One istio-ingressgateway and multiple TLS gateways

10/9/2018

Brief of the problem:

  • If I try to attach multiple TLS gateways (using the same certificate) to one ingressgateway, only one TLS gateway will work (the last one applied).
  • Attaching multiple non-TLS gateways to the same ingressgateway works ok.

Error messages:

Domain 1 (ok):

✗ curl -I https://integration.domain.com
HTTP/2 200 
server: envoy
[...]

Domain 2 (bad):

✗ curl -vI https://staging.domain.com    
* Rebuilt URL to: https://staging.domain.com/
*   Trying 35.205.120.133...
* TCP_NODELAY set
* Connected to staging.domain.com (35.x.x.x) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to staging.domain.com:443 
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to staging.domain.com:443 

Facts:

I have a wildcard TLS cert (let's say '*.domain.com') that I've put in a secret with:

kubectl create -n istio-system secret tls istio-ingressgateway-certs --key tls.key --cert tls.crt

I have the default istio-ingressgateway attached to a static IP:

apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-system
  annotations:
  labels:
    chart: gateways-1.0.0
    release: istio
    heritage: Tiller
    app: istio-ingressgateway
    istio: ingressgateway
spec:
  loadBalancerIP: "35.x.x.x"
  type: LoadBalancer
  selector:
    app: istio-ingressgateway
    istio: ingressgateway
[...]

Then I have two gateways in different namespaces, for two domains included on the TLS wildcard (staging.domain.com, integration.domain.com):

staging:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: domain-web-gateway
  namespace: staging
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "staging.domain.com"
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "staging.domain.com"

integration:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: domain-web-gateway
  namespace: integration
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "integration.domain.com"
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "integration.domain.com"
-- Andor
google-kubernetes-engine
istio
kubernetes
ssl

1 Answer

10/9/2018

The problem is that you are using the same name (https) for port 443 in two Gateways managed by the same workload (selector). They need to have unique names. This restriction is documented here.

You can fix it by just changing the name of your second Gateway, for example:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: domain-web-gateway
  namespace: integration
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 443
      name: https-integration
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "integration.domain.com"
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "integration.domain.com"
-- Frank B
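The rule in the answer (port names must be unique across all Gateways that share the same workload selector) is easy to check before applying manifests. The following Python script is an added example, not code from the question, the answer, or the Istio project: it holds the two Gateways from the question as constructed Python dicts (the structure `yaml.safe_load` would return), reports every port name shared by two Gateways with the same selector, and applies the answer's naming convention (`https` becomes `https-integration`) to the second Gateway. It applies the rule generally, so it also flags the shared `http` name on port 80, which the question reports as working and the answer's fix leaves unchanged; the function names and the `-<namespace>` suffix helper are assumptions for this example.

```python
"""Lint Istio Gateway manifests for port-name collisions on a shared selector.

Added example: checks the rule stated in the accepted answer, namely that two
Gateways selecting the same ingress workload must not reuse a port name.
"""
import copy
from collections import defaultdict

# Constructed sample: the two Gateways from the question, as the dicts that
# yaml.safe_load would produce. Certificate paths are omitted for brevity.
GATEWAYS = [
    {
        "apiVersion": "networking.istio.io/v1alpha3",
        "kind": "Gateway",
        "metadata": {"name": "domain-web-gateway", "namespace": "staging"},
        "spec": {
            "selector": {"istio": "ingressgateway"},
            "servers": [
                {"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
                 "tls": {"mode": "SIMPLE"}, "hosts": ["staging.domain.com"]},
                {"port": {"number": 80, "name": "http", "protocol": "HTTP"},
                 "hosts": ["staging.domain.com"]},
            ],
        },
    },
    {
        "apiVersion": "networking.istio.io/v1alpha3",
        "kind": "Gateway",
        "metadata": {"name": "domain-web-gateway", "namespace": "integration"},
        "spec": {
            "selector": {"istio": "ingressgateway"},
            "servers": [
                {"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
                 "tls": {"mode": "SIMPLE"}, "hosts": ["integration.domain.com"]},
                {"port": {"number": 80, "name": "http", "protocol": "HTTP"},
                 "hosts": ["integration.domain.com"]},
            ],
        },
    },
]


def selector_key(spec):
    """Hashable form of spec.selector, so Gateways can be grouped by workload."""
    return tuple(sorted(spec.get("selector", {}).items()))


def find_port_name_collisions(gateways):
    """Return [(selector, port_name, [namespace/name, ...]), ...] for every
    port name used by more than one Gateway that shares a selector."""
    # selector -> port name -> set of "namespace/name" owners
    seen = defaultdict(lambda: defaultdict(set))
    for gw in gateways:
        if gw.get("kind") != "Gateway":
            continue
        md = gw["metadata"]
        ident = f"{md.get('namespace', 'default')}/{md['name']}"
        for server in gw["spec"].get("servers", []):
            seen[selector_key(gw["spec"])][server["port"]["name"]].add(ident)
    collisions = []
    for sel, names in seen.items():
        for name, owners in names.items():
            if len(owners) > 1:
                collisions.append((dict(sel), name, sorted(owners)))
    return sorted(collisions, key=lambda c: c[1])


def rename_ports(gateway, suffix):
    """Return a copy of `gateway` whose port names carry a "-<suffix>",
    the convention the answer uses (https -> https-integration).
    The original dict is left untouched."""
    gw = copy.deepcopy(gateway)
    for server in gw["spec"]["servers"]:
        server["port"]["name"] = f"{server['port']['name']}-{suffix}"
    return gw


if __name__ == "__main__":
    for sel, name, owners in find_port_name_collisions(GATEWAYS):
        print(f"port name {name!r} reused on selector {sel}: {', '.join(owners)}")
    fixed = [GATEWAYS[0], rename_ports(GATEWAYS[1], "integration")]
    print("collisions after renaming:", find_port_name_collisions(fixed))
```

Run stand-alone, the script reports both `http` and `https` as reused by `integration/domain-web-gateway` and `staging/domain-web-gateway`, then shows an empty collision list once the integration Gateway's port names carry the namespace suffix. Gateways with a different selector are grouped separately and never collide with these two.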
Source: StackOverflow