio#36075
* Support to.Name
* Properly update PushContext on change
thanks! sent a fix
gateway: improvements to reference policy (#36177)
0305a69
* Fix #36075
* Support to.Name
* Properly update PushContext on change
howardjohn
Bug Description
certificateRefs with cross namespace, HTTPRoute does not work.
Steps to reproduce the issue
1. Deploy istio, httpbin and secret
2. Deploy Gateway, GatewayClass and HTTPRoute (without cross namespace cert)
This deployment (without cross namespace cert) works fine:
3. Deploy ReferencePolicy, secret and use cross namespace cert
Set certificateRefs to namespace: default.
Deploy ReferencePolicy and secret.
After a few minutes, it stops working.
Version
Additional Information
No response